Filestream must be disabled, unless specifically required and approved.

From MS SQL Server 2016 Instance Security Technical Implementation Guide

Part of SRG-APP-000141-DB-000093

Associated with: CCI-000381

SV-94035r1_rule Filestream must be disabled, unless specifically required and approved.

Vulnerability discussion

Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. Applications must adhere to the principles of least functionality by providing only essential capabilities.The most significant potential for attacking an instance is through the use of features that expose an external interface or ad hoc execution capability. FILESTREAM integrates the SQL Server Database Engine with an NTFS file system by storing varbinary(max) binary large object (BLOB) data as files on the file system. Transact-SQL statements can insert, update, query, search, and back up FILESTREAM data.

Check content

Review the system documentation to see if FileStream is in use.  If in use authorized, this is not a finding.   If FileStream is not documented as being authorized, execute the following query. DECLARE @EnableLevel INT EXEC master.dbo.Xp_instance_regread  N'HKEY_LOCAL_MACHINE',  N'Software\Microsoft\MSSQLServer\MSSQLServer\Filestream',  N'EnableLevel',  @EnableLevel output SELECT CASE         WHEN @EnableLevel = 0 THEN 'No'   ELSE 'Yes'       END AS FileStreamEnabled; If the above query returns "Yes" in the "FileStreamEnabled" field, this is a finding. This rule checks that Filestream SQL specific option is disabled. SELECT CASE         WHEN EXISTS (SELECT *                      FROM sys.configurations                      WHERE Name = 'filestream access level'                             AND Cast(value AS INT) = 0) THEN 'No'         ELSE 'Yes'       END AS TSQLFileStreamAccess; If the above query returns "Yes" in the "FileStreamEnabled" field, this is a finding.

Fix text

Disable the use of Filestream. 1. Delete all FILESTREAM columns from all tables. ALTER TABLE DROP COLUMN 2. Disassociate tables from the FILESTREAM filegroups. ALTER TABLE SET (FILESTREAM_ON = 'NULL' 3. Remove all FILESTREAM data containers. ALTER DATABASE REMOVE FILE 4. Remove all FILESTREAM filegroups. ALTER DATABASE REMOVE FILEGROUP . 5. Disable FILESTREAM. EXEC sp_configure filestream_access_level, 0 RECONFIGURE 6. Restart the SQL Service

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer