Profile Applicability:
- Level 1
Description:
The cross db ownership chaining database flag should be set to off for Cloud SQL SQL Server instances. This flag is deprecated for all SQL Server versions in Google Cloud Platform (GCP). Future configurations will not allow its value to be set to on. If currently enabled, it should either be removed or set to off. For cross-database access, organizations are encouraged to follow Microsoft's guidelines for signing stored procedures with a certificate.
Rationale:
The cross db ownership chaining option configures ownership chaining across multiple databases hosted on a SQL Server instance. This feature can pose significant security risks, as enabling it allows permissions from one database to cascade to another. This is particularly concerning in multi-tenant environments where such behavior is generally undesired. Disabling this feature ensures tighter control over database access and permissions.
Impact:
Turning off this flag may disrupt cross-database references that rely on this feature. Organizations must ensure that any such references are reconfigured using alternative secure methods.
Updating flags may restart the database, temporarily affecting availability. To minimize disruptions, changes should be implemented during periods of low usage.
Default Value:
This flag is deprecated for all SQL Server versions and cannot be set to on going forward.
Audit Steps:
Using Google Cloud Console:
Open the Cloud SQL Instances page in Google Cloud Console.
Select the SQL Server instance to access its Instance Overview page.
Check the Flags section to confirm that the cross db ownership chaining flag is either:
- Not present, or
- Explicitly set to off.
Using Google Cloud CLI:
Run the following command for each SQL Server instance:
gcloud sql instances describe <INSTANCE_NAME> --format=json | jq '.settings.databaseFlags[]? | select(.name=="cross db ownership chaining") | .value'
Verify that the returned value for the flag is off, or that nothing is returned (the flag is absent). The `[]?` form keeps jq from erroring on an instance that has no database flags set at all.
Remediation Steps:
Using Google Cloud Console:
Go to the Cloud SQL Instances page.
Select the SQL Server instance where the flag needs to be configured.
Click Edit.
Scroll down to the Flags section.
Add or modify the cross db ownership chaining flag, setting its value to off.
Click Save to apply the changes.
Confirm the updated configuration under the Flags section on the Overview page.
Using Google Cloud CLI:
Run the following command to configure the flag:
gcloud sql instances patch <INSTANCE_NAME> --database-flags "cross db ownership chaining"=off
Ensure that the instance reflects the updated configuration.
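The audit and remediation steps above can be scripted over the JSON that `gcloud sql instances describe --format=json` returns. The following is an added example, not part of this benchmark; it uses a constructed sample instance, treats an absent flag as compliant (the flag is deprecated), and builds the patch command so that the other flags on the instance are kept, since `--database-flags` sets the complete flag list rather than one flag.

```python
import json

FLAG = "cross db ownership chaining"

# Constructed sample of `gcloud sql instances describe --format=json` output,
# trimmed to the fields the audit needs; not a real instance.
SAMPLE_DESCRIBE = json.loads("""
{
  "name": "sqlserver-example",
  "databaseVersion": "SQLSERVER_2019_STANDARD",
  "settings": {
    "databaseFlags": [
      {"name": "cross db ownership chaining", "value": "on"},
      {"name": "remote access", "value": "off"}
    ]
  }
}
""")


def flag_value(describe, name=FLAG):
    """Return the flag's value, or None when it is not set (databaseFlags may be absent)."""
    for flag in describe.get("settings", {}).get("databaseFlags") or []:
        if flag.get("name") == name:
            return flag.get("value")
    return None


def audit(describe):
    """PASS when the flag is absent or 'off'; FAIL otherwise; skip non-SQL-Server instances."""
    if not describe.get("databaseVersion", "").startswith("SQLSERVER_"):
        return "NOT_APPLICABLE"
    return "PASS" if flag_value(describe) in (None, "off") else "FAIL"


def remediation_command(describe):
    """Build the gcloud patch argv that sets the flag to off while preserving
    every other flag already on the instance (--database-flags replaces the list)."""
    flags = {f["name"]: f["value"]
             for f in describe.get("settings", {}).get("databaseFlags") or []}
    flags[FLAG] = "off"
    flag_arg = ",".join(f"{name}={value}" for name, value in flags.items())
    return ["gcloud", "sql", "instances", "patch", describe["name"],
            "--database-flags", flag_arg]


if __name__ == "__main__":
    print(SAMPLE_DESCRIBE["name"], audit(SAMPLE_DESCRIBE))
    if audit(SAMPLE_DESCRIBE) == "FAIL":
        print(" ".join(remediation_command(SAMPLE_DESCRIBE)))
```

Feed the argv list to `subprocess.run` only after checking the printed command; the patch may restart the instance.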
Backout Plan:
Step 1: Restore the cross db ownership chaining Flag If Needed
If disabling cross db ownership chaining breaks business-critical functionality, restore the flag:
gcloud sql instances patch <INSTANCE_NAME> --database-flags "cross db ownership chaining=on"
Step 2: Notify Security Teams
- Inform database security teams before making ownership chaining changes.
Step 3: Restore from Backup (If Necessary)
If modifying cross db ownership chaining causes failures, restore the SQL instance from a backup.
Step 4: Validate Rollback Success
- Run the audit steps again to confirm that the intended cross db ownership chaining setting is applied.
References:
Additional Information:
Changes to database flags may require the instance to restart. Verify the list of flags that trigger a restart at Cloud SQL SQL Server Flags Documentation.
Configuring this flag improves security posture by preventing unintended cross-database access.
Ensure that alternative methods, such as signed stored procedures, are in place before disabling this flag.
CIS Controls: