Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

Microsoft SQL Server 2005 Instance Security Technical Implementation Guide

  • Version/Release: V8R1.9
  • Published: 2015-06-16
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

The Microsoft SQL Server 2005 Instance Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
a
Database executable and configuration files should be monitored for unauthorized modifications.
Low - V-2420 - SV-24121r1_rule
RMF Control
Severity
Low
CCI
Version
DG0010-SQLServer9
Vuln IDs
  • V-2420
Rule IDs
  • SV-24121r1_rule
Changes to files in the DBMS software directory including executable, configuration, script, or batch files can indicate malicious compromise of the software files. Changes to non-executable files, such as log files and data files, do not usually reflect unauthorized changes, but are modified by the DBMS as part of normal operation. These modifications can be ignored.Information Assurance OfficerDCSL-1
Checks: C-1792r1_chk

Ask the DBA to describe/demonstrate any software modification detection procedures in place and request documents of these procedures to review. If procedures exist that include review of the database software directories and database application directories, this is Not a Finding. Verify by reviewing reports for inclusion of the DBMS executable and configuration files: Sample Questions: What procedures/software do you have in place to detect unauthorized modification to application files? Are the database application software files including both the SQL Server and third party files scanned for modification? Do you scan for modifications to the configuration files?

Fix: F-20146r1_fix

Establish and implement procedures to monitor any changes made to the database software. Identify all database files and directories to be included in the host system or database backups and provide these to the person responsible for backups. For Windows systems, use the dir /s > filename.txt run weekly to store and compare file modification/creation dates and file sizes using the DOS fc command. This is not as comprehensive as some tools available, but may be enhanced by also checking checksum or file hashes.

b
The DBMS software installation account should be restricted to authorized users.
Medium - V-2422 - SV-24155r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0040-SQLServer9
Vuln IDs
  • V-2422
Rule IDs
  • SV-24155r1_rule
DBA and other privileged administrative or application owner accounts are granted privileges that allow actions that can have a greater impact on database security and operation. It is especially important to grant access to privileged accounts to only those persons who are qualified and authorized to use them.Information Assurance OfficerECLP-1, ECPA-1
Checks: C-28673r1_chk

Review procedures for controlling and granting access to use of the DBMS software installation account. If access or use of this account is not restricted to the minimum number of personnel required or unauthorized access to the account has been granted, this is a Finding.

Fix: F-24498r1_fix

Develop and implement procedures to restrict use and require logging of use of the DBMS software installation account. Document authorized personnel and assignments in the System Security Plan.

b
Database software, applications and configuration files should be monitored to discover unauthorized changes.
Medium - V-2423 - SV-24079r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0050-SQLServer9
Vuln IDs
  • V-2423
Rule IDs
  • SV-24079r1_rule
Unmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.Database AdministratorDCSL-1, DCSW-1
Checks: C-28553r1_chk

Review monitoring procedures and implementation evidence to verify that monitoring of changes to database software libraries, related applications and configuration files is done. Verify that the list of files and directories being monitored is complete. If monitoring does not occur or is not complete, this is a Finding.

Fix: F-25723r1_fix

Develop, document and implement procedures to monitor for unauthorized changes to DBMS software libraries, related software application libraries and configuration files. If a third-party automated tool is not employed, an automated job that reports file information on the directories and files of interest and compares them to the baseline report for the same will meet this requirement. File hashes or checksums should be used for comparisons as file dates may be manipulated by malicious users.

b
All database non-interactive, n-tier connection, and shared accounts that exist should be documented and approved by the IAO.
Medium - V-2424 - SV-7382r2_rule
RMF Control
Severity
Medium
CCI
Version
DG0060-SQLServer9
Vuln IDs
  • V-2424
Rule IDs
  • SV-7382r2_rule
Group authentication does not provide individual accountability for actions taken on the DBMS or data. Whenever a single database account is used to connect to the database, a secondary authentication method that provides individual account ability is required. This scenario most frequently occurs when an externally hosted application authenticates individual users to the application and the application uses a single account to retrieve or update database information on behalf of the individual users.trueDatabase AdministratorInformation Assurance OfficerIAGA-1
Checks: C-24129r2_chk

Review a list of database usernames against those listed in the System Security Plan or authorized user list. From the query prompt: SELECT name FROM [master].sys.server_principals WHERE type IN ('S', 'U') AND sid <> 0x01 ORDER BY name Consult the IAO or DBA to make a final determination on whether accounts listed are shared accounts. If shared accounts are not documented and approved as shared accounts, this is a Finding.

Fix: F-20400r1_fix

Use accounts assigned to individual users where feasible. Design applications to provide individual accountability (audit logs) for actions performed under a single database account. Implement other DBMS automated procedures that provide individual accountability. Where appropriate, implement manual procedures to use manual logs and monitor entries against account usage to ensure procedures are followed.

b
C2 Audit mode should be enabled or custom audit traces defined.
Medium - V-2426 - SV-25417r1_rule
RMF Control
Severity
Medium
CCI
Version
DM0510-SQLServer9
Vuln IDs
  • V-2426
Rule IDs
  • SV-25417r1_rule
The C2 audit mode uses a system-defined trace to collect audit information for MS SQL Server 2000 and higher. It utilizes all security event categories defined within SQL Server, not all of which are required by the Database STIG. Without required auditing, accountability and investigative support is limited.Database AdministratorECAT-1, ECAT-2
Checks: C-20376r1_chk

From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'c2 audit mode' If 1 is returned as the value for Config_Value, this is Not a Finding If the value 0 is returned for Config_Value, confirm that a valid audit trace is configured and implemented. See checks DG0029, DG0145 and DM5267. If there is not a valid audit trace, this is a Finding.

Fix: F-18336r1_fix

Configure and enable C2 auditing or confirm valid audit traces are set per checks DG0029, DG0145 and DM5267. Note: Setting the C2 audit mode enables auditing of more events than required by the STIG and may generate too many records to manage effectively. From the query prompt: EXEC SP_CONFIGURE 'c2 audit mode', 1 RECONFIGURE To create a custom audit, see instructions in check DG0145.

b
Fixed Server roles should have only authorized users or groups assigned as members.
Medium - V-2427 - SV-23758r2_rule
RMF Control
Severity
Medium
CCI
Version
DM0530-SQLServer9
Vuln IDs
  • V-2427
Rule IDs
  • SV-23758r2_rule
Fixed server roles provide a mechanism to grant groups of privileges to users. These privilege groupings are defined by the installation or upgrade of the SQL Server software at the discretion of Microsoft. Memberships in these roles granted to users should be strictly controlled and monitored. Privileges assigned to these roles should be reviewed for change after software upgrade or maintenance to ensure that the privileges continue to be appropriate to the assigned members.trueDatabase AdministratorECLP-1
Checks: C-20128r2_chk

From the query prompt: EXEC SP_HELPSRVROLEMEMBER 'bulkadmin' EXEC SP_HELPSRVROLEMEMBER 'dbcreator' EXEC SP_HELPSRVROLEMEMBER 'diskadmin' EXEC SP_HELPSRVROLEMEMBER 'processadmin' EXEC SP_HELPSRVROLEMEMBER 'securityadmin' EXEC SP_HELPSRVROLEMEMBER 'serveradmin' EXEC SP_HELPSRVROLEMEMBER 'setupadmin' EXEC SP_HELPSRVROLEMEMBER 'sysadmin' Verify authorization of each member listed in the System Security Plan. If any members are not authorized, this is a Finding.

Fix: F-14652r1_fix

Remove fixed server role assignments from unauthorized users. Grant fixed roles to authorized personnel only. Remove unauthorized accounts from assigned roles. From the query prompt: EXEC SP_DROPSRVROLEMEMBER '[account name]', '[fixed server role name]' Replace [account name] with the name of the account and [fixed server role name] with the name of the fixed server role.

b
MS SQL Server Instance name should not incude a SQL Server or other software version number.
Medium - V-2436 - SV-23762r2_rule
RMF Control
Severity
Medium
CCI
Version
DM0660-SQLServer9
Vuln IDs
  • V-2436
Rule IDs
  • SV-23762r2_rule
The use of version numbers within the database instance name restricts the use of the instance name from meaningful use in subsequent upgrades. Changing the database instance names on a production database causes unnecessary administrative overhead and compromise existing secure network configurations.trueDatabase AdministratorECAN-1
Checks: C-13603r2_chk

From the query prompt: SELECT RTRIM(CONVERT(CHAR(20), SERVERPROPERTY('instancename'))) If the instance name contains the SQL Server version number, this is a Finding.

Fix: F-23520r1_fix

Do not use version number references in instance names. The instance name cannot be changed on an existing instance. A new instance can be created with a compliant name and the databases moved.

c
Extended stored procedure xp_cmdshell should be restricted to authorized accounts.
High - V-2461 - SV-23794r2_rule
RMF Control
Severity
High
CCI
Version
DM1758-SQLServer9
Vuln IDs
  • V-2461
Rule IDs
  • SV-23794r2_rule
The xp_cmdshell extended stored procedure allows execution of host executables outside the controls of database access permissions. This access may be exploited by malicious users who have compromised the integrity of the SQL Server database process to control the host operating system to perpetrate additional malicious activity.trueDatabase AdministratorECLP-1
Checks: C-22811r2_chk

From the query prompt: SELECT u.name FROM [master].dbo.sysobjects o, [master].dbo.sysusers u, [master].dbo.sysprotects p WHERE p.uid = u.uid AND p.id = o.id AND o.name = 'xp_cmdshell' ORDER BY u.name If any accounts are returned, ensure the IAO has documented in the System Security Plan allowing its use. If there is no documentation or use is not authorized, this is a Finding. If any non-DBA accounts are listed, this is a Finding. From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'xp_cmdshell' If a value of 0 is returned for Config_Value, this is Not a Finding. If a value of 1 is returned for Config_Value, confirm in the System Security Plan that this option is documented, required and approved by the IAO. If it is not documented, required and approved, this is a Finding.

Fix: F-19735r1_fix

Authorize and document requirements for use of the xp_cmdshell option in the System Security Plan and AIS Functional Architecture documentation. Where not authorized, disable or restrict its use. From the query prompt: USE master REVOKE EXECUTE ON xp_cmdshell FROM [user] Replace 'user' with the user account name. From the query prompt: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'xp_cmdshell', 0 RECONFIGURE

b
Execute stored procedures at startup, if enabled, should have a custom audit trace defined.
Medium - V-2464 - SV-23884r1_rule
RMF Control
Severity
Medium
CCI
Version
DM1761-SQLServer9
Vuln IDs
  • V-2464
Rule IDs
  • SV-23884r1_rule
The DBMS startup process may be vulnerable to introduction of malicious or unauthorized actions. Any use of automated execution of custom procedures provides an opportunity to deploy unauthorized code. For some versions of SQL Server, audit requirements may only be met by audit procedures that are set to start automatically at system startup.Database AdministratorDCSS-1, DCSS-2
Checks: C-22860r1_chk

From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'scan for startup procs' If a value of 1 is returned for Config_Value and a custom audit trace is NOT in use (see Check DG0145: DBMS audit record content), this is a Finding. NOTE: Use of the sp_procoption to mark or unmark automatically run stored procedures will enable this option automatically. If operationally required, document this option as required in the System Security Plan.

Fix: F-19766r1_fix

Enable the ‘scan for startup procs’ configuration option if a custom audit trace is in use (see Check DG0145: DBMS audit record content) or if operationally required and documented in the System Security Plan: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'scan for startup procs', 1 RECONFIGURE Otherwise, disable its use: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'scan for startup procs', 0 RECONFIGURE

b
OLE Automation extended stored procedures should be restricted to sysadmin access.
Medium - V-2472 - SV-23814r2_rule
RMF Control
Severity
Medium
CCI
Version
DM2095-SQLServer9
Vuln IDs
  • V-2472
Rule IDs
  • SV-23814r2_rule
Extended stored procedures allow SQL Server users to execute functions external to SQL Server. An extended stored procedure is a function within a Windows DLL that can be referenced as a stored procedure. While this feature is a powerful extension of SQL Server, it also increases the risk of SQL Server users gaining unauthorized access to the operating system. The Windows account used by SQL Server to log on determines the security context used by extended stored procedures. Certain sensitive extended stored procedures should be closely monitored. These sensitive stored procedures include the OLE Automation stored procedures. OLE Automation stored procedures can be used to reconfigure the security of other services including IIS (Internet Information Server).trueDatabase AdministratorDCFA-1
Checks: C-22813r2_chk

From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'ole automation procedures' If a value of 0 is returned for Config_Value, this is Not a Finding. If a value of 1 is returned for Config_Value, verify with the IAO and the System Security Plan that OLE Automation Procedures as listed are required. If they are not, this is a Finding. If OLE Automation Procedures are documented and authorized by the IAO, check which users have access. From the query prompt: SELECT USER_NAME(p.grantee_principal_id) 'User', o.name 'Object', p.permission_name 'Perm' FROM [master].sys.system_objects o, [master].sys.database_permissions p WHERE o.object_id = p.major_id AND o.name like 'sp_OA%' ORDER BY USER_NAME(p.grantee_principal_id), o.name, p.permission_name If non-DBA users are granted access, verify with the IAO and the System Security Plan allowing the specific users listed as valid users of these procedures. If there is no documentation or IAO authorization, this is a Finding.

Fix: F-19737r1_fix

Disable OLE extended stored procedures where no needed or restrict access to SYSADMINs and authorized roles. Disable OLE extended stored procedures: From the query prompt: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'OLE Automation Procedures', 0 RECONFIGURE Note: SQL Server 2005 does not drop system extended stored procedures. Microsoft recommends denying EXEC permissions instead.

b
Registry extended stored procedures should be restricted to sysadmin access.
Medium - V-2473 - SV-23825r2_rule
RMF Control
Severity
Medium
CCI
Version
DM2119-SQLServer9
Vuln IDs
  • V-2473
Rule IDs
  • SV-23825r2_rule
Extended stored procedures allow SQL Server users to execute functions external to SQL Server. An extended stored procedure is a function within a Windows NT DLL that can be referenced as a stored procedure. While this feature is a powerful extension of SQL Server, it also increases the risk of SQL Server users gaining unauthorized access to the operating system. The Windows NT account used by SQL Server to log on determines the security context used by extended stored procedures. Certain sensitive extended stored procedures should be closely monitored. These sensitive stored procedures include the registry editing stored procedures. Registry extended stored procedures can be used to read or change security information, including the NT password database, from the registry.trueDatabase AdministratorDCFA-1
Checks: C-22815r2_chk

From the query prompt: SELECT u.name AS [Principal], o.name AS [Extended Stored Procedure], u.type_desc AS [Type] FROM [master].sys.system_objects o JOIN [master].sys.database_permissions p ON o.object_id = p.major_id JOIN [master].sys.database_principals u ON p.grantee_principal_id = u.principal_id WHERE ( o.name LIKE 'xp_reg%' OR o.name LIKE 'xp_instance_reg%') AND p.type = 'EX' ORDER BY o.name, u.name If no results are displayed, this is Not a Finding. If non-DBA Principals are granted access (as listed in the query results), verify with the IAO and the System Security Plan allowing the specific Principals listed as valid users of these procedures. If there is no documentation or IAO authorization, this is a Finding. If permissions are assigned to Principal PUBLIC, this is a Finding. Note: By default, the public role is granted execute access to xp_regread. If this access is required, transfer the privilege assignment to an authorized custom database role.

Fix: F-19739r1_fix

Restrict access of Registry extended stored procedures to SYSADMINs and authorized roles as documented in the System Security Plan and authorized by the IAO. Note: SQL Server 2005 and later does not drop system extended stored procedures. Microsoft recommends denying EXEC permissions instead. Restrict and/or remove access to Registry extended stored procedures where not authorized: From the SQL Server Management Studio GUI: 1. Connect/expand SQL Server 2. Expand Databases 3. Expand System databases 4. Expand Master 5. Expand Programmability 6. Expand Extended Stored Procedures 7. Expand System Extended Stored Procedures 8. Locate and select each of the Registry extended stored procedures listed in the Check section 9. Right click on the extended stored procedure 10. Select Properties 11. Click on the Permissions page 12. Select each user or role and deselect the Grant (and With Grant if checked) permissions from all users, database roles and public except from SYSADMINs and authorized roles when permitted 13. Click OK Document access grants and restrictions in the System Security Plan and authorize with the IAO.

b
Remote access should be disabled if not authorized.
Medium - V-2485 - SV-25445r1_rule
RMF Control
Severity
Medium
CCI
Version
DM2142-SQLServer9
Vuln IDs
  • V-2485
Rule IDs
  • SV-25445r1_rule
The remote access option determines if connections to and from other Microsoft SQL Servers are allowed. Remote connections are used to support distributed queries and other data access and command executions across and between remote database hosts. The list of remote servers determines the servers that have defined for remote connections to and from the SQL Server instance. The list of remote logins determines which users on remote servers can connect to and from other SQL Servers. Remote servers and logins that are not properly secured can be used to compromise the server.Database AdministratorDCFA-1
Checks: C-23658r1_chk

From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'remote access' If a value of 1 is returned for Config_Value, remote access is enabled. If the use of linked servers is not documented and authorized in the System Security Plan and AIS Functional Architecture documentation, this is a Finding. If the use of linked servers is not approved by the IAO, this is a Finding. Note: See check DG0190 for authorized linked servers. If remote access is not documented in the System Security Plan and AIS Functional Architecture documentation regardless of authorization or use, this is a Finding.

Fix: F-2513r1_fix

Document remote access in the System Security Plan and AIS Functional Architecture documentation. If required and authorized, document the requirement and authorization in the System Security Plan and AIS Functional Architecture documentation. To enable remote access: From the query prompt: EXEC SP_CONFIGURE 'remote access', 1 RECONFIGURE If not required, disable remote access and document the requirement and authorization in the System Security Plan and AIS Functional Architecture documentation. To disable remote access: From the query prompt: EXEC SP_CONFIGURE 'remote access', 0 RECONFIGURE Follow procedures documented on Microsoft's website on how to configure a remote server setup. http://support.microsoft.com/kb/914277

b
SQL Server authentication mode should be set to Windows authentication mode or Mixed mode.
Medium - V-2487 - SV-25448r1_rule
RMF Control
Severity
Medium
CCI
Version
DM3566-SQLServer9
Vuln IDs
  • V-2487
Rule IDs
  • SV-25448r1_rule
SQL Server authentication does not provide a sufficiently robust password complexity and management capability to meet stringent security requirements. SQL Server allows use of Windows authentication, a more robust and security authentication service, to control access to the database.Database AdministratorIAIA-1, IAIA-2
Checks: C-1447r1_chk

From the query prompt: EXEC XP_LOGINCONFIG 'login mode' If a value of 'Windows Authentication' is returned for config_value, this is Not a Finding. If a value of 'Mixed' is returned for config_value, confirm in the System Security Plan that SQL Server authentication is required and authorized. If it is not, this is a Finding. Note: SQL Server authentication and the use of passwords are dependent on password management configured on the host platform. Sufficient password management is available only in SQL Server 2005 on Windows 2003 or later. Password authentication is discouraged and only authorized where Windows authentication is not possible. Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079.

Fix: F-20268r1_fix

Configure the instance to accept Windows authentication. From the query prompt: EXEC XP_LOGINCONFIG 'login mode', 1 If SQL Server authentication is required and authorized, document the requirement with a justification in the System Security Plan. Configure the instance to accept SQL Server authentication. From the query prompt: EXEC XP_LOGINCONFIG 'login mode', 2

b
SQL Server Agent CmdExec or ActiveScripting jobs should be restricted to sysadmins.
Medium - V-2488 - SV-25451r1_rule
RMF Control
Severity
Medium
CCI
Version
DM3763-SQLServer9
Vuln IDs
  • V-2488
Rule IDs
  • SV-25451r1_rule
SQL Server Agent CmdExec and ActiveScripting subsystems allow the execution of code by the host operating system under the security context. Allow use of these features only to SYSADMINs and use only where necessary to limit risk of database exploit to the host operating system. Members of the SYSADMIN group have access to all proxies and subsystems by default. Additional assignments are not necessary and would be considered suspect.Database AdministratorDCFA-1, ECLP-1
Checks: C-23822r1_chk

From the query prompt: USE msdb EXEC SP_ENUM_PROXY_FOR_SUBSYSTEM @subsystem_name = 'ActiveScripting' EXEC SP_ENUM_PROXY_FOR_SUBSYSTEM @subsystem_name = 'CmdExec' If no records are returned, this is Not a Finding. For each proxy listed: EXEC SP_ENUM_LOGIN_FOR_PROXY @proxy_name = '[proxy name]' Replace [proxy name] with the proxy names returned above. Review the names listed in the return. If any names include users that are not SYSADMINs or list groups that contain members other than SYSADMIN, this is a Finding.

Fix: F-2516r1_fix

Members of the SYSADMIN role have access to all proxies by default. For any proxies defined for Active Scripting or CmdExec subsystems, remove all additional access privileges. Select based on returns from the SP_ENUM_PROXY_SUBSYSTEM results: From the query prompt: EXEC SP_REVOKE_LOGIN_FROM_PROXY '[login name]' @proxy_name = 'ActiveScripting' EXEC SP_REVOKE_LOGIN_FROM_PROXY '[login name]' @proxy_name = 'CmdExec' Replace [login name] with the name returned in the SP_ENUM_PROXY_FOR_SUBSYSTEM procedure.

b
Trace Rollover should be enabled for audit traces that have a maximum trace file size.
Medium - V-2500 - SV-23886r2_rule
RMF Control
Severity
Medium
CCI
Version
DM5267-SQLServer9
Vuln IDs
  • V-2500
Rule IDs
  • SV-23886r2_rule
The majority of Microsoft SQL Server security auditing is provided by the trace facility. Traces may be created using system stored procedures or with Microsoft SQL Profiler. The trace must be running in order for security event data to be collected for analysis. Traces can specify a maximum size for the trace file. An action may also be specified when a maximum file size is reached. The trace file rollover option for a defined trace causes the current trace file to close and a new one to be opened with no loss of data. If a maximum file size has been set and the rollover option is not set, the trace stops writing when the maximum file size is reached. If the trace file writes function stops, then auditing is disabled.Database AdministratorECRR-1
Checks: C-22720r2_chk

If C2 Auditing is enabled (See Check DM0510: C2 audit mode), this check is Not a Finding. Determine the SQL Server Edition: From the query prompt: SELECT CONVERT(INT, SERVERPROPERTY('EngineEdition')) If value returned is 1 (Personal or Desktop Edition) or 4 (Express Edition), if auditing is not enabled or not configured completely to requirements, review the System Security Plan. If this is properly explained in the System Security Plan, this is Not a Finding. If this is not documented or documented poorly in the System Security Plan, this is a Finding. If value returned is 2 (Standard Edition) or 3 (Enterprise/Developer Edition), these findings apply. Determine if trace file rollover is enabled. From the query prompt: SELECT traceid 'TraceID' FROM ::FN_TRACE_GETINFO('0') WHERE property = 1 AND value = 2 If no trace is returned, this is a Finding. If the trace returned for Check DG0145 is not returned above, this is a Finding.

Fix: F-19685r1_fix

Re-create the trace and specify TRACE_FILE_ROLLOVER (option = 2) added to SHUTDOWN_ON_ERROR (option > 4). From the query prompt: EXEC SP_TRACE_CREATE [ @traceid = ] trace_id OUTPUT , [ @options = ] option_value , [ @tracefile = ] 'trace_file' [ , [ @maxfilesize = ] max_file_size ] [ , [ @stoptime = ] 'stop_time' ] [ , [ @filecount = ] 'max_rollover_files' ]

b
Audit trail data should be retained for one year.
Medium - V-2507 - SV-24149r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0030-SQLServer9
Vuln IDs
  • V-2507
Rule IDs
  • SV-24149r1_rule
Without preservation, a complete discovery of an attack or suspicious activity may not be determined. DBMS audit data also contributes to the complete investigation of unauthorized activity and needs to be included in audit retention plans and procedures.Database AdministratorECRR-1
Checks: C-23662r1_chk

Review and verify the implementation of an audit trail retention policy. Verify that audit data is maintained for a minimum of one year. If audit data is not maintained for a minimum of one year, this is a Finding.

