000033344 - Hardening SQL Server – which extended stored procedures (xp) are safe to disable in RSA ECAT?

Document created by RSA Customer Support Employee on Aug 4, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000033344
Applies ToRSA Product Set: ECAT
RSA Product/Service Type: ECAT
RSA Version/Condition: 4.1.x
Platform: Windows
Platform (Other): MSSQL Server
Product Name: ECAT
 
IssueIn certain environments it is requested that any extended stored procedures should be disabled.
Web link resources for more information:
Extended Stored Procedures should not be enabled as good practice. In Centre for Internet Security (CIS) Benchmark for SQL Server 2008r2 and 2012, for the Extended Stored Procedures listed, the recommendation is for those stored procedures to be disabled.
Source: https://labs.portcullis.co.uk/blog/ms-sql-server-audit-extended-stored-procedures-table-privileges/

An extended stored procedure (xp) is a dynamic link library that runs directly in the address space of SQL Server. You can run extended stored procedures as normal stored procedures. Extended stored procedures are used to extend the capabilities of SQL Server. You can take advantage of the many extended stored procedures that come with SQL Server, or you can write your own.
Source: http://www.sswug.org/alexanderchigrik/sql-server/undocumented-sql-server-2012-extended-stored-procedures-part-2/
A specific question regarding the stored procedure called:
 xp_cmdshell extended

 
Resolution

There are two types of stored procedures.
Extended Stored Procedures (external DLL loading)
https://technet.microsoft.com/en-us/library/ms175200(v=sql.105).aspx
and CRL integration.
ECAT does not use the former, however it does use CRL integration.
Which should not be disabled.
So the former can be disabled. (including the xp_cmdshell extended store procedure) without any effect on ECAT.

Attachments

    Outcomes