Profile Applicability:

  • Level 1

Description:

The external scripts enabled flag allows execution of external scripts, such as those using R or Python. This functionality, though useful in some scenarios, introduces potential security vulnerabilities. It is recommended to disable this flag unless explicitly required.

Rationale:

Disabling the external scripts enabled flag prevents the execution of scripts that could adversely impact the security of the system by accessing external libraries or files. This reduces the risk of unauthorized access or exploitation through external scripting features.

Impact:

  • Disabling this flag might restrict certain advanced analytics or machine learning tasks that depend on external scripts.

  • Applying this change via CLI will overwrite previously set flags unless re-applied during configuration.

  • The instance will require a restart to apply the updated configuration.

Default Value:

By default, the external scripts enabled flag is set to off.

Audit Steps:

Using Google Cloud Console:

  1. Navigate to the Cloud SQL Instances page.

                     

  1. Select the SQL Server instance.

       

  1. Verify under the Flags section that the external scripts enabled flag is set to off.

             

Using Google Cloud CLI:

Run the following command:

gcloud sql instances describe [INSTANCE_NAME] --format=json | jq '.settings.databaseFlags[] | select(.name=="external scripts enabled")|.value'

  1. Confirm that the returned value is off.

Remediation Steps:

Using Google Cloud Console:

  1. Navigate to Cloud SQL Instances.

             

  1. Select the SQL Server instance to edit.

       

  1. Click Edit.

       

  1. Scroll down to the Flags section.

       

  1. Add or modify the external scripts enabled flag to set its value to off.

         

  1. Click Save to apply changes.

         

  1. Restart the instance to activate the updated configuration.

         

Using Google Cloud CLI:

Run the following command:

gcloud sql instances patch [INSTANCE_NAME] --database-flags "external scripts enabled"=off

  1. Restart the instance for the changes to take effect.

Backout Plan:

Step 1: Restore the external scripts enabled Flag If Needed

If disabling external scripts enabled breaks business-critical functionality, restore the flag:

gcloud sql instances patch <INSTANCE_NAME> --database-flags "external scripts enabled=on"

Restart the instance to apply changes

gcloud sql instances restart <INSTANCE_NAME>

Step 2: Notify Security Teams

  • Inform database security teams before making script execution changes.

Step 3: Restore from Backup (If Necessary)

  • If modifying external scripts enabled causes failures, restore the SQL instance from a backup.

Step 4: Validate Rollback Success

  • Run the audit steps again to confirm that the intended external scripts enabled setting is applied.

References:

  1. Microsoft SQL Server: External Scripts Enabled Documentation

  2. Cloud SQL Flags for SQL Server

  3. Microsoft SQL Server Security Concepts

  4. Microsoft Tutorial on Signed Stored Procedures

Additional Information:

  • Both flags (external scripts enabled and cross db ownership chaining) require a restart of the SQL Server instance for the changes to take effect.

  • Setting these flags improves the overall security posture of SQL Server instances by mitigating risks associated with unnecessary or outdated features.

CIS Controls:


Control

Description

IG 1

IG 2

IG 3

2.7 Allowlist Authorized Scripts

Allow only authorized and signed scripts to execute.



2.9 Application Whitelisting

Ensure application whitelisting restricts unauthorized scripts from executing.