Fix: F-24493r1_fix

Develop, document and implement an audit retention policy and procedures. It is recommended that the most recent thirty days of audit logs remain available online. After thirty days, the audit logs may be maintained offline. Online maintenance provides for a more timely capability and inclination to investigate suspicious activity.

b
Unauthorized user accounts should not exist.
Medium - V-2508 - SV-24088r2_rule
RMF Control
Severity
Medium
CCI
Version
DG0070-SQLServer9
Vuln IDs
  • V-2508
Rule IDs
  • SV-24088r2_rule
Unauthorized user accounts provide unauthorized access to the database and may allow access to database objects. Only authorized users should be granted database accounts.trueDatabase AdministratorIAAC-1
Checks: C-24132r2_chk

Review procedures for ensuring authorization of new or re-assigned DBMS user accounts. Requests for user account access to the DBMS should include documented approval by an authorized requestor. Procedures should also include notification for a change in status, particularly cause for revocation of account access, to any DBMS accounts. Review the user accounts listed either in the script report or manually against the authorized user list. From the query prompt: SELECT name FROM sys.server_principals WHERE type IN ('S', 'U') AND principal_id <> 1 ORDER BY name If procedures for DBMS user account authorization are incomplete or not implemented, this is a Finding. If any accounts listed are not clearly authorized, this is a Finding.

Fix: F-20403r1_fix

Develop, document and implement procedures for authorizing creation and changes to user accounts. Monitor user accounts to verify that they remain authorized. Drop user accounts that are no longer authorized.

b
SQL Mail, SQL Mail Extended Stored Procedures (XPs) and Database Mail XPs are required and enabled.
Medium - V-3335 - SV-23880r1_rule
RMF Control
Severity
Medium
CCI
Version
DM0900-SQLServer9
Vuln IDs
  • V-3335
Rule IDs
  • SV-23880r1_rule
The SQL Mail, SQL Mail Extended Stored Procedures (XPs) and Database Mail XPs are used by database applications to provide email messages to and from the database. This capability may easily be abused to send malicious messages to remote users or systems. Disabling its use helps to protect the database from generating or receiving malicious email notifications.Database AdministratorDCFA-1
Checks: C-22712r1_chk

Determine the SQL Server Edition: From the query prompt: SELECT CONVERT(INT, SERVERPROPERTY('EngineEdition')) If value returned is 1 (Personal or Desktop Edition) or 4 (Express Edition), this check is Not Applicable. From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'sql mail xps' If the value of Config_Value is 0, this is Not a Finding. If the value of Config_Value is 1, then confirm in the System Security Plan that email message traffic is required by the database applications. If it is not documented, and required this is a Finding. From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'database mail xps' If the value of Config_Value is 0, this is Not a Finding. If the value of Config_Value is 1, then confirm in the System Security Plan that email message traffic is required by the database applications. If it is not documented, and required this is a Finding.

Fix: F-19732r1_fix

Ensure you properly document SQL Mail, SQL Mail XPs and Database Mail XPs configurations regardless of authorization or use in the System Security Plan. If not approved by the IAO and authorized for use, disable SQL Mail, SQL Mail XPs and Database Mail XPs. From the query prompt: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'SQL Mail XPs', 0 RECONFIGURE From the query prompt: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'Database Mail XPs', 0 RECONFIGURE

b
SQL Server Agent email notification usage if enabled should be documented and approved by the IAO.
Medium - V-3336 - SV-23958r1_rule
RMF Control
Severity
Medium
CCI
Version
DM0901-SQLServer9
Vuln IDs
  • V-3336
Rule IDs
  • SV-23958r1_rule
SQL Mail accepts incoming database commands via email. This can introduce malicious codes or viruses into the SQL server environment.Database AdministratorDCBP-1
Checks: C-22809r1_chk

Determine the SQL Server Edition: From the query prompt: SELECT CONVERT(INT, SERVERPROPERTY('EngineEdition')) If value returned is 1 (Personal or Desktop Edition) or 4 (Express Edition), this check is Not Applicable. From the SQL Server Management Studio GUI: 1. Right click on SQL Server Agent 2. Select Properties 3. Select Alert System If the box next to "Enable mail profile" is checked, documentation for this function should exist with the IAO in the System Security Plan and AIS Functional Architecture documentation. If this function is not documented, this is a Finding.

Fix: F-14799r1_fix

Ensure you properly document Agent Email Alert configurations regardless of authorization or use in the System Security Plan. Where not required and authorized for use, disable Email notification for SQL Server Agent.

a
Configuration management procedures should be defined and implemented for database software modifications.
Low - V-3726 - SV-24123r1_rule
RMF Control
Severity
Low
CCI
Version
DG0011-SQLServer9
Vuln IDs
  • V-3726
Rule IDs
  • SV-24123r1_rule
Uncontrolled, untested, or unmanaged changes result in an unreliable security posture. All changes to software libraries related to the database and its use need to be reviewed, considered, and the responsibility for CM assigned. CM responsibilities may appear to cross boundaries. It is important, however, for the boundaries of CM responsibility to be clearly defined and assigned to ensure no libraries or configurations are left unaddressed. Related database application libraries may include third-party DBMS management tools, DBMS stored procedures, or other end-user applications.Information Assurance OfficerDCPR-1
Checks: C-20366r1_chk

Interview the IAO and review documentation to determine if a configuration management (CM) process is implemented for the DBMS system that includes requirements for: (1) Formally documented CM roles, responsibilities, and procedures to include the management of IA information and documentation; (2) A configuration control board that implements procedures to ensure a security review and approval of all proposed DoD information system changes, to include interconnections to other DoD information systems; (3) A testing process to verify proposed configuration changes prior to implementation in the operational environment; and (4) A verification process to provide additional assurance that the CM process is working effectively and that changes outside the CM process are technically or procedurally not permitted. If documented evidence for procedures or processes outlined above are not present or are incomplete, this is a Finding.

Fix: F-24661r1_fix

Develop, document and implement configuration management procedures or processes. Ensure the 4 major requirements listed in the check are documented at a minimum. Assign responsibilities for oversight and approval for any and all changes made to DBMS software and configuration.

a
Unused database components, database application software and database objects should be removed from the DBMS system.
Low - V-3728 - SV-24131r1_rule
RMF Control
Severity
Low
CCI
Version
DG0016-SQLServer9
Vuln IDs
  • V-3728
Rule IDs
  • SV-24131r1_rule
Unused, unnecessary DBMS components increase the attack vector for the DBMS by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced.Database AdministratorDCFA-1
Checks: C-13738r1_chk

Review the list of components or optional features installed with the database. This may be most clearly displayed using the DBMS product installation tool, but may require review of the product installation documentation. If no optional features or components are installed, this is Not a Finding. If optional components or features are installed, then review the System Security Plan to verify that they are documented and authorized. If any are not documented and authorized, this is a Finding.

Fix: F-14784r1_fix

Review the list of optional features or components available for the DBMS product. If any are required for operation of applications that will be accessing the DBMS, then include them in the application design specification and list them in the System Security Plan. If any are not, but have been installed, then uninstall them and remove any database objects and applications that are installed to support them.

b
A production DBMS installation should not coexist on the same DBMS host with other, non-production DBMS installations.
Medium - V-3803 - SV-24133r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0017-SQLServer9
Vuln IDs
  • V-3803
Rule IDs
  • SV-24133r1_rule
Production, development and other non-production DBMS installations have different access and security requirements. Shared production/non-production DBMS installations secured at a production-level can impede development efforts whereas production/non-production DBMS installations secured at a development-level can lead to exploitation of production-level installations. Production DBMS installations should be kept separate from development, QA, TEST and other non-production DBMS systems.Database AdministratorInformation Assurance OfficerECSD-1, ECSD-2
Checks: C-28485r1_chk

Review the System Security Plan and interview the DBA and IAO to determine if the DBMS host contains production and non-production DBMS installations. If the DBMS host contains both production and non-production DBMS installations or the production DBMS installation is being used for non-production efforts, determine if this allowance is documented in the System Security Plan and authorized by the IAO. If not documented and authorized, this is a Finding. NOTE: Though shared production/non-production DBMS installations was allowed under previous database STIG guidance, doing so may place it in violation of OS, Application, Network or Enclave STIG guidance. Ensure that any shared production/non-production DBMS installations meets STIG guidance requirements at all levels or mitigate any conflicts in STIG guidance with your DAA.

Fix: F-19767r1_fix

Recommend establishing a dedicated DBMS host for production DBMS installations (See Checks DG0109 and DG0110). A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine where supported by the DBMS vendor.

a
Application software should be owned by a Software Application account.
Low - V-3805 - SV-24135r1_rule
RMF Control
Severity
Low
CCI
Version
DG0019-SQLServer9
Vuln IDs
  • V-3805
Rule IDs
  • SV-24135r1_rule
File and directory ownership imparts full privileges to the owner. These privileges should be restricted to a single, dedicated account to preserve proper chains of ownership and privilege assignment management.Database AdministratorDCSL-1, ECSD-1, ECSD-2
Checks: C-13742r1_chk

Review the ownership of all DBMS and dependent application software and configuration files. If the owner is other than the software installation account or the designated owner account for the file, this is a Finding. Some configuration and log files may be owned by a service or process account. Ownership of these files should be recorded and verified accordingly.

Fix: F-14810r1_fix

Assign DBMS file and directory ownership to the software installation and maintenance account. Use the software owner account to install and maintain the DBMS software libraries and configuration files.

b
A baseline of database application software should be documented and maintained.
Medium - V-3806 - SV-24142r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0021-SQLServer9
Vuln IDs
  • V-3806
Rule IDs
  • SV-24142r1_rule
Without maintenance of a baseline of current DBMS application software, monitoring for changes cannot be complete and unauthorized changes to the software can go undetected. Changes to the DBMS executables could be the result of intentional or unintentional actions.Database AdministratorInformation Assurance OfficerDCSW-1
Checks: C-20401r1_chk

Have the DBA and/or IAO provide the DBMS software baseline procedures, implementation evidence, and a list of files and directories included in the baseline procedure for completeness. If baseline procedures do not exist, not implemented reliably or not complete, this is a Finding. Software and configuration directories are under: [drive] \Program Files\Microsoft SQL Server The exact directory is specified in the registry key: HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Microsoft SQL Server \ 90 \ VerSpecificRootDir For each instance, the directory and all contents specified under the registry key below where [#] is the assigned instance number: HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Microsoft SQL Server \ MSSQL.[#] \ Setup \ SQLProgramDir

Fix: F-24636r1_fix

Develop, document and implement baseline procedures that include all DBMS software files and directories. Update the baseline after new installations, upgrades or maintenance activities that include changes to the software baseline.

b
All applications that access the database should be logged in the audit trail.
Medium - V-3807 - SV-24174r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0052-SQLServer9
Vuln IDs
  • V-3807
Rule IDs
  • SV-24174r1_rule
Protections and privileges are designed within the database to correspond to access via authorized software. Use of unauthorized software to access the database could indicate an attempt to bypass established permissions. Reviewing the use of application software to the database can lead to discovery of unauthorized access attempts.Database AdministratorECAT-1, ECAT-2
Checks: C-23493r1_chk

Review the DBMS audit trail to determine if the names [or unique identifiers] of applications used to connect to the database are included. If an alternate method other than DBMS logging is authorized and implemented, review the audit trail to determine if the names [or unique identifiers] of applications used to connect to the database are included. If application access to the DBMS is not being audited, this is a Finding. If auditing does not capture the name [or unique identifier] of applications accessing the DBMS at a minimum, this is a Finding.

Fix: F-20269r1_fix

Modify auditing to ensure audit records include identification of applications used to access the DBMS. Ensure auditing captures the name [or unique identifier] of applications accessing the DBMS at a minimum. Develop or procure a 3rd-party solution where native DBMS logging is not employed or does not capture required information.

b
Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions.
Medium - V-3808 - SV-24081r2_rule
RMF Control
Severity
Medium
CCI
Version
DG0051-SQLServer9
Vuln IDs
  • V-3808
Rule IDs
  • SV-24081r2_rule
Unauthorized users may bypass security mechanisms by submitting jobs to job queues managed by the database to be run under a more privileged security context of the database or host system. These queues should be monitored regularly to detect any such unauthorized job submissions.trueDatabase AdministratorECLP-1
Checks: C-20410r2_chk

1. Review jobs scheduled to start automatically at system startup. From the query prompt: SELECT name FROM [master].sys.procedures WHERE is_auto_executed = 1 If any jobs listed are not documented as authorized, this part of the check is a Finding. 2. Review SQL Server job history From the query prompt: SELECT DISTINCT j.name FROM [msdb].dbo.sysjobhistory h, [msdb].dbo.sysjobs j WHERE h.job_id = j.job_id If no data is listed and no jobs are listed, this part of the check is Not a Finding. If any jobs listed are not documented as authorized, this part of the check is a Finding. Review monitoring procedures for job queues and evidence of implementation. If procedures for monitoring job queues are not documented are not complete or are not implemented, this is a Finding. If any part of this check results in a Finding, this is a Finding for the entire check.

Fix: F-22511r1_fix

Establish and implement procedures to monitor the database job queue and job history for unauthorized job submissions. Include or note documented policy and procedures in the System Security Plan.

b
DBMS authentication should require use of a DoD PKI certificate.
Medium - V-3810 - SV-24086r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0065-SQLServer9
Vuln IDs
  • V-3810
Rule IDs
  • SV-24086r1_rule
In a properly configured DBMS, access controls defined for data access and DBMS management actions are assigned based on the user identity and job function. Unauthenticated or falsely authenticated access leads directly to the potential unauthorized access, misuse, and lost accountability of data and activities within the DMBS. Use of PKI certificates for authentication to the DBMS provides a robust mechanism to ensure identity to authorize access to the DBMS.Information Assurance OfficerIATS-1, IATS-2
Checks: C-23840r1_chk

If user access to the DBMS is via a portal or mid-tier system or product and PKI-authentication occurs at the portal/mid-tier, this check is Not a Finding. Review the list of all DBMS accounts and their authentication methods. This list is usually available from a system view or table and is easily gained from a simple SQL query. If any accounts are listed with an authentication method other than a PKI certificate, this is a Finding. For MAC 3 systems, if identification and authentication is not accomplished using the DoD PKI Class 3 certificate and hardware security token (when available) at minimum, this is a Finding. For MAC 1 and 2 systems, if identification and authentication is not accomplished using the DoD PKI Class 3 or 4 certificate and hardware security token (when available) or an NSA-certified product at minimum, this is a Finding.

Fix: F-24527r1_fix

Implement PKI authentication for all accounts defined within the database where applicable. Applications may use host system (server) certificates to authenticate. For MAC 3 systems, use of the DoD PKI Class 3 certificate and hardware security token (when available) at minimum is required. For MAC 1 and 2 systems, use of the DoD PKI Class 3 or 4 certificate and hardware security token (when available) or an NSA-certified product at minimum is required.

b
Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented.
Medium - V-3811 - SV-24193r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0066-SQLServer9
Vuln IDs
  • V-3811
Rule IDs
  • SV-24193r1_rule
New accounts authenticated by passwords that are created without a password or with an easily guessed password are vulnerable to unauthorized access. Procedures for creating new accounts with passwords should include the required assignment of a temporary password to be modified by the user upon first use.Database AdministratorIAIA-1, IAIA-2
Checks: C-28588r1_chk

If all DBMS accounts are configured to authenticate using certificates or other credential besides passwords, this check is Not a Finding. Where accounts are authenticated using passwords, review procedures and implementation evidence for creation of temporary passwords. If the procedures or evidence do not exist or do not enforce passwords to meet DoD password requirements, this is a Finding.

Fix: F-26574r1_fix

Develop, document and implement procedures for assigning temporary passwords to user accounts. Procedures should include instruction to meet current DoD password length and complexity requirements and provide a secure method to relay the temporary password to the user. Temporary passwords should also be short-lived and require immediate update by the user upon first login.

c
Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations.
High - V-3812 - SV-24197r1_rule
RMF Control
Severity
High
CCI
Version
DG0067-SQLServer9
Vuln IDs
  • V-3812
Rule IDs
  • SV-24197r1_rule
Database passwords stored in clear text are vulnerable to unauthorized disclosure. Database passwords should always be encoded or encrypted when stored internally or externally to the DBMS.Database AdministratorIAIA-1, IAIA-2
Checks: C-22668r1_chk

This check applies specifically to the Oracle DBMS installation and its associated files, scripts and environments. This check does not apply to compiled, encoded or encrypted application source code and batch job code covered in Check DG0130. Ask the DBA to review the list of DBMS database objects, database configuration files, associated scripts and applications defined within and external to the DBMS that access the database. The list should also include files or settings used to configure the operational environment for the DBMS and for interactive DBMS user accounts. Ask the DBA and/or IAO to determine if any DBMS database objects, database configuration files, associated scripts and applications defined within or external to the DBMS that access the database, and DBMS / user environment files/settings contain database passwords. If any do, confirm that DBMS passwords stored internally or externally to the DBMS are encoded or encrypted. If any passwords are stored in clear text, this is a Finding. If a list of DBMS database objects, database configuration files, associated scripts and applications defined within or external to the DBMS that access the database, and DBMS / user environment files/settings is not maintained in the System Security Plan, this is a Finding.

Fix: F-19676r1_fix

Develop, document and maintain a list of DBMS database objects, database configuration files, associated scripts and applications defined within or external to the DBMS that access the database, and DBMS / user environment files/settings in the System Security Plan. Record whether they do or do not contain DBMS passwords. If passwords are present, ensure they are encoded or encrypted and protected by host system security. Consider using vendor or 3rd party tools to support external authentication.

b
DBMS tools or applications that echo or require a password entry in clear text should be protected from password display.
Medium - V-3813 - SV-24215r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0068-SQLServer9
Vuln IDs
  • V-3813
Rule IDs
  • SV-24215r1_rule
Database applications may allow for entry of the account name and password as a visible parameter of the application execution command. This practice should be prohibited and disabled, if possible, by the application. If it cannot be disabled, users should be strictly instructed not to use this feature. Typically, the application will prompt for this information and accept it without echoing it on the users computer screen.Database AdministratorIAIA-1, IAIA-2
Checks: C-28572r1_chk

Interview the DBA to determine if any applications that access the database (such as sqlcmd, etc.) allow for entry of the account name and password on the command line. If any applications exist and are in use, ask the DBA if users have been instructed not to include passwords on the command line and if these applications are monitored for compliance. If documentation of instruction and monitoring are not being performed, this is a Finding.

Fix: F-24465r1_fix

Configure or modify applications to prohibit display of passwords in clear text on the command line if possible. Implement policy and train users to prohibit entry of passwords on the command line for applications that cannot be modified or configured to deny this. Remove any applications that can access the database if they are not being used or cannot be monitored.

b
New passwords should be required to differ from old passwords by more than four characters.
Medium - V-3815 - SV-24220r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0071-SQLServer9
Vuln IDs
  • V-3815
Rule IDs
  • SV-24220r1_rule
Changing passwords frequently can thwart password-guessing attempts or re-establish protection of a compromised DBMS account. Minor changes to passwords may not accomplish this as password guessing may be able to continue to build on previous guesses or the new password may be easily guessed using the old password.Database AdministratorIAIA-1, IAIA-2
Checks: C-13747r1_chk

If no DBMS accounts authenticate using passwords, this check is Not a Finding. If DBMS uses Windows Authentication only, this check is Not a Finding. If the DBMS supports this functionality, review the settings and function logic or have the DBA demonstrate a password change to ensure that the function requires new passwords to differ from old passwords by more than four characters. If the review or the demonstration reveals that passwords are not checked for a difference of more than four characters, this is a Finding. NOTE: Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079.

Fix: F-14850r1_fix

Define, configure and test a password verify feature or function that authenticates passwords on change to ensure that new password differs from old password by more than four characters.

b
Unauthorized database links should not be defined and active.
Medium - V-3818 - SV-24090r2_rule
RMF Control
Severity
Medium
CCI
Version
DG0075-SQLServer9
Vuln IDs
  • V-3818
Rule IDs
  • SV-24090r2_rule
DBMS links provide a communication and data transfer path definition between two databases that may be used by malicious users to discover and obtain unauthorized access to remote systems. Database links between production and development DBMSs provide a means for developers to access production data not authorized for their access or to introduce untested or unauthorized applications to the production database. Only protected, controlled, and authorized downloads of any production data to use for development should be allowed. Only applications that have completed the configuration management process should be introduced by the application object owner account to the production system.trueDatabase AdministratorDCFA-1
Checks: C-20339r2_chk

If this is not a production database, this check is Not Applicable. Note: SQL Server check DG0190 addresses authorization of all defined remote and linked databases. Review documentation for definitions of authorized external interfaces. The documentation should include: 1. Any remote access to the database 2. The purpose or function of the remote connection, 3. Any access to data or procedures stored externally to the local DBMS 4. Any network ports or protocols used by remote connections 5. Whether the remote connection is to a production, test, or development system 6. Any security accounts used by DBMS to access remote resources or objects To view remote and linked servers: SELECT name FROM [master].sys.servers WHERE server_id <> 0 ORDER BY name If any database links are defined between the production database and any test or development databases, this is a Finding. If the documentation for remote interfaces does not exist or is incomplete in the System Security Plan and AIS Functional Architecture documentation, this is a Finding.

Fix: F-24627r1_fix

Document all remote or external interfaces used by the DBMS to connect to or allow connections from remote or external sources in the System Security Plan and AIS Functional Architecture documentation. Include with the documentation as appropriate, any network ports or protocols, security accounts, and the sensitivity of any data exchanged. Do not define or configure database links between production databases and test or development databases. Delete any links or remote server definitions between production and test or development databases.

b
Sensitive information from production database exports should be modified after import to a development database.
Medium - V-3819 - SV-24226r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0076-SQLServer9
Vuln IDs
  • V-3819
Rule IDs
  • SV-24226r1_rule
Data export from production databases may include sensitive data. Application developers do not have a need to know to sensitive data. Any access they may have to production data would be considered unauthorized access and subject the sensitive data to unlawful or unauthorized disclosure. See DODD 8500.1 section E2.1.41 for a definition of Sensitive Information.Database AdministratorECAN-1
Checks: C-23836r1_chk

If the database is not a production database, this check is Not Applicable. Review procedures or restrictions for data exports from the production database. If data exports are allowed, then review procedures for protecting any sensitive data included in the exports. If sensitive data is included in the exports and no protections are taken to remove or modify the data to render it not sensitive when provided to unauthorized users, this is a Finding.

Fix: F-19659r1_fix

Document procedures and restrictions for production data export. Require any users assigned privileges that allow the export of production data from the database to acknowledge understanding of the export restrictions. Restrict permissions allowing use or access to database export procedures or functions to authorized users.

b
Production databases should be protected from unauthorized access by developers on shared production/development host systems.
Medium - V-3820 - SV-24228r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0077-SQLServer9
Vuln IDs
  • V-3820
Rule IDs
  • SV-24228r1_rule
Developers granted elevated database and operating system privileges on systems that support both development and production databases can affect the operation and/or security of the production database system. Operating system and database privileges assigned to developers on shared development and production systems should be restricted.Database AdministratorECLP-1
Checks: C-28573r1_chk

Review the list of instances and databases installed on the host system with the DBA. Ask which databases are production databases and which are for development. If only development or only production databases exist on this host, this is Not a Finding. Otherwise, ask the DBA to confirm that policy and procedures are in place for the IAO to review database and operating system privileges on the system. If none are in place, this is a Finding. Ask the DBA/SA if developer host accounts have been granted privileges to production database directories, files or resources. If they have been, this is a Finding. NOTE: Though shared production/non-production DBMS installations was allowed under previous database STIG guidance, doing so may place it in violation of OS, Application, Network or Enclave STIG guidance. Ensure that any shared production/non-production DBMS installations meets STIG guidance requirements at all levels or mitigate any conflicts in STIG guidance with your DAA.

