Ensure 'xp_cmdshell' Server Configuration Option is set to '0'

Description

The xp_cmdshell option controls whether an authenticated SQL Server user can use the xp_cmdshell extended stored procedure to execute operating-system commands in a command shell and have the results returned as rows within the SQL client.

Rationale

The xp_cmdshell procedure is commonly used by attackers to read data from, or write data to, the underlying operating system of a database server.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                      With Value
secureclouddb/provider   aws
secureclouddb/service    rds
secureclouddb/engine     sqlserver

Default Rule

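// checkServerSetting is taken from the `module` object available to the rule
const { checkServerSetting } = module
/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true if 'xp_cmdshell' is set to 0
 */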
function validate(databaseSettings) {
    const success = checkServerSetting(databaseSettings, 'xp_cmdshell', "0")

    return {
        success,
    }
}

validate(databaseSettings)
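
The following is an added example, not part of the product's rule or API. It evaluates rows shaped like the output of a sys.configurations query and checks both the configured value and the value in use, failing when the row is missing. The function names, column aliases and sample rows are assumptions made for illustration.

```javascript
// Audit query whose rows this example consumes (column aliases are assumptions):
//   SELECT name, CAST(value AS int) AS value_configured,
//          CAST(value_in_use AS int) AS value_in_use
//   FROM sys.configurations WHERE name = 'xp_cmdshell';

// Drivers may hand back numbers, strings or booleans; normalise to an int.
function toInt(v) {
    if (typeof v === 'boolean') return v ? 1 : 0;
    const n = Number.parseInt(String(v).trim(), 10);
    return Number.isNaN(n) ? null : n;
}

// Hypothetical helper, not the product's checkServerSetting.
function evaluateXpCmdshell(rows) {
    const row = (rows || []).find(
        (r) => String(r.name).toLowerCase() === 'xp_cmdshell'
    );
    if (!row) {
        // Fail closed: no evidence is not the same as "disabled".
        return { success: false, reason: 'setting not found' };
    }
    const configured = toInt(row.value_configured);
    const inUse = toInt(row.value_in_use);
    if (configured === null || inUse === null) {
        return { success: false, reason: 'non-numeric value' };
    }
    if (configured === 0 && inUse === 0) {
        return { success: true, reason: 'disabled' };
    }
    if (configured === 0) {
        return { success: false, reason: 'configured off, still active' };
    }
    if (inUse === 0) {
        return { success: false, reason: 'configured on, not yet active' };
    }
    return { success: false, reason: 'enabled' };
}

// Constructed sample rows, not captured from a real server.
const SAMPLE_ROWS = {
    compliant: [{ name: 'xp_cmdshell', value_configured: 0, value_in_use: 0 }],
    pendingOff: [{ name: 'xp_cmdshell', value_configured: '0', value_in_use: '1' }],
    enabled: [{ name: 'XP_CMDSHELL', value_configured: 1, value_in_use: 1 }],
    missing: [{ name: 'clr enabled', value_configured: 0, value_in_use: 0 }],
};

for (const [label, rows] of Object.entries(SAMPLE_ROWS)) {
    console.log(label, JSON.stringify(evaluateXpCmdshell(rows)));
}
```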