Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15211 | DM6199-SQLServer9 | SV-25501r1_rule | DCFA-1 | Medium |
Description |
---|
The SMO and DMO XPs are management object extended stored procedures that provide highly privileged actions that run externally to the DBMS under the security context of the SQL Server service account. If these procedures are available from a database session, an exploit to the SQL Server instance could result in a compromise of the host system and external SQL Server resources including the SQL Server software, audit, log and data files. Access to these procedures should be disabled unless a clear requirement for their use is indicated and authorized. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Check Text (C-13602r1_chk) |
---|
From the query prompt: `SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'smo and dmo xps'`. If the value of Config_Value is 1, confirm in the System Security Plan and AIS Functional Architecture documentation that this option is documented and is required and approved by the IAO. If it is not documented, required and approved, this is a Finding. Note: If you are using SQL Server Management Studio to administer the SQL Server DBMS, document, approve and enable this option in the System Security Plan. |
Fix Text (F-14651r1_fix) |
---|
Authorize and document requirements for use of the SMO and DMO XPs option in the System Security Plan and AIS Functional Architecture documentation. Where not required and authorized, disable its use. From the query prompt, run in order: `EXEC SP_CONFIGURE 'show advanced options', 1`, then `EXEC SP_CONFIGURE 'SMO and DMO XPs', 0`, then `RECONFIGURE`. |