Fix: F-24629r1_fix

Develop, document and implement procedures to review and maintain privileges granted to developers on shared production and development host systems and databases. Recommend establishing a dedicated DBMS host for production DBMS installations (See Checks DG0109 and DG0110). A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine where supported by the DBMS vendor.

b
Application user privilege assignment should be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy.
Medium - V-3821 - SV-24232r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0080-SQLServer9
Vuln IDs
  • V-3821
Rule IDs
  • SV-24232r1_rule
Users granted privileges not required to perform their assigned functions are able to make unauthorized modifications to the production data or database. Monthly or more frequent periodic review of privilege assignments assures that organizational and/or functional changes are reflected appropriately.Database AdministratorECLP-1
Checks: C-24309r1_chk

Review procedures and implementation evidence to determine if procedures are in place for periodic review of user privileges by the IAO. Evidence may consist of email or other correspondence that acknowledges receipt of periodic reports and notification of review between the DBA and IAO or other auditors as assigned. If the procedures are incomplete or no evidence of implementation exists, this is a Finding.

Fix: F-20110r1_fix

Develop, document and implement procedures for periodic review of application user database privilege assignments. Include methods to provide evidence of review in the procedures to verify reviews occur in accordance with the procedures.

b
Remote adminstrative connections to the database should be encrypted.
Medium - V-3825 - SV-24248r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0093-SQLServer9
Vuln IDs
  • V-3825
Rule IDs
  • SV-24248r1_rule
Communications between a client and database service across the network may contain sensitive information including passwords. Encryption of remote administrative connections to the database ensures confidentiality.Database AdministratorECCT-1, ECCT-2
Checks: C-23684r1_chk

If no administration accounts are accessed remotely, this check is Not a Finding. Ask the DBA if access to the administration accounts is: 1. Made using remote access through a local host account 2. Made directly to the database from a remote database client If access is via a local host account, review procedures, policy, and/or evidence that remote administrative account access is performed only via an encrypted connection protocol such as SSH, Remote Desktop Connection (properly configured, of course), etc., to connect to the host. If it is not, this is a Finding. If access is via direct connection to the DBMS from a DBMS client, confirm that a dedicated database listener exists on the DBMS server and configured to encrypt communications for remote administrative connections. If it is not, this is a Finding. If there are any listeners on the DBMS host that are configured to accept unencrypted traffic, determine through review of policy and training evidence that DBAs know to use the encrypted listener for remote access to administrative accounts. If no such policy exists, the DBAs have not been instructed to use or do not use an encrypted connection, this is a Finding. Interview DBAs to confirm they use the encrypted listener for remote DBA access. If any DBAs do not, this is a Finding. Ensure unclassified, sensitive data transmitted through a commercial or wireless network are encrypted using NIST-certified cryptography.

Fix: F-26087r1_fix

Do not administer DBMS systems remotely if possible. If this is not possible, ensure that all connections to the DBMS for administrative purposes utilize encryption at all possible levels [i.e. Network (VPN), Host (SSH/RDP), and Database (Client/ODBC/listener)]. Ensure unclassified, sensitive data transmitted through a commercial or wireless network are encrypted using NIST-certified cryptography.

b
Audit trail data should be reviewed daily or more frequently.
Medium - V-3827 - SV-24250r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0095-SQLServer9
Vuln IDs
  • V-3827
Rule IDs
  • SV-24250r1_rule
Review of audit trail data provides a means for detection of unauthorized access or attempted access. Frequent and regularly scheduled reviews ensures that such access is discovered in a timely manner.Information Assurance OfficerECAT-1
Checks: C-23452r1_chk

Review policy, procedures and implementation evidence for daily audit trail monitoring. For SQL Server, the audit trail data is found in audit traces, the system error logs (ERRORLOG.*) files, and the system and application event logs. If the policy, procedures and evidence are not present or complete, this is a Finding.

Fix: F-19759r1_fix

Develop, document and implement policy and procedures to monitor audit trail data daily.

b
A Windows OS DBA group should exist.
Medium - V-3832 - SV-25423r1_rule
RMF Control
Severity
Medium
CCI
Version
DM0920-SQLServer9
Vuln IDs
  • V-3832
Rule IDs
  • SV-25423r1_rule
The DBA job function differs from the host system administrator job function. Without a separate host OS group to assign necessary privileges on the operating system, separation of duties is not achieved and excess privileges for the job function are assigned.Information Assurance OfficerECPA-1
Checks: C-17013r1_chk

For Windows 2000: 1. Right click on My Computer 2. Select Manage 3. Expand Local Users 4. Expand Groups For Windows 2003: 1. Click Start 2. Select All Programs 3. Select Administrative Tools 4. Click Computer Management 5. Expand System Tools 6. Expand Local Users and Groups 7. Select Groups View the list of groups defined. Verify the OS DBA group as specified in the System Security Plan exists. If the OS DBA windows group specified in the System Security Plan does not exist, this is a Finding.

Fix: F-23506r1_fix

Follow the steps outlined in the Check procedure above. Create a Windows OS group to use for SQL Server DBA privilege and permission assignment as documented in the System Security Plan.

b
Windows OS DBA group should contain only authorized users.
Medium - V-3833 - SV-25426r1_rule
RMF Control
Severity
Medium
CCI
Version
DM0921-SQLServer9
Vuln IDs
  • V-3833
Rule IDs
  • SV-25426r1_rule
The host DBA group is assigned permissions to the DBMS system libraries and may also be used to assign DBA privileges within the database. Unauthorized DBA privilege assignment leaves the DBMS data and operations vulnerable to complete compromise.Information Assurance OfficerECPA-1
Checks: C-20415r1_chk

For Windows 2000: 1. Right click on My Computer 2. Select Manage 3. Expand Local Users 4. Expand Groups 5. Select the OS DBA Group 6. Right click on the OS DBA Group 7. Select Properties For Windows 2003: 1. Click Start 2. Select All Programs 3. Select Administrative Tools 4. Click Computer Management 5. Expand System Tools 6. Expand Local Users and Groups 7. Select Groups 8. Select the OS DBA Group 9. Right click on the OS DBA Group 10. Select Properties Review the list of accounts assigned to the OS DBA group. Review the list of accounts assigned to the SYSADMIN role: For SQL Server: From the query prompt: exec sp_helpsrvrolemember 'sysadmin' If any accounts assigned OS DBA group membership or SYSADMIN privileges that are not DBAs as authorized and documented in the System Security Plan, this is a Finding. If the OS DBA group is not defined, this is a Finding.

Fix: F-23508r1_fix

Remove any OS DBA group membership assignments and assignments to the SYSADMIN role from accounts not authorized and documented in the System Security Plan by the IAO. Authorize and document in the System Security Plan all DBA accounts and assignments to the SYSADMIN role prior to assigning DBA group membership and privileges.

b
The SQL Server service should use a least-privileged local or domain user account.
Medium - V-3835 - SV-25429r1_rule
RMF Control
Severity
Medium
CCI
Version
DM0924-SQLServer9
Vuln IDs
  • V-3835
Rule IDs
  • SV-25429r1_rule
The Windows builtin Administrators group and LocalSystem account are assigned full privileges to the Windows operating system. These privileges are not required by the SQL Server service accounts for operation and, if assigned, could allow a successful attack of the SQL Server service to lead to a full compromise of the host system.System AdministratorDatabase AdministratorDCFA-1
Checks: C-20490r1_chk

Check for Service Account used: For Windows 2003 (Windows 2000 is similar): 1. Click Start 2. Right click on My Computer 3. Click on Manage, 4. Expand Services and Applications 5. Select Services 6. Locate the SQL Server ([instance name]) services 7. Examine the account listed in the ‘Log On As’ column If the account listed is a builtin account (LocalSystem, Local Service, Network Service, etc.), this is a Finding. Exceptions are: 1. SQL Server Active Directory Helper (Network Service) 2. SQL Server Integration Services (Network Service) 3. SQL Server VSS Writer (Local System) If the account listed is a domain user account (does not begin with ".\" or the host computer name), then confirm that the service requires access to remote systems including for the provision of email services as documented in the System Security Plan. If network resource access is not required, use of domain account is a Finding. If the account listed is a local or domain user account, then review group membership privileges. See below for Administrator group privilege check. Note any other group membership assignments for future check analysis. For Windows 2000: 1. Right click on My Computer 2. Select Manage 3. Expand Local Users 4. Expand Groups 5. Select the Administrators Group 6. Right click on the Administrators Group 7. Select Properties For Windows 2003: 1. Click Start 2. Select All Programs 3. Select Administrative Tools 4. Click Computer Management 5. Expand System Tools 6. Expand Local Users and Groups 7. Select Groups 8. Select the Administrators Group 9. Right click on the Administrators Group 10. Select Properties If the service account is listed as a member of the Administrators group, this is a Finding. Note: SQL Server Agent cannot be configured for autorestart without assignment to the Administrator Group. SQL Server Agent must be manually restarted after the service has been interrupted. If clustering is being used, assignment of "Debug Programs" user right to the account either directly or through an assigned group may be required and is authorized. Ensure this is documented in the System Security Plan.

Fix: F-14804r1_fix

Create a local custom account for the SQL Server service accounts. A domain account may be used where network resources are required. Please see SQL Server Books Online for information that is more detailed. Assign the service accounts to the SQL Server groups created at installation (SQL Server 2005) if available. Assign the SQL Server accounts to the appropriate OS SQL Service group. Do not assign the SQL Server accounts to the OS DBA group. Note: Each service identified with an ([Instance Name]) should have its own, separate local user/domain user account. Do not add the SQL Server Agent user/domain account to the local or domain Administrators groups.

b
SQL Server registry keys should be properly secured.
Medium - V-3838 - SV-25432r1_rule
RMF Control
Severity
Medium
CCI
Version
DM0927-SQLServer9
Vuln IDs
  • V-3838
Rule IDs
  • SV-25432r1_rule
Registry keys contain configuration data for the SQL Server services and applications. Unrestricted access or access unnecessary for operation can lead to a compromise of the application or disclosure of information that may lead to a successful attack or compromise of data.Database AdministratorECAN-1
Checks: C-1385r1_chk

Use regedit.exe (Windows 2003) or regedt32.exe (Windows XP, Windows 2000) to review registry permissions To review registry permissions using regedit.exe, navigate to the registry key indicated, right-click on the key, and select Permissions. Select the users and groups permissions and view the assigned Permissions in the Permissions box. To view Special Permissions (From the Permissions window for the key): 1. Click on the Advanced button 2. Select the Effective Permissions tab 3. Click the Select button 4. Select the User or Group name to review 5. To see the list of users or groups: a. Click on the Advanced button b. Click on the Find Now button c. Select a user or group account d. Click OK View registry permissions for the following registry keys and sub-keys under: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server If Full Control permissions are granted to other than Administrators, the DBA group, Creator Owner, System or the SQL Server service group with the following exceptions, this is a Finding. 1. HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ Instance Names \ RS \ = Full Control to key to local group account SQLServer2005ReportServerUser$[instance name] 2. HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ MSSQL.1 \ MSSearch \ = Full Control to keys and Subkeys to local group account SQLServer2005MSFTEUser$[instance name] 3. HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ MSSQL.1 \ SQLServerAgent \ = Full Control to key to local group account SQLServer2005SQLAgentUser$[instance name] 4. HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ MSSQL.1 \ SQLServerAgent \ = Full Control to key to local group account SQLServer2005SQLServerADHelperUser$[instance name] 5. HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ Instance Names \ RS \ = Read to keys and Subkeys to local group account Remote Desktop Users If other than Read permissions are granted to the custom SQL Server Users group or members of that group, this is a Finding. Note: During SQL Server 2005 installation, service group memberships are granted Read access to specific registry keys. If this Read access duplicates the custom SQL Server Users group access, this would not be a Finding. The DBA, Creator Owner, System, Administrators and SQL Server service groups should be granted Full Control.

Fix: F-14806r1_fix

Review permissions assigned to the SQL Server registry keys and Subkeys. Revoke Full Control permissions to accounts or groups other than DBAs, Administrators, System and Creator Owner except for keys and Subkeys listed in the check procedures. Revoke all Read permissions from any custom SQL Server users group and specific other groups as listed in the check procedures.

b
Database software directories including DBMS configuration files are stored in dedicated directories separate from the host OS and other applications.
Medium - V-4754 - SV-24125r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0012-SQLServer9
Vuln IDs
  • V-4754
Rule IDs
  • SV-24125r1_rule
Multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit to one application can lead to an exploit of other applications sharing the same security context. For example, an exploit to a web server process that leads to unauthorized administrative access to host system directories can most likely lead to a compromise of all applications hosted by the same system. Database software not installed using dedicated directoriies both threatens and is threatened by other hosted applications. Access controls defined for one application may by default provide access to the other application’s database objects or directories. Any method that provides any level of separation of security context assists in the protection between applications.Database AdministratorDCPA-1
Checks: C-20393r1_chk

Review the SQL Server software library directory. The SQL Server software library is defined in the registry key: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ MSSQL.[ #] \ Setup \ SQLProgramDir Note any custom subdirectories within the SQL Server software library directory. If any directories or files not installed with the SQL Server software exist with the SQL Server software directory, this is a Finding. Only applications that are required for the functioning and administration, not use, of the DBMS should be located on the same disk directory as the DBMS software libraries.

Fix: F-19758r1_fix

Install SQL Server DBMS software using directories separate from the OS and other application software library directories. Re-locate any directories or re-install other application software that currently shares the DBMS software library directory to separate directories. Recommend dedicating a separate partition for the DBMS software libraries where supported by the DBMS.

b
An upgrade/migration plan should be developed to address an unsupported DBMS software version.
Medium - V-4758 - SV-24115r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0002-SQLServer9
Vuln IDs
  • V-4758
Rule IDs
  • SV-24115r1_rule
Unsupported software versions are not patched by vendors to address newly discovered security versions. An unpatched version is vulnerable to attack. Developing and implementing an upgrade plan prior to a lapse in support helps to protect against published vulnerabilities.Information Assurance OfficerVIVM-1
Checks: C-17419r1_chk

If the check for unsupported version (DG0001) returns an unsupported version or the installed version is within 6 mos. of a desupport notice, ask if migration plans are in progress to upgrade to a supported version. If plans are not in progress, this is a Finding. To check version for SQL Server: From the query prompt: SELECT CONVERT(CHAR(13), SERVERPROPERTY('ProductVersion')) Where format is in major.minor.build and we only concern ourselves with the major version: 9 = SQL Server 2005 From the query prompt: SELECT CONVERT(CHAR(3), SERVERPROPERTY('ProductLevel')) Where value: RTM = Original release version (no service packs installed) SPn = Service Pack Level View version and service pack level. If the DBMS is not at the service pack level listed for the version below and no update plan exists, this is a Finding. Product Release (as of 1 May 2009) Mainstream Support Retired Extended Support Retired Service Pack SQL Server 9 (2005) 04/12/2011 04/12/2016 SP3

Fix: F-24544r1_fix

Apply the latest service pack (after testing) for the supported DBMS version. Create an upgrade plan for obsolete or expiring vendor products. As soon as an expiration date is published for the product, prepare to upgrade it. The cost of the upgrade should be budgeted including any additional testing and development required supporting the upgrade. A plan for testing the upgrade should also be scheduled. Any other steps for upgrade should be included in the plan and the plan for upgrade should be scheduled for completion prior to expiration of the current product or product support contract.

c
Vendor supported software is evaluated and patched against newly found vulnerabilities.
High - V-5658 - SV-24113r2_rule
RMF Control
Severity
High
CCI
Version
DG0001-SQLServer9
Vuln IDs
  • V-5658
Rule IDs
  • SV-24113r2_rule
The version of MS SQL Server must be listed by Microsoft as a supported version. Microsoft discontinues fixes for unsupported versions on reported dates. In order to maintain a secure environment, the installed version must continue to receive fixes for reported vulnerabilities.Information Assurance OfficerVIVM-1
Checks: C-26056r2_chk

From the SQL Server Enterprise Manager or SQL Server Management Studio GUI: Right-click on SQL server name, select General tab or pate, review Product Version or Version. OR From the query prompt: SELECT CONVERT(CHAR(13), SERVERPROPERTY('ProductVersion')) Where format is in major.minor.build and we only concern ourselves with the major version: 9 = SQL Server 2005 If the major version listed is not under Mainstream or Extended support from Microsoft as listed in the table below, this is a Finding. You can verify support for SQL Server at the following website: http://support.microsoft.com/gp/lifepolicy Product Release Mainstream Support Retired Extended Support Retired SQL Server 9 (2005) 04/12/2011 04/12/2016 The reviewer may want to record the version number for other checks in this review. Service patch level and HOTFIX updates are reviewed in separate checks. IAVM compliance is reviewed in Windows OS checks.

Fix: F-16108r1_fix

Protect the SQL Server installation from published vulnerabilities by upgrading to a supported version and installing all service packs and HOTFIXes as they become available (after testing).

b
The latest security patches should be installed.
Medium - V-5659 - SV-24117r2_rule
RMF Control
Severity
Medium
CCI
Version
DG0003-SQLServer9
Vuln IDs
  • V-5659
Rule IDs
  • SV-24117r2_rule
Maintaining the currency of the software version protects the database from known vulnerabilities.If any update has been released that is deemed by Microsoft to be a critical update, this check should be assigned a Severity Category of I.Database AdministratorVIVM-1
Checks: C-19492r2_chk

From the query prompt: SELECT CONVERT(CHAR(13), SERVERPROPERTY('ProductVersion')) Where format is in major.minor.build From the query prompt: SELECT CONVERT(CHAR(3), SERVERPROPERTY('ProductLevel')) Where value: RTM = Original release version (no service packs installed) SPn = Service Pack Level Note: HOTFIXes are generated and applied to specific Service Packs and are reflected in the Product Version build segment as an incremental version. Product Release Service Pack Product Version SQL Server 9 (2005) SP3 9.00.4230 For any product listed above, if the Product Version is the same or numerically higher than what is listed above, this is Not a Finding. If the Product Version is numerically lower, this is a Finding. Note: If any update has been released that is deemed by Microsoft to be a critical update, this check should be assigned a Severity Category of I. Supported versions and Service Packs are listed on the Microsoft web sites: http://support.microsoft.com/gp/lifeselectserv http://support.microsoft.com/kb/321185/en-us (lists version numbers)

Fix: F-19563r1_fix

Upgrade to the latest SQL Server Service Pack. Apply all applicable Microsoft SQL Server critical updates and HOTFIXes.

b
Required auditing parameters for database auditing should be set.
Medium - V-5685 - SV-24075r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0029-SQLServer9
Vuln IDs
  • V-5685
Rule IDs
  • SV-24075r1_rule
Auditing provides accountability for changes made to the DBMS configuration or its objects and data. It provides a means to discover suspicious activity and unauthorized changes. Without auditing, a compromise may go undetected and without a means to determine accountability.Database AdministratorECAR-1, ECAR-2, ECAR-3
Checks: C-23499r1_chk

If C2 Auditing is enabled (See Check DM0510: C2 audit mode), this check is Not a Finding. Determine the SQL Server Edition: From the query prompt: SELECT CONVERT(INT, SERVERPROPERTY('EngineEdition')) If value returned is 1 (Personal or Desktop Edition) or 4 (Express Edition), if auditing is not enabled or not configured completely to requirements, review the System Security Plan. If this is properly explained in the System Security Plan, this is Not a Finding. If this is not documented or documented poorly in the System Security Plan, this is a Finding. If value returned is 2 (Standard Edition) or 3 (Enterprise/Developer Edition), these findings apply. Determine if trace is enabled. From the query prompt: SELECT traceid 'TraceID' FROM ::FN_TRACE_GETINFO('0') WHERE traceid <> 1 – Do not count default trace in SQL Server 2005 AND property = 5 AND value = 1 If no trace is returned, this is a Finding. If the trace returned for Check DG0145 is not returned above, this is a Finding.

Fix: F-23532r1_fix

Enable the trace created in Check DG0145. From the query prompt: EXEC SP_TRACE_SETSTATUS [TraceID], 1 Replace [TraceID] with the ID of the trace created for the DG0145 audit trace requirement.

b
Audit records should be restricted to authorized individuals.
Medium - V-5686 - SV-24077r2_rule
RMF Control
Severity
Medium
CCI
Version
DG0032-SQLServer9
Vuln IDs
  • V-5686
Rule IDs
  • SV-24077r2_rule
Audit data is frequently targeted by malicious users as it can provide a means to detect their activity. The protection of the audit trail data is of special concern and requires restrictions to allow only the auditor and DBMS backup, recovery, and maintenance users access to it.trueDatabase AdministratorECTP-1
Checks: C-22722r2_chk

Review the file permissions to all files located in the DBMS audit log directory. If any allow access to users not authorized as DBAs or auditors, this is a Finding. Review database object access permissions to any audit log data stored in the database. If permissions are granted to users not authorized as DBAs or auditors, this is a Finding. Review the directory and file permissions to all files in the directory listed and in the registry entries below: C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\LogFiles HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\CPE\ErrorDumpDir HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\CPE\ErrorDumpDir HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.3\CPE\ErrorDumpDir HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\DefaultLog HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\SQLServerAgent\ErrorLogFile Review permissions to the sysprotects and/or sys.dm_exec_sessions view in the Master database: SELECT u.name AS [User], o.name AS [Object], p.permission_name AS [Permission] FROM [master].sys.all_objects o, [master].sys.database_principals u, [master].sys.database_permissions p WHERE p.grantee_principal_id = u.principal_id AND o.object_id = p.major_id AND (o.name = 'dm_exec_sessions' OR o.name = 'sysprotects') ORDER BY u.name, o.name, p.permission_name If any allow access to users not authorized as DBAs or auditors, this is a Finding.

Fix: F-19535r1_fix

Grant audit file and database audit object access to authorized DBAs and auditors. Revoke audit file and database audit object access from unauthorized database and OS accounts.

b
Only necessary privileges to the host system should be granted to DBA OS accounts.
Medium - V-6756 - SV-24119r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0005-SQLServer9
Vuln IDs
  • V-6756
Rule IDs
  • SV-24119r1_rule
Database administration accounts are frequently granted more permissions to the local host system than are necessary. This allows inadvertent or malicious changes to the host operating system.System AdministratorDatabase AdministratorECLP-1
Checks: C-1422r1_chk

Review host system privileges assigned to the DBA accounts. If any are granted host system administrator privileges or other system privileges not required for DBMS administration, this is a Finding. The DBA should have only the OS Users group, custom SQLServer DBA group, SQL Server service groups and custom SQL Server Users groups assigned. The custom SQL Server groups should have only the Log on Locally user right assigned.

Fix: F-20097r1_fix

Revoke any host system privileges from DBA accounts not required DBMS administration. Revoke any OS group memberships that assign excess privileges to DBA accounts. Remove any directly applied permissions or user rights from the DBA account.

b
The database should be secured in accordance with DoD, vendor and/or commercially accepted practices where applicable.
Medium - V-6767 - SV-30746r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0007-SQLServer9
Vuln IDs
  • V-6767
Rule IDs
  • SV-30746r1_rule
DBMS systems that do not follow DoD, vendor and/or public best security practices are vulnerable to related published vulnerabilities. A DoD reference document such as a security technical implementation guide or security recommendation guide constitutes the primary source for security configuration or implementation guidance for the deployment of newly acquired IA- and IA-enabled IT products that require use of the product's IA capabilities.Information Assurance OfficerDCCS-1, DCCS-2
Checks: C-31156r1_chk

Review security and administration documentation maintained for the DBMS system for indications that security guidance has been applied to the DBMS system. If DoD security guidance is not available, the following are acceptable in descending order as available: (1) Commercially accepted practices (e.g., SANS); (2) Independent testing results (e.g., ICSA); or (3) Vendor literature If the DBMS system has not been secured using available security guidance as listed above, this is a Finding.

Fix: F-27650r1_fix

Apply available security guidance to the DBMS system. If DoD security guidance is not available, the following are acceptable in descending order as available: (1) Commercially accepted practices (e.g., SANS); (2) Independent testing results (e.g., ICSA); or (3) Vendor literature

b
Automated notification of suspicious activity detected in the audit trail should be implemented.
Medium - V-15102 - SV-24234r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0083-SQLServer9
Vuln IDs
  • V-15102
Rule IDs
  • SV-24234r1_rule
Audit record collection may quickly overwhelm storage resources and an auditor's ability to review it in a productive manner. Automated tools can provide the means to manage the audit data collected as well as present it to an auditor in an efficient way.Information Assurance OfficerECRG-1
Checks: C-17014r1_chk

Review automated tool usage for reporting of audit trail data. If automated tools are not used, this is a Finding. Automated DBMS jobs and/or procedures may be used to produce the periodic reports where supported by the DBMS.

