SQL Server database instance ‘contained database authentication’ database flag should be set to ‘off’

Description

The SQL Server database instance flag ‘contained database authentication’ controls whether a database is contained. Users can connect to a contained database without authenticating at the Database Engine level. Contained databases have some unique security threats mostly related with the USER WITH PASSWORD authentication process, which moves the authentication boundary from the Database Engine level to the database level. For this reason this flag should be set to off.

Remediation Steps

Google Cloud Console

• Navigate to Cloud SQL instances.

• Click on the Cloud SQL SQL Server database instance name to go to the Overview page.

• Click EDIT and scroll down to the Flags section.

• Select ADD FLAG, choose the contained database authentication flag, and set it off.

• Click DONE.

gcloud CLI

• Set the contained database authentication database flag to off for each Cloud SQL SQL Server database instance:

  • gcloud sql instances patch INSTANCE_NAME --database-flags "contained database authentication=off"

Documentation Links

Runtime

• SQL Server contained database authentication Server Configuration Option

• Cloud SQL configuring database flags

• CLI: gcloud sql instances patch