STIGQter: STIG Summary: MS SQL Server 2016 Instance Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021

Execution of startup stored procedures must be restricted to necessary cases only.

DISA Rule

SV-214030r617437_rule

Vulnerability Number

V-214030

Group Title

SRG-APP-000342-DB-000302

Rule Version

SQL6-D0-016400

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

To disable startup stored procedure(s), run the following in master for each undocumented procedure:

EXEC sp_procoption @ProcName = N'<procedure name>', @OptionName = 'startup', @OptionValue = 'off';

Check Contents

Review the system documentation to obtain a listing of documented stored procedures used by SQL Server during startup. Execute the following query:

SELECT [name] AS StoredProc
FROM sys.procedures
WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1;

If any stored procedures are returned that are not documented, this is a finding.
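
The check and the fix above can be combined into one review query. The following is an added example, not part of the STIG text: it compares the startup procedures in master against a documented allowlist and produces the sp_procoption statement for each undocumented one. The allowlist table variable @Documented and the procedure name usp_DocumentedStartupProc are constructed placeholders to be replaced with the names from the system documentation.

```sql
-- Added example: list startup procedures in master that are missing from
-- the documented allowlist, together with the statement that disables each.
USE master;

-- Assumption: the allowlist is maintained by hand from the system documentation.
DECLARE @Documented TABLE (ProcName sysname PRIMARY KEY);
INSERT INTO @Documented (ProcName)
VALUES (N'usp_DocumentedStartupProc');   -- constructed placeholder name

SELECT
    s.name        AS SchemaName,
    p.name        AS StoredProc,
    p.create_date AS CreatedOn,    -- when the procedure first appeared
    p.modify_date AS ModifiedOn,   -- last ALTER; useful when triaging a finding
    -- Fix statement for this finding. QUOTENAME brackets the identifiers and
    -- REPLACE doubles any single quote so the generated string literal is valid.
    N'EXEC sp_procoption @ProcName = N'''
        + REPLACE(QUOTENAME(s.name) + N'.' + QUOTENAME(p.name), N'''', N'''''')
        + N''', @OptionName = ''startup'', @OptionValue = ''off'';' AS FixStatement
FROM sys.procedures AS p
JOIN sys.schemas    AS s ON s.schema_id = p.schema_id
LEFT JOIN @Documented AS d ON d.ProcName = p.name
WHERE OBJECTPROPERTY(p.object_id, 'ExecIsStartup') = 1   -- marked to run at startup
  AND d.ProcName IS NULL                                 -- not in the documentation
ORDER BY p.name;
```

An empty result set means every startup procedure is documented. Review each generated FixStatement before running it, since it changes what executes at the next instance start.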

Documentable

False

Severity Override Guidance

Review the system documentation to obtain a listing of documented stored procedures used by SQL Server during startup. Execute the following query:

SELECT [name] AS StoredProc
FROM sys.procedures
WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1;

If any stored procedures are returned that are not documented, this is a finding.

Check Content Reference

M

Target Key

3993