Fix: F-24522r1_fix

Develop, document and implement database or host system procedures to report audit trail data in a form usable to detect unauthorized access to or usage of DBMS privileges, procedures or data.

b
An automated tool that monitors audit data and immediately reports suspicious activity should be employed for the DBMS.
Medium - V-15103 - SV-25393r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0161-SQLServer9
Vuln IDs
  • V-15103
Rule IDs
  • SV-25393r1_rule
Audit logs only capture information on suspicious events. Without an automated monitoring and alerting tool, malicious activity may go undetected and without response until compromise of the database or data is severe.Information Assurance OfficerECAT-2
Checks: C-28253r1_chk

Review evidence or operation of an automated, continuous on-line monitoring and audit trail creation capability for the DBMS is deployed with the capability to immediately alert personnel of any unusual or inappropriate activity with potential IA implications, and with a user-configurable capability to automatically disable the system if serious IA violations are detected. If the requirements listed above are not fully met, this is a Finding.

Fix: F-23482r1_fix

Develop or procure, document and implement an automated, continuous on-line monitoring and audit trail creation capability for the DBMS is deployed with the capability to immediately alert personnel of any unusual or inappropriate activity with potential IA implications, and with a user-configurable capability to automatically disable the system if serious IA violations are detected.

c
Sensitive data served by the DBMS should be protected by encryption when transmitted across the network.
High - V-15104 - SV-25395r1_rule
RMF Control
Severity
High
CCI
Version
DG0167-SQLServer9
Vuln IDs
  • V-15104
Rule IDs
  • SV-25395r1_rule
Sensitive data served by the DBMS and transmitted across the network in clear text is vulnerable to unauthorized capture and review.Database AdministratorECCT-1, ECCT-2
Checks: C-23850r1_chk

If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is Not a Finding. If no identified sensitive or classified data requires encryption by the Information Owner in the System Security Plan and/or AIS Functional Architecture documentation, this check is Not a Finding. If encryption requirements are listed and specify configuration at the host system or network device level, review evidence that the configuration meets the specification with the DBA. It may be necessary to review network device configuration evidence or host communications configuration evidence with a Network and/or System Administrator. If the evidence review does not meet the requirement or specification as listed in the System Security Plan, this is a Finding. For SQL Server 2005: If encryption for sensitive data in transit is required by SQL Server configuration, then review the setting for the instance parameter ForceEncryption: From the SQL Server Configuration Manager GUI: 1. Expand SQL Server 2005 Network Configuration 2. Right-click on Protocols for [instance name] 3. Select Properties 4. Select the Flags tab 5. View the value for ForceEncryption OR From the Registry Editor: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ MSSQL.1 \ MSSQLServer \ SuperSocketNetLib \ ForceEncryption If the value of ForceEncryption does not equal yes or 1, this is a Finding.

Fix: F-20163r1_fix

Configure encryption of sensitive data served by the DBMS in accordance with the specifications provided in the System Security Plan. Document acceptance of risk by the Information Owner where sensitive or classified data is not encrypted. Have the IAO document assurance that the unencrypted sensitive or classified information is otherwise inaccessible to those who do not have Need-to-Know access to the data. For SQL Server 2005: Also, see Microsoft KB article for information on using SQL Server in FIPS 140-2 compliant mode: http://support.microsoft.com/kb/920995/ To configure encryption using SQL Server features: From the SQL Server Configuration Manager GUI: 1. Expand SQL Server 2005 Network Configuration 2. Right-click on Protocols for [instance name] 3. Select Properties 4. Select the Flags tab 5. Select Yes for ForceEncryption from the pull-down options

b
Unauthorized access to external database objects should be removed from application user roles.
Medium - V-15105 - SV-24104r2_rule
RMF Control
Severity
Medium
CCI
Version
DG0120-SQLServer9
Vuln IDs
  • V-15105
Rule IDs
  • SV-24104r2_rule
Access to objects stored and/or executed outside of the DBMS security context may provide an avenue of attack to host system resources not controlled by the DBMS. Any access to external resources from the DBMS can lead to a compromise of the host system or its resources.trueDatabase AdministratorECLP-1
Checks: C-20470r2_chk

View access permissions granted to external stored procedures: From the query prompt: SELECT name AS [Database Name] FROM [master].sys.databases WHERE state = 0 Repeat for each database: From the query prompt: USE [Database Name] SELECT u.name AS [Principal], o.name AS [External Procedure Name], p.permission_name AS [Permission], p.state_desc AS [State] FROM master.sys.all_objects o JOIN master.sys.database_permissions p ON p.major_id = o.object_id JOIN master.sys.database_principals u ON p.grantee_principal_id = u.principal_id WHERE o.type = 'X' ORDER BY o.name, u.name If no results are listed, this is Not a Finding. Review results returned. If any Principal names returned are not listed as authorized in the System Security Plan, this is a Finding.

Fix: F-18420r1_fix

Evaluate the associated risk in allowing access to external objects. Consider the security context under which the object is accessed or whether the privileges required to access the object are available for assignment based on job function. Where feasible, modify the application to use only objects stored internally to the database. Where not feasible, note the risk assessment and acceptance in the System Security Plan for access to external objects. Document required access permissions in the System Security Plan and authorize with the IAO.

b
DBA roles should be periodically monitored to detect assignment of unauthorized or excess privileges.
Medium - V-15106 - SV-24238r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0086-SQLServer9
Vuln IDs
  • V-15106
Rule IDs
  • SV-24238r1_rule
Excess privilege assignment can lead to intentional or unintentional unauthorized actions. Such actions may compromise the operation or integrity of the DBMS and its data.Information Assurance OfficerECLP-1
Checks: C-23846r1_chk

Review procedures and implementation evidence of DBA role privilege monitoring. If procedures are incomplete or not implemented, this is a Finding. If monitoring does not occur every 30 days or more often, this is a Finding.

Fix: F-25702r1_fix

Design, document and implement procedures for monitoring DBA role privilege assignments.

b
DBMS privileges to restore database data or other DBMS configurations, features or objects should be restricted to authorized DBMS accounts.
Medium - V-15107 - SV-24084r2_rule
RMF Control
Severity
Medium
CCI
Version
DG0063-SQLServer9
Vuln IDs
  • V-15107
Rule IDs
  • SV-24084r2_rule
Unauthorized restoration of database data, objects, or other configuration or features can result in a loss of data integrity, unauthorized configuration, or other DBMS interruption or compromise.trueDatabase AdministratorECLP-1
Checks: C-23507r2_chk

Review DBMS roles and accounts granted the CREATE DATABASE permission, sysadmin or dbcreator fixed server roles, and the member of each database db_owner role: 1. Accounts granted CREATE DATABASE permission or DBCREATOR server role. From the query prompt: SELECT p.name 'User', r.name 'Role' FROM [master].sys.server_principals p, [master].sys.server_principals r, [master].sys.server_role_members m WHERE p.principal_id = m.member_principal_id AND r.principal_id = m.role_principal_id AND m.role_principal_id = 9 AND m.member_principal_id <> 1 ORDER BY r.name, p.name 2. Accounts granted SYSADMIN permission or SYSADMIN server role. From the query prompt: SELECT p.name 'User', r.name 'Role' FROM [master].sys.server_principals p, [master].sys.server_principals r, [master].sys.server_role_members m WHERE p.principal_id = m.member_principal_id AND r.principal_id = m.role_principal_id AND m.role_principal_id = 3 AND m.member_principal_id <> 1 ORDER BY r.name, p.name 3. Accounts granted CREATE DATABASE permissions or granted DB_OWNER database role. From the query prompt: SELECT name FROM [master].sys.databases WHERE state = 0 Repeat for each database: From the query prompt: USE [database name] SELECT p.name 'User', r.name 'Role' FROM sys.database_principals p, sys.database_principals r, sys.database_role_members m WHERE p.principal_id = m.member_principal_id AND r.principal_id = m.role_principal_id AND m.role_principal_id = 16384 ORDER BY r.name, p.name If any are not authorized for RESTORE permissions, this is a Finding. The 'sa' account (SID = 0x01) and the database owner account are authorized accounts. These accounts do not require explicit authorization and do not count as a Finding.

Fix: F-24468r1_fix

Define DBMS roles that are authorized for database restore functions, restrict assignment of restore privileges to those roles, and assign those roles only to authorized DBMS accounts.

b
Privileges assigned to developers on shared production and development DBMS hosts and the DBMS should be monitored every three months or more frequently for unauthorized changes.
Medium - V-15108 - SV-25411r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0194-SQLServer9
Vuln IDs
  • V-15108
Rule IDs
  • SV-25411r1_rule
The developer role does not require Need-to-Know or administrative privileges to production databases. Assigning excess privileges can lead to unauthorized access to sensitive data or compromise of database operations.Information Assurance OfficerECPC-1, ECPC-2
Checks: C-23501r1_chk

If the DBMS or DBMS host is not shared by production and development activities, this check is Not a Finding. Review policy, monitoring procedures and evidence of developer privileges on shared development and production DBMS and DBMS host systems with the IAO. If developer privileges are not monitored every three months or more frequently, this is a Finding. NOTE: Though shared production/non-production DBMS installations was allowed under previous database STIG guidance, doing so may place it in violation of OS, Application, Network or Enclave STIG guidance. Ensure that any shared production/non-production DBMS installations meets STIG guidance requirements at all levels or mitigate any conflicts in STIG guidance with your DAA.

Fix: F-23490r1_fix

Develop, document and implement policy and procedures to monitor DBMS and DBMS host privileges assigned to developers on shared production and development systems to detect unauthorized assignments every three months or more often. Recommend establishing a dedicated DBMS host for production DBMS installations (See Checks DG0109 and DG0110). A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine where supported by the DBMS vendor.

b
DBMS production application and data directories should be protected from developers on shared production/development DBMS host systems.
Medium - V-15109 - SV-25413r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0195-SQLServer9
Vuln IDs
  • V-15109
Rule IDs
  • SV-25413r1_rule
Developer roles should not be assigned DBMS administrative privileges to production DBMS application and data directories. The separation of production and development DBA and developer roles help protect the production system from unauthorized, malicious or unintentional interruption due to development activities.System AdministratorDatabase AdministratorECPC-1, ECPC-2
Checks: C-28496r1_chk

If the DBMS host does not support both production and development operations, this check is Not a Finding. Review the list of OS DBA group membership with the SA and DBA. Compare to the list in the System Security Plan. If any accounts not identified in the System Security Plan for the production DBMS have been assigned DBA privileges (to include developer accounts), this is a Finding. If OS DBA group membership is not included in the System Security Plan, this is a Finding. NOTE: Though shared production/non-production DBMS installations was allowed under previous database STIG guidance, doing so may place it in violation of OS, Application, Network or Enclave STIG guidance. Ensure that any shared production/non-production DBMS installations meets STIG guidance requirements at all levels or mitigate any conflicts in STIG guidance with your DAA.

Fix: F-23492r1_fix

Create separate DBMS host OS groups for developer and production DBAs. Do not assign production DBA accounts to development OS groups. Do not assign development DBA accounts to production OS groups. Remove any unauthorized accounts from both production and development OS groups. Document in the System Security Plan. Recommend establishing a dedicated DBMS host for production DBMS installations (See Checks DG0109 and DG0110). A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine where supported by the DBMS vendor.

b
Use of the DBMS installation account should be logged.
Medium - V-15110 - SV-24157r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0041-SQLServer9
Vuln IDs
  • V-15110
Rule IDs
  • SV-24157r1_rule
The DBMS installation account may be used by any authorized user to perform DBMS installation or maintenance. Without logging, accountability for actions attributed to the account is lost.Information Assurance OfficerECLP-1
Checks: C-28453r1_chk

Review and verify implementation of logging procedures defined for use of the DBMS software installation account. If procedures for logging access to the DBMS are not present or are not being followed, this is a Finding. Host system audit logs should be echoed or matched in the DBMS installation account usage log along with an indication of the person who accessed the account and an explanation for the access.

Fix: F-20086r1_fix

Develop and implement a logging procedure for use of the DBMS software installation account that provides accountability to individuals for any actions taken by the account.

b
Use of the DBMS software installation account should be restricted to DBMS software installation, upgrade and maintenance actions.
Medium - V-15111 - SV-24167r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0042-SQLServer9
Vuln IDs
  • V-15111
Rule IDs
  • SV-24167r1_rule
The DBMS software installation account is granted privileges not required for DBA or other functions. Use of accounts configured with excess privileges may result in unauthorized or unintentional compromise of the DBMS.Information Assurance OfficerECLP-1
Checks: C-29508r1_chk

Review the logs for usage of the DBMS software installation account. Interview personnel authorized to access the DBMS software installation account to ask how the account is used. If any usage of the account is to support daily operations or DBA responsibilities, this is a Finding.

Fix: F-24638r1_fix

Develop, document and implement policy and procedures and train authorized users to restrict usage of the DBMS software installation account for DBMS software installation, upgrade and maintenance actions only.

a
The DBMS should be periodically tested for vulnerability management and IA compliance.
Low - V-15112 - SV-24240r1_rule
RMF Control
Severity
Low
CCI
Version
DG0088-SQLServer9
Vuln IDs
  • V-15112
Rule IDs
  • SV-24240r1_rule
The DBMS security configuration may be altered either intentionally or unintentionally over time. The DBMS may also be the subject of published vulnerabilities that require the installation of a security patch or a reconfiguration to mitigate the vulnerability. If the DBMS is not monitored for required or unintentional changes that render it not compliant with requirements, it can be vulnerable to attack or compromise.Information Assurance OfficerECMT-1, ECMT-2
Checks: C-22857r1_chk

Review procedures and evidence of implementation for DBMS IA and vulnerability management compliance. This should include periodic, unannounced, in-depth monitoring and provide for specific penetration testing to ensure compliance with all vulnerability mitigation procedures such as the DoD IAVA or other DoD IA practices is planned, scheduled and conducted. Testing is intended to ensure that the system's IA capabilities continue to provide adequate assurance against constantly evolving threats and vulnerabilities. The results for Classified systems are required to be independently validated. If the requirments listed above are not being met, this is a Finding.

Fix: F-24495r1_fix

Develop, document and implement procedures for periodic testing of the DBMS for current vulnerability management and security configuration compliance as stated in the check. Coordinate 3rd-party validation testing for Classified systems.

b
SQL Server replications agents should be run under separate and dedicated OS accounts.
Medium - V-15113 - SV-23852r2_rule
RMF Control
Severity
Medium
CCI
Version
DM6065-SQLServer9
Vuln IDs
  • V-15113
Rule IDs
  • SV-23852r2_rule
Use of shared accounts used by replication agents require that all permissions required to support each of the separate replication agent roles (snapshot publication, distribution, log reading, merge publication, queue reading, and replication maintenance) be assigned to the shared account. This translates to excess privilege assignment to the account to perform a specific job task and an exploit to the single account means a compromise to all replication elements accessed by the shared account. Separation of duties by use of separate and dedicated accounts reduces the risk to the entire replication implementation.trueDatabase AdministratorDCFA-1
Checks: C-22821r2_chk

From the query prompt: SELECT c.credential_identity, p.name FROM [master].sys.credentials c, [msdb].dbo.sysproxies p, [msdb].dbo.sysproxysubsystem s WHERE c.credential_id = p.credential_id AND s.proxy_id = p.proxy_id AND s.subsystem_id > 3 AND s.subsystem_id < 9 ORDER BY c.credential_identity, p.name If any proxies are not assigned unique credential identities, this is a Finding.

Fix: F-19743r1_fix

Create individual Windows accounts for each replication agent. Specify the Windows account created for the replication agent, in the Replication Agent Security settings in SQL Server. From the SQL Server Management Studio GUI: 1. Expand instance 2. Expand Replication 3. Expand Local Publications 4. For each Local Publication: a. Right-click on the publication b. Select Properties c. Select Agent Security page d. Click on Security Settings button e. Enter the dedicated Windows account for the Snapshot Agent f. Select Connect to the Publisher - By impersonating the process account g. Click OK h. Click OK

a
Developers should not be assigned excessive privileges on production databases.
Low - V-15114 - SV-24242r1_rule
RMF Control
Severity
Low
CCI
Version
DG0089-SQLServer9
Vuln IDs
  • V-15114
Rule IDs
  • SV-24242r1_rule
Developers play a unique role and represent a specific type of threat to the security of the DBMS. Where restricted resources prevent the required separation of production and development DBMS installations, developers granted elevated privileges to create and manage new database objects must also be prevented from actions that can threaten the production operation.Database AdministratorECPC-1, ECPC-2
Checks: C-13761r1_chk

If the database is not a production database, this check is Not Applicable. Review privileges assigned to developers: 1. Identify login name of developer DBMS accounts from the System Security Plan and/or DBA. 2. For each developer account, display the username SID and the databases where the user is defined: EXEC SP_HELPLOGINS '[login name]' 3. Display all fixed server role membership assignments: EXEC SP_HELPSRVROLEMEMBER If developers are assigned privileges that allow change or alteration of database objects in any production databases, this is a Finding. If developers are assigned membership to any DBMS server roles, this is a Finding.

Fix: F-24667r1_fix

Revoke DBA privileges assigned to developers on production DBMS unless required and authorized. Revoke database or other production object administrative privileges from developers unless required and authorized. Restrict developer privileges to production objects to those granted to application users only where such privileges are required and authorized.

b
The DBMS host platform and other dependent applications should be configured in compliance with applicable STIG requirements.
Medium - V-15116 - SV-25400r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0175-SQLServer9
Vuln IDs
  • V-15116
Rule IDs
  • SV-25400r1_rule
The security of the data stored in the DBMS is also vulnerable to attacks against the host platform, calling applications, and other application or optional components.Information Assurance OfficerECSC-1
Checks: C-13831r1_chk

Review evidence of security hardening and auditing of the DBMS host platform with the IAO. If the DBMS host platform has not been hardened and received a security audit, this is a Finding. Review evidence of security hardening and auditing for all application(s) that store data in the database and all other separately configured components that access the database including web servers, application servers, report servers, etc. If any have not been hardened and received a security audit, this is a Finding. Review evidence of security hardening and auditing for all application(s) installed on the local DBMS host where security hardening and auditing guidance exists. If any have not been hardened and received a security audit, this is a Finding.

Fix: F-23484r1_fix

Configure all related application components and the DBMS host platform in accordance with the applicable DOD STIG. Regularly audit the security configuration of related applications and the host platform to confirm continued compliance with security requirements.

b
The DBMS audit logs should be included in backup operations.
Medium - V-15117 - SV-25402r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0176-SQLServer9
Vuln IDs
  • V-15117
Rule IDs
  • SV-25402r1_rule
DBMS audit logs are essential to the investigation and prosecution of unauthorized access to the DBMS data. Unless audit logs are available for review, the extent of data compromise may not be determined and the vulnerability exploited may not be discovered. Undiscovered vulnerabilities could lead to additional or prolonged compromise of the data.Database AdministratorECTB-1
Checks: C-20487r1_chk

Audit events are logged by SQL Server to error logs, Windows event logs, and to SQL Profiler trace files. Review evidence of backups that include the default directory for SQL Server error logs and trace files. The default directory for SQL Server error logs and trace files is stored in the Windows registry under: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ MSSQL.[#] \ MSSQLServer \ DefaultLog Where [#] is the sequential number assigned to each instance. This directory is referred to below as [instance logpath]: SQL Server error logs: [instance logpath]ERRORLOG.[#] Audit trace (*.trc) files: Default is [instance logpath], but may be directed to any accessible directory. Log files of other components, e.g. SQLAGENT.[#]: [instance logpath] Audit trace results may also be directed to SQL Server tables. SQL Server data backups are addressed in a separate check; therefore, do not include audit results stored in database tables. If evidence of inclusion of audit log files in regular DBMS or host backups does not exist, this is a Finding.

Fix: F-23486r1_fix

Configure and ensure SQL Server audit trace files, instance and other error log files are included in regular backups.

b
Remote administrative access to the database should be monitored by the IAO or IAM.
Medium - V-15118 - SV-25391r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0159-SQLServer9
Vuln IDs
  • V-15118
Rule IDs
  • SV-25391r1_rule
Remote administrative access to systems provides a path for access to and exploit of DBA privileges. Where the risk has been accepted to allow remote administrative access, it is imperative to instate increased monitoring of this access to detect any abuse or compromise.Information Assurance OfficerInformation Assurance ManagerEBRP-1
Checks: C-23552r1_chk

If remote administrative access to the database is disabled, this check is Not a Finding. Review policy, procedures and implementation evidence of monitoring of remote administrative access to the database with the IAO or IAM. If policy and procedures for monitoring remote administrative access do not exist or not implemented, this is a Finding.

Fix: F-23480r1_fix

Develop, document and implement policy and procedures to monitor remote DBA access to the DBMS. The automated generation of a log report with automatic dissemination to the IAO and/or IAM may be used. Require and store an acknowledgement of receipt and confirmation of review for the log report.

b
DBMS files critical for DBMS recovery should be stored on RAID or other high-availability storage devices.
Medium - V-15119 - SV-24100r2_rule
RMF Control
Severity
Medium
CCI
Version
DG0114-SQLServer9
Vuln IDs
  • V-15119
Rule IDs
  • SV-24100r2_rule
DBMS recovery can be adversely affected by hardware storage failure. Impediments to DBMS recovery can have a significant impact on operations.trueSystem AdministratorDatabase AdministratorCOBR-1
Checks: C-20466r2_chk

Interview the System Administrator to determine if Failover Clustering is employed on the DBMS host and that SQL Server is using Failover Clustering. If the SQL Server instance employs Failover Clustering, this check is Not a Finding. If the instance employs other high-availability redundancy host or DBMS clustering, this check is Not a Finding. Failover clustering requires configuration of Microsoft Cluster Services (MSCS) to be running on the host (if available). View Services on the host to verify the service is active. Further, verify the Failover Cluster configuration by confirming that the MSCS service account has SYSADMIN privileges in the SQL Server instance. Review the file and disk storage specification for the SQL Server databases. From the query prompt: SELECT name FROM [master].sys.databases WHERE state = 0 Repeat for each database: USE [database name] SELECT physical_name FROM sys.database_files WHERE type_desc = 'LOG' Review the host disk system configuration. 1. Start / Administrative Tools / Computer Management 2. Expand Storage 3. Select Disk Management If the Layout column for the identified volume does not display type "mirror" or "RAID-5", this is a Finding.

Fix: F-25725r1_fix

Place SQL Server critical files including data, transaction and audit log files on fault-tolerant storage devices or employ SQL Server DBMS or OS clustering where supported by the DBMS.

b
DBMS backup and restoration files should be protected from unauthorized access.
Medium - V-15120 - SV-24189r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0064-SQLServer9
Vuln IDs
  • V-15120
Rule IDs
  • SV-24189r1_rule
Lost or compromised DBMS backup and restoration files may lead to not only the loss of data, but also the unauthorized access to sensitive data. Backup files need the same protections against unauthorized access when stored on backup media as when online and actively in use by the database system. In addition, the backup media needs to be protected against physical loss. Most DBMSs maintain online copies of critical control files to provide transparent or easy recovery from hard disk loss or other interruptions to database operation.Database AdministratorCOBR-1
Checks: C-20367r1_chk

Review file protections assigned to online backup and restoration files. Review access protections and procedures for offline backup and restoration files. If backup or restoration files are subject to unauthorized access, this is a Finding. It may be necessary to review backup and restoration procedures to determine ownership and access during all phases of backup and recovery. In addition to physical and host system protections, consider other methods including password protection to the files.

Fix: F-24535r1_fix

Develop, document and implement protection for backup and restoration files. Document personnel and the level of access authorized for each to the backup and restoration files in the System Security Plan.

b
DBMS software libraries should be periodically backed up.
Medium - V-15121 - SV-25409r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0187-SQLServer9
Vuln IDs
  • V-15121
Rule IDs
  • SV-25409r1_rule
The DBMS application depends upon the availability and integrity of its software libraries. Without backups, compromise or loss of the software libraries can prevent a successful recovery of DBMS operations.Database AdministratorCOSW-1
Checks: C-20491r1_chk

Review evidence of SQL Server and dependent application files and directories. The SQL Server software directory is specified in the registry value: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ MSSQL.[#] \ Setup \ SqlBinRoot Other SQL Server software including, but not limited to SQL Server tools and utilities, are found in the directory and subdirectories under: [drive] \ Program Files \ Microsoft SQL Server This directory is specified in the registry under: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ 90 \ Tools \ Setup \ SQLPath Other executables may be installed under the same Microsoft SQL Server path. Third-party applications may be located in other directory structures. Review the System Security Plan for a list of all DBMS application software libraries to be included in software library backups. If any software library files are not included in regular backups, this is a Finding.

