Ensure that the "contained database authentication" database flag is disabled for your Google Cloud SQL Server database instances.
Setting the "contained database authentication" SQL Server engine flag to Off prevents any database on the server from being contained. This is important because users within a contained database who have the ALTER ANY USER permission can grant access to the database without the knowledge or permission of the SQL Server administrator. Misconfigured contained databases are also prone to Denial of Service (DoS) attacks.
Note: Some database flag settings can affect instance availability and/or stability, and eventually remove the SQL Server instance from the Google Cloud SQL Service Level Agreement (SLA).
To determine if the "contained database authentication" flag is disabled for your Cloud SQL Server database instances, perform the following actions:
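One way to script this check, as an added example that is not part of the original page: it classifies each SQL Server instance from the JSON printed by `gcloud sql instances list --format=json`. The instance names and the embedded sample are constructed, and a missing flag is reported separately as NOT_SET rather than assumed to be Off.

```python
import json
import sys

FLAG = "contained database authentication"

# Constructed sample shaped like `gcloud sql instances list --format=json` output.
SAMPLE = json.loads("""
[
  {"name": "sqlserver-prod", "databaseVersion": "SQLSERVER_2019_STANDARD",
   "settings": {"databaseFlags": [
       {"name": "contained database authentication", "value": "off"}]}},
  {"name": "sqlserver-dev", "databaseVersion": "SQLSERVER_2017_EXPRESS",
   "settings": {"databaseFlags": [
       {"name": "contained database authentication", "value": "on"}]}},
  {"name": "sqlserver-legacy", "databaseVersion": "SQLSERVER_2017_WEB",
   "settings": {"databaseFlags": [{"name": "remote access", "value": "off"}]}},
  {"name": "sqlserver-noflags", "databaseVersion": "SQLSERVER_2019_WEB",
   "settings": {}},
  {"name": "pg-analytics", "databaseVersion": "POSTGRES_14",
   "settings": {"databaseFlags": []}}
]
""")


def audit(instances):
    """Return {instance name: status} for SQL Server instances only."""
    results = {}
    for inst in instances:
        # Other engines (MySQL, PostgreSQL) do not have this flag; skip them.
        if not inst.get("databaseVersion", "").startswith("SQLSERVER"):
            continue
        flags = inst.get("settings", {}).get("databaseFlags") or []
        value = next((f.get("value", "") for f in flags
                      if f.get("name") == FLAG), None)
        if value is None:
            status = "NOT_SET"        # flag absent: not explicitly configured
        elif value.strip().lower() == "off":
            status = "COMPLIANT"
        else:
            status = "NON_COMPLIANT"  # "on" or any unexpected value
        results[inst["name"]] = status
    return results


if __name__ == "__main__":
    # Pass a file holding the gcloud JSON output, or run with no argument
    # to audit the constructed sample above.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, status in sorted(audit(data).items()):
        print(f"{status:14} {name}")
```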
Remediation / Resolution
To turn off the "contained database authentication" database flag for your Google Cloud Platform (GCP) SQL Server database instances, perform the following actions:
You are auditing:
Disable "Contained Database Authentication" Flag for SQL Server Database Instances
Risk level: Medium