Some shops have concerns about Minion Maintenance enabling xp_cmdshell. Xp_cmdshell is safe to enable, and here we’ll discuss why and how.

First: By default, the use of xp_cmdshell is limited to SQL Server administrators. SQL Server administrators have all-encompassing powers (within SQL Server) – including the ability to turn xp_cmdshell on or off – so adding xp_cmdshell to their arsenal changes nothing, security-wise.

Second: For a non-administrator user to use xp_cmdshell, an administrator must specifically grant permissions to them. Enabling xp_cmdshell does not grant any nefarious powers to any user.

Third: xp_cmdshell security, then, is all about controlling your service account. If your SQL Server service account is not a local administrator, and that account only has permissions on that single server, you’re covered! Note that Microsoft itself also recommends that service accounts should not be local administrators.

The issue is privilege escalation. If someone in your IT team is afraid of xp_cmdshell, they’re afraid of what someone else could do with xp_cmdshell enabled…not what Minion itself will do. With xp_cmdshell, someone could access the OS layer and do all kinds of things under the SQL service account credentials. This is why it’s important to lock down the service account!

So, to lock down security regarding xp_cmdshell:
  1. Make sure the service account is not a local administrator.
  2. Make sure each of your SQL Server instances’ service accounts are unique to the server.
  3. If you need the service account to do something else, then grant only those permissions.
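The following T-SQL audit script is an added example for this article; it is not part of Minion Maintenance. It checks the four facts the points above depend on: whether xp_cmdshell is enabled, which non-sysadmin principals have been explicitly granted EXECUTE on it, whether a proxy credential exists for those non-sysadmin callers, and which Windows account each SQL Server service runs as (so you can confirm it is not a local administrator and is unique to this server). It uses only documented catalog views and DMVs; running it requires sysadmin or VIEW SERVER STATE.

```sql
-- Added audit script (not Minion Maintenance code). Run once per instance.
USE master;

-- 1. Is xp_cmdshell currently enabled? (value_in_use = 1 means enabled)
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Which principals have been explicitly granted (or denied) EXECUTE on
--    xp_cmdshell? Sysadmins never appear here: they need no grant.
--    An empty result means only sysadmins can call it.
SELECT dp.name              AS principal_name,
       dp.type_desc         AS principal_type,
       pe.permission_name,
       pe.state_desc        AS grant_state
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS dp
  ON dp.principal_id = pe.grantee_principal_id
WHERE pe.class = 1                       -- object-level permission
  AND pe.major_id = OBJECT_ID('sys.xp_cmdshell');

-- 3. Is a proxy credential configured? Non-sysadmin callers of xp_cmdshell
--    run under this Windows identity rather than the service account.
--    No row means non-sysadmins cannot run xp_cmdshell even if granted.
SELECT name, credential_identity, create_date
FROM sys.credentials
WHERE name = '##xp_cmdshell_proxy_account##';

-- 4. Which Windows accounts run the services on this host? This is the
--    identity that xp_cmdshell commands from sysadmins execute as, so it
--    is the one that must not be a local administrator and must be unique
--    to this server (points 1 and 2 above).
SELECT servicename, service_account, startup_type_desc
FROM sys.dm_server_services;

-- 5. Who is a sysadmin on this instance? Everyone listed here can already
--    toggle xp_cmdshell on or off regardless of its current state.
SELECT sp.name AS login_name, sp.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS sp ON sp.principal_id = rm.member_principal_id
JOIN sys.server_principals   AS r  ON r.principal_id  = rm.role_principal_id
WHERE r.name = 'sysadmin'
ORDER BY sp.name;
```

Compare the output of query 4 across your instances: if the same account shows up on more than one server, or it is a member of the local Administrators group on the host, that is the finding to fix, not the xp_cmdshell setting itself.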

For much more on this topic, see our articles “xp_cmdshell isn’t evil” and “Security Theater.”

Questions? Contact support.