Fix: F-20089r1_fix

Configure backups to include all DBMS application and third-party database application software libraries.

b
The database should not be directly accessible from public or unauthorized networks.
Medium - V-15122 - SV-25407r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0186-SQLServer9
Vuln IDs
  • V-15122
Rule IDs
  • SV-25407r1_rule
Databases often store critical and/or sensitive information used by the organization. For this reason, databases are targeted for attacks by malicious users. Additional protections provided by network defenses that limit accessibility help protect the database and its data from unnecessary exposure and risk.Information Assurance OfficerEBBD-1, EBBD-2, EBBD-3
Checks: C-24310r1_chk

Review the System Security Plan to determine if the DBMS serves data to users or applications outside the local enclave. If the DBMS is not accessed outside of the local enclave, this check is Not a Finding. If the DBMS serves applications available from a public network (e.g. the Internet), then confirm that the application servers are located in a DMZ. If the DBMS is located inside the local enclave and is directly accessible to public users, this is a Finding. If the DBMS serves public-facing applications and is not protected from direct client connections and unauthorized networks, this is a Finding. If the DBMS serves public-facing applications and contains sensitive or classified information, this is a Finding.

Fix: F-23488r1_fix

Do not allow direct connections from users originating from the Internet or other public network to the DBMS. Include in the System Security Plan for the system whether the DBMS serves public-facing applications or applications serving users from other untrusted networks. Do not store sensitive or classified data on a DBMS server that serves public-facing applications.

b
The Named Pipes network protocol should be documented and approved if enabled.
Medium - V-15124 - SV-25457r1_rule
RMF Control
Severity
Medium
CCI
Version
DM6015-SQLServer9
Vuln IDs
  • V-15124
Rule IDs
  • SV-25457r1_rule
The named pipes network protocol requires more ports to be opened on firewalls than TCP/IP. Managing and administering multiple network protocols may unnecessarily complicate network controls.Database AdministratorDCFA-1
Checks: C-23566r1_chk

From the SQL Server Configuration Manager GUI: 1. Expand SQL Server 2005 Network Configuration 2. Repeat for each instance: a. Select Protocols for [instance name]. b. View in the right pane, the status for Named Pipes If Named Pipes is enabled, this is a Finding.

Fix: F-18455r1_fix

If Named Pipes is required, document its use in the System Security Plan. Disable Named Pipes if not required and documented in the System Security Plan. From the SQL Server Configuration Manager GUI: 1. Expand SQL Server 2005 Network Configuration 2. Repeat for each instance: a. Select Protocols for [instance name] b. Double-click Named Pipes. c. Select No as the value for Enabled. d. Click OK 3. Click OK (acknowledge change won't take place until next restart) 4. Exit the SQL Server Configuration Manager GUI

b
Only authorized users should be assigned permissions to SQL Server Agent proxies.
Medium - V-15125 - SV-23851r2_rule
RMF Control
Severity
Medium
CCI
Version
DM6045-SQLServer9
Vuln IDs
  • V-15125
Rule IDs
  • SV-23851r2_rule
Database accounts granted access to SQL Server Agent proxies are granted permissions to create and submit specific function job steps to be executed by SQL Server Agent. Unauthorized users may use access to proxies to execute unauthorized functions against the SQL Server instance or host operating system.trueDatabase AdministratorECAN-1
Checks: C-13789r2_chk

Note: Access to ActiveScripting and CmdExec proxies is covered in check DM3763 From the query prompt: USE msdb EXEC SP_ENUM_PROXY_FOR_SUBSYSTEM If no records are returned, this is Not a Finding. For each proxy listed that is not for CmdExec or ActiveScripting subsystems (checked under DM3763): From the query prompt: EXEC SP_ENUM_LOGIN_FOR_PROXY @proxy_name = '[proxy name]' Replace [proxy name] with the proxy name returned above. Review the names listed in the return. Verify in the System Security Plan that any accounts or groups listed are authorized to access the proxy listed. If any are not, this is a Finding.

Fix: F-14809r1_fix

Note: SYSADMINs have access to all proxies by default. For each user or group granted unauthorized access to a proxy (select based on returns from the SP_ENUM_PROXY_FOR_SUBSYSTEM results): From the query prompt: EXEC SP_REVOKE_LOGIN_FROM_PROXY '[login name]' @proxy_name = '[proxy name]' Replace [proxy name] with the name of the proxy and replace [login name] with the name returned in the SP_ENUM_PROXY_FOR_SUBSYSTEM procedure.

b
Database backup procedures should be defined, documented and implemented.
Medium - V-15126 - SV-30771r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0013-SQLServer9
Vuln IDs
  • V-15126
Rule IDs
  • SV-30771r1_rule
Database backups provide the required means to restore databases after compromise or loss. Backups help reduce the vulnerability to unauthorized access or hardware loss.System AdministratorDatabase AdministratorCODB-1, CODB-2, CODB-3
Checks: C-31188r1_chk

Review the database backup procedures and implementation evidence. Evidence of implementation includes records of backup events and physical review of backup media. Evidence should match the backup plan as recorded in the System Security Plan. If backup procedures do not exist or not implemented in accordance with the procedures, this is a Finding. If backups are not performed weekly or more often, this is a Finding.

Fix: F-27682r1_fix

Develop, document and implement database backup procedures. Include weekly backup procedures and offline backup data storage.

b
The IAM should review changes to DBA role assignments.
Medium - V-15127 - SV-24302r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0118-SQLServer9
Vuln IDs
  • V-15127
Rule IDs
  • SV-24302r1_rule
Unauthorized assignment of DBA privileges can lead to a compromise of DBMS integrity. Providing oversight to the authorization and assignment of privileges provides the separation of duty to support sufficient oversight.Information Assurance ManagerECPA-1
Checks: C-20483r1_chk

Review the policy, procedures and implementation evidence for monitoring changes to DBA role assignments and procedures for notifying the IAM of the changes for review. If policy, procedures and implementation evidence do not exist, this is a Finding.

Fix: F-19756r1_fix

Develop, document and implement policy and procedures to monitor changes to DBA role assignments. Develop, document and implement policy and procedures to notify the IAM of changes to DBA role assignments. Include methods in the procedures that provide evidence of monitoring and notification.

b
Backup and recovery procedures should be developed, documented, implemented and periodically tested.
Medium - V-15129 - SV-24139r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0020-SQLServer9
Vuln IDs
  • V-15129
Rule IDs
  • SV-24139r1_rule
Problems with backup procedures or backup media may not be discovered until after a recovery is needed. Testing and verification of procedures provides the opportunity to discover oversights, conflicts, or other issues in the backup procedures or use of media designed to be used.Database AdministratorCODP-1, CODP-2, CODP-3
Checks: C-20371r1_chk

Review the testing and verification procedures documented in the System Security Plan. Review evidence of implementation of testing and verification procedures by reviewing logs from backup and recovery implementation. Logs may be in electronic or hardcopy and may include email or other notification. If testing and verification of backup and recovery procedures are not documented in the System Security Plan, this is a Finding. If evidence of testing and verification of backup and recovery procedures does not exist, this is a Finding.

Fix: F-22801r1_fix

Develop, document and implement testing and verification procedures for database backup and recovery. Include requirements for documenting database backup and recovery testing and verification activities in the procedures.

b
Unapproved inactive or expired database accounts should not be found on the database.
Medium - V-15130 - SV-24224r2_rule
RMF Control
Severity
Medium
CCI
Version
DG0074-SQLServer9
Vuln IDs
  • V-15130
Rule IDs
  • SV-24224r2_rule
Unused or expired DBMS accounts provide a means for undetected, unauthorized access to the database.trueDatabase AdministratorIAAC-1
Checks: C-20337r2_chk

Review procedures and implementation for monitoring the DBMS accounts for expiration or inactivity. Note: SQL Server does not maintain login statistics within the DBMS so account inactivity has to be determined manually. Review login accounts defined for the instance: SELECT SUBSTRING(name, 1, 30) AS [LoginName], CASE is_disabled WHEN 1 THEN 'true' ELSE 'false' END AS [IsDisabled], CASE CAST(LoginProperty(name, 'IsExpired') AS int) WHEN 1 THEN 'true' ELSE 'false' END AS [IsExpired], CASE CAST(LoginProperty(name, 'IsLocked') AS int) WHEN 1 THEN 'true' ELSE 'false' END AS [IsLocked] FROM [master].sys.server_principals WHERE type = 'S' AND (is_disabled <> 1 AND CAST(LoginProperty(name, 'IsExpired') AS int) = 1 OR CAST(LoginProperty(name, 'IsLocked') AS int) = 1) ORDER BY name Review the output from the command above and compare the accounts against audit records to determine account activity. Verify all accounts listed that are expired or locked are documented in the System Security Plan and authorized to remain. If any listed accounts are not documented or authorized, this is a Finding. Listed expired/locked accounts that are documented and authorized are still reported at OPEN findings, but are Documentable in VMS.

Fix: F-20162r1_fix

Develop, document and implement procedures to monitor database accounts for inactivity and expiration. Investigate, document and authorize if appropriate any accounts that are expired or locked or have been inactive for more than 30 days. Where appropriate, protect authorized expired or inactive accounts by disabling them or applying some other similar protection: ALTER LOGIN [NAME] DISABLE Note: DBMS accounts using Windows Authentication or linked to certificates can be monitored or managed by the host or through Active Directory for domain accounts. Ensure DBA and SA coordinate host/domain account management and host/domain account management meets host/domain-level STIG requirements.

b
Sensitive information stored in the database should be protected by encryption.
Medium - V-15131 - SV-24244r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0090-SQLServer9
Vuln IDs
  • V-15131
Rule IDs
  • SV-24244r1_rule
Sensitive data stored in unencrypted format within the database is vulnerable to unauthorized viewing.Database AdministratorInformation Assurance OfficerECCR-1, ECCR-2, ECCR-3
Checks: C-13762r1_chk

If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is Not a Finding. If no identified sensitive or classified data requires encryption by the Information Owner in the System Security Plan and/or AIS Functional Architecture documentation, this check is Not a Finding. Have your DBA use select statements in the database to review sensitive data stored in tables as identified in the System Security Plan and/or AIS Functional Architecture documentation. If any sensitive data is human readable by unauthorized users, this is a Finding. If encryption is required by the information owner, NIST-certified cryptography is used to encrypt stored sensitive information. If encryption is required by the information owner, NIST-certified cryptography is used to encrypt stored classified non-sources and methods intelligence information. If a classified enclave contains sources and methods intelligence data and is accessed by individuals lacking an appropriate clearance for sources and methods intelligence, then NSA-approved cryptography is used to encrypt all sources and methods intelligence stored within the enclave. Note: The result for this check may be marked as Not a Finding and the requirement of encryption in the database waived where the database has only database administrative accounts and application accounts that have a need-to-know to the data. This waiver does not preclude any requirement for encryption of the associated database data file (see DG0092).

Fix: F-18433r1_fix

Use third-party tools or native DBMS features to encrypt sensitive or classified data stored in the database. Use only NIST-certified or NSA-approved cryptography to provide encryption. Document acceptance of risk by the Information Owner where sensitive or classified data is not encrypted. Have the IAO document assurance that the unencrypted sensitive or classified information is otherwise inaccessible to those who do not have Need-to-Know access to the data. Developers should consider using a record-specific encryption method to protect individual records. For example, by employing the session username or other individualized element as part of the encryption key, then decryption of a data element is only possible by that user or other data accessible only by that user. Consider applying additional auditing of access to any unencrypted sensitive or classified data when accessed by users (with and/or without Need-to-Know).

b
Database data files containing sensitive information should be encrypted.
Medium - V-15132 - SV-24246r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0092-SQLServer9
Vuln IDs
  • V-15132
Rule IDs
  • SV-24246r1_rule
Where access controls do not provide complete protection of sensitive or classified data, encryption can help to close the gap. Encryption of sensitive data helps protect disclosure to privileged users who do not have a need-to-know requirement to view the data that is stored in files outside of the database. Data encryption also provides a level of protection where database controls cannot restrict access to single rows and columns of data.Database AdministratorECCR-1, ECCR-2, ECCR-3
Checks: C-13773r1_chk

Review the System Security Plan and/or the AIS Functional Architecture documentation to discover sensitive or classified data identified by the Information Owner that requires encryption. If no sensitive or classified data is identified as requiring encryption by the Information Owner, this check is Not a Finding. Have the DBA use select statements in the database to review sensitive data stored in tables as identified in the System Security Plan and/or AIS Functional Architecture documentation. If all sensitive data as identified is encrypted within the database objects, encryption of the DBMS data files is optional and Not a Finding. If all sensitive data is not encrypted within database objects, review encryption applied to the DBMS host data files. If no encryption is applied, this is a Finding. If encryption is required by the information owner, NIST-certified cryptography is used to encrypt stored sensitive information. If encryption is required by the information owner, NIST-certified cryptography is used to encrypt stored classified non-sources and methods intelligence information. If a classified enclave contains sources and methods intelligence data and is accessed by individuals lacking an appropriate clearance for sources and methods intelligence, then NSA-approved cryptography is used to encrypt all sources and methods intelligence stored within the enclave. Determine which DBMS data files contain sensitive data. Not all DBMS data files will require encryption.

Fix: F-18457r1_fix

Use third-party tools or native DBMS features to encrypt sensitive or classified data stored in the database. Use only NIST-certified or NSA-approved cryptography to provide encryption. Document acceptance of risk by the Information Owner where sensitive or classified data is not encrypted. Have the IAO document assurance that the unencrypted sensitive or classified information is otherwise inaccessible to those who do not have Need-to-Know access to the data. To lessen the impact on system performance, separate sensitive data where file encryption is required into dedicated DBMS data files. Consider applying additional auditing of access to any unencrypted sensitive or classified data when accessed by users (with and/or without Need-to-Know).

b
Transaction logs should be periodically reviewed for unauthorized modification of data.
Medium - V-15133 - SV-28974r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0031-SQLServer9
Vuln IDs
  • V-15133
Rule IDs
  • SV-28974r1_rule
Unauthorized or malicious changes to data compromise the integrity and usefulness of the data. Auditing changes to data supports accountability and non-repudiation. Auditing changes to data may be provided by the application accessing the DBMS or may depend upon the DBMS auditing functions. When DBMS auditing is used, the DBA is responsible for ensuring the auditing configuration meets the application design requirements.Database AdministratorECCD-1, ECCD-2
Checks: C-13763r1_chk

If the application does not require auditing using DBMS features, this check is Not Applicable. Review the application System Security Plan for requirements for database configuration for auditing changes to application data. If the application requires DBMS auditing for changes to data, review the database audit configuration against the application requirement. If the auditing does not comply with the requirement, this is a Finding.

Fix: F-14802r1_fix

Configure database data auditing to comply with the requirements of the application. Document auditing requirements in the System Security Plan.

b
The Integration Services service account should not be assigned excess host system privileges.
Medium - V-15134 - SV-25436r1_rule
RMF Control
Severity
Medium
CCI
Version
DM0929-SQLServer9
Vuln IDs
  • V-15134
Rule IDs
  • SV-25436r1_rule
Excess privileges can unnecessarily increase the vulnerabilities to a successful attack. If the Integration Service is compromised, the attack can lead to use of the privileges assigned to the service account. Administrative and other unnecessary privileges assigned to the service account can be used for an attack on the host system and/or SQL Server database.System AdministratorDatabase AdministratorDCFA-1
Checks: C-13780r1_chk

Check User Rights (may be assigned using group privileges): 1. Click Start 2. Select Control Panel \ Administrative Tools (Win2K) or Select Administrative Tools (Win2K3) 3. Click Local Security Policy 4. Expand Local Policies 5. Select User Rights Assignment View the Security Settings to see user rights assigned to the service account or group. For SQL Server Integration Services service account: If any user rights are assigned to the service account other than the following, this is a Finding: 1. Log on as a service (SeServiceLogonRight) 2. Permission to write to application event log 3. Bypass traverse checking (SeChangeNotifyPrivilege) 4. Create global objects (SeCreateGlobalPrivilege) 5. Impersonate a client after authentication (SeImpersonatePrivilege) If clustering is being used, assignment of "Debug Programs" user right to the account either directly or through an assigned group may be required and is authorized. Ensure this is documented in the System Security Plan.

Fix: F-14801r1_fix

Assign the Network Services Account the privileges as listed in the Check procedures where authorized by the System Administrator. Confirm that removal of any user rights from the Network Services Account do not conflict with OS or Application STIG requirements or affect operation of the DBMS server. Document any changes made in the System Security Plan.

b
Error log retention shoud be set to meet log retention policy.
Medium - V-15137 - SV-25454r1_rule
RMF Control
Severity
Medium
CCI
Version
DM3930-SQLServer9
Vuln IDs
  • V-15137
Rule IDs
  • SV-25454r1_rule
For SQL Server, error logs are used to store system event and system error information. In addition to assisting in correcting system failures or issues that could affect system availability and operation, log information may also be useful in discovering evidence of malicious intent. Management of the error logs requires consideration and planning to prevent loss of security data and maintaining system operation.Database AdministratorECCR-1, ECCR-2, ECCR-3
Checks: C-13785r1_chk

Review the registry key value: HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Microsoft SQL Server \ MSSQL.# \ MSSQLServer \ NumErrorLogs where [#] indicates the sequence number assigned to the SQL Server instance. Sequence number assignments to instances may be viewed at: HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Microsoft SQL Server \ Instance Names \ SQL \[instance name] Review the number assigned for the maximum number of error logs. Confirm this is the number documented in the System Security Plan. If the number is not documented in the System Security Plan or the assigned value does not match the System Security Plan specification, this is a Finding. Review evidence that error log retention is maintained for a minimum of one year. Error logs should be moved offline after 30 days or less depending on system storage capacity.

Fix: F-19682r1_fix

Review the SQL Server error log usage and determine a strategy for maintenance. The strategy should provide for the longest online retention that is considered meaningful and useful. This is determined over a period for operation and depends upon the amount of log data generated. Error logs must be maintained for a minimum of one year (DG0030). Error logs should be moved offline to satisfy this retention requirement. Design the provision for evidence of retention and allow restoration (for review) of the error logs in the System Security Plan. For SQL Server 2005: From the SQL Server Management Studio GUI: 1. Connect to and expand the SQL Server instance 2. Expand Management 3. Right-click on SQL Server Logs 4. Select Configure 5. Under the General Page, select or deselect Limit the number of error logs before they are recycled 6. Enter the number of error log files determined for the SQL Server instance 7. Click OK

a
The DBMS IA policies and procedures should be reviewed annually or more frequently.
Low - V-15138 - SV-24252r1_rule
RMF Control
Severity
Low
CCI
Version
DG0096-SQLServer9
Vuln IDs
  • V-15138
Rule IDs
  • SV-24252r1_rule
A regular review of current database security policies and procedures is necessary to maintain the desired security posture of the DBMS. Policies and procedures should be measured against current DOD policy, STIG guidance, vendor-specific guidance and recommendations, and site-specific or other security policy.Information Assurance OfficerDCAR-1
Checks: C-2743r1_chk

Review policy, procedures and implementation evidence of annual reviews of DBMS IA policy and procedures. If policy and procedures do not exist, are incomplete, or are not implemented and followed annually or more frequently, this is a Finding.

Fix: F-16095r1_fix

Develop, document and implement policy and procedures to monitor audit trail data daily.

b
Plans and procedures for testing DBMS installations, upgrades and patches should be defined and followed prior to production implementation.
Medium - V-15139 - SV-24254r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0097-SQLServer9
Vuln IDs
  • V-15139
Rule IDs
  • SV-24254r1_rule
Updates and patches to existing software have the intention of improving the security or enhancing or adding features to the product. However, it is unfortunately common that updates or patches can render production systems inoperable or even introduce serious vulnerabilities. Some updates also set security configurations back to unacceptable settings that do not meet security requirements. For these reasons, it is a good practice to test updates and patches offline before introducing them in a production environment.Information Assurance OfficerDCCT-1
Checks: C-23649r1_chk

Review policy, procedures and implementation evidence for testing DBMS installations, upgrades and patches prior to production deployment. If policy and procedures do not exist, are incomplete or evidence of implementation does not exist, this is a Finding.

Fix: F-24541r1_fix

Develop, document and implement policy and procedures for testing DBMS installations, upgrades and patches prior to deployment on production systems.

b
Procedures and restrictions for import of production data to development databases should be documented, implemented and followed.
Medium - V-15140 - SV-24218r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0069-SQLServer9
Vuln IDs
  • V-15140
Rule IDs
  • SV-24218r1_rule
Data export from production databases may include sensitive data. Application developers do not have a need to know to sensitive data. Any access they may have to production data would be considered unauthorized access and subject the sensitive data to unlawful or unauthorized disclosure.Database AdministratorECAN-1
Checks: C-28438r1_chk

If the database being reviewed is not a production database, this check is Not Applicable. Review procedures or restrictions for data exports from the production database. If data exports are not allowed, then review methods for preventing and monitoring of any production data export. If procedures and methods are not complete or implemented, this is a Finding. Acknowledgement of data export restrictions and procedures by individuals granted privileges that enable data export is considered sufficient protection, however, record of such acknowledgement must be filed. Privileges required for database copy and/or export commands include sysadmin, dbcreator or database owner of the source database. If DBMS export utilities are not restricted to users authorized by the IAO, this is a Finding.

Fix: F-24466r1_fix

Document procedures and restrictions for production data export. Require any users assigned privileges that allow the export of production data from the database to acknowledge understanding of the export restrictions. Restrict permissions allowing use or access to database export procedures or functions to authorized users.

b
DBMS processes or services should run under custom, dedicated OS accounts.
Medium - V-15141 - SV-24263r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0102-SQLServer9
Vuln IDs
  • V-15141
Rule IDs
  • SV-24263r1_rule
Shared accounts do not provide separation of duties nor allow for assignment of least privileges for use by database processes and services. Without separation and least privilege, the exploit of one service or process is more likely to be able to compromise another or all other services.Database AdministratorDCFA-1
Checks: C-23574r1_chk

Note: The SQL Server Service is covered in Check DG0101. View the service account properties for the SQL Server services. 1. Select Start / Administrative Tools / Services 2. View Properties / Log On for the following services: a. SQL Server Agent ([Instance Name]) b. SQL Server Analysis Services ([Instance Name]) c. SQL Server Browser ([Instance Name]) d. SQL Server FullText Search ([Instance Name]) e. SQL Server Reporting Services ([Instance Name]) 3. View Properties / Log on for the following services: a. SQL Server Active Directory Helper (Log On As Network Service) b. SQL Server Integration Services (Log On As Network Service) c. SQL Server VSS Writer (Log On As Local System) Not all of these services may exist. If some services do not exist, checks for these services are Not a Finding. If the listed services do not use a custom account (with exception to 3a – 3c above), this is a Finding. If any of the services uses a domain user account, then review the requirement for the domain user account. If the service does not require interaction with network or domain resources, this is a Finding. Note: Use of a local user account is recommended unless domain or network resources are accessed by the service. Review user rights assigned to the SQL Server service accounts. User rights may also be assigned to the service accounts via Windows groups and group policies: 1. Select Start / Run 2. Type: gpedit.msc (enter) 3. Under Group Policy Editor: a. Expand Local Computer Policy b. Expand Computer Configuration c. Expand Windows Settings d. Expand Security Settings e. Expand Local Properties f. Select User Rights Assignment g. Locate the Policies under each listed service h. Confirm the Security Setting for each policy contains the custom account assigned to the service i. Log on as a service 1. SQL Server Agent 2. SQL Server Analysis Services 3. SQL Server Browser 4. SQL Server FullText Search 5. SQL Server Reporting Services 6. SQL Server Active Directory Helper 7. SQL Server Integration Services 8. SQL Server VSS Writer ii. Act as part of the Operating System 1. SQL Server Agent iii. Log on as a batch job 1. SQL Server Agent iv. Bypass traverse checking 1. SQL Server Agent 2. SQL Server Integration Services v. Replace a process-level token 1. SQL Server Agent vi. Adjust memory quotas for a process 1. SQL Server Agent vii. Create global objects 1. SQL Server Integration Services viii. Impersonate a client after authentication 1. SQL Server Integration Services i. Exit Group Policy Editor If any user rights other than those listed above are assigned to the service accounts, this is a Finding.

