When you install a SQL Server instance, any feature that is not necessary for the core engine to run is disabled by default. xp_cmdshell is a significant security risk because it allows a compromised SQL Server to elevate the attack to the operating system itself, and from there to the entire network.
You can enable or disable features within your instance by executing the system stored procedure sp_configure with the xp_cmdshell option.
When the xp_cmdshell feature is disabled you will see the following message when it is executed:
Msg 15281, Level 16, State 1, Procedure xp_cmdshell, Line 1
SQL Server blocked access to procedure ‘sys.xp_cmdshell’ of component ‘xp_cmdshell’ because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of ‘xp_cmdshell’ by using sp_configure. For more information about enabling ‘xp_cmdshell’, see “Surface Area Configuration” in SQL Server Books Online.
You can verify that the xp_cmdshell feature is disabled by executing the following query:
SELECT value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell'
If the query returns 0, the feature is disabled; if it returns 1, it is enabled.
To enable xp_cmdshell, execute the following:
-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO
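The reverse of the steps above, as an added example that is not part of the original page: a T-SQL batch that reports whether xp_cmdshell is enabled or has a change waiting on RECONFIGURE, turns it off, and puts 'show advanced options' back the way it found it. It assumes the login running it is allowed to change server settings (for example, a sysadmin).

```sql
-- Added example, not from the original page.
-- Assumption: the caller may run sp_configure and RECONFIGURE.
SET NOCOUNT ON;

-- value        = what sp_configure last set
-- value_in_use = what the engine is running with right now
-- The two differ when sp_configure ran but RECONFIGURE did not.
SELECT name,
       CAST(value AS int)        AS configured_value,
       CAST(value_in_use AS int) AS running_value,
       CASE
           WHEN CAST(value AS int) <> CAST(value_in_use AS int)
               THEN 'pending RECONFIGURE'
           WHEN CAST(value_in_use AS int) = 1 THEN 'enabled'
           ELSE 'disabled'
       END AS state
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- Turn the feature off if it is enabled now or would become enabled
-- at the next RECONFIGURE.
IF EXISTS (SELECT 1
           FROM sys.configurations
           WHERE name = 'xp_cmdshell'
             AND (CAST(value AS int) = 1 OR CAST(value_in_use AS int) = 1))
BEGIN
    -- Remember whether advanced options were visible before we started.
    DECLARE @adv int = (SELECT CAST(value_in_use AS int)
                        FROM sys.configurations
                        WHERE name = 'show advanced options');

    -- xp_cmdshell is an advanced option, so expose advanced options first.
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;

    EXEC sp_configure 'xp_cmdshell', 0;
    RECONFIGURE;

    -- Restore the previous visibility of advanced options.
    EXEC sp_configure 'show advanced options', @adv;
    RECONFIGURE;
END;

-- Final check: 0 means xp_cmdshell is disabled.
SELECT CAST(value_in_use AS int) AS xp_cmdshell_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```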