2.3 Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0'

Information

The cross db ownership chaining option controls cross-database ownership chaining across all databases at the instance (or server) level.

When enabled, this option allows a member of the db_owner role in a database to gain access to objects owned by a login in any other database, causing an unnecessary information disclosure. When required, cross-database ownership chaining should only be enabled for the specific databases requiring it instead of at the instance level for all databases, by using the ALTER DATABASE <database_name> SET DB_CHAINING ON command. This database option may not be changed on the master, model, or tempdb system databases.

Solution

For AWS RDS Instances, please refer to the documentation for using Parameter Groups here:

Working with parameter groups

Run the following T-SQL command:

EXECUTE sp_configure 'cross db ownership chaining', 0;
RECONFIGURE;
GO
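The following T-SQL is an added example (not part of the CIS benchmark or the Tenable audit) that audits the instance-level value the control checks, applies the remediation above, lists databases that still have per-database chaining enabled, and shows the scoped alternative from the Information section; the database name SalesDB is an assumed placeholder.

```sql
-- Added example; not the benchmark's or Tenable's own code.
-- Audit, remediate, and scope cross-database ownership chaining.
-- 'SalesDB' is an assumed placeholder database name.

-- 1. Audit: the configured value and the value currently in effect.
--    Both must be 0 for this control to pass.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'cross db ownership chaining';

-- 2. Remediate at the instance level (the benchmark's recommended state).
EXECUTE sp_configure 'cross db ownership chaining', 0;
RECONFIGURE;
GO

-- 3. Find databases that still have the per-database option enabled.
--    master, model and tempdb are excluded because the option cannot be
--    changed on them; msdb is ON by default and is reported for review.
SELECT name, is_db_chaining_on
FROM sys.databases
WHERE is_db_chaining_on = 1
  AND name NOT IN ('master', 'model', 'tempdb');

-- 4. If one application genuinely needs chaining, enable it only for the
--    databases involved (each source and target database must have it ON)
--    rather than instance-wide. Uncomment to apply to the placeholder.
-- ALTER DATABASE SalesDB SET DB_CHAINING ON;
```

Re-run step 1 after RECONFIGURE to confirm value_in_use is 0; the setting is dynamic, so no service restart is needed.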

See Also

https://workbench.cisecurity.org/benchmarks/14058

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: MS_SQLDB

Control ID: 7ca7f5327aa4783db6d93a9deef11f5cf34cdf944abd602a586f6e11e811149b