UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Only authorized XML Web Service endpoints should be configured on the server.


Overview

Finding ID Version Rule ID IA Controls Severity
V-15206 DM6126-SQLServer9 SV-23856r1_rule DCFA-1 Medium
Description
XML Web Service endpoints expose the database its data to web service access. Where not carefully designed and implemented, web services can unnecessarily expose the database to additional exploit that compromises data confidentiality and integrity. Removing web service endpoints helps to protect the database from unauthorized web service access.
STIG Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide 2015-04-03

Details

Check Text ( None )
None
Fix Text (F-14831r1_fix)
Authorized and document XML web service endpoints in the System Security Plan and AIS Functional Architecture documentation. Where not authorized, drop XML web service endpoints.

From the query prompt:

DROP ENDPOINT [endpoint name]

Where documented and authorized, set each endpoint to use the appropriate authentication protocol, SSL if required and disable anonymous access if not authorized. If a clear port is also required and authorized, ensure the value for clear_port is set to a known value (i.e. HTTP port 80 or other IAO authorized port value).