6.3.1 Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'

Information

It is recommended to set external scripts enabled database flag for Cloud SQL SQL Server instance to off

Rationale:

external scripts enabled enable the execution of scripts with certain remote language extensions. This property is OFF by default. When Advanced Analytics Services is installed, setup can optionally set this property to true. As the External Scripts Enabled feature allows scripts external to SQL such as files located in an R library to be executed, which could adversely affect the security of the system, hence this should be disabled. This recommendation is applicable to SQL Server database instances.

Impact:

Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.

Solution

From Google Cloud Console

Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.

Select the SQL Server instance for which you want to enable to database flag.

Click Edit.

Scroll down to the Flags section.

To set a flag that has not been set on the instance before, click Add item, choose the flag external scripts enabled from the drop-down menu, and set its value to off.

Click Save to save your changes.

Confirm your changes under Flags on the Overview page.

From Google Cloud CLI

Configure the external scripts enabled database flag for every Cloud SQL SQL Server database instance using the below command.

gcloud sql instances patch <INSTANCE_NAME> --database-flags 'external scripts enabled'=off

Note:
This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ('=').

Default Value:

By default external scripts enabled is off

See Also

https://workbench.cisecurity.org/benchmarks/11843

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CM-7, 800-53|CM-7(1), 800-53|SI-7, 800-53|SI-7(1), CSCv7|2.9

Plugin: GCP

Control ID: 993b2bedb3ccfd59fd3e4473f0bae0fc14b35aa736ec795cf7ca088f71887320