🛡️ Google Cloud SQL Server Instance remote access Database Flag is not set to off🟢

• Contextual name: 🛡️ SQL Server Instance remote access Database Flag is not set to off🟢
• ID: /ce/ca/google/sql/sqlserver-instance-remote-access-flag
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Google Cloud SQL Instance
  • 🔌 Google Cloud SQL Instance - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Disable 'remote access' Flag for SQL Server Database Instances

Description

Open File

Description

It is recommended to set the remote access database flag for a Cloud SQL SQL Server instance to off.

Rationale

The remote access option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running. The default value for this option is 1. This grants permission to run local stored procedures from remote servers or remote stored procedures from the local server. To prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled. The Remote Access option controls the execution of local stored procedures on remote servers or remote stored procedures on the local server. Remote access functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, hence this should be disabled. This recommendation is applicable to SQL Server database instances.

Impact

Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
2. Select the SQL Server instance for which you want to enable the database flag.
3. Click Edit.
4. Scroll down to the Flags section.
5. To set a flag that has not been set on the instance before, click Add item, choose the flag remote access from the drop-down menu, and set its value to off.
6. Click Save to save your changes.
7. Confirm your changes under Flags on the Overview page.

From Google Cloud CLI

1. Configure the remote access database flag for every Cloud SQL SQL Server database instance using the following command.

   gcloud sql instances patch {{instance-name}} \
       --database-flags "remote access"=off

   Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS GCP v1.2.0 → 💼 6.3.5 Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated)			1		no data
💼 CIS GCP v1.3.0 → 💼 6.3.5 Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated)			1		no data
💼 CIS GCP v2.0.0 → 💼 6.3.5 Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated)			1		no data
💼 CIS GCP v3.0.0 → 💼 6.3.5 Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated)			1		no data
💼 Cloudaware Framework → 💼 Network Exposure			132		no data
💼 FedRAMP High Security Controls → 💼 CM-6 Configuration Settings (L)(M)(H)	2		12		no data
💼 FedRAMP High Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)	3	18	33		no data
💼 FedRAMP Low Security Controls → 💼 CM-6 Configuration Settings (L)(M)(H)			11		no data
💼 FedRAMP Low Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)			29		no data
💼 FedRAMP Moderate Security Controls → 💼 CM-6 Configuration Settings (L)(M)(H)	1		12		no data
💼 FedRAMP Moderate Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)	3		33		no data
💼 ISO/IEC 27001:2022 → 💼 8.9 Configuration management			12		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			181		no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-6 Configuration Settings	4		12		no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-7 Least Functionality	9		23		no data
💼 PCI DSS v3.2.1 → 💼 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.		1	27		no data
💼 PCI DSS v3.2.1 → 💼 2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system.			3		no data
💼 PCI DSS v3.2.1 → 💼 2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.			3		no data
💼 PCI DSS v3.2.1 → 💼 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.			11		no data
💼 PCI DSS v4.0.1 → 💼 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.			27		no data
💼 PCI DSS v4.0.1 → 💼 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.			27		no data
💼 PCI DSS v4.0.1 → 💼 2.2.4 Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.			3		no data
💼 PCI DSS v4.0.1 → 💼 6.4.1 For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks.			11		no data
💼 PCI DSS v4.0 → 💼 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.		15	27		no data
💼 PCI DSS v4.0 → 💼 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.		6	27		no data
💼 PCI DSS v4.0 → 💼 2.2.4 Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.			3		no data
💼 PCI DSS v4.0 → 💼 6.4.1 For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks.			11		no data
💼 SOC 2 → 💼 CC6.6-1 Restricts Access		16	19		no data
💼 SOC 2 → 💼 CC6.6-3 Requires Additional Authentication or Credentials		4	6		no data
💼 SOC 2 → 💼 CC6.6-4 Implements Boundary Protection Systems			4		no data