2.6 Ensure 'Remote Access' Server Configuration Option is set to '0'

Information

The remote access option controls the execution of local stored procedures on remote servers or remote stored procedures on local server.

Rationale:

Functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target.

Impact:

Per Microsoft: This feature may be removed in a future version of Microsoft SQL Server. Do not use this feature in new development work, and modify applications that currently use this feature as soon as possible. Use sp_addlinkedserver instead.

Solution

For AWS RDS Instances, please refer to the documentation for using Parameter Groups here:
Working with parameter groups
Otherwise, run the following T-SQL command:

EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'remote access', 0;
RECONFIGURE;
GO
EXECUTE sp_configure 'show advanced options', 0;
RECONFIGURE;

Restart the Database Engine.

Default Value:

By default, this option is enabled (1).

See Also

https://workbench.cisecurity.org/benchmarks/12777

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.2

Plugin: MS_SQLDB

Control ID: 18adb4436c51116ebe17432f0b067b81f9866d0e101399efee68d899938cf085