Ensure 'xp_cmdshell' Server Configuration Option is set to '0'

  • Question

  • Hi,

    Our Security team got the following security vulnerability in our production database. Database version is SQL Server 2017.

    Ensure 'xp_cmdshell' Server Configuration Option is set to '0' 

    1) Please let us know if we set it to 0, is there any impact on any database?

    2) And how do we know any database user is using this feature?

    Regards

    Arif

    Tuesday, August 4, 2020 7:28 AM

All replies

  • 1) Microsoft has a built-in extended stored procedure called xp_cmdshell. We have a user that is not a sysadmin, but is a user of the master database and we want to grant access to run xp_cmdshell.

    2) This is not related to any database. It is only a command used in DOS.

    If it is not required, then you can disable xp_cmdshell.

    https://social.technet.microsoft.com/wiki/contents/articles/37872.sql-server-installation-on-centos-linux.aspx

    Tuesday, August 4, 2020 8:53 AM
  • 1) Please let us know if we set it to 0, is there any impact on any database?

    The database as such is not impacted, but there could be code running in the database that is impacted.

    2) And how do we know any database user is using this feature?

    When it comes to stored procedures you can run
    SELECT object_name(object_id)
    FROM   sys.sql_modules
    WHERE  definition LIKE '%xp_cmdshell%'

    However, this will catch things is executed in loose scripts or by batches submitted by client code.

    You need to run this query in all your databases.


    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se


    Tuesday, August 4, 2020 9:12 AM
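
One way to run that search across every database on the instance, written as an added example that is not part of the original thread. It assumes a login with VIEW ANY DEFINITION (or sysadmin) and uses a hypothetical temp table name, `#xp_cmdshell_refs`; it also reports the current setting and checks SQL Server Agent job steps, which the single-database query does not cover.

```sql
-- Added example, not from the thread. #xp_cmdshell_refs is a hypothetical name.
SET NOCOUNT ON;

-- Current state of the option: value = configured, value_in_use = running.
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name = N'xp_cmdshell';

CREATE TABLE #xp_cmdshell_refs (
    database_name sysname      NOT NULL,
    schema_name   sysname      NULL,   -- NULL for database-level DDL triggers
    object_name   sysname      NULL,
    type_desc     nvarchar(60) NULL
);

DECLARE @db sysname, @sql nvarchar(max);

-- Only ONLINE databases can be queried.
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = N'ONLINE';

OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME keeps unusual database names from breaking the dynamic SQL.
    -- Modules created WITH ENCRYPTION have a NULL definition and are not matched.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #xp_cmdshell_refs
        SELECT DB_NAME(), OBJECT_SCHEMA_NAME(m.object_id),
               OBJECT_NAME(m.object_id), o.type_desc
        FROM   sys.sql_modules AS m
        LEFT JOIN sys.objects  AS o ON o.object_id = m.object_id
        WHERE  m.definition LIKE N''%xp_cmdshell%'';';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM db_cur INTO @db;
END;
CLOSE db_cur;
DEALLOCATE db_cur;

SELECT * FROM #xp_cmdshell_refs
ORDER BY database_name, schema_name, object_name;

-- SQL Server Agent job steps whose command text references xp_cmdshell.
SELECT j.name AS job_name, s.step_id, s.step_name
FROM   msdb.dbo.sysjobs     AS j
JOIN   msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE  s.command LIKE N'%xp_cmdshell%';

DROP TABLE #xp_cmdshell_refs;
```

On a database with a case-sensitive collation the LIKE match is case-sensitive, so differently cased references would need a second pattern or an explicit COLLATE clause.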
  • Hi Arif,

    Please check if below blog could help you.

    Is disabling xp_cmdshell in SQL Server really secure? 

    We can disable it through T-SQL or SSMS UI.

    The following code will disable xp_cmdshell using sp_configure:

    -- this turns on advanced options and is needed to configure xp_cmdshell
    EXEC sp_configure 'show advanced options', '1';
    RECONFIGURE;
    -- this disables xp_cmdshell
    EXEC sp_configure 'xp_cmdshell', '0';
    RECONFIGURE;

    Right click on the instance name and select Facets 

    Best regards,
    Cathy 






    Tuesday, August 4, 2020 9:17 AM