More Info:
The remote access option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running. The default value for this option is 1, which grants permission to run local stored procedures from remote servers or remote stored procedures from the local server. To prevent local stored procedures from being run from a remote server, or remote stored procedures from being run on the local server, this option must be disabled. ‘Remote access’ functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, hence it should be disabled. This recommendation is applicable to SQL Server database instances.
Risk Level
Low
Address
Reliability, Security
Compliance Standards
CISGCP, CBP
Triage and Remediation
Remediation
Using Console
To remediate the “SQL Server Remote Access Flag Should Be Off” misconfiguration for GCP using the GCP console, you can follow these steps:
- Log in to the GCP console and select the project that contains the SQL Server instance.
- Navigate to the Cloud SQL instances page and select the instance that you want to remediate.
- Click on the “Edit” button to edit the instance configuration.
- Scroll down to the “Authorization” section and ensure that the “Allow only SSL connections” option is selected.
- Under the “Authorized networks” section, ensure that only the necessary IP addresses or ranges are listed.
- Scroll down to the “Flags” section and ensure that the “remote access” flag is set to “off”.
- Click on the “Save” button to save the changes.
- Verify that the misconfiguration has been remediated by running a vulnerability scan or security audit on the SQL Server instance.
Using CLI
The SQL Server Remote Access Flag should be turned off to ensure that the data is not deleted accidentally. To remediate this issue in GCP using GCP CLI, follow these steps:
- Open the Cloud Shell in the GCP Console.
- Run the following command to list all the SQL instances in the project:
- Identify the instance that has the Remote Access Flag turned on.
- Run the following command to update the instance configuration:
Note: Replace [INSTANCE_NAME] with the name of the instance that has the Remote Access Flag turned on.
- Verify that the Remote Access Flag has been turned off by running the following command:
Note: Replace [INSTANCE_NAME] with the name of the instance that has been updated.
- Check the configuration settings to ensure that the Remote Access Flag is set to off.
Using Python
To remediate the SQL Server Remote Access Flag Should Be Off misconfiguration for GCP using Python, you can follow the below steps:
- First, you need to authenticate to the GCP project using the Google Cloud SDK. You can use the below command to authenticate:
- Next, you need to install the google-cloud-sql Python library. You can use the below command to install:
- Once the library is installed, you can use the below Python code to remediate the misconfiguration:
In the above code, you need to replace project_id, instance_id, database_id, and path/to/service_account.json with the actual values for your GCP project, SQL instance, database, and service account file path respectively.
This code will check if the remote access flag is set to true for the database and if it is, it will update the flag to false. If the flag is already false, it will print a message saying that the flag is already turned off.
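The audit-and-remediate logic of the procedures above, as an added example that is not code from the original page and does not use the google-cloud-sql library it names. It runs over a constructed sample of `gcloud sql instances list --format=json` output; the instance and project names are made up, and `remote access` is assumed to be the Cloud SQL database flag name for this option.

```python
import json

# Constructed sample of `gcloud sql instances list --format=json` output (not real data).
SAMPLE_INSTANCES = json.loads("""
[
  {"name": "erp-sql", "project": "demo-project", "databaseVersion": "SQLSERVER_2019_STANDARD",
   "settings": {"databaseFlags": [{"name": "remote access", "value": "on"},
                                  {"name": "cross db ownership chaining", "value": "off"}]}},
  {"name": "hr-sql", "project": "demo-project", "databaseVersion": "SQLSERVER_2017_WEB",
   "settings": {}},
  {"name": "ok-sql", "project": "demo-project", "databaseVersion": "SQLSERVER_2019_EXPRESS",
   "settings": {"databaseFlags": [{"name": "remote access", "value": "off"}]}},
  {"name": "pg-app", "project": "demo-project", "databaseVersion": "POSTGRES_14",
   "settings": {"databaseFlags": []}}
]
""")

FLAG = "remote access"  # assumed Cloud SQL flag name for the option described above

def current_flags(instance):
    """Return the instance's database flags as a {name: value} dict."""
    flags = instance.get("settings", {}).get("databaseFlags") or []
    return {f["name"]: f["value"] for f in flags}

def is_noncompliant(instance):
    """True for a SQL Server instance whose flag is unset (default 1) or not 'off'."""
    if not instance.get("databaseVersion", "").startswith("SQLSERVER"):
        return False  # the recommendation applies to SQL Server instances only
    return current_flags(instance).get(FLAG, "").lower() != "off"

def patch_command(instance):
    """Build the gcloud argv that turns the flag off while keeping other flags."""
    flags = current_flags(instance)
    flags[FLAG] = "off"
    # --database-flags replaces the whole flag set, so every existing flag is re-sent.
    flag_arg = ",".join(f"{k}={v}" for k, v in sorted(flags.items()))
    return ["gcloud", "sql", "instances", "patch", instance["name"],
            "--project", instance["project"], f"--database-flags={flag_arg}"]

def audit(instances):
    """Map each non-compliant instance name to its remediation command."""
    return {i["name"]: patch_command(i) for i in instances if is_noncompliant(i)}

if __name__ == "__main__":
    for name, argv in audit(SAMPLE_INSTANCES).items():
        print(name, "->", argv)
```

Because the patch replaces the full flag set, the generated command re-sends every flag already configured on the instance, so fixing this finding does not silently reset other hardening flags.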