SQL6-D0-017800 - The SQL Server Browser service must be disabled unless specifically required and approved.

Information

The SQL Server Browser simplifies the administration of SQL Server, particularly when multiple instances of SQL Server coexist on the same computer. It avoids the need to hard-assign port numbers to the instances and to set and maintain those port numbers in client systems. It enables administrators and authorized users to discover database management system instances, and the databases they support, over the network. SQL Server uses the SQL Server Browser service to enumerate instances of the Database Engine installed on the computer. This enables client applications to browse for a server, and helps clients distinguish between multiple instances of the Database Engine on the same computer.

This convenience also presents the possibility of unauthorized individuals gaining knowledge of the available SQL Server resources. Therefore, it is necessary to consider whether the SQL Server Browser is needed. Typically, if only a single instance is installed, using the default name (MSSQLSERVER) and port assignment (1433), the Browser is not adding any value. The more complex the installation, the more likely SQL Server Browser is to be helpful.

This requirement is not intended to prohibit use of the Browser service in any circumstances. It calls for administrators and management to consider whether the benefits of its use outweigh the potential negative consequences of it being used by an attacker to browse the current infrastructure and retrieve a list of running SQL Server instances.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

If SQL Server Browser is needed, document the justification and obtain the appropriate authorization.

Where SQL Server Browser is judged unnecessary, the Service can be disabled.

To disable, in the Services tool, double-click 'SQL Server Browser'. Set 'Startup Type' to 'Disabled'. If 'Service Status' is 'Running', click on 'Stop'. Click on 'OK'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2016_Y24M04_STIG.zip

Item Details

References: CAT|III, CCI|CCI-000366, Rule-ID|SV-214042r879887_rule, STIG-ID|SQL6-D0-017800, STIG-Legacy|SV-94055, STIG-Legacy|V-79349, Vuln-ID|V-214042

Plugin: Windows

Control ID: 5c61942e2614bb0ec60fb760b52f2f816989bb5b64ad8644e93dc9ede4b07e57