Analysis Services user-defined COM functions should be disabled if not required.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-15181 | DM6099-SQLServer9 | SV-25470r1_rule | DCFA-1 | Medium |
| Description |
|---|
| Allowing user-defined COM functions can allow unauthorized code access to the Analysis Services instance. Where not required as part of the operational design, allowing user-defined COM functions can expose the instance to unnecessary risk. |
| STIG | Date |
|---|---|
| Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Details
| Check Text ( C-13797r1_chk ) |
|---|
| If Analysis Services is not deployed on the local host, this check is Not a Finding. Note: To detect deployment, view Windows Services. If SQL Server Analysis Services ([instance name]) is not listed, then Analysis Services is not installed on this host. If the System Security Plan indicates User-Defined COM Functions is required for operation, this check is Not a Finding. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Feature \ ComUdfEnabled If the value = 'true', this is a Finding. The User-Defined COM Functions value may also be viewed in the Analysis Services configuration file, msmdsrv.ini under XML tag: [ComUdfEnabled] The configuration file may be found in the [install dir] \ MSSQL.[#] \ OLAP \ Config directory. |
| Fix Text (F-14817r1_fix) |
|---|
| If not documented as required and authorized by the IAO, set value for ComUdfEnabled to 'false'. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Feature \ ComUdfEnabled 5. Select value = 'false' 6. Click OK |