SQL6-D0-007400 - Access to Non-Standard extended stored procedures must be disabled or restricted, unless specifically required and approved.

Information

Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).

It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives.

Applications must adhere to the principles of least functionality by providing only essential capabilities.

SQL Server may spawn additional external processes to execute procedures that are defined in the SQL Server but stored in external host files (external procedures). The spawned process used to execute the external procedure may operate within a different OS security context than SQL Server and provide unauthorized access to the host system.

Extended stored procedures are DLLs that an instance of SQL Server can dynamically load and run. Extended stored procedures run directly in the address space of an instance of SQL Server and are programmed by using the SQL Server Extended Stored Procedure API. Non-Standard extended stored procedures can compromise the integrity of the SQL Server process. This feature will be removed in a future version of Microsoft SQL Server. Do not use this feature in new development work, and modify applications that currently use this feature as soon as possible.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Remove any Non-Standard extended stored procedures that are not documented and approved.

sp_dropextendedproc 'proc name'

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2016_Y24M10_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7a., CAT|II, CCI|CCI-000381, Rule-ID|SV-213959r960963_rule, STIG-ID|SQL6-D0-007400, STIG-Legacy|SV-93887, STIG-Legacy|V-79181, Vuln-ID|V-213959

Plugin: MS_SQLDB

Control ID: 76f948fb4ea47724b3dd3e6a90fe9a7930b391c51b99c2e418597db998e04b0f