xp_cmdshell: should it ever be used?
Turning off xp_CmdShell is a bit like putting a veil over rotting meat. It brings a false sense of security to the table and the flies can still get at the meat. Allow me to explain.
Who can use xp_CmdShell? That's right. Only people/app logins with "SA" privs or people that you made the horrible mistake of granting a proxy to can use it.
Next question. If you have xp_CmdShell turned off, who are the only people that can turn it back on? Correct again! Only people/apps with "SA" privs can turn it back on.
So, what's the real issue with xp_CmdShell being a security risk? The answer is xp_CmdShell is NOT a security risk. Poor security is the only security risk. If a hacker or a malicious internal user gets into the system with "SA" privs, then they can turn xp_CmdShell on in moments. Yeah, that action gets logged, but that only provides documented testimony that security was grossly lacking to begin with.
Turning xp_CmdShell off does nothing for security except to provide a chance for that part of a hacker's code to turn it back on to run.
I'll say it again. xp_CmdShell is not a security risk. Only bad security is a security risk. Fix your security and then turn on xp_CmdShell. It's a wonderful tool and you're missing out on it because of bad security practices and myth.
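The post above argues from three facts: only sysadmin (or a login granted the proxy) can run xp_cmdshell, only sysadmin can enable it, and enabling it takes one sp_configure call. The T-SQL below is an added example, not code from the thread or from Microsoft, that audits exactly those three things on a SQL Server instance and then shows the enable sequence the post refers to. It assumes SQL Server 2005 or later and uses only the documented catalog views and the documented fixed name of the xp_cmdshell proxy credential.

```sql
-- Added example (not from the original post): audit the state the post
-- describes, then the enable/disable sequence only sysadmin can run.
-- Assumes SQL Server 2005+; view, column and credential names are the documented ones.

-- 1. Is xp_cmdshell currently enabled? (value_in_use = 1 means yes)
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Who holds sysadmin? These are the only principals that can enable it,
--    and they can run it directly once it is on.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
  AND sp.type IN ('S', 'U', 'G');      -- SQL login, Windows login, Windows group

-- 3. Has a proxy account been configured (sp_xp_cmdshell_proxy_account)?
--    Non-sysadmin callers run under this Windows identity; the post calls
--    granting it a "horrible mistake", so know whether it exists.
SELECT name, credential_identity
FROM sys.credentials
WHERE name = '##xp_cmdshell_proxy_account##';

-- 4. Which principals were granted EXECUTE on xp_cmdshell in master?
--    Without sysadmin, a login also needs this grant plus a master user mapping.
SELECT pr.name, pe.permission_name, pe.state_desc
FROM master.sys.database_permissions AS pe
JOIN master.sys.database_principals AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pe.major_id = OBJECT_ID('master.dbo.xp_cmdshell');

-- 5. The enable sequence a sysadmin (or an attacker holding sysadmin) runs.
--    Swap the 1 for 0 in the second call to turn it back off.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
```

Queries 2 through 4 are the ones worth scheduling: an empty result from 3 and 4 plus a short, expected list from 2 is the "good security" the post says matters more than the on/off switch. Each sp_configure change is also written to the SQL Server error log, which is the logging the post mentions.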
It is always a risk. It should always be reviewed. It can be properly mitigated.
There are legitimate uses, sometimes necessities, but watch your input closely!
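"Watch your input closely" is the whole game when xp_cmdshell is wrapped in a stored procedure: the argument ends up on a cmd.exe command line, so anything the shell treats specially becomes a second command. The pair of procedures below is an added, constructed example, not code from this thread, showing the mistake and one way to close it. The procedure names, the @Path parameter and the C:\Reports root are assumptions for illustration; CREATE OR ALTER needs SQL Server 2016 SP1 or later.

```sql
-- Added example (not from the original thread): unsafe vs. hardened wrapper.
-- Constructed procedures; names, parameter and the C:\Reports root are assumptions.

-- Unsafe: caller input is concatenated straight into the OS command line.
-- A value such as  C:\Reports" & whoami > C:\out.txt & echo "  closes the
-- quote and runs a second command with the service or proxy account's rights.
CREATE OR ALTER PROCEDURE dbo.ListFolder_Unsafe @Path nvarchar(260)
AS
BEGIN
    DECLARE @cmd nvarchar(4000) = N'dir "' + @Path + N'"';
    EXEC master.dbo.xp_cmdshell @cmd;
END;
GO

-- Hardened: the caller supplies data, never command structure.
--  * allow-list the root the procedure is meant to serve
--  * reject every character outside a narrow set (no & | > < ^ % " or ')
--  * reject traversal, so the allow-listed root cannot be escaped
CREATE OR ALTER PROCEDURE dbo.ListFolder_Safe @Path nvarchar(260)
AS
BEGIN
    IF @Path IS NULL
       OR @Path NOT LIKE N'C:\Reports\%'            -- must stay under the approved root
       OR @Path LIKE N'%[^A-Za-z0-9:\_ .-]%'        -- any character outside this set is rejected
       OR @Path LIKE N'%..%'                        -- no directory traversal
    BEGIN
        RAISERROR(N'Rejected path: %s', 16, 1, @Path);
        RETURN;
    END;

    DECLARE @cmd nvarchar(4000) = N'dir "' + @Path + N'"';
    EXEC master.dbo.xp_cmdshell @cmd;
END;
GO

-- Constructed calls: the first lists the folder, the second is rejected before
-- any command is built.
EXEC dbo.ListFolder_Safe N'C:\Reports\2024';
EXEC dbo.ListFolder_Safe N'C:\Reports" & whoami > C:\out.txt & echo "';
```

Two caveats a practitioner would add. First, grant EXECUTE on the wrapper procedure, not on xp_cmdshell itself, so the allow-list is the only path to the shell. Second, the validation is only as good as the character set you chose; if the legitimate inputs ever need a character you excluded, widen the set deliberately rather than dropping the check, and prefer passing the value to a program that takes it as an argument over building a cmd.exe line at all.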
I think "it should not be used" is probably pretty good advice. That's not a categorical "It's always insecure", but rather a recognition that xp_cmdshell is dangerous and any use of it is grounds for concern and careful scrutiny.
And even if you think you know how to avoid the security risks, xp_cmdshell is still probably not the best tool to use. Odds are that there is a better solution (one which also, fortuitously happens to be less risky).