2.15 Ensure 'xp_cmdshell' Server Configuration Option is set to '0'

Information

The xp_cmdshell option controls whether the xp_cmdshell extended stored procedure can be used by an authenticated SQL Server user to execute operating-system command shell commands and return results as rows within the SQL client.

Rationale:

The xp_cmdshell procedure is commonly used by attackers to read or write data to/from the underlying Operating System of a database server.

Solution

Run the following T-SQL command:

EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
GO
EXECUTE sp_configure 'show advanced options', 0;
RECONFIGURE;

Default Value:

By default, this option is disabled (0).

See Also

https://workbench.cisecurity.org/benchmarks/7201

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.2

Plugin: MS_SQLDB

Control ID: 2cac3da42555e26cba864dea987949f9bb1ce4bed29831efb806d67509ae72ae