Control: 6.3.7 Ensure 'contained database authentication' Database Flag for Cloud SQL SQL Server Instance Is Set to 'off'

Description

A contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed. Users can connect to the database without authenticating a login at the Database Engine level. Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server. Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators. Most of the threats are related to the USER WITH PASSWORD authentication process, which moves the authentication boundary from the Database Engine level to the database level, hence this is recommended not to enable this flag. This recommendation is applicable to SQL Server database instances.

When contained databases are enabled, database users with the ALTER ANY USER permission, such as members of the db_owner and db_accessadmin database roles, can grant access to databases and by doing so, grant access to the instance of SQL Server. This means that control over access to the server is no longer limited to members of the sysadmin and securityadmin fixed server role, and logins with the server level CONTROL SERVER and ALTER ANY LOGIN permission.

It is recommended to set contained database authentication database flag for Cloud SQL on the SQL Server instance to off.

Remediation

From Google Cloud Console

Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
Select the SQL Server instance for which you want to enable to database flag.
Click Edit.
Scroll down to the Flags section.
If the flag contained database authentication is present and its value is set to 'on', then change it to 'off'.
Click Save.
Confirm the changes under Flags on the Overview page.

From Google Cloud CLI

If any Cloud SQL for SQL Server instance has the database flag contained database authentication set to 'on', then change it to 'off' using the below command:

gcloud sql instances patch <INSTANCE_NAME> --database-flags "contained database authentication=off"

Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.cis_v400_6_3_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.cis_v400_6_3_7 --share

SQL

This control uses a named query:

select
  self_link resource,
  case
    when database_version not like 'SQLSERVER%' then 'skip'
    when database_flags @> '[{"name":"contained database authentication","value":"off"}]' then 'ok'
    else 'alarm'
  end as status,
  case
    when database_version not like 'SQLSERVER%'
      then title || ' not a SQL Server database.'
    when database_flags is null or not (database_flags @> '[{"name":"contained database authentication"}]')
      then title || ' ''contained database authentication'' not set.'
    when database_flags @> '[{"name":"contained database authentication","value":"off"}]'
      then title || ' ''contained database authentication'' database flag set to ''off''.'
    else title || ' ''contained database authentication'' database flag set to ''on''.'
  end as reason
  
  , location as location, project as project
from
  gcp_sql_database_instance;