SQL Server Trace Flag Should Be Off
More Info:
Microsoft SQL Trace Flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to address behavior that is negatively impacting a specific workload. All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed. 3625(trace log) Limits the amount of information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using ’******’. Setting this in a Google Cloud flag for the instance allows for security through obscurity and prevents the disclosure of sensitive information, hence this is recommended to set this flag globally to off to prevent the flag having been left on, or turned on by bad actors. This recommendation is applicable to SQL Server database instances.Risk Level
LowAddress
Reliability, SecurityCompliance Standards
CISGCP, CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the SQL Server Trace Flag misconfiguration on GCP using the GCP Console, follow these steps:
- Log in to the GCP Console and navigate to the Cloud SQL instances page.
- Select the instance that you want to remediate.
- Click on the “Edit” button at the top of the page.
- Scroll down to the “Flags” section.
- Look for the trace flag that needs to be turned off and click on the “X” icon to remove it.
- Click on the “Save” button at the bottom of the page to apply the changes.
Using CLI
Using CLI
To remediate the SQL Server Trace Flag misconfiguration on GCP using GCP CLI, follow these steps:Note: Replace “trace#” with the number of the trace flag that needs to be turned off.
- Open the Cloud Shell in the GCP Console.
- Run the following command to authenticate and set the default project:
- Run the following command to list all the instances in your project:
- Identify the instance that has the SQL Server Trace Flag misconfiguration.
- SSH into the instance by running the following command:
- Once you are logged in to the instance, connect to the SQL Server instance and run the following command to turn off the Trace Flag:
- Verify that the Trace Flag has been turned off by running the following command:
- Exit the SQL Server instance and the SSH session by typing “exit” in the terminal.
- Verify that the misconfiguration has been remediated by running a security scan or by checking the compliance status of the instance.
Using Python
Using Python
To remediate the SQL Server Trace Flag misconfiguration in GCP using Python, you can follow the below steps:Step 1: Connect to the SQL Server instance using the pyodbc library.Step 2: Check the current status of the Trace Flag using the below query:Step 3: If the Trace Flag status is ‘1’, then it is enabled. To disable it, execute the below query:Step 4: Finally, verify that the Trace Flag is disabled by running the query in Step 2 again.This should remediate the SQL Server Trace Flag misconfiguration in GCP using Python.