2.15 Ensure 'xp_cmdshell' Server Configuration Option is set to '0'

Information

The xp_cmdshell option controls whether the xp_cmdshell extended stored procedure can be used by an authenticated SQL Server user to execute operating-system command shell commands and return results as rows within the SQL client.

Rationale:

The xp_cmdshell procedure is commonly used by attackers to read or write data to/from the underlying Operating System of a database server.

Solution

Run the following T-SQL command:

EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
GO
EXECUTE sp_configure 'show advanced options', 0;
RECONFIGURE;

Default Value:

By default, this option is disabled (0).

See Also

https://workbench.cisecurity.org/benchmarks/7202

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.2

Plugin: MS_SQLDB

Control ID: 7bc48b9c70f6080e9d2f6e157477810ffc562eae24d9a27d7102fff32b99fbce