SQL Server must configure Customer Feedback and Error Reporting.

From MS SQL Server 2016 Instance Security Technical Implementation Guide

Part of SRG-APP-000516-DB-000363

Associated with: CCI-000366

SV-94019r1_rule SQL Server must configure Customer Feedback and Error Reporting.

Vulnerability discussion

By default, Microsoft SQL Server enables participation in the customer experience improvement program (CEIP). This program collects information about how its customers are using the product. Specifically, SQL Server collects information about the installation experience, feature usage, and performance. This information helps Microsoft improve the product to better meet customer needs.

Check content

Launch "Registry Editor".

Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\[InstanceId]\CPE
Review the following values: CustomerFeedback, EnableErrorReporting

Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\130
Review the following values: CustomerFeedback, EnableErrorReporting

If this is a classified system, and any of the above values are not zero (0), this is a finding.

If this is an unclassified system, review the server documentation to determine whether CEIP participation is authorized. If CEIP participation is not authorized, and any of the above values are one (1), this is a finding.
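The check above can be scripted so every instance on a host is reviewed the same way. The following PowerShell is an added example, not part of the STIG: it assumes instance IDs can be enumerated from the "Instance Names\SQL" key, the switch names are hypothetical, and a missing value is reported for manual review rather than judged.

```powershell
# Added example: audits the two values named in the check text for every instance.
param(
    [switch]$Classified,      # hypothetical switch: system is classified
    [switch]$CeipAuthorized   # hypothetical switch: documentation authorizes CEIP
)

$root   = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$values = 'CustomerFeedback', 'EnableErrorReporting'

# Keys to review: the shared 130 key plus one CPE key per instance ID.
# Assumption: "Instance Names\SQL" maps each instance name to its [InstanceId].
$keys = @("$root\130")
$namesKey = "$root\Instance Names\SQL"
if (Test-Path $namesKey) {
    $item = Get-Item $namesKey
    foreach ($name in $item.GetValueNames()) {
        $keys += "$root\$($item.GetValue($name))\CPE"
    }
}

$results = foreach ($key in $keys) {
    foreach ($v in $values) {
        $data = $null
        if (Test-Path $key) {
            $data = (Get-ItemProperty -Path $key -Name $v -ErrorAction SilentlyContinue).$v
        }
        if ($null -eq $data) {
            $status = 'Review'          # value absent: the check text gives no verdict
        } elseif ($Classified) {
            # Classified system: any non-zero value is a finding.
            $status = if ($data -ne 0) { 'Finding' } else { 'OK' }
        } elseif ($CeipAuthorized) {
            $status = 'OK'              # unclassified and participation is authorized
        } else {
            # Unclassified, not authorized: a value of one (1) is a finding.
            $status = if ($data -eq 1) { 'Finding' } else { 'OK' }
        }
        [pscustomobject]@{ Key = $key; Value = $v; Data = $data; Status = $status }
    }
}

$results | Format-Table -AutoSize
if ($results.Status -contains 'Finding') { exit 1 }
```

Run it from an elevated 64-bit PowerShell session on the database host; a non-zero exit code means at least one value is a finding under the selected mode.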

Fix text

To disable participation in the CEIP program, change the value of the following registry keys to zero (0). To enable participation in the CEIP program, change the value of the following registry keys to one (1).

HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\[InstanceId]\CPE\CustomerFeedback
HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\[InstanceId]\CPE\EnableErrorReporting
HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\130\CustomerFeedback
HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\130\EnableErrorReporting
