
Only authorized XML Web Service endpoints should be configured on the server.


Overview

Finding ID: V-15206
Version: DM6126-SQLServer9
Rule ID: SV-23856r2_rule
IA Controls: DCFA-1
Severity: Medium
Description
XML Web Service endpoints expose the database and its data to web service access. Where not carefully designed and implemented, web services can unnecessarily expose the database to additional exploitation that compromises data confidentiality and integrity. Removing web service endpoints helps to protect the database from unauthorized web service access.

STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-13811r2_chk)
From the query prompt:

-- List HTTP endpoints that accept no Windows authentication (integrated, Kerberos or NTLM)
-- and are STARTED (state = 0), i.e. reachable over the network
SELECT name
FROM [master].sys.http_endpoints
WHERE (is_integrated_auth_enabled = 0
AND is_kerberos_auth_enabled = 0
AND is_ntlm_auth_enabled = 0)
AND state = 0
ORDER BY name

Review the list of any endpoints returned. If no records are returned, this is Not a Finding.

If any endpoints are returned and not listed as a required and authorized XML web service endpoint in the System Security Plan and AIS Functional Architecture documentation, this is a Finding.

If listed endpoints are:

1. Not using integrated authentication (is_integrated_auth_enabled = 0),
2. Not using Kerberos authentication (is_kerberos_auth_enabled = 0),
3. Not using NT LAN Manager (NTLM) authentication (is_ntlm_auth_enabled = 0), and
4. STARTED, i.e. listening and processing requests (state = 0),

this is a Finding.

If listed endpoints are required to use SSL only (is_ssl_port_enabled = 1 and is_clear_port_enabled = 0) but are not configured that way, this is a Finding.

If listed endpoints are enabled for anonymous access (is_anonymous_enabled = 1) and this is not documented and authorized, this is a Finding.
Fix Text (F-14831r1_fix)
Authorize and document XML web service endpoints in the System Security Plan and AIS Functional Architecture documentation. Where not authorized, drop the XML web service endpoints.

From the query prompt:

DROP ENDPOINT [endpoint name]

Where documented and authorized, set each endpoint to use the appropriate authentication protocol, enable SSL if required, and disable anonymous access if it is not authorized. If a clear port is also required and authorized, ensure the value of clear_port is set to a known value (e.g. HTTP port 80 or another IAO-authorized port).
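The following is an added example, not part of the STIG text: an audit query that evaluates every condition the check text lists in one pass (Windows authentication, anonymous access, clear port, state) and labels each endpoint with the reason it would need review, followed by an ALTER ENDPOINT statement that applies the fix text to a documented endpoint. The endpoint name in the ALTER statement is a placeholder and the SSL port number 443 is an assumption.

```sql
-- Added audit query (not from the STIG): review every HTTP endpoint against the
-- conditions in the check text and label why it would be a finding.
USE master;
GO
SELECT  name,
        state_desc,
        is_integrated_auth_enabled,
        is_kerberos_auth_enabled,
        is_ntlm_auth_enabled,
        is_ssl_port_enabled,
        is_clear_port_enabled,
        clear_port,
        is_anonymous_enabled,
        CASE
          -- Condition 4: only STARTED endpoints (state = 0) are reachable, so
          -- stopped or disabled ones are not a finding under this check
          WHEN state <> 0 THEN 'not started'
          -- Conditions 1-3: no Windows authentication method is enabled at all
          WHEN is_integrated_auth_enabled = 0
           AND is_kerberos_auth_enabled = 0
           AND is_ntlm_auth_enabled = 0
               THEN 'FINDING: no integrated, Kerberos or NTLM authentication'
          -- Anonymous access is a finding unless documented and authorized
          WHEN is_anonymous_enabled = 1
               THEN 'FINDING unless documented: anonymous access enabled'
          -- Clear port needs an authorization record and a known clear_port value
          WHEN is_clear_port_enabled = 1
               THEN 'REVIEW: clear (non-SSL) port enabled'
          ELSE 'REVIEW: confirm endpoint is documented in the SSP'
        END AS review_status
FROM    sys.http_endpoints
ORDER BY name;
GO

-- Remediation for a documented endpoint (placeholder name): require Windows
-- integrated authentication and serve only on the SSL port (assumed 443),
-- which removes the clear port and basic/digest credentials on the wire.
ALTER ENDPOINT [authorized_endpoint_name]
    STATE = STARTED
    AS HTTP (
        AUTHENTICATION = (INTEGRATED),
        PORTS = (SSL),
        SSL_PORT = 443
    );
GO
```

Endpoints the query flags as undocumented are removed with the DROP ENDPOINT statement from the fix text rather than altered.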