From MS SQL Server 2016 Instance Security Technical Implementation Guide
Part of SRG-APP-000141-DB-000093
Associated with: CCI-000381
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Extended stored procedures are DLLs that an instance of SQL Server can dynamically load and run. Extended stored procedures run directly in the address space of an instance of SQL Server and are programmed by using the SQL Server Extended Stored Procedure API. Non-Standard extended stored procedures can compromise the integrity of the SQL Server process. This feature will be removed in a future version of Microsoft SQL Server. Do not use this feature in new development work, and modify applications that currently use this feature as soon as possible. To determine if non-standard extended, stored procedures exist, run the following: SELECT * FROM sys.objects O LEFT OUTER JOIN sys.extended_properties E ON O.object_id = E.major_id WHERE O.name IS NOT NULL AND ISNULL(O.is_ms_shipped, 0) = 0 AND O.type_desc = 'SQL_STORED_PROCEDURE' ORDER BY O.name If any records are returned, review the system documentation to determine whether the use of Non-Standard extended stored procedures are required and approved. If it is not approved, this is a finding.
Remove any Non-Standard extended stored procedures that are not documented and approved. sp_dropextendedproc 'proc name'
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer