Profile Applicability:

  • Level 1

Description:

It is recommended to set the 3625 (trace flag) database flag for Cloud SQL SQL Server instances to on.

Rationale:

Trace flags in Microsoft SQL Server are used to diagnose performance issues, debug procedures, or address workload-specific behaviors. The 3625 trace flag limits the amount of information returned to users who are not members of the sysadmin fixed server role by masking sensitive error message parameters with ******. Enabling this flag globally enhances security by obscuring sensitive information in error messages, thereby reducing the risk of data disclosure. Setting this flag ensures it cannot be inadvertently disabled or altered by unauthorized users.

Impact:

  • Modifying database flags may require the instance to restart, which could temporarily affect availability.

  • It is recommended to apply such changes during periods of low usage to minimize potential disruptions.

Default Value:

Trace flags, including 3625, are disabled by default in SQL Server.

Audit Steps:

Using Google Cloud Console:

  1. Navigate to the Cloud SQL Instances page.

                   

  1. Select the SQL Server instance to open its Instance Overview page.

           

  1. Verify that the 3625 flag is listed under the Database flags section and is set to on.

         

Using Google Cloud CLI:

Run the following command for each SQL Server instance:

gcloud sql instances describe <INSTANCE_NAME> --format=json | jq '.settings.databaseFlags[] | select(.name=="3625")|.value'

  1. Confirm that the output shows the value as on.

Remediation Steps:

Using Google Cloud Console:

  1. Navigate to the Cloud SQL Instances page.

               

  1. Select the SQL Server instance where the 3625 flag needs to be enabled.

           

  1. Click Edit.

           

  1. Scroll down to the Flags section.

                 

  1. Add the 3625 flag by clicking Add item, then set its value to on.

                 

  1. Click Save to apply the changes.

                     

  1. Confirm that the 3625 flag is set to on under the Flags section on the Overview page.

               

Using Google Cloud CLI:

Enable the 3625 trace flag for the desired SQL Server instance using the following command

gcloud sql instances patch <INSTANCE_NAME> --database-flags "3625=on"

  1. If other flags are already set, include them in the command to avoid resetting them to default values.

Backout Plan:

Step 1: Revert to Previous Configuration

If enabling the 3625 flag causes issues, disable it by running:

gcloud sql instances patch <INSTANCE_NAME> --database-flags "3625=off"

Alternatively, use Cloud SQL Console to remove the flag.

Step 2: Restore from Backup (If Necessary)

  • If the issue persists, restore the Cloud SQL instance from a previously taken snapshot or backup.

Step 3: Validate Rollback Success

  • Run the audit steps again to confirm that 3625 is no longer enforced.

  • Ensure that applications are functioning normally.

Step 4: Document the Rollback

  • Update internal security policies and incident reports if necessary.

  • Schedule a follow-up test for enabling 3625 at a later time if security concerns persist.

References:

  1. Cloud SQL SQL Server Flags Documentation

  2. Microsoft Documentation: Trace Flag

Additional Information:

  • Configuring the 3625 flag will restart the SQL Server instance.

  • Some flag changes may affect instance stability or availability and may void the Cloud SQL SLA. Review Cloud SQL Operational Guidelines before making changes.

CIS Controls:

Control

Description

IG 1

IG 2

IG 3

4.1 Establish and Maintain a Secure Configuration Process

Establish and maintain secure configuration processes for enterprise assets and software, with annual reviews.

5.1 Establish Secure Configurations

Ensure documented, standardized security configurations are maintained for all operating systems and software.