Fix: F-25727r1_fix

Create and assign custom local or domain user accounts to the SQL Server service accounts. Disable any services and service accounts not required for operation. Assign only required user rights to the custom service accounts. Document in the System Security Plan.

b
Database data encryption controls should be configured in accordance with application requirements.
Medium - V-15143 - SV-24269r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0106-SQLServer9
Vuln IDs
  • V-15143
Rule IDs
  • SV-24269r1_rule
Authorizations may not sufficiently protect access to sensitive data and may require encryption. In some cases, the required encryption may be provided by the application accessing the database. In others, the DBMS may be configured to provide the data encryption. When the DBMS provides the encryption, the requirement must be implemented as identified by the Information Owner to prevent unauthorized disclosure or access.Database AdministratorDCFA-1
Checks: C-1314r1_chk

Review the System Security Plan and AIS Functional Architecture documentation and note sensitive data identified by the Information Owner as requiring encryption using DBMS features administered by the DBA. If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is Not a Finding. Review the encryption configuration against the System Security Plan and AIS Functional Architecture documentation specification. If the specified encryption is not configured, this is a Finding.

Fix: F-17796r1_fix

Configure DBMS encryption features and functions as required by the System Security Plan and AIS Functional Architecture documentation. Discrepancies between what features are and are not available should be resolved with the Information Owner, Application Developer and DBA as overseen by the IAO.

b
Sensitive data is stored in the database and should be identified in the System Security Plan and AIS Functional Architecture documentation.
Medium - V-15144 - SV-24271r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0107-SQLServer9
Vuln IDs
  • V-15144
Rule IDs
  • SV-24271r1_rule
A DBMS that does not have the correct confidentiality level identified or any confidentiality level assigned stands the chance of not being secured at a level appropriate to the risk it poses.Information Assurance OfficerDCFA-1
Checks: C-20335r1_chk

Review the System Security Plan and AIS Functional Architecture documentation for the DBMS and note any sensitive data that is identified. Review database table column data or descriptions that indicate sensitive data. For example, a data column labeled "SSN" could indicate social security numbers are stored in the column. Question the IAO or DBA where any questions arise. General categories of sensitive data requiring identification include any personal identifiable information (PII) involving health, financial and security proprietary or sensitive business data or data that might be classified. If any columns in the database contain data considered sensitive and is not referenced in the System Security Plan and AIS Functional Architecture documentation, this is a Finding.

Fix: F-21331r1_fix

Include identification of any sensitive data in the System Security Plan and AIS Functional Architecture. Include discussions of data that appear to be sensitive and annotate why it is not marked as such.

a
The DBMS restoration priority should be assigned.
Low - V-15145 - SV-24275r1_rule
RMF Control
Severity
Low
CCI
Version
DG0108-SQLServer9
Vuln IDs
  • V-15145
Rule IDs
  • SV-24275r1_rule
When DBMS service is disrupted, the impact it has on the overall mission of the organization can be severe. Without the proper assignment of the priority to be placed on restoration of the DBMS and its subsystems, restoration of DBMS services may not meet mission requirements.Information Assurance OfficerDCFA-1
Checks: C-28578r1_chk

Review the System Security Plan to discover the restoration priority assigned to the DBMS. If it is not assigned, this is a Finding.

Fix: F-17818r1_fix

Review the mission criticality of the DBMS in relation to the overall mission of the organization and assign it a restoration priority.

b
The DBMS should not be operated without authorization on a host system supporting other application services.
Medium - V-15146 - SV-24278r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0109-SQLServer9
Vuln IDs
  • V-15146
Rule IDs
  • SV-24278r1_rule
In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit to one application can lead to an exploit of other applications sharing the same security context. For example, an exploit to a web server process that leads to unauthorized administrative access to the host system can most likely lead to a compromise of all applications hosted by the same system. A DBMS not installed on a dedicated host may pose a threat to and be threatened by other hosted applications. Applications that share a single DBMS may also create risk to one another. Access controls defined for one application by default may provide access to the other application's database objects or directories. Any method that provides any level of separation of security context assists in the protection between applications.Information Assurance OfficerDCPA-1
Checks: C-20423r1_chk

Review the list of processes/services running on the DBMS host system. For Windows, review the Services snap-in. Investigate with the DBA/SA any unknown services. If any of the services or processes are identified as supporting applications or functions not authorized in the System Security Plan, this is a Finding. Note: Only applications that are operationally required to share the same host system may be authorized to do so. Applications that share the same host for administrative, financial or other non-operational reasons may not be authorized and are a Finding.

Fix: F-24599r1_fix

A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine if supported by the DBMS vendor. Remove any unauthorized processes or services and install on a separate host system. Where separation is not supported, update the System Security Plan and provide the technical requirement for having the application share a host with the DBMS.

b
The DBMS data files, transaction logs and audit files should be stored in dedicated directories or disk partitions separate from software or other application files.
Medium - V-15147 - SV-24289r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0111-SQLServer9
Vuln IDs
  • V-15147
Rule IDs
  • SV-24289r1_rule
Protection of DBMS data, transaction and audit data files stored by the host operating system is dependent on OS controls. When different applications share the same database process, resource contention and differing security controls may be required to isolate and protect one application's data and audit logs from another. DBMS software libraries and configuration files also require differing access control lists.Database AdministratorDCPA-1
Checks: C-20460r1_chk

If separation of data, transaction and audit data is not supported by the DBMS, this check is Not a Finding. In the references below, replace SQL5Root with the registry path: "HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server" Replace [#] with the SQL Server instance number as listed under: SQL5Root \ Instance Names \ SQL \ [instance name] Review the disk/directory specification where database data, transaction log and audit files are stored: SQL5Root \ MSSQL.[#] \ Setup \ SQLProgramDir Review the default data and log directory specifications in the registry: SQL5Root \ MSSQL.[#] \ MSSQLServer \ DefaultData SQL5Root \ MSSQL.[#] \ MSSQLServer \ DefaultLog If the program file directory and disk partition is the same as either the DefaultData or the DefaultLog directories, this is a Finding. If stored separately and access permissions for each directory is the same, this is a Finding.

Fix: F-18327r1_fix

Configure the DBMS to specify dedicated host system disk directories to store database and log files for each application sharing the database. Do not share the application's data disk directory with application software libraries.

b
DBMS network communications should comply with PPS usage restrictions.
Medium - V-15148 - SV-25376r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0152-SQLServer9
Vuln IDs
  • V-15148
Rule IDs
  • SV-25376r1_rule
Non-standard network ports, protocol or services configuration or usage could lead to bypass of network perimeter security controls and protections.Database AdministratorDCPP-1
Checks: C-20476r1_chk

From the SQL Server Configuration Manager GUI: 1. Expand SQL Server 2005 Network Configuration 2. Select Protocols for [instance name] 3. Right-click on TCP/IP 4. Select Properties 5. Select IP Addresses tab View all TCP Dynamic Ports and TCP Port values for all IP addresses. OR View the registry values: HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Microsoft SQL Server \ MSSQL.[#] \ MSSQLServer \ SuperSocketNetLib \ Tcp\IP[#] \ TCPDynamicPorts HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Microsoft SQL Server \ MSSQL.[#] \ MSSQLServer \ SuperSocketNetLib \ Tcp\IP[#] \ TcpPort HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Microsoft SQL Server \ MSSQL.[#] \ MSSQLServer \ SuperSocketNetLib \ IPAll \ TCPDynamicPorts HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Microsoft SQL Server \ MSSQL.[#] \ MSSQLServer \ SuperSocketNetLib \ IPAll \ TcpPort If any value (including 0) is entered for TCP Dynamic Ports, this is a Finding. A blank value indicates dynamic ports are not enabled and is Not a Finding. For SQL Server 2005 default instance, if the TCP Port value is set to 1433, this is Not a Finding. NOTE: For SQL Server 2005 named instance (via SQL Server Browser service), UDP Port 1434 is used. If any TCP Port value is set to a different port number, verify network traffic for the DBMS does not cross network or enclave boundaries as defined in the PPS CAL or registered with the PPS: http://iase.disa.mil/ports/index.html If any do and are not registered or allowed per the PPS, this is a Finding.

Fix: F-18426r1_fix

From the SQL Server Configuration Manager GUI: 1. Expand SQL Server 2005 Network Configuration 2. Select Protocols for [instance name] 3. Right-click on TCP/IP 4. Select Properties 5. Select IP Addresses tab 6. Clear any value listed in TCP Dynamic Ports for all IP addresses 7. Set all TCP Port values for ports accessed across a network boundary to TCP Port 1433 Ensure port is registered in the PPS CAL for use outside the enclave: http://iase.disa.mil/ports/index.html

a
DBA roles assignments should be assigned and authorized by the IAO.
Low - V-15149 - SV-25378r1_rule
RMF Control
Severity
Low
CCI
Version
DG0153-SQLServer9
Vuln IDs
  • V-15149
Rule IDs
  • SV-25378r1_rule
The DBA role and associated privileges provide complete control over the DBMS operation and integrity. DBA role assignment without authorization could lead to the assignment of these privileges to untrusted and untrustworthy persons and complete compromise of DBMS integrity.Information Assurance OfficerDCSD-1
Checks: C-22716r1_chk

Review the documented procedures for approval and granting of DBA privileges. Review implementation evidence for the procedures. If procedures do not exist or evidence that they are followed does not exist, this is a Finding.

Fix: F-24588r1_fix

Develop, document and implement procedures to ensure all DBA role assignments are authorized and assigned by the IAO. Include methods that provide evidence of approval in the procedures.

a
The DBMS requires a System Security Plan containing all required information.
Low - V-15150 - SV-25380r1_rule
RMF Control
Severity
Low
CCI
Version
DG0154-SQLServer9
Vuln IDs
  • V-15150
Rule IDs
  • SV-25380r1_rule
A System Security Plan identifies security control applicability and configuration for the DBMS. It also contains security control documentation requirements. Security controls applicable to the DBMS may not be documented, tracked or followed if not identified in the System Security Plan. Any omission of security control consideration could lead to an exploit of DBMS vulnerabilities.Information Assurance OfficerDCSD-1
Checks: C-19417r1_chk

Review the System Security Plan for the DBMS with the IAO. Review coverage of the following in the System Security Plan: 1. Technical, administrative and procedural IA program and policies that govern the DBMS 2. Identification of all IA personnel (IAM, IAO, DBA, SA) assigned responsibility to the DBMS 3. Specific IA requirements and objectives (e.g., requirements for data handling or dissemination (to include identification of sensitive data stored in the database, database application user job functions/roles and privileges), system redundancy and backup, or emergency response) If the System Security Plan does not exist, this is a Finding. If the System Security Plan does not include the information listed above at a minimum, this is a Finding.

Fix: F-19551r1_fix

Develop, document and implement a System Security Plan for the DBMS or include IA documentation related to the DBMS in the System Security Plan of the system that the DBMS supports. Refer to Section 3.4 in the Microsoft SQL Server Database Security Checklist for information on how to develop a System Security Plan. Include or note additional information in the System Security Plan where required in other DBMS checks.

b
DBMS login accounts require passwords to meet complexity requirements.
Medium - V-15152 - SV-24092r2_rule
RMF Control
Severity
Medium
CCI
Version
DG0079-SQLServer9
Vuln IDs
  • V-15152
Rule IDs
  • SV-24092r2_rule
Weak passwords are a primary target for attack to gain unauthorized access to databases and other systems. Where username/password is used for identification and authentication to the database, requiring the use of strong passwords can help prevent simple and more sophisticated methods for guessing at passwords.trueDatabase AdministratorIAIA-1, IAIA-2
Checks: C-23535r2_chk

If SQL server is configured for Windows Authentication only, this check is Not a Finding. If the server is configured to allow SQL Server Authentication, verify passwords are checked for complexity requirements where DBMS version permits: From the query prompt: SELECT name FROM [master].sys.sql_logins WHERE type = 'S' AND is_policy_checked <> '1' ORDER BY name If any rows are returned, this is a Finding.

Fix: F-20068r1_fix

For all DBMS accounts using SQL Server logins, set the accounts for password complexity checking: From the query prompt: ALTER LOGIN [login name] CHECK_POLICY = ON Note: This setting depends upon host system password complexity settings. The host system must be configured to comply with Windows STIG requirements.

b
DBMS account passwords should be set to expire every 60 days or more frequently.
Medium - V-15153 - SV-19452r2_rule
RMF Control
Severity
Medium
CCI
Version
DG0125-SQLServer9
Vuln IDs
  • V-15153
Rule IDs
  • SV-19452r2_rule
Unchanged passwords provide a means for compromised passwords to be used for unauthorized access to DBMS accounts over a long time.trueDatabase AdministratorIAIA-1, IAIA-2
Checks: C-20472r2_chk

If no DBMS accounts authenticate using passwords, this check is Not a Finding. If DBMS uses Windows Authentication only, this check is Not a Finding. From the query prompt: SELECT name FROM [master].sys.sql_logins WHERE type = 'S' AND is_expiration_checked <> '1' ORDER BY name If any names are returned, this is a Finding. NOTE: Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079.

Fix: F-18422r1_fix

Set SQL Server logins to check password expiration. ALTER LOGIN [user name] WITH CHECK_EXPIRATION = ON

b
Credentials stored and used by the DBMS to access remote databases or applications should be authorized and restricted to authorized users.
Medium - V-15154 - SV-24111r2_rule
RMF Control
Severity
Medium
CCI
Version
DG0190-SQLServer9
Vuln IDs
  • V-15154
Rule IDs
  • SV-24111r2_rule
Credentials defined for access to remote databases or applications may provide unauthorized access to additional databases and applications to unauthorized or malicious users.trueDatabase AdministratorDCFA-1
Checks: C-23660r2_chk

Review the list of defined database links generated from the DBMS instance. From the query prompt: SELECT s.name AS [Local Link Server Name], SUSER_NAME(l.local_principal_id) AS [Server Principal], l.remote_name AS [Remote User Name] FROM [master].sys.servers s JOIN [master].sys.linked_logins l ON s.server_id = l.server_id WHERE l.server_id <> 0 ORDER BY l.server_id If no linked servers are listed in the DBMS instance, this check is Not a Finding. Compare this list with the list documented in the System Security Plan and authorized by the IAO. If any linked servers exist that are not authorized or not listed in the System Security Plan, this is a Finding. For each Server Principal listed, confirm in the System Security Plan that they are authorized for access to the linked server. For any linked server login mapping that specifies a NULL Server Principal, this is a Finding. If access to any linked server has been granted to an unauthorized account, this is a Finding.

Fix: F-14763r1_fix

Grant access to linked servers to authorized accounts or applications only. Document all linked server access authorizations in the System Security Plan and authorize with the IAO.

b
The SQL Server Agent service account should not be assigned excess user rights.
Medium - V-15155 - SV-25439r1_rule
RMF Control
Severity
Medium
CCI
Version
DM0933-SQLServer9
Vuln IDs
  • V-15155
Rule IDs
  • SV-25439r1_rule
Excess privileges can unnecessarily increase the vulnerabilities to a successful attack. If the SQL Server Agent service is compromised, the attack can lead to use of the privileges assigned to the service account. Administrative and other unnecessary privileges assigned to the service account can be used for an attack on the host system and/or SQL Server database.System AdministratorDatabase AdministratorDCFA-1
Checks: C-23664r1_chk

Check User Rights (may be assigned using group privileges): 1. Click Start 2. Select Control Panel \ Administrative Tools (Win2K) or Select Administrative Tools (Win2K3) 3. Click Local Security Policy 4. Expand Local Policies 5. Select User Rights Assignment View the Security Settings to see user rights assigned to the service account or group. For SQL Server Agent service account: If any user rights are assigned to the service account other than the following, this is a Finding: 1. Log on as a service (SeServiceLogonRight) 2. Act as part of the operating system (SeTcbPrivilege) (Win2K only) 3. Log on as a batch job (SeBatchLogonRight) 4. Replace a process-level token (SeAssignPrimaryTokenPrivilege) 5. Bypass traverse checking (SeChangeNotifyPrivilege) 6. Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) If clustering is being used, assignment of "Debug Programs" user right to the account either directly or through an assigned group may be required and is authorized. Ensure this is documented in the System Security Plan.

Fix: F-23515r1_fix

Create a local custom account for the SQL Server Agent service account. A domain account may be used where network resources are required. Please see SQL Server Books Online for information that is more detailed. Assign the account to the SQL Server Agent (group created at installation for SQL Server 2005) if available. Assign the SQL Server Agent account or group the user privileges as listed in the Check procedures.

b
Only authorized service broker endpoints should be configured on the server.
Medium - V-15165 - SV-23857r2_rule
RMF Control
Severity
Medium
CCI
Version
DM6128-SQLServer9
Vuln IDs
  • V-15165
Rule IDs
  • SV-23857r2_rule
Service Broker endpoints expose the database to SQL Server messaging communication access. Where not carefully designed and implemented, messaging communication can unnecessarily expose the database to additional exploit that compromises data confidentiality and integrity. Removing messaging communication endpoints helps to protect the database from unauthorized messaging communication access.trueDatabase AdministratorDCFA-1
Checks: C-13812r2_chk

From the query prompt: SELECT name FROM [master].sys.service_broker_endpoints Review the list of any endpoints returned. If no records are returned, this is Not a Finding. If any endpoints are returned and are not listed as a required and authorized XML web service endpoint in the System Security Plan, this is a Finding.

Fix: F-14832r1_fix

Authorize and document Service Broker endpoints in the System Security Plan. Where not authorized, drop Service Broker service endpoints. From the query prompt: DROP ENDPOINT [endpoint name]

b
Database Engine Ad Hoc distributed queries should be disabled.
Medium - V-15166 - SV-25496r1_rule
RMF Control
Severity
Medium
CCI
Version
DM6160-SQLServer9
Vuln IDs
  • V-15166
Rule IDs
  • SV-25496r1_rule
Adhoc queries allow undefined access to remote database sources. Access to untrusted databases could result in execution of malicious applications and/or a compromise of local data confidentiality and integrity.Database AdministratorDCFA-1
Checks: C-13818r1_chk

From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'ad hoc distributed queries' If the value of Config_Value is 0, this is Not a Finding. If the value of Config_Value is 1, confirm in the System Security Plan that this option is documented, required and approved by the IAO. If it is not documented, required and approved, this is a Finding.

Fix: F-19729r1_fix

Authorize and document requirements for use of Ad hoc distributed queries in the System Security Plan and AIS Functional Architecture documentation. Where not authorized, disable its use. From the query prompt: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'ad hoc distributed queries', 0 RECONFIGURE

b
The data directory should specify a dedicated disk partition and restricted access.
Medium - V-15167 - SV-23867r1_rule
RMF Control
Severity
Medium
CCI
Version
DM6189-SQLServer9
Vuln IDs
  • V-15167
Rule IDs
  • SV-23867r1_rule
Data directories require different access controls than software file directories. Locating data directories in separate directories on a dedicated disk partition allows assign of access controls to only those users that require access and helps protect the data from unauthorized access.Database AdministratorDCPA-1
Checks: C-20523r1_chk

Review the default data and log directory specifications: For SQL Server 2005 Default Instance: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ MSSQLServer \ MSSQLServer \ DefaultData HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ MSSQLServer \ MSSQLServer \ DefaultLog For SQL Server 2005 Named Instance: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ MSSQL.[#] \ MSSQLServer \ DefaultData HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ MSSQL.[#] \ MSSQLServer \ DefaultLog If the DefaultData directory lists the same directory as the DefaultLog directory, this is a Finding. Review the master database file locations: From the query prompt: SELECT physical_name, type_desc FROM [master].sys.master_files ORDER BY physical_name Review each database file locations: From the query prompt: SELECT name FROM [master].sys.databases WHERE state = 0 Repeat for each database: USE [database name] SELECT physical_name, type_desc FROM sys.database_files ORDER BY physical_name If any results show more than one database using the same physical filename, this is a Finding. If any files from either the master_files or database_files show log files (*_log.ldf files) in the same directory as data files, this is a Finding. Note: Transactional log files (*.LDF) files can coexist with data files (*.MDF). A transactional log files will have a similar name or a variant name of its matching data file (ex: master.mdf vs. mastlog.ldf). Not all data files will have a corresponding transactional log file. If any databases share the same directory, verify in the System Security Plan that the databases are shared by the same application. If they are not, this is a Finding.

Fix: F-14830r1_fix

Create at least one dedicated disk partition to store database data and log files. Create dedicated directories to store database data files for each individual application that uses the database. Specify the dedicated database data file disk partition for the default data directory. Include this information in the System Security Plan and AIS Functional Architecture documentation.

b
The SQL Server services should not be assigned excessive user rights.
Medium - V-15169 - SV-25435r1_rule
RMF Control
Severity
Medium
CCI
Version
DM0928-SQLServer9
Vuln IDs
  • V-15169
Rule IDs
  • SV-25435r1_rule
Excessive or unneeded privileges allow for unauthorized actions. When application vulnerabilities are exploited, excessive privileges assigned to the application can lead to unnecessary risk to the host system and other services.System AdministratorDatabase AdministratorDCFA-1
Checks: C-20378r1_chk

Check User Rights (may be assigned using group privileges): 1. Click Start 2. Select Control Panel \ Administrative Tools (Win2K) or Select Administrative Tools (Win2K3) 3. Click Local Security Policy 4. Expand Local Policies 5. Select User Rights Assignment View the Security Settings to see user rights assigned to the service account or group. If any user rights are assigned to the service account other than the following, this is a Finding. If any services listed below do not exist, then do not include them in the review: 1. Analysis Server: Log on as a service 2. Report Server: Log on as a service 3. Integration Services: a. Log on as a service b. Permission to write to application event log c. Bypass traverse checking d. Create global objects e. Impersonate a client after authentication 4. Full-Text Search: Log on as a Service 5. SQL Server Browser: Log on as a Service If clustering is being used, assignment of "Debug Programs" user right to the account either directly or through an assigned group may be required and is authorized. Ensure this is documented in the System Security Plan.

Fix: F-23511r1_fix

Create local custom accounts for the SQL Server Analysis, Reporting, Full Text Search, and Browser service accounts. A domain account may be used where network resources are required. Please see SQL Server Books Online for information that is more detailed. Assign the service account to the SQL Server service group (created at installation for the service accounts for SQL Server 2005/2008) if available. Assign the service account or group the user privileges as listed in the Check procedures.

b
SQL Server services should be assigned least privileges on the SQL Server Windows host.
Medium - V-15170 - SV-25420r1_rule
RMF Control
Severity
Medium
CCI
Version
DM0919-SQLServer9
Vuln IDs
  • V-15170
Rule IDs
  • SV-25420r1_rule
Exploits to SQL Server services may provide access to the host system resources within the security context of the service. Excess privileges assigned to the SQL Services can increase the threat to the host system.Information Assurance OfficerECPA-1
Checks: C-1362r1_chk

View the Windows group memberships assigned to the SQL Server service accounts: List of services: 1. SQL Server Database 2. SQL Server Agent 3. Analysis Services 4. Integration Services 5. Reporting Services 6. Notification Services 7. Full Text Search 8. SQL Server Browser 9. SQL Server Active Directory Helper 10. SQL Writer Group Membership: The service account and groups should be local unless the services access other domain or remote services. 1. Service-specific groups (e.g. SQLServer2005MSSQLUser$[host name]$[instance name]) 2. SQL Server services Users Groups - custom name, used to replace Users group permissions to SQL Server directories and files 3. Performance Monitor - for SQL Server Database service if Replication is in use and performance is monitored 4. Windows Users group If any services are assigned group membership to any groups other than: 1. A custom SQL Server service group 2. A custom SQL Server service users group, 3. Windows Users group this is a Finding. User rights and file permissions are reviewed under separate checks.

