The Command Shell

Security holes are all around. Are there any in xp_cmdshell?

Recently I heard a few people arguing over the use of xp_cmdshell in a particular situation. One person was adamant that there was a security risk in using this feature. Many of you probably feel the same way, and even the SQL Server platform recognizes the potential danger: the feature ships disabled as part of the secure-by-default installation and has to be switched on explicitly.

However, the security around this procedure has been tightened over the years. Enabling it requires a deliberate sp_configure change, and even then only members of the sysadmin fixed server role can execute it by default. A sysadmin can open access to other logins, but only by granting EXECUTE on the procedure and creating a proxy credential with sp_xp_cmdshell_proxy_account, both of which are explicit configuration changes made by an administrator. This means that a lot of the danger of using xp_cmdshell for administrative tasks has been removed.

Or has it? This Friday I wanted to poll you and find out what you think. Many of you are creative in how you use SQL Server and will think of possibilities that many of us would not consider.

Is there a security risk in allowing xp_cmdshell to be used by members of the sysadmin role?

I’m not looking for potential issues if a proxy account exists. Instead I’m asking whether there are real dangers in allowing administrators to use this tool. I assume you trust your administrators and that they will not maliciously use this tool to cause issues in your SQL Server. Let us know how you feel this week.
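To make the controls discussed above concrete, here is an added T-SQL walkthrough (not part of the original editorial) that checks each of them on an instance: whether xp_cmdshell is enabled, whether a proxy credential exists, which account the shell actually runs under, and which Windows account the service itself uses. The login name, Windows account and password are placeholders; run it as a sysadmin against a test instance only.

```sql
-- Added example, not from the original editorial.
-- Inspect and exercise the xp_cmdshell controls described in the text.

-- 1. Is xp_cmdshell enabled? value_in_use = 0 is the secure-by-default state.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Enabling it is an explicit, loggable change; 'show advanced options'
--    must be on before the xp_cmdshell option is visible to sp_configure.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- 3. Even when enabled, only members of sysadmin can execute it. Opening it to
--    another login takes two deliberate steps: EXECUTE on the procedure in
--    master, and a proxy credential whose Windows identity the command runs
--    under. [LowPrivLogin], CONTOSO\sqlcmdproxy and the password are
--    placeholder values for this example.
USE master;
GRANT EXECUTE ON xp_cmdshell TO [LowPrivLogin];
EXEC sp_xp_cmdshell_proxy_account 'CONTOSO\sqlcmdproxy', 'proxy-password-here';

-- 4. A proxy credential is the thing that widens exposure beyond sysadmins,
--    so check for its presence. SQL Server stores it under this fixed name.
SELECT name, credential_identity
FROM sys.credentials
WHERE name = '##xp_cmdshell_proxy_account##';

-- 5. What a sysadmin's shell command actually runs as: the SQL Server service
--    account. Compare the two results; if the service account is a local
--    administrator, every sysadmin is effectively a local administrator too.
EXEC xp_cmdshell 'whoami';
SELECT servicename, service_account
FROM sys.dm_server_services;

-- 6. Clean up: drop the proxy credential and disable the feature again.
EXEC sp_xp_cmdshell_proxy_account NULL;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

Step 5 is the one worth keeping in a periodic check: the output of `whoami` and the service_account column tell you exactly how much of the host a sysadmin can reach through this procedure.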

Steve Jones

Editor, SQLServerCentral

2 Responses to The Command Shell

  1. The real risk is that you are giving SQL Server administrators access to resources outside of SQL Server. If your SQL Server service account is an administrator on the server then you have just granted anyone who is an administrator on SQL Server administrative access to the server itself. And once you have administrative access to the server you have the ability to get access to any other instances on the server etc.

    That being said, if you are going to trust someone to be an administrator on your SQL Server then you should probably trust them enough not to use any additional access you may have “accidentally” granted them through use of xp_cmdshell.


    • way0utwest says:

      It’s a risk, but making someone a sysadmin is a risk as well.

      There are potentially good reasons not to allow this, but I’m not sure they are far and wide. Note that current best practice is not to make service accounts administrators.

