Skip to main content

πŸ“ Google Cloud SQL Server Instance remote access Database Flag is not set to off 🟒

  • Contextual name: πŸ“ SQL Server Instance remote access Database Flag is not set to off 🟒
  • ID: /ce/ca/google/sql/sqlserver-instance-remote-access-flag
  • Located in: πŸ“ Google Cloud SQL

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Logic​

Description​

Open File

Description​

It is recommended to set remote access database flag for Cloud SQL SQL Server instance to off.

Rationale​

The remote access option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running. This default value for this option is 1. This grants permission to run local stored procedures from remote servers or remote stored procedures from the local server. To prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled. The Remote Access option controls the execution of local stored procedures on remote servers or remote stored procedures on local server. 'Remote access' functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, hence this should be disabled. This recommendation is applicable to SQL Server database instances.

Impact​

Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.

... see more

Remediation​

Open File

Remediation​

From Google Cloud Console​

  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Select the SQL Server instance for which you want to enable to database flag.
  3. Click Edit.
  4. Scroll down to the Flags section.
  5. To set a flag that has not been set on the instance before, click Add item, choose the flag remote access from the drop-down menu, and set its value to off.
  6. Click Save to save your changes.
  7. Confirm your changes under Flags on the Overview page.

From Google Cloud CLI​

  1. Configure the remote access database flag for every Cloud SQL SQL Server database instance using the below command

         gcloud sql instances patch <INSTANCE_NAME> --database-flags "remote access"=off

Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS GCP v1.2.0 β†’ πŸ’Ό 6.3.5 Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated)1
πŸ’Ό CIS GCP v1.3.0 β†’ πŸ’Ό 6.3.5 Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated)1
πŸ’Ό CIS GCP v2.0.0 β†’ πŸ’Ό 6.3.5 Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated)1
πŸ’Ό CIS GCP v3.0.0 β†’ πŸ’Ό 6.3.5 Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Secure Access53
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-6 Configuration Settings (L)(M)(H)212
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-7 Least Functionality (L)(M)(H)31833
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CM-6 Configuration Settings (L)(M)(H)11
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CM-7 Least Functionality (L)(M)(H)29
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-6 Configuration Settings (L)(M)(H)112
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-7 Least Functionality (L)(M)(H)333
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.9 Configuration management12
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events134
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-6 Configuration Settings412
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-7 Least Functionality923
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.127
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system.3
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.3
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.11
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.27
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.27
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 2.2.4 Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.3
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 6.4.1 For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks.11
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.1527
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.627
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 2.2.4 Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.3
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 6.4.1 For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks.11
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.6-1 Restricts Access1619
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.6-3 Requires Additional Authentication or Credentials46
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.6-4 Implements Boundary Protection Systems4