Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15198 | DM6130-SQLServer9 | SV-25488r1_rule | DCFA-1 | Medium |
Description |
---|
The Web Assistant procedures are used by database applications to create web pages. This capability may easily be abused to send malicious messages to remote users or systems. Disabling its use helps to protect the database from generating or receiving malicious email notifications. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Check Text ( C-13813r1_chk ) |
---|
From the query prompt: `SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'web assistant procedures'` If the value of Config_Value is 1, confirm in the System Security Plan and AIS Functional Architecture documentation that Web Assistant procedures are required and approved by the IAO. If it is not documented, required and approved, this is a Finding. |
Fix Text (F-14833r1_fix) |
---|
Authorize and document requirements for use of Web Assistant Procedures in the System Security Plan and AIS Functional Architecture documentation. Where not authorized, disable use of Web Assistant Procedures. From the query prompt: `EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'Web Assistant procedures', 0; RECONFIGURE;` |
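
The following T-SQL is an added example, not part of the STIG text. It extends the check above by comparing the configured value with the running value (`value_in_use`), so a setting that was changed but never applied with RECONFIGURE is reported separately. The message wording and the case-insensitive collation on the name match are choices made for this example.

```sql
-- Added example: audit of the 'Web Assistant Procedures' option (SQL Server 2005).
-- Reports the configured value and the running value separately, because a
-- change made with sp_configure does not take effect until RECONFIGURE runs.
SET NOCOUNT ON;

DECLARE @configured INT, @running INT;

-- The COLLATE clause lets the name match on case-sensitive instances as well.
SELECT @configured = CAST(value AS INT),
       @running    = CAST(value_in_use AS INT)
FROM   [master].sys.configurations
WHERE  name COLLATE Latin1_General_CI_AS = 'web assistant procedures';

IF @configured IS NULL
    PRINT 'Option not found in sys.configurations: review manually.';
ELSE IF @configured = 0 AND @running = 0
    PRINT 'Disabled (configured 0, running 0): not a finding.';
ELSE IF @configured = 0 AND @running = 1
    PRINT 'Configured 0 but running 1: RECONFIGURE has not been applied.';
ELSE
    PRINT 'Config_Value is 1: a finding unless documented, required and approved by the IAO.';
```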