More Info:

Microsoft SQL Trace Flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to address behavior that is negatively impacting a specific workload. All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed. 3625(trace log) Limits the amount of information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using ’******’. Setting this in a Google Cloud flag for the instance allows for security through obscurity and prevents the disclosure of sensitive information, hence this is recommended to set this flag globally to off to prevent the flag having been left on, or turned on by bad actors. This recommendation is applicable to SQL Server database instances.

Risk Level

Low

Address

Reliability, Security

Compliance Standards

CISGCP, CBP

Triage and Remediation

Remediation

Using Console

To remediate the SQL Server Trace Flag misconfiguration on GCP using the GCP Console, follow these steps:
  1. Log in to the GCP Console and navigate to the Cloud SQL instances page.
  2. Select the instance that you want to remediate.
  3. Click on the “Edit” button at the top of the page.
  4. Scroll down to the “Flags” section.
  5. Look for the trace flag that needs to be turned off and click on the “X” icon to remove it.
  6. Click on the “Save” button at the bottom of the page to apply the changes.
Once the changes are saved, the SQL Server Trace Flag will be turned off, and the misconfiguration will be remediated.

To remediate the SQL Server Trace Flag misconfiguration on GCP using GCP CLI, follow these steps:
  1. Open the Cloud Shell in the GCP Console.
  2. Run the following command to authenticate and set the default project:
gcloud auth login
gcloud config set project [PROJECT_ID]
  1. Run the following command to list all the instances in your project:
gcloud compute instances list
  1. Identify the instance that has the SQL Server Trace Flag misconfiguration.
  2. SSH into the instance by running the following command:
gcloud compute ssh [INSTANCE_NAME]
  1. Once you are logged in to the instance, connect to the SQL Server instance and run the following command to turn off the Trace Flag:
DBCC TRACEOFF (trace#)
Note: Replace “trace#” with the number of the trace flag that needs to be turned off.
  1. Verify that the Trace Flag has been turned off by running the following command:
DBCC TRACESTATUS
  1. Exit the SQL Server instance and the SSH session by typing “exit” in the terminal.
  2. Verify that the misconfiguration has been remediated by running a security scan or by checking the compliance status of the instance.
Congratulations! You have successfully remediated the SQL Server Trace Flag misconfiguration on GCP using GCP CLI.
To remediate the SQL Server Trace Flag misconfiguration in GCP using Python, you can follow the below steps:Step 1: Connect to the SQL Server instance using the pyodbc library.
import pyodbc
server = '<your_server_name>.database.windows.net'
database = '<your_database_name>'
username = '<your_username>'
password = '<your_password>'
driver= '{ODBC Driver 17 for SQL Server}'
cnxn = pyodbc.connect('DRIVER='+driver+';SERVER='+server+';PORT=1433;DATABASE='+database+';UID='+username+';PWD='+ password)
Step 2: Check the current status of the Trace Flag using the below query:
cursor = cnxn.cursor()
cursor.execute("DBCC TRACESTATUS(-1)")
row = cursor.fetchone()
print("Trace Flag Status:", row[1])
Step 3: If the Trace Flag status is ‘1’, then it is enabled. To disable it, execute the below query:
cursor.execute("DBCC TRACEOFF(1222,-1)")
cnxn.commit()
Step 4: Finally, verify that the Trace Flag is disabled by running the query in Step 2 again.
cursor.execute("DBCC TRACESTATUS(-1)")
row = cursor.fetchone()
print("Trace Flag Status:", row[1])
This should remediate the SQL Server Trace Flag misconfiguration in GCP using Python.

Additional Reading: