Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'

The remote access option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running. The default value for this option is 1, which grants permission to run local stored procedures from remote servers or remote stored procedures from the local server. To prevent local stored procedures from being run from a remote server, or remote stored procedures from being run on the local server, the option must be disabled. 'Remote access' functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, hence this should be disabled.

Risk Level: Medium
Cloud Entity: GCP CloudSql
CloudGuard Rule ID: D9.GCP.VLN.07
Covered by Spectral: Yes
Category: Database

GSL LOGIC

CloudSql where databaseVersion like 'SQLSERVER%' should have settings.databaseFlags contain [ name like 'remote access' and value like 'off' ]

REMEDIATION

From Portal

  1. Navigate to the instance where the flag needs to be set: https://console.cloud.google.com/sql/instances
  2. Click Edit Configurations
  3. Under the Flags section, choose Add flag, look for 'remote access' and set its value to off.
  4. Save and review your changes

From TF
Set the flag 'remote access' to 'off':

resource "google_sql_database_instance" "default" {
  # ...
  settings {
    database_flags {
      name  = "remote access"
      value = "off"
    }
  }
}

From Command Line

  1. First retrieve all existing flag values:
gcloud sql instances describe INSTANCE_NAME
  2. Add all existing flags and their values to the patch request; otherwise they will be reset to their default values.
gcloud sql instances patch INSTANCE_NAME --database-flags ExistingFlag1=Value1,ExistingFlag2=Value2,...,'remote access'=off
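
The two command-line steps above can be scripted so that no existing flag is dropped during the patch. The following is an added example, not CloudGuard or Google code: it evaluates the rule's GSL condition against the JSON from `gcloud sql instances describe INSTANCE_NAME --format=json` and builds the merged `--database-flags` value. The instance name, the sample flag values and all function names are assumptions made for illustration.

```python
import json
import shlex

# Constructed sample of `gcloud sql instances describe ... --format=json` output,
# trimmed to the fields used here (not taken from a real instance).
SAMPLE_DESCRIBE = """
{
  "name": "example-sqlserver",
  "databaseVersion": "SQLSERVER_2019_STANDARD",
  "settings": {
    "databaseFlags": [
      {"name": "cross db ownership chaining", "value": "off"},
      {"name": "remote access", "value": "on"},
      {"name": "user connections", "value": "0"}
    ]
  }
}
"""
SAMPLE_INSTANCE = json.loads(SAMPLE_DESCRIBE)

def _flags(instance):
    """Return the instance's databaseFlags list; the key is absent when no flag is set."""
    return (instance.get("settings") or {}).get("databaseFlags") or []

def is_compliant(instance):
    """Mirror the GSL rule: a SQL Server instance must carry 'remote access' = 'off'."""
    if not instance.get("databaseVersion", "").startswith("SQLSERVER"):
        return True  # the rule only applies to SQL Server instances
    # A missing flag fails the check: the engine default (1) leaves remote access on.
    return any(f.get("name", "").lower() == "remote access"
               and f.get("value", "").lower() == "off" for f in _flags(instance))

def merged_flags_argument(instance):
    """Build the --database-flags value: existing flags kept, 'remote access' forced off."""
    flags = {f["name"]: f["value"] for f in _flags(instance)}
    flags["remote access"] = "off"
    return ",".join(f"{name}={value}" for name, value in flags.items())

def patch_command(instance):
    """Return the patch call as an argv list, so the space in the flag name needs no quoting."""
    return ["gcloud", "sql", "instances", "patch", instance["name"],
            "--database-flags", merged_flags_argument(instance)]

if __name__ == "__main__":
    print("compliant:", is_compliant(SAMPLE_INSTANCE))
    print(shlex.join(patch_command(SAMPLE_INSTANCE)))  # shell-quoted form for review
```

Review the printed command before running it; a flag whose value itself contains a comma would need separate handling, since the comma is the list separator.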

References

  1. https://cloud.google.com/sql/docs/sqlserver/flags
  2. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15
  3. https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337

GCP CloudSql

Cloud SQL is a fully managed database service that makes it easy to set up, maintain, manage, and administer your relational PostgreSQL, MySQL, and SQL Server databases in the cloud.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5