SQL Server execute permissions to access the registry must be revoked, unless specifically required and approved.

From MS SQL Server 2016 Instance Security Technical Implementation Guide

Part of SRG-APP-000141-DB-000093

Associated with: CCI-000381

SV-94033r1_rule SQL Server execute permissions to access the registry must be revoked, unless specifically required and approved.

Vulnerability discussion

Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. Applications must adhere to the principles of least functionality by providing only essential capabilities.SQL Server may spawn additional external processes to execute procedures that are defined in the SQL Server but stored in external host files (external procedures). The spawned process used to execute the external procedure may operate within a different OS security context than SQL Server and provide unauthorized access to the host system.The registry contains sensitive information, including password hashes as well as clear text passwords. Registry extended stored procedures allow Microsoft SQL Server to access the machine's registry. The sensitivity of these procedures are exacerbated if Microsoft SQL Server is run under the Windows account LocalSystem. LocalSystem can read and write nearly all values in the registry, even those not accessible by the Administrator. Unlike the xp_cmdshell extended stored procedure, which runs under a separate context if executed by a login not in the sysadmin role, the registry extended stored procedures always execute under the security context of the MSSQLServer service. Because the sensitive information is stored in the registry, it is essential that access to that information be properly guarded.

Check content

Registry extended stored procedures allow Microsoft SQL Server to read, write, and enumerate values and keys in the registry. They are used by Enterprise Manager to configure the server. This rule checks that the permissions to execute registry extended stored procedures have been revoked from all users (other than dbo). SELECT OBJECT_NAME(major_id) AS [Stored Procedure] ,dpr.NAME AS [Principal] FROM sys.database_permissions AS dp INNER JOIN sys.database_principals AS dpr ON dp.grantee_principal_id = dpr.principal_id WHERE major_id IN (  OBJECT_ID('xp_regaddmultistring')  ,OBJECT_ID('xp_regdeletekey')  ,OBJECT_ID('xp_regdeletevalue')  ,OBJECT_ID('xp_regenumvalues')  ,OBJECT_ID('xp_regenumkeys')  ,OBJECT_ID('xp_regread')  ,OBJECT_ID('xp_regremovemultistring')  ,OBJECT_ID('xp_regwrite')  ,OBJECT_ID('xp_instance_regaddmultistring')  ,OBJECT_ID('xp_instance_regdeletekey')  ,OBJECT_ID('xp_instance_regdeletevalue')  ,OBJECT_ID('xp_instance_regenumkeys')  ,OBJECT_ID('xp_instance_regenumvalues')  ,OBJECT_ID('xp_instance_regread')  ,OBJECT_ID('xp_instance_regremovemultistring')  ,OBJECT_ID('xp_instance_regwrite')  ) AND dp.[type] = 'EX' ORDER BY dpr.NAME; If any records are returned, review the system documentation to determine whether the accessing of the registry via  extended stored procedures are required and authorized. If it is not authorized, this is a finding.

Fix text

Remove execute permissions to any registry extended stored procedure from all users (other than dbo). USE master GO REVOKE EXECUTE ON [xp_regread] FROM public GO

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer