STIGQter: STIG Summary: MS SQL Server 2016 Instance Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

Filestream must be disabled, unless specifically required and approved.

DISA Rule

SV-214034r617437_rule

Vulnerability Number

V-214034

Group Title

SRG-APP-000141-DB-000093

Rule Version

SQL6-D0-016800

Severity

CAT II

CCI(s)

CCI-000381 - The organization configures the information system to provide only essential capabilities.

Weight

Fix Recommendation

Disable the use of Filestream.

1. Delete all FILESTREAM columns from all tables. ALTER TABLE <name> DROP COLUMN <column name>
2. Disassociate tables from the FILESTREAM filegroups. ALTER TABLE <name> SET (FILESTREAM_ON = 'NULL'
3. Remove all FILESTREAM data containers. ALTER DATABASE <name> REMOVE FILE <file name>
4. Remove all FILESTREAM filegroups. ALTER DATABASE <name> REMOVE FILEGROUP <file name>.
5. Disable FILESTREAM.
EXEC sp_configure filestream_access_level, 0
RECONFIGURE
6. Restart the SQL Service

Check Contents

Review the system documentation to see if FileStream is in use. If in use authorized, this is not a finding.

If FileStream is not documented as being authorized, execute the following query.
EXEC sp_configure 'filestream access level'

If "run_value" is greater than "0", this is a finding.

This rule checks that Filestream SQL specific option is disabled.

SELECT CASE
WHEN EXISTS (SELECT *
FROM sys.configurations
WHERE Name = 'filestream access level'
AND Cast(value AS INT) = 0) THEN 'No'
ELSE 'Yes'
END AS TSQLFileStreamAccess;

If the above query returns "Yes" in the "FileStreamEnabled" field, this is a finding.

Filestream must be disabled, unless specifically required and approved.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments