Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The Agent XPs option should be set to disabled if not required.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-15210 | DM6198-SQLServer9 | SV-25500r1_rule | DCFA-1 | Medium |
| Description |
|---|
| The Agent XPs are extended stored procedures used by the SQL Server Agent that provide privileged actions that run externally to the DBMS under the security context of the SQL Server Agent service account. If these procedures are available from a database session, an exploit to the SQL Server instance could result in a compromise of the host system and external SQL Server resources. Access to these procedures should be disabled unless use of SQL Server Agent is required and authorized. |
| STIG | Date |
|---|---|
| Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-04-03 |
Details
| Check Text ( C-13601r1_chk ) |
|---|
| From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'agent xps' If the value of Config_Value is 1, confirm in the System Security Plan that this option is documented, required and approved by the IAO. If it is not documented, required and approved, this is a Finding. Note: If you are using SQL Server Management Studio to administer the SQL Server DBMS, document, approve and enable this option in the System Security Plan. |
| Fix Text (F-14650r1_fix) |
|---|
| Authorize and document requirements for use of the Agent XPs option in the System Security Plan and AIS Functional Architecture documentation. Where not required and authorized, disable its use. From the query prompt: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'Agent XPs', 0 RECONFIGURE |