STIGQter: STIG Summary: MS SQL Server 2014 Instance Security Technical Implementation Guide Version: 1 Release: 10 Benchmark Date: 24 Apr 2020:

Access to xp_cmdshell must be disabled, unless specifically required and approved.

DISA Rule

SV-82347r1_rule

Vulnerability Number

V-67857

Group Title

SRG-APP-000141-DB-000093

Rule Version

SQL4-00-017200

Severity

CAT II

CCI(s)

• CCI-000381 - The organization configures the information system to provide only essential capabilities.

Weight

10

Fix Recommendation

To disable the use of xp_cmdshell, from the query prompt:
EXEC sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
EXEC sp_configure 'xp_cmdshell', 0;
GO
RECONFIGURE;
GO

Check Contents

To determine if xp_cmdshell is enabled, execute the following commands:

EXEC SP_CONFIGURE 'show advanced options', '1';
RECONFIGURE WITH OVERRIDE;
EXEC SP_CONFIGURE 'xp_cmdshell';

If the value of config_value is 0, this is not a finding.

Review the system documentation to determine whether the use of xp_cmdshell is required and approved. If it is not approved, this is a finding.

Vulnerability Number

V-67857

Documentable

False

Rule Version

SQL4-00-017200

Severity Override Guidance

To determine if xp_cmdshell is enabled, execute the following commands:

EXEC SP_CONFIGURE 'show advanced options', '1';
RECONFIGURE WITH OVERRIDE;
EXEC SP_CONFIGURE 'xp_cmdshell';

If the value of config_value is 0, this is not a finding.

Review the system documentation to determine whether the use of xp_cmdshell is required and approved. If it is not approved, this is a finding.

Check Content Reference

M

Target Key

2639

Comments