STIGQter: STIG Summary: MS SQL Server 2016 Instance Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

Access to Non-Standard extended stored procedures must be disabled or restricted, unless specifically required and approved.

DISA Rule

SV-213959r617437_rule

Vulnerability Number

V-213959

Group Title

SRG-APP-000141-DB-000093

Rule Version

SQL6-D0-007400

Severity

CAT II

CCI(s)

• CCI-000381 - The organization configures the information system to provide only essential capabilities.

Weight

10

Fix Recommendation

Remove any Non-Standard extended stored procedures that are not documented and approved.

sp_dropextendedproc 'proc name'

Check Contents

Extended stored procedures are DLLs that an instance of SQL Server can dynamically load and run. Extended stored procedures run directly in the address space of an instance of SQL Server and are programmed by using the SQL Server Extended Stored Procedure API.

Non-Standard extended stored procedures can compromise the integrity of the SQL Server process. This feature will be removed in a future version of Microsoft SQL Server. Do not use this feature in new development work, and modify applications that currently use this feature as soon as possible.

To determine if non-standard extended stored procedures exist, run the following:

------------------------------------------------------------------------
USE [master]
GO
DECLARE @xplist AS TABLE
(
xp_name sysname,
source_dll nvarchar(255)
)
INSERT INTO @xplist
EXEC sp_helpextendedproc

SELECT X.xp_name, X.source_dll, O.is_ms_shipped FROM @xplist X JOIN sys.all_objects O ON X.xp_name = O.name WHERE O.is_ms_shipped = 0 ORDER BY X.xp_name
------------------------------------------------------------------------

If any records are returned, review the system documentation to determine whether the use of Non-Standard extended stored procedures are required and approved.

If it is not approved, this is a finding.

Vulnerability Number

V-213959

Documentable

False

Rule Version

SQL6-D0-007400

Severity Override Guidance

Extended stored procedures are DLLs that an instance of SQL Server can dynamically load and run. Extended stored procedures run directly in the address space of an instance of SQL Server and are programmed by using the SQL Server Extended Stored Procedure API.

Non-Standard extended stored procedures can compromise the integrity of the SQL Server process. This feature will be removed in a future version of Microsoft SQL Server. Do not use this feature in new development work, and modify applications that currently use this feature as soon as possible.

To determine if non-standard extended stored procedures exist, run the following:

------------------------------------------------------------------------
USE [master]
GO
DECLARE @xplist AS TABLE
(
xp_name sysname,
source_dll nvarchar(255)
)
INSERT INTO @xplist
EXEC sp_helpextendedproc

SELECT X.xp_name, X.source_dll, O.is_ms_shipped FROM @xplist X JOIN sys.all_objects O ON X.xp_name = O.name WHERE O.is_ms_shipped = 0 ORDER BY X.xp_name
------------------------------------------------------------------------

If any records are returned, review the system documentation to determine whether the use of Non-Standard extended stored procedures are required and approved.

If it is not approved, this is a finding.

Check Content Reference

M

Target Key

3993

Comments