Command shell setting


Job details

Name: Command shell setting
Platform: Sqlserver
Category: Security
Premium package: Security and compliance package
Description: Checks if the xp_cmdshell is enabled, as a security best practice it is recommended to only enable it for the duration of the actual task that requires it.
Long description: checks if the xp_cmdshell is enabled, as a security best practice it is recommended to only enable it for the duration of the actual task that requires it.
Version: 1.2
Default schedule: 5 1 1 *
Requires engine install: Yes
Compatibility tag: .[type=‘instance’ & databasetype=‘sqlserver’]/instance[maj_version > ‘2005′ & hasengine=‘YES’ & eng_inst_priv = 0 & (engine_edition = ‘Microsoft SQL Server’ engine_edition = ‘Azure SQL Managed Instance’)]

Parameters

Name Default value Description
return status 1 Return status value (ALARM – 2, WARNING – 1, or OK – 0) when the “xp_cmdshell” parameter is enabled.
disable cmd shell setting NO If set to “YES“ the alert will disable “xp_cmdshell” (if it is enabled) by running sp_configure stored procedure.
history threshold 365 The maximum number of days to keep statistics for in the historic tables.

Job Summary

SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'

Job Details

Dependencies

The job ensures certain required dependencies are in place with clean-up on failure:

Implementation

The job implementation involves:

Report Templates

The report consists of various parts:

The output in these reports includes whether ‘xp_cmdshell’ was enabled or disabled, frequency of checks, and the respective dates and times these parameters were recorded.

Security and Compliance

Upgrade and Maintenance