
OLE Automation extended stored procedures should be restricted to sysadmin access.


Overview

Finding ID: V-2472
Version: DM2095-SQLServer9
Rule ID: SV-23814r1_rule
IA Controls: DCFA-1
Severity: Medium
Description
Extended stored procedures allow SQL Server users to execute functions external to SQL Server. An extended stored procedure is a function within a Windows DLL that can be referenced as a stored procedure. While this feature is a powerful extension of SQL Server, it also increases the risk of SQL Server users gaining unauthorized access to the operating system. The Windows account used by SQL Server to log on determines the security context used by extended stored procedures. Certain sensitive extended stored procedures should be closely monitored. These sensitive stored procedures include the OLE Automation stored procedures. OLE Automation stored procedures can be used to reconfigure the security of other services including IIS (Internet Information Server).
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-04-03

Details

Check Text (None)
None
Fix Text (F-19737r1_fix)
Disable OLE extended stored procedures where they are not needed, or restrict access to members of the sysadmin role and other authorized roles.

Disable OLE extended stored procedures:

From the query prompt:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;  -- 'OLE Automation Procedures' is an advanced option; it cannot be set until this takes effect
EXEC sp_configure 'OLE Automation Procedures', 0;
RECONFIGURE;

Note: SQL Server 2005 does not drop system extended stored procedures. Microsoft recommends denying EXEC permissions instead.
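The following T-SQL is an added example, not part of the STIG fix text: it audits the option state and the EXECUTE permissions on the OLE Automation procedures, then applies the DENY EXEC approach the note recommends. It assumes you connect as a member of sysadmin and that the sp_OA* procedures (sp_OACreate, sp_OADestroy, sp_OAGetErrorInfo, sp_OAGetProperty, sp_OAMethod, sp_OASetProperty, sp_OAStop) reside in master, as they do on SQL Server 2005.

```sql
-- Added example; not the STIG's own text. Syntax kept SQL Server 2005-compatible
-- (no DECLARE-with-initializer). Run as a member of sysadmin.
USE master;
GO

-- Audit 1: is the option on? value_in_use = 1 means OLE Automation is enabled.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'Ole Automation Procedures';

-- Audit 2: who holds EXECUTE on the sp_OA* procedures, and is it GRANT or DENY?
-- A GRANT to any principal outside the sysadmin role is a finding under this rule.
-- ESCAPE is needed because '_' is a single-character wildcard in LIKE.
SELECT o.name        AS procedure_name,
       pr.name       AS grantee,
       pe.state_desc AS permission_state
FROM sys.database_permissions AS pe
JOIN sys.objects AS o
  ON o.object_id = pe.major_id AND pe.class = 1      -- class 1 = object permission
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE o.type = 'X'                                   -- extended stored procedure
  AND o.name LIKE 'sp\_OA%' ESCAPE '\'
  AND pe.permission_name = 'EXECUTE';

-- Remediate: deny EXECUTE to public on every OLE Automation procedure.
-- Members of sysadmin bypass permission checks, so they keep access; everyone
-- else loses it. The generated statements are printed first for review.
DECLARE @sql nvarchar(max);
SET @sql = N'';
SELECT @sql = @sql
    + N'DENY EXECUTE ON ' + QUOTENAME(SCHEMA_NAME(o.schema_id)) + N'.'
    + QUOTENAME(o.name) + N' TO public;' + CHAR(10)
FROM sys.objects AS o
WHERE o.type = 'X'
  AND o.name LIKE 'sp\_OA%' ESCAPE '\';
PRINT @sql;
EXEC sp_executesql @sql;
GO
```

Re-run Audit 2 afterwards: each sp_OA* procedure should now show a DENY row for public, and no GRANT rows for non-sysadmin principals.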