Registry extended stored procedures should be restricted to sysadmin access.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-2473	DM2119-SQLServer9	SV-23825r2_rule	DCFA-1	Medium

Description
Extended stored procedures allow SQL Server users to execute functions external to SQL Server. An extended stored procedure is a function within a Windows NT DLL that can be referenced as a stored procedure. While this feature is a powerful extension of SQL Server, it also increases the risk of SQL Server users gaining unauthorized access to the operating system. The Windows NT account used by SQL Server to log on determines the security context used by extended stored procedures. Certain sensitive extended stored procedures should be closely monitored. These sensitive stored procedures include the registry editing stored procedures. Registry extended stored procedures can be used to read or change security information, including the NT password database, from the registry.

Description

Extended stored procedures allow SQL Server users to execute functions external to SQL Server. An extended stored procedure is a function within a Windows NT DLL that can be referenced as a stored procedure. While this feature is a powerful extension of SQL Server, it also increases the risk of SQL Server users gaining unauthorized access to the operating system. The Windows NT account used by SQL Server to log on determines the security context used by extended stored procedures. Certain sensitive extended stored procedures should be closely monitored. These sensitive stored procedures include the registry editing stored procedures. Registry extended stored procedures can be used to read or change security information, including the NT password database, from the registry.

STIG	Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide	2015-06-16

Details

Check Text ( C-22815r2_chk )
From the query prompt: SELECT u.name AS [Principal], o.name AS [Extended Stored Procedure], u.type_desc AS [Type] FROM [master].sys.system_objects o JOIN [master].sys.database_permissions p ON o.object_id = p.major_id JOIN [master].sys.database_principals u ON p.grantee_principal_id = u.principal_id WHERE ( o.name LIKE 'xp_reg%' OR o.name LIKE 'xp_instance_reg%') AND p.type = 'EX' ORDER BY o.name, u.name If no results are displayed, this is Not a Finding. If non-DBA Principals are granted access (as listed in the query results), verify with the IAO and the System Security Plan allowing the specific Principals listed as valid users of these procedures. If there is no documentation or IAO authorization, this is a Finding. If permissions are assigned to Principal PUBLIC, this is a Finding. Note: By default, the public role is granted execute access to xp_regread. If this access is required, transfer the privilege assignment to an authorized custom database role.

Check Text ( C-22815r2_chk )

From the query prompt:

SELECT u.name AS [Principal], o.name AS [Extended Stored Procedure], u.type_desc AS [Type]
FROM [master].sys.system_objects o
JOIN [master].sys.database_permissions p ON o.object_id = p.major_id
JOIN [master].sys.database_principals u ON p.grantee_principal_id = u.principal_id
WHERE ( o.name LIKE 'xp_reg%' OR o.name LIKE 'xp_instance_reg%')
AND p.type = 'EX'
ORDER BY o.name, u.name

If no results are displayed, this is Not a Finding.

If non-DBA Principals are granted access (as listed in the query results), verify with the IAO and the System Security Plan allowing the specific Principals listed as valid users of these procedures.

If there is no documentation or IAO authorization, this is a Finding.

If permissions are assigned to Principal PUBLIC, this is a Finding.

Note: By default, the public role is granted execute access to xp_regread. If this access is required, transfer the privilege assignment to an authorized custom database role.

Fix Text (F-19739r1_fix)
Restrict access of Registry extended stored procedures to SYSADMINs and authorized roles as documented in the System Security Plan and authorized by the IAO. Note: SQL Server 2005 and later does not drop system extended stored procedures. Microsoft recommends denying EXEC permissions instead. Restrict and/or remove access to Registry extended stored procedures where not authorized: From the SQL Server Management Studio GUI: 1. Connect/expand SQL Server 2. Expand Databases 3. Expand System databases 4. Expand Master 5. Expand Programmability 6. Expand Extended Stored Procedures 7. Expand System Extended Stored Procedures 8. Locate and select each of the Registry extended stored procedures listed in the Check section 9. Right click on the extended stored procedure 10. Select Properties 11. Click on the Permissions page 12. Select each user or role and deselect the Grant (and With Grant if checked) permissions from all users, database roles and public except from SYSADMINs and authorized roles when permitted 13. Click OK Document access grants and restrictions in the System Security Plan and authorize with the IAO.

Fix Text (F-19739r1_fix)

Restrict access of Registry extended stored procedures to SYSADMINs and authorized roles as documented in the System Security Plan and authorized by the IAO.

Note: SQL Server 2005 and later does not drop system extended stored procedures. Microsoft recommends denying EXEC permissions instead.

Restrict and/or remove access to Registry extended stored procedures where not authorized:

From the SQL Server Management Studio GUI:

1. Connect/expand SQL Server
2. Expand Databases
3. Expand System databases
4. Expand Master
5. Expand Programmability
6. Expand Extended Stored Procedures
7. Expand System Extended Stored Procedures
8. Locate and select each of the Registry extended stored procedures listed in the Check section
9. Right click on the extended stored procedure
10. Select Properties
11. Click on the Permissions page
12. Select each user or role and deselect the Grant (and With Grant if checked) permissions from all users, database roles and public except from SYSADMINs and authorized roles when permitted
13. Click OK

Document access grants and restrictions in the System Security Plan and authorize with the IAO.