Security Audit requires turning Remote Access off on all SQL 2005 and SQL 2008 Servers

  • The Remote Access configuration in sys.configurations defaults to 1 (enabled). Unfortunately, not every server was built with this configuration disabled. Due to an audit, we are now charged with disabling this option on all SQL servers OR leaving it enabled where needed and creating an exception rule stating the functionality that the server needs this option turned on for.

    So here is the question: Does anyone concretely know exactly which commands to trace for on a server to see if remote access is officially needed, or is there another way to find this out? Again: Find out IF Remote Access is needed and IF it IS needed on a server, what functionalities.

    I have also checked BOL, but the actual descriptions of what this is needed or not needed for are lacking substance. We have to disable this on production systems based on regulatory audits, so simply disabling Remote Access and waiting to see who screams is not an option (nor should it ever be). All the posts on here and other forums state that this messes with RPC calls, but that is not the case on the servers we did already disable this on. I have also seen that this option needs to remain enabled on servers working as the subscriber or publisher in replication.

    This is a great option for the experts, so that is why I am humbly posting this to the forum and the many experts here.

    Thank you all for any help or guidance.

  • Are you talking about the ability to RDP to a server or SQL Server being able to accept remote connections (like from an application)?

  • No. I am talking about SQL System Configurations (e.g. SP_CONFIGURE 'REMOTE ACCESS'). Default value is 1 (on) and we now need to set it to 0 (off).

  • tpalmer (6/14/2012)


    No. I am talking about SQL System Configurations (e.g. SP_CONFIGURE 'REMOTE ACCESS'). Default value is 1 (on) and we now need to set it to 0 (off).

    Dumb question, what good is SQL Server if no one can access/update the data stored in the databases?

  • Lynn Pettis (6/14/2012)


    tpalmer (6/14/2012)


    No. I am talking about SQL System Configurations (e.g. SP_CONFIGURE 'REMOTE ACCESS'). Default value is 1 (on) and we now need to set it to 0 (off).

    Dumb question, what good is SQL Server if no one can access/update the data stored in the databases?

    Okay, little more research and Remote Access refers to this:

    Use the remote access option to control the execution of stored procedures from local or remote servers on which instances of Microsoft SQL Server are running. Set remote access to 1 (default) to grant permission to run local stored procedures from remote servers or remote stored procedures from the local server. Set the option to 0 to prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server.

  • This is off for all of our new servers. This is on for all servers that we either acquired or were built prior to policy to set the option to OFF by default. Turning this option off does not disable RPC, but it does limit other types of remote calls (from what I can find this restricts remote execution of stored procedures that are not using linked servers). This entire option is for backward compatibility and will not be part of future SQL Server builds.
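
A read-only inventory for building the per-server exception list, added here as an example and not posted by anyone in the thread. It assumes, following the last post's point about remote procedure execution that does not use linked servers, that the places to look are servers registered the old way with sp_addserver and their remote login mappings; it uses only the standard catalog views available since SQL Server 2005.

```sql
-- Added example: run on each instance; nothing here changes configuration.

-- 1. Current state of the option. "value" is the configured value,
--    "value_in_use" is what the running instance is actually using.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'remote access';

-- 2. Servers registered as legacy remote servers (is_linked = 0) rather than
--    as linked servers. server_id 0 is the local instance, so it is excluded.
--    The replication flags show whether an entry belongs to a replication
--    topology, which the original post names as a case to keep enabled.
SELECT s.server_id,
       s.name,
       s.is_remote_login_enabled,
       s.is_rpc_out_enabled,
       s.is_publisher,
       s.is_subscriber,
       s.is_distributor,
       s.modify_date
FROM sys.servers AS s
WHERE s.is_linked = 0
  AND s.server_id <> 0;

-- 3. Remote login mappings (created with sp_addremotelogin) and the local
--    login each one maps to, if any.
SELECT s.name          AS remote_server,
       rl.remote_name  AS remote_login,
       sp.name         AS local_login,
       rl.modify_date
FROM sys.remote_logins AS rl
JOIN sys.servers AS s
  ON s.server_id = rl.server_id
LEFT JOIN sys.server_principals AS sp
  ON sp.principal_id = rl.local_principal_id;
```

Rows returned by queries 2 and 3 are candidates to review with the owning application team before setting the option to 0; they show what is registered, not what is actively called.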
