Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15181 | DM6099-SQLServer9 | SV-25470r1_rule | DCFA-1 | Medium |
Description |
---|
Allowing user-defined COM functions can allow unauthorized code access to the Analysis Services instance. Where not required as part of the operational design, allowing user-defined COM functions can expose the instance to unnecessary risk. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-04-03 |
Check Text (C-13797r1_chk) |
---|
If Analysis Services is not deployed on the local host, this check is Not a Finding. Note: To detect deployment, view Windows Services. If SQL Server Analysis Services ([instance name]) is not listed, then Analysis Services is not installed on this host. If the System Security Plan indicates that User-Defined COM Functions are required for operation, this check is Not a Finding. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance. 2. Right-click the Analysis Services instance. 3. Select Properties. 4. View the value listed for Feature \ ComUdfEnabled. If the value = 'true', this is a Finding. The User-Defined COM Functions value may also be viewed in the Analysis Services configuration file, msmdsrv.ini, under the XML tag [ComUdfEnabled]. The configuration file may be found in the [install dir] \ MSSQL.[#] \ OLAP \ Config directory. |
Fix Text (F-14817r1_fix) |
---|
If not documented as required and authorized by the IAO, set the value for ComUdfEnabled to 'false'. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance. 2. Right-click the Analysis Services instance. 3. Select Properties. 4. View the value listed for Feature \ ComUdfEnabled. 5. Select value = 'false'. 6. Click OK. |
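
The check above can also be run as a read-only script against the configuration file. This is an added example, not part of the STIG: the `$ConfigPath` parameter and the `Get-ComUdfState` helper are hypothetical names, and the script assumes the file may store the flag as either 1/0 or true/false.

```powershell
# Added example: audits ComUdfEnabled in msmdsrv.ini. Read-only, changes nothing.
param(
    # Assumption: full path to msmdsrv.ini, located under
    # [install dir]\MSSQL.[#]\OLAP\Config on the host being reviewed.
    [Parameter(Mandatory = $true)]
    [string]$ConfigPath
)

function Get-ComUdfState {
    param([xml]$Config)
    # Search by element name so the surrounding layout of the file is not assumed.
    $node = $Config.SelectSingleNode('//ComUdfEnabled')
    if ($null -eq $node) { return 'NotPresent' }
    # Assumption: accept both encodings of the flag (1/0 and true/false).
    switch ($node.InnerText.Trim().ToLowerInvariant()) {
        { '1', 'true'  -contains $_ } { return 'Enabled' }
        { '0', 'false' -contains $_ } { return 'Disabled' }
        default                       { return 'Unrecognized' }
    }
}

# Deployment test from the Check Text: is an Analysis Services service listed?
$ssas = Get-Service -DisplayName 'SQL Server Analysis Services*' -ErrorAction SilentlyContinue
if (-not $ssas) {
    'Not a Finding: Analysis Services is not installed on this host.'
    return
}
$ssas | ForEach-Object { "Found service: $($_.DisplayName) [$($_.Status)]" }

if (-not (Test-Path -LiteralPath $ConfigPath)) {
    throw "Configuration file not found: $ConfigPath"
}

# Casting the file content to [xml] fails loudly if the file is not well-formed.
$state = Get-ComUdfState -Config ([xml](Get-Content -LiteralPath $ConfigPath))

switch ($state) {
    'Enabled'  { 'Finding, unless the System Security Plan documents User-Defined COM Functions as required.' }
    'Disabled' { 'Not a Finding: ComUdfEnabled is off.' }
    default    { "Manual review: ComUdfEnabled is $state in $ConfigPath; confirm the value in Management Studio." }
}
```

On a host with several Analysis Services instances, run it once per instance's msmdsrv.ini, since each instance has its own configuration file.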