Profile Applicability:
- Level 1
Description:
The remote access database flag for Cloud SQL SQL Server instances should be set to off. This flag controls whether stored procedures can be executed from local or remote servers on which SQL Server instances are running. Disabling this flag prevents remote servers from executing stored procedures on the local server and vice versa.
Rationale:
By default, the remote access flag is enabled (on), allowing the execution of:
- Local stored procedures from remote servers
- Remote stored procedures on the local server
This functionality can potentially be exploited to:
- Offload query processing to another server, which may lead to resource abuse.
- Launch Denial-of-Service (DoS) attacks on remote servers.
Disabling remote access ensures that stored procedure execution remains local to the server, enhancing security by preventing unauthorized or unintended remote interactions.
Impact:
Turning off remote access prevents cross-server stored procedure execution, which may impact applications relying on this feature.
Modifying this flag via the command line resets all other flags to their defaults unless they are explicitly specified in the same update. Plan changes carefully to avoid unintended disruptions.
This configuration change does not restart the SQL instance but should be applied during periods of low usage to minimize risks.
Default Value:
The default value for the remote access flag is on.
Audit Steps:
Using Google Cloud Console:
- Navigate to the Cloud SQL Instances page.
- Select the desired SQL Server instance to view its Instance Overview page.
- Under the Database flags section, ensure the remote access flag is listed and set to off.
Using Google Cloud CLI:
Execute the following command for each SQL Server instance:
gcloud sql instances describe <INSTANCE_NAME> --format=json | jq '.settings.databaseFlags[] | select(.name=="remote access")|.value'
Verify that the output shows the value as off.
Remediation Steps:
Using Google Cloud Console:
- Navigate to the Cloud SQL Instances page.
- Select the SQL Server instance where the remote access flag needs to be updated.
- Click Edit.
- Scroll to the Flags section.
- Add the remote access flag by clicking Add item, then set its value to off.
- Save your changes by clicking Save.
- Confirm that the remote access flag is set to off under the Flags section on the Overview page.
Using Google Cloud CLI:
Update the remote access flag for a specific SQL Server instance using the following command:
gcloud sql instances patch <INSTANCE_NAME> --database-flags "remote access"=off
To preserve other flag settings, list every flag already configured on the instance explicitly in the same command, in addition to the remote access flag.
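The audit and CLI remediation steps above, combined as an added Python example (not part of the original benchmark text): it treats an unset flag as the default on, and builds a patch command that carries every existing flag forward so none is reset. The instance JSON is constructed sample data and the function names are this example's own; flag values containing commas are rejected because they need gcloud's alternate list delimiter.

```python
import json
import shlex

FLAG = "remote access"

# Constructed sample of `gcloud sql instances describe <INSTANCE_NAME> --format=json`
# output, trimmed to the fields used here (not taken from a real instance).
SAMPLE = json.loads("""
{
  "name": "example-sqlserver",
  "settings": {"databaseFlags": [
    {"name": "cross db ownership chaining", "value": "off"},
    {"name": "remote access", "value": "on"}
  ]}
}
""")


def current_flags(instance):
    """Return the instance's flags as a dict; a missing list means none are set."""
    flags = instance.get("settings", {}).get("databaseFlags") or []
    return {f["name"]: f.get("value", "") for f in flags}


def audit(instance):
    """Pass only when the flag is explicitly off; unset means the default (on)."""
    value = current_flags(instance).get(FLAG)
    if value is None:
        return "FAIL: flag not set, default is on"
    return "PASS" if value.lower() == "off" else f"FAIL: set to {value}"


def patch_command(instance):
    """Build a patch command that keeps every existing flag and sets FLAG to off."""
    flags = current_flags(instance)
    flags[FLAG] = "off"
    for name, value in flags.items():
        if "," in name or "," in value:
            raise ValueError(f"{name!r} needs gcloud's alternate list delimiter")
    joined = ",".join(f"{n}={v}" for n, v in flags.items())
    return ("gcloud sql instances patch " + shlex.quote(instance["name"])
            + " --database-flags=" + shlex.quote(joined))


if __name__ == "__main__":
    print(audit(SAMPLE))
    print(patch_command(SAMPLE))
```

Review the generated command before running it, since it only reflects the flags present in the JSON it was given.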
Backout Plan:
Step 1: Revert the remote access flag to on
If applications fail due to this change, re-enable remote access:
gcloud sql instances patch <INSTANCE_NAME> --database-flags "remote access=on"
Ensure that only necessary services have access to remote stored procedures.
Step 2: Notify Stakeholders
- If rollback is required, inform database administrators and IT teams.
Step 3: Restore from Backup (If Necessary)
If configuration issues persist, restore the SQL instance from a backup.
Step 4: Validate Rollback Success
Run the audit steps again to confirm that the remote access flag is restored.
Ensure that applications function normally.
Additional Information:
Modifying this flag does not restart the SQL Server instance.
Some flag changes may affect the instance’s stability or remove it from the Cloud SQL SLA. Review the Cloud SQL Operational Guidelines before making changes.
Ensure all necessary flags are explicitly specified in CLI commands to avoid resetting unintended configurations.
CIS Controls: