π Google Cloud SQL Server Instance remote access Database Flag is not set to off π’
- Contextual name: π SQL Server Instance remote access Database Flag is not set to off π’
- ID:
/ce/ca/google/sql/sqlserver-instance-remote-access-flag - Located in: π Google Cloud SQL
Flagsβ
- π’ Policy with categories
- π’ Policy with type
- π’ Production policy
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITY
Similar Policiesβ
- Cloud Conformity
Logicβ
- π§ prod.logic.yaml π’
Descriptionβ
Descriptionβ
It is recommended to set
remote accessdatabase flag for Cloud SQL SQL Server instance tooff.Rationaleβ
The
remote accessoption controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running. This default value for this option is 1. This grants permission to run local stored procedures from remote servers or remote stored procedures from the local server. To prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled. The Remote Access option controls the execution of local stored procedures on remote servers or remote stored procedures on local server. 'Remote access' functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, hence this should be disabled. This recommendation is applicable to SQL Server database instances.Impactβ
Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.
... see more
Remediationβ
Remediationβ
From Google Cloud Consoleβ
- Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
- Select the SQL Server instance for which you want to enable to database flag.
- Click
Edit.- Scroll down to the
Flagssection.- To set a flag that has not been set on the instance before, click
Add item, choose the flagremote accessfrom the drop-down menu, and set its value tooff.- Click
Saveto save your changes.- Confirm your changes under
Flagson the Overview page.From Google Cloud CLIβ
Configure the
remote accessdatabase flag for every Cloud SQL SQL Server database instance using the below commandgcloud sql instances patch <INSTANCE_NAME> --database-flags "remote access"=offNote: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ CIS GCP v3.0.0 β πΌ 6.3.5 Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated) | 1 | |||
| πΌ Cloudaware Framework β πΌ Secure Access | 43 |