Access to external DBMS executables should be disabled or restricted.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-15618	DG0099-SQLServer9	SV-24096r2_rule	DCFA-1	Medium

Description
DBMS’s may spawn additional external processes to execute procedures that are defined in the DBMS, but stored in external host files (external procedures). The spawned process used to execute the external procedure may operate within a different OS security context than the DBMS and provide unauthorized access to the host system.

STIG	Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide	2015-06-16

Details

Check Text ( C-22807r2_chk )
From the query prompt: SELECT o.name AS [External Procedure Name] FROM master.sys.all_objects o LEFT JOIN master.sys.database_permissions p ON p.major_id = o.object_id LEFT JOIN master.sys.database_principals u ON p.grantee_principal_id = u.principal_id WHERE o.type = 'X' AND u.name IS NULL ORDER BY o.name Review the list of extended stored procedures returned. Verify that any extended stored procedures listed are documented in the System Security Plan as required for current or future operation and authorized by the IAO. If any extended stored procedures listed are not documented and authorized, this is a Finding.

Check Text ( C-22807r2_chk )

From the query prompt:

SELECT o.name AS [External Procedure Name]
FROM master.sys.all_objects o
LEFT JOIN master.sys.database_permissions p ON p.major_id = o.object_id
LEFT JOIN master.sys.database_principals u ON p.grantee_principal_id = u.principal_id
WHERE o.type = 'X' AND u.name IS NULL
ORDER BY o.name

Review the list of extended stored procedures returned.

Verify that any extended stored procedures listed are documented in the System Security Plan as required for current or future operation and authorized by the IAO.

If any extended stored procedures listed are not documented and authorized, this is a Finding.

Fix Text (F-19731r1_fix)
Document extended stored procedures in the System Security Plan and authorize with the IAO. Restrict access of extended stored procedures to SYSADMINs and application owner accounts where authorized for use. Note: Use of some extended stored procedures is required for common use and removal may affect SQL Server operations. The requirement differs based on SQL Server usage. To determine required extended stored procedures for a specific SQL Server installation, enable auditing on execute of the procedures. Review the audit data after a sufficient period to capture all operational usage, and then restrict access to unused extended stored procedures. If no operational issues arise after a sufficient time (you should double the period used before), remove the unused extended stored procedures where supported by the DBMS vendor. By default, the public role is granted execute access to many system-supplied extended stored procedures. It is recommended these execute privileges to extended stored procedures (the ones being retained for system use) be transferred from the public role and re-assigned to a custom all-user group. Redesign applications to use CLR integration.

Fix Text (F-19731r1_fix)

Document extended stored procedures in the System Security Plan and authorize with the IAO.

Restrict access of extended stored procedures to SYSADMINs and application owner accounts where authorized for use.

Note: Use of some extended stored procedures is required for common use and removal may affect SQL Server operations. The requirement differs based on SQL Server usage. To determine required extended stored procedures for a specific SQL Server installation, enable auditing on execute of the procedures. Review the audit data after a sufficient period to capture all operational usage, and then restrict access to unused extended stored procedures. If no operational issues arise after a sufficient time (you should double the period used before), remove the unused extended stored procedures where supported by the DBMS vendor.

By default, the public role is granted execute access to many system-supplied extended stored procedures. It is recommended these execute privileges to extended stored procedures (the ones being retained for system use) be transferred from the public role and re-assigned to a custom all-user group.

Redesign applications to use CLR integration.