UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Agent XPs option should be set to disabled if not required.


Overview

Finding ID Version Rule ID IA Controls Severity
V-15210 DM6198-SQLServer9 SV-25500r1_rule DCFA-1 Medium
Description
The Agent XPs are extended stored procedures used by the SQL Server Agent that provide privileged actions that run externally to the DBMS under the security context of the SQL Server Agent service account. If these procedures are available from a database session, an exploit to the SQL Server instance could result in a compromise of the host system and external SQL Server resources. Access to these procedures should be disabled unless use of SQL Server Agent is required and authorized.
STIG Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide 2015-06-16

Details

Check Text ( C-13601r1_chk )
From the query prompt:

SELECT CAST(value AS INT) 'Config_Value'
FROM [master].sys.configurations
WHERE name = 'agent xps'

If the value of Config_Value is 1, confirm in the System Security Plan that this option is documented, required and approved by the IAO. If it is not documented, required and approved, this is a Finding.

Note: If you are using SQL Server Management Studio to administer the SQL Server DBMS, document, approve and enable this option in the System Security Plan.
Fix Text (F-14650r1_fix)
Authorize and document requirements for use of the Agent XPs option in the System Security Plan and AIS Functional Architecture documentation. Where not required and authorized, disable its use.

From the query prompt:

EXEC SP_CONFIGURE 'show advanced options', 1
EXEC SP_CONFIGURE 'Agent XPs', 0
RECONFIGURE