SQL Server: Why xp_cmdshell is disabled by default?

What are the security reasons th开发者_StackOverflow社区at extended stored procedure xp_cmdshell is disabled by default?

You can find an explanation in the Permissions section of the SQL Server documentation, where it states that:

Because malicious users sometimes attempt to elevate their privileges by using xp_cmdshell, xp_cmdshell is disabled by default.

You can find a more detailed explanation in the SQL Server Security blog. A brief excerpt from the blog states:

In many cases, people enable xp_cmdshell and grant access to it to non-sysadmin principals in order to perform one or two operations on the system without realizing that the user with access to it can execute any arbitrary command, and in some cases, effectively escalate his/her privileges to sysadmin or even box administrator - obviously a situation that is less than desirable. Xp_cmdshell is really difficult to control effectively, and even auditing its usage may still allow the attacker to abuse its power for some time until the trail of this abuse is found, and at that point the damage may already be done.