
Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0'

Description

The cross db ownership chaining option controls cross-database ownership chaining across all databases at the instance (or server) level.

Rationale

When enabled, this option allows a member of the db_owner role in one database to gain access to objects owned by a login in any other database, causing unnecessary information disclosure. Where cross-database ownership chaining is genuinely required, enable it only for the specific databases that need it, using the ALTER DATABASE <database_name> SET DB_CHAINING ON command, rather than at the instance level for all databases. This database option cannot be changed on the master, model, or tempdb system databases.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                       Value
secureclouddb/provider    aws
secureclouddb/service     rds
secureclouddb/engine      sqlserver

Default Rule

const { checkServerSetting } = module
/**
 * Checks that the instance-level 'cross db ownership chaining' option is 0.
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true if 'cross db ownership chaining' is set to 0
 */
function validate(databaseSettings) {
    // checkServerSetting compares the named server configuration option against the expected value
    const success = checkServerSetting(databaseSettings, 'cross db ownership chaining', "0")

    return {
        success,
    }
}

validate(databaseSettings)
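The following is an added example, not the SecureCloudDB rule above nor its `checkServerSetting` helper: it performs the same instance-level check on rows shaped like `sys.configurations` output, also compares the pending value against the value in use, and lists the user databases that rely on the recommended per-database DB_CHAINING scope. The row shapes and the `auditCrossDbChaining` function are assumptions for this illustration.

```javascript
// Added example (not the SecureCloudDB rule code): audit the instance-level
// 'cross db ownership chaining' option and list databases that use the
// per-database DB_CHAINING setting instead. Rows are constructed to mirror
// SELECT name, value, value_in_use FROM sys.configurations and
// SELECT name, is_db_chaining_on FROM sys.databases.
const SYSTEM_DBS = new Set(['master', 'model', 'tempdb']); // DB_CHAINING fixed here

// Drivers may return the value as a number or numeric string; normalise to int.
function asInt(v) {
  const n = typeof v === 'number' ? v : parseInt(String(v).trim(), 10);
  return Number.isNaN(n) ? null : n;
}

function auditCrossDbChaining(configRows, databaseRows) {
  const row = configRows.find(
    (r) => r.name.toLowerCase() === 'cross db ownership chaining'
  );
  if (!row) return { success: false, chainedDbs: [], reason: 'option not found' };

  // Check both columns: a change made with sp_configure but not yet applied
  // with RECONFIGURE leaves value and value_in_use different; either being
  // non-zero is a finding.
  const configured = asInt(row.value);
  const inUse = asInt(row.value_in_use);
  const instanceOff = configured === 0 && inUse === 0;

  // User databases that rely on the recommended per-database scope.
  const chainedDbs = databaseRows
    .filter((d) => d.is_db_chaining_on && !SYSTEM_DBS.has(d.name))
    .map((d) => d.name);

  return {
    success: instanceOff,
    configured,
    inUse,
    chainedDbs,
    reason: instanceOff ? null
      : `instance-level value ${configured} (in use: ${inUse}); use DB_CHAINING per database`,
  };
}

// Constructed sample rows: configured back to 0, but the old 1 is still in use.
const sampleConfig = [{ name: 'cross db ownership chaining', value: '0', value_in_use: '1' }];
const sampleDbs = [
  { name: 'master', is_db_chaining_on: true },
  { name: 'Sales', is_db_chaining_on: true },
  { name: 'HR', is_db_chaining_on: false },
];
const result = auditCrossDbChaining(sampleConfig, sampleDbs);
```

With the constructed rows the audit fails because the running value is still 1, and reports `Sales` as the only user database using per-database chaining.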