
OLE Automation extended stored procedures should be restricted to sysadmin access.


Overview

Finding ID: V-2472
Version: DM2095-SQLServer9
Rule ID: SV-23814r2_rule
IA Controls: DCFA-1
Severity: Medium
Description
Extended stored procedures allow SQL Server users to execute functions external to SQL Server. An extended stored procedure is a function within a Windows DLL that can be referenced as a stored procedure. While this feature is a powerful extension of SQL Server, it also increases the risk of SQL Server users gaining unauthorized access to the operating system. The Windows account used by SQL Server to log on determines the security context used by extended stored procedures. Certain sensitive extended stored procedures should be closely monitored. These sensitive stored procedures include the OLE Automation stored procedures. OLE Automation stored procedures can be used to reconfigure the security of other services including IIS (Internet Information Server).
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text ( C-22813r2_chk )
From the query prompt:

SELECT CAST(value AS INT) 'Config_Value'
FROM [master].sys.configurations
WHERE name = 'ole automation procedures'

If a value of 0 is returned for Config_Value, this is Not a Finding.

If a value of 1 is returned for Config_Value, verify with the IAO and the System Security Plan that OLE Automation Procedures as listed are required. If they are not, this is a Finding.

If OLE Automation Procedures are documented and authorized by the IAO, check which users have access.

From the query prompt:

SELECT USER_NAME(p.grantee_principal_id) 'User', o.name 'Object', p.permission_name 'Perm'
FROM [master].sys.system_objects o, [master].sys.database_permissions p
WHERE o.object_id = p.major_id
AND o.name like 'sp_OA%'
ORDER BY USER_NAME(p.grantee_principal_id), o.name, p.permission_name

If non-DBA users are granted access, verify with the IAO that the System Security Plan authorizes the specific users listed as valid users of these procedures. If there is no documentation or IAO authorization, this is a Finding.
Fix Text (F-19737r1_fix)
Disable OLE extended stored procedures where not needed, or restrict access to SYSADMINs and authorized roles.

Disable OLE extended stored procedures:

From the query prompt:

EXEC SP_CONFIGURE 'show advanced options', 1
RECONFIGURE
-- 'show advanced options' must take effect (RECONFIGURE) before an advanced option can be set
EXEC SP_CONFIGURE 'OLE Automation Procedures', 0
RECONFIGURE

Note: SQL Server 2005 does not drop system extended stored procedures. Microsoft recommends denying EXEC permissions instead.
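The following T-SQL batch is an added example, not part of the STIG text: it strings the two check queries together with the Note's recommendation, reporting the configuration state, listing grantees on sp_OA% procedures whose login is not a sysadmin member, and generating (not executing) the corresponding DENY statements for review. It assumes it is run in master by a sysadmin on SQL Server 2005.

```sql
-- Added example (not the STIG's own text): evaluate V-2472 end to end in one batch.
-- Assumes it is run in master by a sysadmin. DENY statements are generated for
-- review, not executed.
USE [master];
SET NOCOUNT ON;

DECLARE @configured INT, @running INT;
SELECT @configured = CAST(value AS INT), @running = CAST(value_in_use AS INT)
FROM sys.configurations
WHERE name = 'Ole Automation Procedures';   -- canonical casing, safe under case-sensitive collations

IF @configured = 0 AND @running = 0
BEGIN
    PRINT 'Ole Automation Procedures disabled (config and running value 0): Not a Finding.';
    RETURN;
END

PRINT 'Ole Automation Procedures enabled: confirm IAO authorization in the System Security Plan.';

-- Principals holding GRANT on any sp_OA* procedure in master whose login is not a
-- sysadmin member. Users without a login (orphaned users, roles, public) are kept
-- because IS_SRVROLEMEMBER returns NULL for them rather than 0.
SELECT dp.name                         AS [Grantee],
       dp.type_desc                    AS [Grantee_Type],
       ISNULL(sp.name, '(no login)')   AS [Login],
       o.name                          AS [Object],
       p.permission_name               AS [Perm],
       p.state_desc                    AS [State],
       'DENY ' + p.permission_name + ' ON [sys].[' + o.name + '] TO [' + dp.name + '];'
                                       AS [Suggested_Fix]   -- review, then run if authorized
FROM sys.system_objects o
JOIN sys.database_permissions p
  ON p.class = 1 AND p.major_id = o.object_id        -- class 1 = object or column permission
JOIN sys.database_principals dp
  ON dp.principal_id = p.grantee_principal_id
LEFT JOIN sys.server_principals sp
  ON sp.sid = dp.sid                                 -- map database user to its login, if any
WHERE o.name LIKE 'sp_OA%'
  AND p.state IN ('G', 'W')                          -- GRANT / GRANT WITH GRANT OPTION only
  AND ISNULL(IS_SRVROLEMEMBER('sysadmin', sp.name), 0) <> 1
ORDER BY dp.name, o.name, p.permission_name;
```

Rows returned by the second result set are the accounts to reconcile against the System Security Plan; the Suggested_Fix column applies the Note's "deny EXEC" approach per grantee once the IAO confirms they are not authorized.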