STIGhubSTIGhub
STIGsRMF ControlsCompare
STIGhub— A free STIG search and compliance tool·STIGs updated 3 days ago
Powered by Pylon·Privacy·Terms·© 2026 Beacon Cloud Solutions, Inc.
← Back to Microsoft SQL Server 2022 Instance Security Technical Implementation Guide

V-274452

CAT II (Medium)

The SQL Server User Options feature must be disabled unless specifically required and approved.

Rule ID

SV-274452r1111123_rule

STIG

Microsoft SQL Server 2022 Instance Security Technical Implementation Guide

Version

V1R4

CCIs

CCI-000381

Discussion

SQL Server is capable of providing a wide range of features and services. Some of the features and services, provided by default, may not be necessary, and enabling them could adversely affect system security. The "user options" option specifies global defaults for all users. A list of default query processing options is established for the duration of a user's work session. The "user options" option enables changing the default values of the SET options (if the server's default settings are not appropriate).

Check Content

To determine if "User Options" option is enabled, execute the following query:
EXEC SP_CONFIGURE 'show advanced options', '1'; 
RECONFIGURE WITH OVERRIDE; 
EXEC SP_CONFIGURE 'user options'; 

If the value of "config_value" is "0", this is not a finding. 

If the value of "config_value" is "1", review the system documentation to determine whether the use of "user options" is required and authorized. If it is not authorized, this is a finding.

Fix Text

Disable use of or remove any external application executable object definitions that are not authorized. To disable the use of the "User Options" option, from the query prompt:
sp_configure 'show advanced options', 1;  
GO  
RECONFIGURE;  
GO  
sp_configure 'user options', 0;  
GO  
RECONFIGURE;  
GO