Google CloudOverview
It is recommended to set external scripts enabled database flag for Cloud SQL SQL Server instance to off.
Rationale
external scripts enabled enable the execution of scripts with certain remote language extensions. This property is off by default. When Advanced Analytics Services is installed, setup can optionally set this property to true. The External Scripts Enabled feature allows scripts external to SQL such as files located in an R library to be executed, which could adversely affect the security of the system, hence this should be disabled. This recommendation is applicable to SQL Server database instances.
Impact
Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.
Remediation guidance
From Google Cloud Console
- Go to the
Cloud SQL Instancespage in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances - Select the SQL Server instance where the database flag needs to be enabled
- Click
Edit - Scroll down to the
Flagssection - To set a flag that has not been set on the instance before, click
Add item, choose the flagexternal scripts enabledfrom the drop-down menu, and set its value tooff - Click
Save - Confirm the changes under
Flagson theOverviewpage
Using Google Cloud CLI
Configure the external scripts enabled database flag for every Cloud SQL SQL Server database instance using the below command.
gcloud sql instances patch <instanceName> --database-flags "external scripts enabled=off"
Default Value
By default, external scripts enabled is set to off.
References
- https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15
- https://cloud.google.com/sql/docs/sqlserver/flags
- https://learn.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15
- https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79347
Additional information
WARNING: This patch modifies database flag values, which may require the instance to be restarted. Check the list of supported flags https://cloud.google.com/sql/docs/sqlserver/flags - to see if your instance will be restarted when this patch is submitted.
Note: Configuring the above flag restarts the Cloud SQL instance.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Google Cloud
Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "sqlserver"
cloudProvider: "gcp"
dbFlags_SOME: { name: "external scripts enabled",value: "on" }
}
) {
...AssetFragment
}
}
