UCF STIG Viewer Logo

The SMO and DMO SPs option should be set to disabled if not required.


Overview

Finding ID Version Rule ID IA Controls Severity
V-15211 DM6199-SQLServer9 SV-25501r1_rule DCFA-1 Medium
Description
The SMO and DMO XPs are management object extended stored procedures that provide highly privileged actions that run externally to the DBMS under the security context of the SQL Server service account. If these procedures are available from a database session, an exploit to the SQL Server instance could result in a compromise of the host system and external SQL Server resources including the SQL Server software, audit, log and data files. Access to these procedures should be disabled unless a clear requirement for their use is indicated and authorized.
STIG Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide 2015-06-16

Details

Check Text ( C-13602r1_chk )
From the query prompt:

SELECT CAST(value AS INT) 'Config_Value'
FROM [master].sys.configurations
WHERE name = 'smo and dmo xps'

If the value of Config_Value is 1, confirm in the System Security Plan and AIS Functional Architecture documentation that this option is documented and is required and approved by the IAO. If it is not documented, required and approved, this is a Finding.

Note: If you are using SQL Server Management Studio to administer the SQL Server DBMS, document, approve and enable this option in the System Security Plan.
Fix Text (F-14651r1_fix)
Authorize and document requirements for use of the SMO and DMO XPs option in the System Security Plan and AIS Functional Architecture documentation. Where not required and authorized, disable its use.

From the query prompt:

EXEC SP_CONFIGURE 'show advanced options', 1
EXEC SP_CONFIGURE 'SMO and DMO XPs', 0
RECONFIGURE