Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-255317 | ASQL-00-002900 | SV-255317r871077_rule | Medium |
Description |
---|
In certain situations, to provide required functionality, a DBMS needs to execute internal logic (stored procedures, functions, triggers, etc.) and/or external code modules with elevated privileges. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking the functionality applications/programs, those users are indirectly provided with greater privileges than assigned by organizations. Privilege elevation by "Execute As" must be utilized only where necessary and protected from misuse. |
STIG | Date |
---|---|
Microsoft Azure SQL Database Security Technical Implementation Guide | 2022-11-16 |
Check Text ( C-58990r871075_chk ) |
---|
Review the system documentation to obtain a listing of stored procedures and functions that utilize impersonation. Execute the following query: SELECT S.name AS schema_name, O.name AS module_name, USER_NAME(CASE M.execute_as_principal_id WHEN -2 THEN COALESCE(O.principal_id, S.principal_id) ELSE M.execute_as_principal_id END) AS execute_as FROM sys.sql_modules M JOIN sys.objects O ON M.object_id = O.object_id JOIN sys.schemas S ON O.schema_id = S.schema_id WHERE execute_as_principal_id IS NOT NULL ORDER BY schema_name, module_name If any procedures or functions are returned that are not documented, this is a finding. |
Fix Text (F-58934r871076_fix) |
---|
Alter stored procedures and functions to remove the "EXECUTE AS" statement. |