Only authorized XML Web Service endpoints should be configured on the server.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-15206	DM6126-SQLServer9	SV-23856r1_rule	DCFA-1	Medium

Description
XML Web Service endpoints expose the database its data to web service access. Where not carefully designed and implemented, web services can unnecessarily expose the database to additional exploit that compromises data confidentiality and integrity. Removing web service endpoints helps to protect the database from unauthorized web service access.

STIG	Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide	2015-04-03

Details

Check Text ( None )
None

Fix Text (F-14831r1_fix)
Authorized and document XML web service endpoints in the System Security Plan and AIS Functional Architecture documentation. Where not authorized, drop XML web service endpoints. From the query prompt: DROP ENDPOINT [endpoint name] Where documented and authorized, set each endpoint to use the appropriate authentication protocol, SSL if required and disable anonymous access if not authorized. If a clear port is also required and authorized, ensure the value for clear_port is set to a known value (i.e. HTTP port 80 or other IAO authorized port value).

Fix Text (F-14831r1_fix)

Authorized and document XML web service endpoints in the System Security Plan and AIS Functional Architecture documentation. Where not authorized, drop XML web service endpoints.

From the query prompt:

DROP ENDPOINT [endpoint name]

Where documented and authorized, set each endpoint to use the appropriate authentication protocol, SSL if required and disable anonymous access if not authorized. If a clear port is also required and authorized, ensure the value for clear_port is set to a known value (i.e. HTTP port 80 or other IAO authorized port value).