More Info:

Microsoft SQL Server trace flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to address behavior that is negatively impacting a specific workload. All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed.

Trace flag 3625 (trace log) limits the amount of information returned to users who are not members of the sysadmin fixed server role by masking the parameters of some error messages with '******'. Setting this in a Google Cloud flag for the instance allows for security through obscurity and prevents the disclosure of sensitive information. It is therefore recommended to set this flag globally to off, so that it is not left on or turned on by bad actors. This recommendation applies to SQL Server database instances.

Risk Level

Low

Address

Reliability, Security

Compliance Standards

CISGCP, CBP

Triage and Remediation

Remediation

To remediate the SQL Server Trace Flag misconfiguration on GCP using the GCP Console, follow these steps:

  1. Log in to the GCP Console and navigate to the Cloud SQL instances page.
  2. Select the instance that you want to remediate.
  3. Click on the “Edit” button at the top of the page.
  4. Scroll down to the “Flags” section.
  5. Look for the trace flag that needs to be turned off and click on the “X” icon to remove it.
  6. Click on the “Save” button at the bottom of the page to apply the changes.

Once the changes are saved, the SQL Server Trace Flag will be turned off, and the misconfiguration will be remediated.
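The same check and fix can be scripted across many instances. The following is an added example, not part of the original page: it audits output shaped like `gcloud sql instances list --format=json` for SQL Server instances with flag 3625 set to on, and builds a `gcloud sql instances patch` command that removes the flag, as in step 5. The instance names and the sample data are constructed.

```python
import json
import shlex

# Constructed sample, shaped like `gcloud sql instances list --format=json` output.
SAMPLE = json.loads("""
[
  {"name": "sql-prod-01", "databaseVersion": "SQLSERVER_2019_STANDARD",
   "settings": {"databaseFlags": [
     {"name": "3625", "value": "on"},
     {"name": "remote access", "value": "off"}]}},
  {"name": "sql-dev-02", "databaseVersion": "SQLSERVER_2017_EXPRESS",
   "settings": {"databaseFlags": [{"name": "3625", "value": "on"}]}},
  {"name": "sql-ok-03", "databaseVersion": "SQLSERVER_2019_WEB",
   "settings": {"databaseFlags": [{"name": "3625", "value": "off"}]}},
  {"name": "pg-04", "databaseVersion": "POSTGRES_15", "settings": {}}
]
""")

TRACE_FLAG = "3625"


def find_noncompliant(instances):
    """Return names of SQL Server instances that have trace flag 3625 set to on."""
    hits = []
    for inst in instances:
        if not inst.get("databaseVersion", "").startswith("SQLSERVER"):
            continue  # the recommendation only applies to SQL Server
        flags = inst.get("settings", {}).get("databaseFlags") or []
        if any(f["name"] == TRACE_FLAG and f.get("value", "").lower() == "on" for f in flags):
            hits.append(inst["name"])
    return hits


def remediation_command(inst):
    """Build the gcloud patch command that removes 3625 and keeps every other flag.

    --database-flags replaces the whole flag set, so the remaining flags
    must be passed again or they are reset to their defaults.
    """
    flags = inst.get("settings", {}).get("databaseFlags") or []
    keep = [f"{f['name']}={f['value']}" for f in flags if f["name"] != TRACE_FLAG]
    args = ["gcloud", "sql", "instances", "patch", inst["name"]]
    args.append("--database-flags=" + ",".join(keep) if keep else "--clear-database-flags")
    return shlex.join(args)


if __name__ == "__main__":
    bad = set(find_noncompliant(SAMPLE))
    for inst in SAMPLE:
        if inst["name"] in bad:
            print(remediation_command(inst))
```

Review the generated command before running it, since any flag omitted from `--database-flags` is reset to its default value.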
