You can find an explanation in the Permissions section of the SQL Server documentation, which states that:
Since malicious users sometimes try to elevate their privileges by using xp_cmdshell, xp_cmdshell is disabled by default.
A more detailed explanation can be found in the SQL Server Security blog. A short excerpt from the blog says:
xp_cmdshell , , , , , , / - , . Xp_cmdshell , , .