sp_check: SQL Server Database Checks

xp_cmdshell enabled

What's the issue?

You have the instance configuration 'xp_cmdshell' set to enabled.

Why is this a problem?

Enabling the xp_cmdshell configuration allows for the spawning of a Windows command shell and passes a string for execution. Because this is a frequent target for malicious software, it is recommended to only have xp_cmdshell enabled if needed.

However, considering that by default xp_cmdshell can only be executed by members of the sysadmin role - who can also enable or disable this configuration at will - we recommend that more attention be given to the members of the sysadmin role than whether or not xp_cmdshell is enabled.

What should you do about this?

Review whether or not you use xp_cmdshell in any of your code. If you do not, you can disable this feature with the following T-SQL, which first requires enabling 'show advanced options'.

EXEC sp_configure 'show advanced options', 1;
EXEC sp_configure 'xp_cmdshell', 0;

What do the Vulnerability Levels mean?

0 - Information only. This is stuff you should know about your instances like version and service account used, but if you don't know it…well, now you do.

1 - High vulnerability requiring action. These are the issues that could most likely lead to your company being front page news for all the wrong reasons. If your instances have any results at this level then we recommend cancelling that 3-martini lunch and instead huddling with your team to figure out when to address these issues.

2 - High vulnerability to review. These include settings and assigned permissions you should review soon, if not immediately. These findings may not necessarily indicate a clear vulnerability, but we've found unexpected vulnerabilities in these categories at many, many clients.

3 - Potential vulnerability to review. These are configurations or assigned permissions you may be using that could lead to problems for users. Or maybe they're just required for your applications. Either way, we recommend reviewing these to make sure these are correct.

4 – Low vulnerability with recommended action. These are typically security inconsistencies that should be addressed. They aren't likely to cause problems, but you should clean up the mess.