STIGQter: STIG Summary: MS SQL Server 2014 Instance Security Technical Implementation Guide Version: 1 Release: 10 Benchmark Date: 24 Apr 2020

SQL Server must have the Filestream feature disabled if it is unused.

DISA Rule

SV-82339r1_rule

Vulnerability Number

V-67849

Group Title

SRG-APP-000141-DB-000091

Rule Version

SQL4-00-016855

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Either: in SQL Server Management Studio's Object Explorer, right-click the SQL Server instance, select Properties, and examine the Filestream section.

If Filestream is not required, set Filestream Access Level to "Disabled."

If Filestream is required only at the Transact-SQL query level, set Filestream Access Level to "Transact-SQL access enabled."

Restart the SQL Server instance.

Or, in a query tool, run this script, substituting the correct value for <Level>:
EXEC sys.sp_configure N'filestream access level', N'<Level>';
GO
RECONFIGURE WITH OVERRIDE;
GO

The <Level> values are:
0 - Disabled
1 - Transact-SQL access enabled
2 - Full access enabled

Check Contents

Determine whether Filestream is required to support the database(s) in this instance of SQL Server.

Either: in SQL Server Management Studio's Object Explorer, right-click the SQL Server instance, select Properties, and examine the Filestream section.

If Filestream Access Level is "Disabled", this is not a finding.

If Filestream Access Level is "Transact-SQL access enabled" or "Full access enabled," and Filestream is not required, this is a finding.

If Filestream Access Level is "Full access enabled," but only Transact-SQL access is required, this is a finding.

Or, in a query tool, run this code:
EXEC sys.sp_configure N'filestream access level';

Review the number in the config_value column. If it is 0, this is not a finding.

If config_value is 1 or 2, and Filestream is not required, this is a finding.

If config_value is 2, but only Transact-SQL access is required, this is a finding.
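
The query-based check above can be evaluated in one pass. This is an added example, not part of the STIG text. The variable @RequiredLevel is an assumption that the reviewer sets from the system documentation, and the result strings are illustrative.

```sql
-- Added example: applies the three check conditions to the configured value.
-- Assumption: @RequiredLevel is set by the reviewer from system documentation
--   0 = Filestream not required
--   1 = only Transact-SQL access required
--   2 = full access required
DECLARE @RequiredLevel int = 0;

SELECT
    c.name,
    CONVERT(int, c.value)        AS config_value,  -- same number sp_configure reports
    CONVERT(int, c.value_in_use) AS run_value,     -- value currently in effect
    -- Instance-level view; the effective level can lag the configured level
    -- while an instance or computer restart is pending.
    CONVERT(int, SERVERPROPERTY('FilestreamConfiguredLevel')) AS configured_level,
    CONVERT(int, SERVERPROPERTY('FilestreamEffectiveLevel'))  AS effective_level,
    @RequiredLevel AS required_level,
    CASE
        -- config_value 0: not a finding
        WHEN CONVERT(int, c.value) = 0
            THEN 'Not a finding'
        -- config_value 1 or 2 and Filestream not required: finding
        WHEN @RequiredLevel = 0
            THEN 'Finding: Filestream enabled but not required'
        -- config_value 2 but only Transact-SQL access required: finding
        WHEN CONVERT(int, c.value) = 2 AND @RequiredLevel = 1
            THEN 'Finding: full access enabled, only Transact-SQL access required'
        ELSE 'Not a finding'
    END AS check_result,
    CASE
        WHEN CONVERT(int, c.value) <> CONVERT(int, c.value_in_use)
            THEN 'Configured value not yet in effect'
        ELSE 'Configured value is in effect'
    END AS pending_state
FROM sys.configurations AS c
WHERE c.name = N'filestream access level';
```

If effective_level is higher than config_value after a fix, the change has not yet taken effect; restart the instance as the Fix Recommendation states and re-run the check.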

Documentable

False

Check Content Reference

M

Target Key

2639