Fix: F-14803r1_fix

Remove unnecessary group membership from SQL Server service accounts. Review any group membership assignments other than the: 1. SQL Server service group 2. SQL Server service users group 3. Windows Users group For SQL Server Database service, Performance Monitor group membership if replication and monitoring are operationally required.

b
Database TRUSTWORTHY status should be authorized and documented or set to off.
Medium - V-15173 - SV-23868r2_rule
RMF Control
Severity
Medium
CCI
Version
DM6195-SQLServer9
Vuln IDs
  • V-15173
Rule IDs
  • SV-23868r2_rule
The TRUSTWORTHY database setting restricts access to database resources by databases that contain assemblies with the EXTERNAL_ACCESS or UNSAFE permission settings and modules that use impersonation of accounts assigned elevated privileges. Unless all assemblies and code for the database have been reviewed, especially in the case where databases have been detached and attached between server instances, leaving the TRUSTWORTHY status to off can help reduce threats from malicious assemblies or modules.trueDatabase AdministratorECLP-1
Checks: C-22823r2_chk

From the query prompt: SELECT name FROM [master].sys.databases WHERE is_trustworthy_on = 1 AND name <> 'msdb' AND state = 0 If any database names are returned, then verify in the System Security Plan that the TRUSTWORTHY database setting is documented as required and authorized. If it is not documented, required and authorized, this is a Finding.

Fix: F-19745r1_fix

Disable TRUSTWORTHY status on all databases (except the msdb database) if enabled and not authorized From the query prompt: ALTER DATABASE [database name] SET TRUSTWORTHY OFF Include in the System Security Plan all relevant settings for each database.

b
SQL Server event forwarding, if enabled, should be operational.
Medium - V-15176 - SV-25463r1_rule
RMF Control
Severity
Medium
CCI
Version
DM6030-SQLServer9
Vuln IDs
  • V-15176
Rule IDs
  • SV-25463r1_rule
If SQL Server is configured to forward events to an Alerts Management Server that is not available, then no alerts are issued for the server.Database AdministratorDCFA-1
Checks: C-22792r1_chk

From RegEdit, view values: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Sever \ MSSQL.[#] \ SQLServerAgent \ AlertForwardingServer If the value is empty or NULL, this is Not a Finding. If the value is not NULL, verify that the use of alert forwarding is authorized in the System Security Plan. If alert forwarding is in use and not authorized and documented, this is a Finding.

Fix: F-19714r1_fix

Enable use of event forwarding only as part of a SQL Server automated management system design where careful consideration and the requirements for its use are carefully considered. The plan should include consideration for network or alert management server failure and subsequent loss of alert data. Include the alert management plan or a reference to it in the System Security Plan that includes the instance of SQL Server under review. Disable event forwarding where not required. From the SQL Server Management Studio GUI: 1. Expand instance 2. Right-click on SQL Server Agent 3. Select Properties 4. Select the Advanced page 5. Click on Forward events to a different server to remove the check from the check box 6. Click the OK button to save and close

b
Replication databases should have authorized db_owner role members. The replication monitor role should have authorized members.
Medium - V-15178 - SV-23855r2_rule
RMF Control
Severity
Medium
CCI
Version
DM6070-SQLServer9
Vuln IDs
  • V-15178
Rule IDs
  • SV-23855r2_rule
Role privileges required by replication include full privileges to the databases with replicated objects. Restrict replication database db_owner role memberships and the system distribution database replmonitor database role membership to authorized replication agent accounts that require access to the database. Unauthorized access can provide unintentional or malicious users greater opportunity to exploit replication access.trueDatabase AdministratorECLP-1
Checks: C-20516r2_chk

From the query prompt: SELECT COUNT(name) FROM [master].sys.databases WHERE name = 'distribution' AND state = 0 If count = 0, the distribution database does not exist and this check is Not a Finding. From the query prompt: USE distribution EXEC SP_HELPROLEMEMBER 'replmonitor' View list of databases participating in replication: EXEC SP_HELPREPLICATIONDBOPTION For each replication database: USE [database name] EXEC SP_HELPROLEMEMBER 'db_owner' If any role members listed are not authorized for replication access in the System Security Plan, this is a Finding.

Fix: F-14829r1_fix

Revoke role membership for unauthorized accounts granted replication role memberships: USE [database name] EXEC SP_DROPROLEMEMBER '[replmonitor or db_owner]' FROM '[account name]'

b
The DBMS should not share a host supporting an independent security service.
Medium - V-15179 - SV-24283r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0110-SQLServer9
Vuln IDs
  • V-15179
Rule IDs
  • SV-24283r1_rule
The Security Support Structure is a security control function or service provided by an external system or application. An example of this would be a Windows domain controller that provides identification and authentication that can be used by other systems to control access. The vulnerabilities and, therefore, associated risk of a DBMS installed on a system that provides a security support structure is significantly higher than when installed with other functions that do not provide security support. In cases where the DBMS is dedicated to local support of a security support function (e.g. a directory service), separation may not be possible.Information Assurance OfficerDCSP-1
Checks: C-28584r1_chk

Review the services and processes active on the DBMS host system. If the host system is acting as a Windows domain controller, this is a finding. If the host system is supporting any other directory or security service that does not use the DBMS to store the directory information, this is a Finding. Note: A local installation of Anti-virus or Firewall does not constitute a security service in this context.

Fix: F-20270r1_fix

Either move the DBMS installation to a dedicated host system or move the directory or security services to another host system. A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine if supported by the DBMS vendor.

b
Only authorized users should be granted access to Analysis Services data sources.
Medium - V-15180 - SV-25499r1_rule
RMF Control
Severity
Medium
CCI
Version
DM6193-SQLServer9
Vuln IDs
  • V-15180
Rule IDs
  • SV-25499r1_rule
Access control applied to data sources controls user access to remotely defined systems using the authentication and authorizations defined for the data source. Unauthorized access to the data source in turn provides unauthorized access to remote systems.Database AdministratorECAN-1
Checks: C-13828r1_chk

From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. For each Analysis Services database: a. Expand the database b. Expand Roles c. For each role listed: i. Right-click on the role ii. Select Properties iii. Select the Data Sources page Review the list of data sources listed for the role against authorized roles in the System Security Plan. If access to any unauthorized data sources is assigned to the role, this is a Finding. If documentation does not exist or is insufficient to determine authorized access, this is a Finding.

Fix: F-14849r1_fix

Document all roles authorized to access data sources in the System Security Plan. Remove any unauthorized data sources from roles.

b
Analysis Services user-defined COM functions should be disabled if not required.
Medium - V-15181 - SV-25470r1_rule
RMF Control
Severity
Medium
CCI
Version
DM6099-SQLServer9
Vuln IDs
  • V-15181
Rule IDs
  • SV-25470r1_rule
Allowing user-defined COM functions can allow unauthorized code access to the Analysis Services instance. Where not required as part of the operational design, allowing user-defined COM functions can expose the instance to unnecessary risk.Database AdministratorDCFA-1
Checks: C-13797r1_chk

If Analysis Services is not deployed on the local host, this check is Not a Finding. Note: To detect deployment, view Windows Services. If SQL Server Analysis Services ([instance name]) is not listed, then Analysis Services is not installed on this host. If the System Security Plan indicates User-Defined COM Functions is required for operation, this check is Not a Finding. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Feature \ ComUdfEnabled If the value = 'true', this is a Finding. The User-Defined COM Functions value may also be viewed in the Analysis Services configuration file, msmdsrv.ini under XML tag: [ComUdfEnabled] The configuration file may be found in the [install dir] \ MSSQL.[#] \ OLAP \ Config directory.

Fix: F-14817r1_fix

If not documented as required and authorized by the IAO, set value for ComUdfEnabled to 'false'. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Feature \ ComUdfEnabled 5. Select value = 'false' 6. Click OK

b
Replication snapshot folders should be protected from unauthorized access.
Medium - V-15182 - SV-25465r1_rule
RMF Control
Severity
Medium
CCI
Version
DM6075-SQLServer9
Vuln IDs
  • V-15182
Rule IDs
  • SV-25465r1_rule
Replication snapshot folders contain database data to which only authorized replication accounts require access. Unauthorized access to these folders could compromise data confidentiality and integrity, and could compromise database availability.Database AdministratorECAN-1
Checks: C-13792r1_chk

View the list of databases participating in replication: EXEC SP_HELPREPLICATIONDBOPTION For each replication database: EXEC SP_HELPPUBLICATION If snapshot_in_defaultfolder is 1 for any records returned, the snapshot folder name is: [install dir]\[instance dir]\MSSQL\ReplData If the snapshot_in_defaultfolder is 0, then the snapshot folder name is listed in alt_snapshot_folder. View OS permissions to the snapshot folder: Review operating system permissions assigned to the snapshot folder using Windows Explorer. The following are required/authorized permissions by role: 1. Administrators/DBAs: Full Control 2. Snapshot Agents: Write access 3. Merge and Distribution agents: Read access If any permission other than those listed is assigned or are assigned to unauthorized accounts, this is a Finding. View database permissions to the snapshot folder: For each replication database: EXEC SP_HELPPUBLICATION_SNAPSHOT '[publication name]' If any permission is granted to accounts other than Administrators, DBAs, CREATOR OWNER, SYSTEM, or the snapshot agent account, merge, or distribution agents, this is a Finding. If merge and distribution agents have more than Read access to the snapshot folder, this is a Finding.

Fix: F-14812r1_fix

Restrict access to the replication snapshot folders: From Windows Explorer: 1. Administrators/DBAs: Full Control 2. Snapshot Agents: Write access 3. Merge, Subscription, and Distribution agents: Read access

b
The Analysis Services ad hoc data mining queries configuration option should be disabled if not required.
Medium - V-15183 - SV-25466r1_rule
RMF Control
Severity
Medium
CCI
Version
DM6085-SQLServer9
Vuln IDs
  • V-15183
Rule IDs
  • SV-25466r1_rule
SQL Server Ad Hoc distributed queries allow specific functions (OPENROWSET and OPENDATASOURCE) to connect to remote systems without those remote systems being defined within database. Access to unauthorized systems could lead to unauthorized activity in remote systems that could compromise the local database.Database AdministratorDCFA-1
Checks: C-13793r1_chk

If Analysis Services is not deployed on the local host, this check is Not a Finding. Note: To detect deployment, view Windows Services. If SQL Server Analysis Services ([instance name]) is not listed, then Analysis Services is not installed on this host. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for DataMining \ AllowAdHocOpenRowsetQueries If value = 'true', this is a Finding. The AllowAdHocOpenRowsetQueries value may also be viewed in the Analysis Services configuration file, msmdsrv.ini under XML tag: [AllowAdHocOpenRowsetQueries] The configuration file may be found in the [install dir] \ MSSQL.[#] \ OLAP \ Config directory.

Fix: F-14813r1_fix

Set value for AllowAdHocOpenRowsetQueries to 'false' From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for DataMining \ AllowAdHocOpenRowsetQueries 5. Select value = 'false' 6. Click OK

b
Analysis Services Anonymous Connections should be disabled.
Medium - V-15184 - SV-25467r1_rule
RMF Control
Severity
Medium
CCI
Version
DM6086-SQLServer9
Vuln IDs
  • V-15184
Rule IDs
  • SV-25467r1_rule
Anonymous connections allow unauthenticated access to the database. Although the database may not store sensitive application data, operation and data compromise may occur without accountability where unauthenticated access is allowed.Database AdministratorIAIA-1, IAIA-2
Checks: C-13794r1_chk

If Analysis Services is not deployed on the local host, this check is Not a Finding. Note: To detect deployment, view Windows Services. If SQL Server Analysis Services ([instance name]) is not listed, then Analysis Services is not installed on this host. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Security \ RequireClientAuthentication If value = 'false', this is a Finding. The RequireClientAuthentication value may also be viewed in the Analysis Services configuration file, msmdsrv.ini under XML tag: [RequireClientAuthentication] The configuration file may be found in the [install dir] \ MSSQL.[#] \ OLAP \ Config directory.

Fix: F-14814r1_fix

Set value for RequireClientAuthentication to 'true' From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Security \ RequireClientAuthentication 5. Select value = 'true' 6. Click OK

b
Analysis Services Links From Objects should be disabled if not required.
Medium - V-15186 - SV-25469r1_rule
RMF Control
Severity
Medium
CCI
Version
DM6088-SQLServer9
Vuln IDs
  • V-15186
Rule IDs
  • SV-25469r1_rule
Analysis Services allows other server instances to link to local analysis services objects. Where not required, enabling of this allowance can unnecessarily expose the database objects to unauthorized access or compromise.Database AdministratorDCFA-1
Checks: C-13796r1_chk

If Analysis Services is not deployed on the local host, this check is Not a Finding. Note: To detect deployment, view Windows Services. If SQL Server Analysis Services ([instance name]) is not listed, then Analysis Services is not installed on this host. If the System Security Plan indicates Links from Other instances is required for operation, this check is Not a Finding. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Feature \ LinkFromOtherInstanceEnabled If the value = 'true', this is a Finding. The LinkFromOtherInstanceEnabled value may also be viewed in the Analysis Services configuration file, msmdsrv.ini under XML tag: [LinkFromOtherInstanceEnabled] The configuration file may be found in the [install dir] \ MSSQL.[#] \ OLAP \ Config directory.

Fix: F-14816r1_fix

Set value for LinkFromOtherInstanceEnabled to 'false'. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Feature \ LinkFromOtherInstanceEnabled 5. Select value = 'false' 6. Click OK

b
Linked server providers should not allow ad hoc access.
Medium - V-15187 - SV-25494r1_rule
RMF Control
Severity
Medium
CCI
Version
DM6155-SQLServer9
Vuln IDs
  • V-15187
Rule IDs
  • SV-25494r1_rule
Ad hoc access allows undefined access to remote systems. Access to remote systems should be controlled to prevent untrusted data to be executed or uploaded to the local server.Database AdministratorDCFA-1
Checks: C-13817r1_chk

From the SQL Server Management Studio GUI: 1. Expand Database 2. Expand Server Objects 3. Expand Linked Servers 4. Expand Providers 5. For each Provider listed: a. Right click on Provider name b. Click Properties c. View Provider options If "Disallow adhoc access" is not enabled (checked) for all Providers, this is a Finding.

Fix: F-14837r1_fix

Enable Disallow adhoc access for all linked servers. From the SQL Server Management Studio GUI: 1. Expand Database 2. Expand Server Objects 3. Expand Linked Servers 4. Expand Providers 5. For each Provider listed: a. Right click on Provider name b. Select Properties c. Click on the Enable check box for Name = Disallow adhoc access d. Click OK button Note: The procedure described above will disallow adhoc access for all linked servers that use the providers..

c
Analysis Services Required Protection Levels should be set to 1.
High - V-15188 - SV-25471r1_rule
RMF Control
Severity
High
CCI
Version
DM6101-SQLServer9
Vuln IDs
  • V-15188
Rule IDs
  • SV-25471r1_rule
Sensitive data is vulnerable to unauthorized access when traversing untrusted network segments. Encryption of the data in transit helps protect the confidentiality of the data.Database AdministratorECCT-1, ECCT-2
Checks: C-13798r1_chk

Determine if SQL Server Analysis Services is installed. View the Windows Services Snap-In. If SQL Server Analysis Services ([instance name]) is not listed, Analysis Services is not installed on this host. If SQL Server Analysis Services is not installed on the DBMS host, this check is Not a Finding. If SQL Server Analysis Services in installed on the DBMS host (regardless of whether it is actively running or not), review the msmdsrv.ini file for the SQL Server Analysis service. The value for [install dir] can be found in the Windows Registry under the parameter: HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\SqlProgramDir The msmdsrv.ini configuration file may be found in the directory: [install dir]\MSSQL.2\OLAP\Config View the contens of the msmdsrv.ini file. 1. Locate the RequiredProtectionLevel XML tag under the DataProtection tag. If the RequiredProtectionLevel tag is not listed, this is a Finding. If the RequiredProtectionLevel tag is listed and set to a value of 0 or 2, this is a Finding. If the RequiredProtectionLevel tag is listed and set to a value of 1, this part of the check is Not a Finding. 2. Locate the RequiredProtectionLevel XML tag under the AdministrativeDataProtection tag. If the RequiredProtectionLevel tag is not listed, this is a Finding. If the RequiredProtectionLevel tag is listed and set to a value of 0 or 2, this is a Finding. If the RequiredProtectionLevel tag is listed and set to a value of 1, this part of the check is Not a Finding. 3. Locate the RequiredWebProtectionLevel XML tag under the DataProtection tag. If the RequiredWebProtectionLevel tag is not listed, this is a Finding. If the RequiredWebProtectionLevel tag is listed and set to a value of 0 or 2, this is a Finding. If the RequiredWebProtectionLevel tag is listed and set to a value of 1, this part of the check is Not a Finding. 4. Locate the RequiredWebProtectionLevel XML tag under the AdministrativeDataProtection tag. If the RequiredWebProtectionLevel tag is not listed, this is a Finding. If the RequiredWebProtectionLevel tag is listed and set to a value of 0 or 2, this is a Finding. If the RequiredWebProtectionLevel tag is listed and set to a value of 1, this part of the check is Not a Finding. If any parts of this check are a Finding, this check is a Finding. NOTE: Check DM6101 now combines checks from DM6101, DM6102, DM6106 and DM6107 into this single check. Checks DM6102, DM6106 and DM6107 have been inactivated.

Fix: F-14818r1_fix

Modify the msmdsrv.ini to set Required Protection Levels to use encryption. Make a backup copy of the msmdsrv.ini file. Edit the msmdsrv.ini file Under the DataProtection tag, set the value for RequiredProtectionLevel to 1 OR under the DataProtection tag, create the tag RequiredProtectionLevel and set the value to 1. Under the DataProtection tag, set the value for RequiredWebProtectionLevel to 1 OR under the DataProtection tag, create the tag RequiredWebProtectionLevel and set the value to 1. Under the AdministrativeDataProtection tag, set the value for RequiredProtectionLevel to 1 OR under the AdministrativeDataProtection tag, create the tag RequiredProtectionLevel and set the value to 1. Under the AdministrativeDataProtection tag, set the value for RequiredWebProtectionLevel to 1 OR under the AdministrativeDataProtection tag, create the tag RequiredWebProtectionLevel and set the value to 1. Save and exit. Restart the SQL Server Analysis Services service for the changes to take effect. NOTE: Check DM6101 now combines fixes from DM6101, DM6102, DM6106 and DM6107 into this single fix. Checks DM6102, DM6106 and DM6107 have been inactivated.

b
Analysis Services Security Package List should be disabled if not required.
Medium - V-15190 - SV-25473r1_rule
RMF Control
Severity
Medium
CCI
Version
DM6103-SQLServer9
Vuln IDs
  • V-15190
Rule IDs
  • SV-25473r1_rule
Analysis Services Security Packages are security applications provided outside of the default Analysis Services installation. The packages may be provided by custom development or commercial third-party products used for client authentication. Use of untested or unverified security applications may introduce unknown vulnerabilities to the instance. Restrict use of non-default security packages to tested and trusted applications that meet DOD authentication requirements.Information Assurance OfficerDCFA-1
Checks: C-13800r1_chk

If Analysis Services is not installed on the local host, this check is Not a Finding. Note: To detect installation, view the Windows Services snap-in. If SQL Server Analysis Services ([instance name]) is not listed, then Analysis Services is not installed on this host. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Security \ SecurityPackageList If the value is not NULL and lists packages other than those documented in the System Security Plan, this is a Finding. The SecurityPackageList value may also be viewed in the Analysis Services configuration file, msmdsrv.ini under XML tag: [SecurityPackageList] The configuration file may be found in the [install dir] \ MSSQL.[#] \ OLAP \ Config directory.

Fix: F-14820r1_fix

From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Security \ SecurityPackageList 5. Select value and delete all unauthorized packages from the list 6. Click OK

b
The Analysis Services server role should be restricted to authorized users.
Medium - V-15193 - SV-25476r1_rule
RMF Control
Severity
Medium
CCI
Version
DM6108-SQLServer9
Vuln IDs
  • V-15193
Rule IDs
  • SV-25476r1_rule
The Analysis Services server role grants server-wide security privileges to the assigned user. An unauthorized user could compromise database and analysis server data and operational integrity or availability.Information Assurance OfficerECLP-1
Checks: C-13803r1_chk

If Analysis Services is not deployed on the local host, this check is Not a Finding. Note: To detect deployment, view Windows Services. If SQL Server Analysis Services ([instance name]) is not listed, then Analysis Services is not installed on this host. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. Select the Security page 5. View member names assigned to the server role If any assigned members are not included as authorized in the System Security Plan, this is a Finding.

Fix: F-14823r1_fix

Remove unauthorized members from the Analysis Service instance. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. Select the Security page 5. Select any unauthorized user to remove 6. Click the Remove button 7. Click OK

b
Only authorized accounts should be assigned to one or more Analysis Services database roles.
Medium - V-15194 - SV-25477r1_rule
RMF Control
Severity
Medium
CCI
Version
DM6109-SQLServer9
Vuln IDs
  • V-15194
Rule IDs
  • SV-25477r1_rule
Unauthorized group membership assignment grants unauthorized privileges to database accounts. Unauthorized may lead to a compromise of data confidentiality or integrity.Database AdministratorECAN-1
Checks: C-13804r1_chk

If Analysis Services is not deployed on the local host, this check is Not a Finding. Note: To detect deployment, view Windows Services. If SQL Server Analysis Services ([instance name]) is not listed, then Analysis Services is not installed on this host. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Expand Databases 4. Repeat for each database: a. Click on each database role b. View the member list If any members are assigned database roles that are not documented in the System Security Plan, this is a Finding.

Fix: F-14824r1_fix

Authorize and document all Analysis Services database role assignments in the System Security Plan. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Expand the Analysis Services instance 3. Expand Databases 4. Repeat for each database: a. Click on each database role b. Open the member list c. Select any unauthorized users d. Click the Remove button e. Click OK

b
Only authorized SQL Server proxies should be assigned access to subsystems.
Medium - V-15196 - SV-23859r2_rule
RMF Control
Severity
Medium
CCI
Version
DM6145-SQLServer9
Vuln IDs
  • V-15196
Rule IDs
  • SV-23859r2_rule
SQL Server subsystems define a set of functionality available for assignment to a SQL Server Agent proxy. These act as privileges to perform certain job tasks. Excess privilege assignment or subsystem assignment can lead to unauthorized access to the SQL Server instance or host operating system.trueDatabase AdministratorECAN-1
Checks: C-13815r2_chk

From the query prompt: SELECT p.name, sp.subsystem FROM [msdb].dbo.sysproxies p, [msdb].dbo.sysproxysubsystem s, [msdb].dbo.syssubsystems sp WHERE p.proxy_id = s.proxy_id AND s.subsystem_id = sp.subsystem_id ORDER BY p.name, sp.subsystem Review the list of subsystem assignments to proxies against the authorized list in the System Security Plan document. If unauthorized subsystems are assigned to any proxy or is not documented, this is a Finding.

Fix: F-14835r1_fix

Define and document in the System Security Plan the minimum subsystem assignments required by individual proxies. Assign to each proxy only those subsystems required to complete the SQL Server Agent job.

b
Dedicated accounts should be designated for SQL Server Agent proxies.
Medium - V-15197 - SV-23858r2_rule
RMF Control
Severity
Medium
CCI
Version
DM6140-SQLServer9
Vuln IDs
  • V-15197
Rule IDs
  • SV-23858r2_rule
SQL Server proxies use to execute specific job functions defined for SQL Server Agent. If proxies share a single account for multiple job functions, least privileges cannot be assigned based on the particular job function. This can compromise the security of the shared functions should a compromise of the SQL Server Agent job occur.trueDatabase AdministratorECAN-1
Checks: C-13814r2_chk

From the query prompt: SELECT c.name AS [Credential], c.credential_identity AS [Identity], p.name AS [Proxy], b.subsystem AS [Subsystem] FROM [master].sys.credentials c JOIN [msdb].dbo.sysproxies p ON c.credential_id = p.credential_id JOIN [msdb].dbo.sysproxysubsystem s ON s.proxy_id = p.proxy_id JOIN [msdb].dbo.syssubsystems b ON s.subsystem_id = b.subsystem_id JOIN (SELECT w.credential_identity FROM [master].sys.credentials w JOIN [msdb].dbo.sysproxies x ON w.credential_id = x.credential_id JOIN [msdb].dbo.sysproxysubsystem y ON x.proxy_id = y.proxy_id WHERE (y.subsystem_id < 4 OR y.subsystem_id > 8) GROUP BY w.credential_identity HAVING COUNT(*) > 1) d ON c.credential_identity = d.credential_identity WHERE (s.subsystem_id < 4 OR s.subsystem_id > 8) ORDER BY c.name, p.name, b.subsystem Review the list of proxies and assigned logins. If any Identity/Login names are listed more than once, this is a Finding.

