2.8 Ensure 'Scan for Startup Procs' Server Configuration Option is set to '0'

Information

The scan for startup procs option, if enabled, causes SQL Server to scan for and automatically run all stored procedures that are set to execute upon service startup.

Rationale:

Enforcing this control reduces the threat of an entity leveraging startup stored procedures for malicious purposes.

Solution

Run the following T-SQL command:

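-- 'scan for startup procs' is an advanced option, so expose advanced options first.
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
-- Disable the startup procedure scan.
EXECUTE sp_configure 'scan for startup procs', 0;
RECONFIGURE;
GO
-- Hide advanced options again.
EXECUTE sp_configure 'show advanced options', 0;
RECONFIGURE;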

Restart the Database Engine.


Impact:

Setting Scan for Startup Procedures to 0 will prevent certain audit traces and other commonly used monitoring stored procedures from restarting at startup. Additionally, replication requires this setting to be enabled (1) and will automatically change this setting if needed.
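
An added audit query, not part of the benchmark text: it reports the configured and running values of the option, lists the procedures in master that are marked to run at startup (the ones that stop auto-starting once the option is 0), and lists databases involved in replication, which the Impact note says will turn the setting back on. It reads catalog views only and changes nothing; the column aliases and status labels are choices made for this example.

```sql
-- Added audit example (not from the benchmark). Read-only.
SET NOCOUNT ON;

-- 1. Configured value vs. value in use. Both should be 0.
--    A configured 0 with value_in_use 1 means the change was made
--    but the Database Engine has not been restarted yet.
SELECT  c.name,
        CAST(c.value AS int)        AS value_configured,
        CAST(c.value_in_use AS int) AS value_in_use,
        CASE
            WHEN CAST(c.value AS int) = 0
             AND CAST(c.value_in_use AS int) = 0 THEN 'PASS'
            WHEN CAST(c.value AS int) = 0        THEN 'PENDING RESTART'
            ELSE 'FAIL'
        END                         AS audit_status
FROM    sys.configurations AS c
WHERE   c.name = 'scan for startup procs';

-- 2. Procedures marked to execute at startup. These live in master.
--    Review each one: an unexpected entry needs investigation, and an
--    expected one (audit trace, monitoring) will no longer auto-start.
SELECT  SCHEMA_NAME(p.schema_id) AS schema_name,
        p.name                   AS procedure_name,
        p.create_date,
        p.modify_date
FROM    master.sys.procedures AS p
WHERE   p.is_auto_executed = 1
ORDER BY p.modify_date DESC;

-- 3. Databases taking part in replication. If any rows come back,
--    expect replication to set the option back to 1.
SELECT  d.name,
        d.is_published,
        d.is_merge_published,
        d.is_subscribed,
        d.is_distributor
FROM    sys.databases AS d
WHERE   d.is_published = 1
   OR   d.is_merge_published = 1
   OR   d.is_subscribed = 1
   OR   d.is_distributor = 1;
```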

Default Value:

By default, this option is disabled (0).

References:

https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-scan-for-startup-procs-server-configuration-option

See Also

https://workbench.cisecurity.org/files/2837

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|18, CSCv7|5.1

Plugin: MS_SQLDB

Control ID: fbbc277bbea10a7d63e9d1d2433ff206d7d1d838393efbbe103d969d5a5f9916