July 16, 2003 at 8:58 am
I am thinking about deleting xp_cmdshell from my production environment. I hardly ever use it. My organization's security guide suggests removing it.
However, I feel nervous about deleting it.
Would doing so cause any unforeseen or hidden problems down the road? We are behind a firewall and I've denied execution of it. Is that good enough to minimize the security risk? If that is good enough, maybe I should just leave it?
July 16, 2003 at 9:01 am
I wouldn't delete it; I prefer to deny the access.
Shas3
July 16, 2003 at 12:16 pm
The catch: The problem is, anybody with sysadmin privs can put it back unless you can remove the .DLL, which I don't believe you can. I think some other essential extended stored procedures are part of that DLL.
With that said, if you drop it, an exploit that doesn't know to re-add it back can't use it, right? So it's generally recommended to drop this if you can. Take a look at sp_dropextendedproc.
By default, xp_cmdshell is only accessible by sysadmin. Denying access doesn't prevent them from getting to it. As long as you don't grant access to it, you've accomplished the same thing as deny. Sysadmins ignore permissions, so the deny doesn't do anything for them.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
K. Brian Kelley
@kbriankelley
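An audit-then-drop sequence for the approach described in the post above, as an added example that is not part of the original thread. It assumes SQL Server 2000-era system procedures, run from master by a sysadmin login.

```sql
-- Added example (not from the thread). Assumes SQL Server 2000-era
-- system procedures and a sysadmin login.
USE master
GO

-- 1. Members of sysadmin bypass permission checks, so GRANT/DENY on
--    xp_cmdshell does not apply to them. Review this list first.
EXEC sp_helpsrvrolemember 'sysadmin'
GO

-- 2. Explicit GRANT/DENY entries on the procedure for everyone else.
--    sp_helprotect raises an error if there are no entries to report.
IF OBJECT_ID('dbo.xp_cmdshell') IS NOT NULL
    EXEC sp_helprotect 'xp_cmdshell'
ELSE
    PRINT 'xp_cmdshell is not registered in master.'
GO

-- 3. Unregister the extended procedure. This removes the registration
--    only; the DLL stays on disk, so a sysadmin can register it again.
IF OBJECT_ID('dbo.xp_cmdshell') IS NOT NULL
    EXEC sp_dropextendedproc 'xp_cmdshell'
GO

-- 4. Verify. An empty result means it is no longer registered.
--    Rerun this check on a schedule to notice if it reappears.
SELECT name, crdate
FROM sysobjects
WHERE name = 'xp_cmdshell' AND xtype = 'X'
GO
```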