Fix: F-14834r1_fix

Create Windows accounts for each proxy defined. Assign only the file permissions, subsystem access and other privileges required to run the SQL Server Agent job. Document proxy accounts in the System Security Plan and authorize with the IAO.

b
The Web Assistant procedures configuration option should be disabled if not required.
Medium - V-15198 - SV-25488r1_rule
RMF Control
Severity
Medium
CCI
Version
DM6130-SQLServer9
Vuln IDs
  • V-15198
Rule IDs
  • SV-25488r1_rule
The Web Assistant procedures are used by database applications to create web pages. This capability may easily be abused to send malicious messages to remote users or systems. Disabling its use helps to protect the database from generating or receiving malicious email notifications.Database AdministratorDCFA-1
Checks: C-13813r1_chk

From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'web assistant procedures' If the value of Config_Value is 1, confirm in the System Security Plan and AIS Functional Architecture documentation that Web Assistant procedures are required and approved by the IAO. If it is not documented, required and approved, this is a Finding.

Fix: F-14833r1_fix

Authorize and document requirements for use of Web Assistant Procedures in the System Security Plan and AIS Functional Architecture documentation. Where not authorized, disable use of Web Assistant Procedures. From the query prompt: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'Web Assistant procedures', 0 RECONFIGURE

a
Reporting Services Web service requests and HTTP access should be disabled if not required.
Low - V-15199 - SV-25481r1_rule
RMF Control
Severity
Low
CCI
Version
DM6120-SQLServer9
Vuln IDs
  • V-15199
Rule IDs
  • SV-25481r1_rule
Where not required, SOAP and URL access to the web service unnecessarily exposes the report server to attack via the SOAP and HTTP protocols.Database AdministratorDCFA-1
Checks: C-13805r1_chk

If Reporting Services is not installed, this check is Not a Finding. Note: To detect installation, view Windows Services. If SQL Server Reporting Services ([instance name]) is not listed, then Reporting Services is not installed on this host. From Surface Area Configuration for Features: 1. Connect to the Report Services instance 2. Expand the instance 3. Expand Report Services 4. Select Web Service Requests and HTTP Access If checked, verify that Web Service requests are HTTP access are required and the requirement is documented in the System Security Plan. If it is not, this is a Finding.

Fix: F-14825r1_fix

Document requirements for enabling Report Services access via web services and HTTP. If not required, disable Web Service Requests and HTTP access. From Surface Area Configuration for Features: 1. Connect to the Report Services instance 2. Expand the instance 3. Expand Report Services 4. Select Web Service Requests and HTTP Access 5. Click on Enable Web Service Requests and HTTP access to clear the check box 6. Click OK

b
Cross database ownership chaining, if required, should be documented and authorized by the IAO.
Medium - V-15201 - SV-23959r1_rule
RMF Control
Severity
Medium
CCI
Version
DM6150-SQLServer9
Vuln IDs
  • V-15201
Rule IDs
  • SV-23959r1_rule
Cross database ownership chaining allows permissions to objects to be assigned by users other than the Information Owner. This allows access to objects that are not authorized directly by the Information Owner based on job functions defined by the owner. Unauthorized access may lead to a compromise of data integrity or confidentiality.Database AdministratorECLP-1
Checks: C-13816r1_chk

From the query prompt: SELECT CAST(value AS INT) AS [Config Value] FROM [master].sys.configurations WHERE name = 'cross db ownership chaining' If the value of Config Value is 0, this is Not a Finding. If the value of Config Value is 1, confirm in the System Security Plan that this option is documented, required and approved by the IAO. If it is not documented, required and approved, this is a Finding. To check assignment per individual database. From the query prompt: SELECT name AS [Database Name] FROM [master].sys.databases WHERE is_db_chaining_on = 1 AND name NOT IN ('master', 'tempdb', 'msdb') AND state = 0 If any database names are listed, are not documented in the System Security Plan and not authorized by the IAO, this is a Finding.

Fix: F-14836r1_fix

Document requirements for use of cross db ownership chaining in the System Security Plan and AIS Functional Architecture documentation and authorize with the IAO. Where not authorized, disable its use. From the query prompt: EXEC SP_CONFIGURE 'cross db ownership chaining', 0 RECONFIGURE NOTE: If you have databases that require cross-database ownership chaining, the recommended practice is to turn off the cross db ownership chaining option for the instance using sp_configure; then turn on cross-database ownership chaining for individual databases that require it using the ALTER DATABASE statement.

a
Use of Command Language Runtime objects should be disabled if not required.
Low - V-15202 - SV-25487r1_rule
RMF Control
Severity
Low
CCI
Version
DM6123-SQLServer9
Vuln IDs
  • V-15202
Rule IDs
  • SV-25487r1_rule
The clr_enabled parameter configures SQL Server to allow or disallow use of Command Language Runtime objects. CLR objects is managed code that integrates with the .NET Framework. This is a more secure method than external stored procedures, although it still contains some risk. Where no external application execution requirements are required, disallowing use of any improves the overall security posture of the database.Database AdministratorDCFA-1
Checks: C-13808r1_chk

From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'clr enabled' If the value of Config_Value is 0, this is Not a Finding. If the value of Config_Value is 1, confirm in the System Security Plan that access to CLR applications is required. If it is not, this is a Finding.

Fix: F-14828r1_fix

Where CLR object use is part of the designed and approved use of the SQL Server database, document the requirement in the System Security Plan. Where CLR object use is not required, disable its use. From the query prompt: EXEC SP_CONFIGURE 'clr_enabled', 0 RECONFIGURE

b
Reporting Services Windows Integrated Security should be disabled.
Medium - V-15203 - SV-25486r1_rule
RMF Control
Severity
Medium
CCI
Version
DM6122-SQLServer9
Vuln IDs
  • V-15203
Rule IDs
  • SV-25486r1_rule
Use of Windows integrated security may allow access via Report Services bypasses security controls assessed at the database level. This may be restricted by requiring that all report data source connections use specific credentials to access report data sources.Database AdministratorIAIA-1, IAIA-2
Checks: C-13807r1_chk

If Reporting Services is not installed, this check is Not a Finding. Note: To detect installation, view Windows Services. If SQL Server Reporting Services ([instance name]) is not listed, then Reporting Services is not installed on this host. From Surface Area Configuration for Features: 1. Connect to the Report Services instance 2. Expand the instance 3. Expand Report Services 4. Select Windows Integrated Security If checked, this is a Finding.

Fix: F-14827r1_fix

Disable Windows Integrated Security. From Surface Area Configuration for Features: 1. Connect to the Report Services instance 2. Expand the instance 3. Expand Report Services 4. Select Windows Integrated Security 5. Click on Windows Integrated Security to clear the check box 6. Click OK

b
Analysis Services Links to Objects should be disabled if not required.
Medium - V-15204 - SV-25468r1_rule
RMF Control
Severity
Medium
CCI
Version
DM6087-SQLServer9
Vuln IDs
  • V-15204
Rule IDs
  • SV-25468r1_rule
Analysis Services may make connections to external SQL Server instances. In some cases this may be required for the intended operation, however, where not required, this may introduce unnecessary risk where unauthorized external links may be made.Database AdministratorDCFA-1
Checks: C-13795r1_chk

If Analysis Services is not deployed on the local host, this check is Not a Finding. Note: To detect deployment, view Windows Services. If SQL Server Analysis Services ([instance name]) is not listed, then Analysis Services is not installed on this host. If the System Security Plan indicates Links to Other instances is required for operation, this check is Not a Finding. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Feature \ LinkToOtherInstanceEnabled If the value = 'true', this is a Finding. The LinkToOtherInstanceEnabled value may also be viewed in the Analysis Services configuration file, msmdsrv.ini under XML tag: [LinkToOtherInstanceEnabled] The configuration file may be found in the [install dir] \ MSSQL.[#] \ OLAP \ Config directory.

Fix: F-14815r1_fix

Set value for LinkToOtherInstanceEnabled to 'false'. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Feature \ LinkToOtherInstanceEnabled 5. Select value = 'false' 6. Click OK

a
Reporting Services scheduled events and report delivery should be disabled if not required.
Low - V-15205 - SV-25485r1_rule
RMF Control
Severity
Low
CCI
Version
DM6121-SQLServer9
Vuln IDs
  • V-15205
Rule IDs
  • SV-25485r1_rule
Where not required, Scheduled events and report delivery unnecessarily exposes the report server to attack via Report Service event handling and report delivery.Database AdministratorDCFA-1
Checks: C-13806r1_chk

If Reporting Services is not installed, this check is Not a Finding. Note: To detect installation, view Windows Services. If SQL Server Reporting Services ([instance name]) is not listed, then Reporting Services is not installed on this host. From Surface Area Configuration for Features: 1. Connect to the Report Services instance 2. Expand the instance 3. Expand Report Services 4. Select Scheduled events and report delivery If checked, verify that Scheduled events and report delivery is required and the requirement is documented in the System Security Plan. If it is not, this is a Finding.

Fix: F-14826r1_fix

Document requirements for enabling 'Report Services Scheduled events and report delivery'. If not required, disable Scheduled events and report delivery. From Surface Area Configuration for Features: 1. Connect to the Report Services instance 2. Expand the instance 3. Expand Report Services 4. Select Scheduled events and report delivery 5. Click on the Scheduled events and report delivery to clear the check box 6. Click OK

b
Only authorized XML Web Service endpoints should be configured on the server.
Medium - V-15206 - SV-23856r2_rule
RMF Control
Severity
Medium
CCI
Version
DM6126-SQLServer9
Vuln IDs
  • V-15206
Rule IDs
  • SV-23856r2_rule
XML Web Service endpoints expose the database its data to web service access. Where not carefully designed and implemented, web services can unnecessarily expose the database to additional exploit that compromises data confidentiality and integrity. Removing web service endpoints helps to protect the database from unauthorized web service access.trueDatabase AdministratorDCFA-1
Checks: C-13811r2_chk

From the query prompt: SELECT name FROM [master].sys.http_endpoints WHERE (is_integrated_auth_enabled = 0 AND is_kerberos_auth_enabled = 0 AND is_ntlm_auth_enabled = 0) AND state = 0 ORDER BY name Review the list of any endpoints returned. If no records are returned, this is Not a Finding. If any endpoints are returned and not listed as a required and authorized XML web service endpoint in the System Security Plan and AIS Functional Architecture documentation, this is a Finding. If listed endpoints are: 1. Not using integrated authentication (is_integrated_auth_enabled = 0) 2. Not using Kerberos authentication (is_kerberos_auth_enabled = 0) and 3. Not using NT LAN Manager (NTLM) authentication (is_ntlm_auth_enabled = 0) 4. Are STARTED, listening and processing requests (state = 0) this is a Finding. If listed endpoints are required to use SSL (is_ssl_port_enabled = 1 and is_clear_port_enabled = 0) and are not, this is a Finding. If listed endpoints are enabled to use anonymous access (is_anonymous_enabled = 1) and is not documented and authorized, this is a Finding.

Fix: F-14831r1_fix

Authorized and document XML web service endpoints in the System Security Plan and AIS Functional Architecture documentation. Where not authorized, drop XML web service endpoints. From the query prompt: DROP ENDPOINT [endpoint name] Where documented and authorized, set each endpoint to use the appropriate authentication protocol, SSL if required and disable anonymous access if not authorized. If a clear port is also required and authorized, ensure the value for clear_port is set to a known value (i.e. HTTP port 80 or other IAO authorized port value).

b
The Agent XPs option should be set to disabled if not required.
Medium - V-15210 - SV-25500r1_rule
RMF Control
Severity
Medium
CCI
Version
DM6198-SQLServer9
Vuln IDs
  • V-15210
Rule IDs
  • SV-25500r1_rule
The Agent XPs are extended stored procedures used by the SQL Server Agent that provide privileged actions that run externally to the DBMS under the security context of the SQL Server Agent service account. If these procedures are available from a database session, an exploit to the SQL Server instance could result in a compromise of the host system and external SQL Server resources. Access to these procedures should be disabled unless use of SQL Server Agent is required and authorized.Database AdministratorDCFA-1
Checks: C-13601r1_chk

From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'agent xps' If the value of Config_Value is 1, confirm in the System Security Plan that this option is documented, required and approved by the IAO. If it is not documented, required and approved, this is a Finding. Note: If you are using SQL Server Management Studio to administer the SQL Server DBMS, document, approve and enable this option in the System Security Plan.

Fix: F-14650r1_fix

Authorize and document requirements for use of the Agent XPs option in the System Security Plan and AIS Functional Architecture documentation. Where not required and authorized, disable its use. From the query prompt: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'Agent XPs', 0 RECONFIGURE

b
The SMO and DMO SPs option should be set to disabled if not required.
Medium - V-15211 - SV-25501r1_rule
RMF Control
Severity
Medium
CCI
Version
DM6199-SQLServer9
Vuln IDs
  • V-15211
Rule IDs
  • SV-25501r1_rule
The SMO and DMO XPs are management object extended stored procedures that provide highly privileged actions that run externally to the DBMS under the security context of the SQL Server service account. If these procedures are available from a database session, an exploit to the SQL Server instance could result in a compromise of the host system and external SQL Server resources including the SQL Server software, audit, log and data files. Access to these procedures should be disabled unless a clear requirement for their use is indicated and authorized.Database AdministratorDCFA-1
Checks: C-13602r1_chk

From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'smo and dmo xps' If the value of Config_Value is 1, confirm in the System Security Plan and AIS Functional Architecture documentation that this option is documented and is required and approved by the IAO. If it is not documented, required and approved, this is a Finding. Note: If you are using SQL Server Management Studio to administer the SQL Server DBMS, document, approve and enable this option in the System Security Plan.

Fix: F-14651r1_fix

Authorize and document requirements for use of the SMO and DMO XPs option in the System Security Plan and AIS Functional Architecture documentation. Where not required and authorized, disable its use. From the query prompt: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'SMO and DMO XPs', 0 RECONFIGURE

b
Access to DBMS software files and directories should not be granted to unauthorized users.
Medium - V-15608 - SV-24070r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0009-SQLServer9
Vuln IDs
  • V-15608
Rule IDs
  • SV-24070r1_rule
The DBMS software libraries contain the executables used by the DBMS to operate. Unauthorized access to the libraries can result in malicious alteration or planting of operational executables. This may in turn jeopardize data stored in the DBMS and/or operation of the host system.Database AdministratorDCSL-1
Checks: C-20509r1_chk

SQL Server program files are installed in two places: 1. A subdirectory of Program Files directory named Microsoft SQL Server ( specified here as [PFdir]) 2. The directory created for the specific instance (specified here as [InstDir]). This directory is specified in the registry for database engine instances under: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ Instance Names \ SQL Instances for Reporting Services and Analysis Services are listed under the registry keys: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ Instance Names \ RS HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ Instance Names \ OLAP File permissions may be reviewed individually using Windows explorer by navigating to the directory specified and viewing the Security properties. There are also tools available that are designed to streamline review of file permissions. Verify that the permissions are equal to or more restrictive than listed below: The following groups may have Full Control assigned to any or all directories or files: 1. Administrators (builtin group) 2. DBAs (custom group) 3. CREATOR OWNER (builtin) 4. SYSTEM (builtin) 5. SQL Server Service Account If permission assignments are less restrictive than listed, this is a Finding. If permission assignments are granted to the Builtin USERS group, this is a Finding. Retain the SQL Server specific groups installed by Microsoft, any file permissions assigned to them and document in the System Security Plan.

Fix: F-24677r1_fix

Restrict access to SQL Server files and directories as directed in the check.

b
Default demonstration and sample database objects and applications should be removed.
Medium - V-15609 - SV-24129r2_rule
RMF Control
Severity
Medium
CCI
Version
DG0014-SQLServer9
Vuln IDs
  • V-15609
Rule IDs
  • SV-24129r2_rule
Demonstration and sample database objects and applications present publicly known attack points for malicious users. These demonstration and sample objects are meant to provide simple examples of coding specific functions and are not developed to prevent vulnerabilities from being introduced to the DBMS and host system.Database AdministratorDCFA-1
Checks: C-23476r2_chk

Review the list of databases defined for the instance: From the query prompt: SELECT name FROM [master].sys.databases WHERE name IN ('Northwind', 'Pubs', 'AdventureWorks', 'AdventureWorksDW', 'AdventureWorksAS', 'DataEncryptDemo') If any results are displayed, this is a Finding.

Fix: F-24673r1_fix

Drop sample or demonstration databases from production instances. Verify that no production objects have been stored in demonstration or sample databases prior to dropping. DROP DATABASE [database name]

b
DBMS should use NIST FIPS 140-2 validated cryptography.
Medium - V-15610 - SV-24074r2_rule
RMF Control
Severity
Medium
CCI
Version
DG0025-SQLServer9
Vuln IDs
  • V-15610
Rule IDs
  • SV-24074r2_rule
Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS 140-2 cryptographic standards provide proven methods and strengths to employ cryptography effectively.trueDatabase AdministratorInformation Assurance OfficerDCNR-1
Checks: C-22714r2_chk

Review the DBMS documentation to determine where cryptography may be used and/or configured. If DBMS data/network encryption is not required, this check is Not a Finding. The following product versions and editions are FIPS 140-2 certified: SQL Server 2005 SP1, SP2 & SP3 Standard, Enterprise & Developer Editions (KB 920995) SQL Server 2008 RTM & SP1 Standard, Enterprise & Developer Editions (KB 955720) Review DBMS network communication encryption options, data object encryption (both tables and application code objects), and encryption key management. Where cryptography is employed and configured by the database, review the configuration settings to see if they use: 1. Compliant algorithms (AES (128, 192 or 256), Triple DES or TDEA (3 distinct 56-bit keys), Skipjack) 2. Compliant hash functions (SHA-1, SHA-224, SHA-256, SHA-384 and SHA-5122) 3) validated cryptographic modules (whether native to the database or not) 3. Validated cryptographic modules (whether native to the DBMS or not) Detailed information on the FIPS 140-2 standard is available at the following website: http://csrc.nist.gov/groups/STM/index.html From the query prompt: SELECT name FROM [master].sys.databases WHERE state = 0 Repeat for each database: From the query prompt: USE [database name] SELECT name, algorithm_desc FROM sys.symmetric_keys WHERE key_algorithm NOT IN ('D3','A1','A2','A3') ORDER BY name, algorithm_desc If any records are returned, this is a Finding.

Fix: F-19678r1_fix

Upgrade to a FIPS 140-2 certified SQL Server version if encryption is required by the Information Owner. Configure cryptographic functions to use FIPS 140-2 compliant algorithms and hashing functions. If the DBMS does not employ validated cryptographic modules, consider obtaining and using a third-party FIPS 140-2 validated solution. Note: FIPS 140-2 compliance or non-compliance for the host and network is outside the purview of the Database STIG/Checklist. FIPS 140-2 non-compliance at the host/network level does not negate this requirement. Configure symmetric keys to use approved encryption algorithms. Existing keys are not re-configurable to use different algorithms. This may only be specified at key creation time: CREATE SYMMETRIC KEY [key name] WITH ALGORITHM = AES_256 ENCRYPTION BY [certificate or asymmetric key] Other approved algorithms that may be specified are TRIPLE_DES, AES_128 and AES_192. The symmetric key must specify a certificate or asymmetric for encryption. The certificate may be the code-signing certificate used by the application.

a
The audit logs should be periodically monitored to discover DBMS access using unauthorized applications.
Low - V-15611 - SV-24183r1_rule
RMF Control
Severity
Low
CCI
Version
DG0054-SQLServer9
Vuln IDs
  • V-15611
Rule IDs
  • SV-24183r1_rule
Regular and timely reviews of audit records increases the likelihood of early discovery of suspicious activity. Discovery of suspicious behavior can in turn trigger protection responses to minimize or eliminate a negative impact from malicious activity. Use of unauthorized application to access the DBMS may indicate an attempt to bypass security controls including authentication and data access or manipulation implemented by authorized applications.Information Assurance OfficerECAT-1, ECAT-2
Checks: C-22655r1_chk

Review procedures for and evidence of monitoring the audit log to detect access by unauthorized applications in the System Security Plan. If procedures or implementation evidence do not exist, this is a Finding. If alerts are not generated automatically, manual reviews should occur weekly or more frequently. If manual reviews are required and implementation evidence does not exist, this is a Finding.

Fix: F-18444r1_fix

Develop, document and implement procedures for monitoring application access to the database to detect access meant to bypass security controls. Where alerts are not implemented or available, establish weekly or more frequent review of queue activity.

b
Database password changes by users should be limited to one change within 24 hours where supported by the DBMS.
Medium - V-15612 - SV-24222r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0072-SQLServer9
Vuln IDs
  • V-15612
Rule IDs
  • SV-24222r1_rule
Frequent password changes may indicate suspicious activity or attempts to bypass password controls based on password histories. Limiting the frequency of password changes helps to enforce password change rules and can lead to the discovery of compromised accounts.Database AdministratorIAIA-1, IAIA-2
Checks: C-13758r1_chk

If no DBMS accounts authenticate using passwords, this check is Not a Finding. If DBMS uses Windows Authentication only, this check is Not a Finding. If the DBMS supports this functionality, review the settings and function logic or have the DBA demonstrate a password change to ensure that the function does not allow user changes to database passwords to occur more than once within a 24-hour period. If the review or demonstration reveals that database passwords can be changed by users more than once within a 24-hour period, this is a Finding. NOTE: Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079.

Fix: F-18386r1_fix

Develop, configure and test a password verify feature or function that authenticates passwords on change to ensure that changes to database passwords do not occur more than once within a 24-hour period where supported by the DBMS.

b
Each database user, application or process should have an individually assigned account.
Medium - V-15613 - SV-24230r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0078-SQLServer9
Vuln IDs
  • V-15613
Rule IDs
  • SV-24230r1_rule
Use of accounts shared by multiple users, applications, or processes limit the accountability for actions taken in or on the data or database. Individual accounts provide an opportunity to limit database authorizations to those required for the job function assigned to each individual account.Database AdministratorIAIA-1, IAIA-2
Checks: C-13759r1_chk

Review DBMS account names against the list of authorized DBMS accounts in the System Security Plan. If any accounts indicate use by mulitiple persons that are not mapped to a specific person, this is a Finding. If any applications or processes share an account that could be assigned an individual account or are not specified as requiring a shared account, this is a Finding. Note: Privileged installation accounts may be required to be accessed by DBA or other administrators for system maintenance. In these cases, each use of the account must be logged in some manner to assign accountability for any actions taken during the use of the account.

Fix: F-18389r1_fix

Create individual accounts for each user, application, or other process that requires a database connection. Document any accounts that are shared where separation is not supported by the application or for maintenance support. Design, develop and implement a method to log use of any account to which more than one person has access. Restrict interactive access to shared accounts to the fewest persons possible.

a
The DBMS should be configured to clear residual data from memory, data objects or files, or other storage locations.
Low - V-15614 - SV-20971r1_rule
RMF Control
Severity
Low
CCI
Version
DG0084-SQLServer9
Vuln IDs
  • V-15614
Rule IDs
  • SV-20971r1_rule
Database storage locations may be reassigned to different objects during normal operations. If not cleared of residual data, sensitive data may be exposed to unauthorized access.Database AdministratorECRC-1
Checks: C-22799r1_chk

Determine the SQL Server Edition: From the query prompt: SELECT CONVERT(INT, SERVERPROPERTY('EngineEdition')) If value returned is 1 (Personal or Desktop Edition), 2 (Standard Edition) or 4 (Express Edition), this check is Not Applicable. From the query prompt: SELECT CAST(value AS INT) FROM [master].sys.configurations WHERE name = 'common criteria compliance enabled' If the value = 0, confirm in the System Security Plan that common criteria compliance is documented as not required by the IAO. If it is not documented or is required and approved, this is a Finding.

Fix: F-19723r1_fix

Authorize and document requirements for use of the common criteria compliance option in the System Security Plan and AIS Functional Architecture documentation. Where authorized, enable its use. From the query prompt: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'common criteria compliance enabled', 1 RECONFIGURE

b
DBA accounts should not be assigned excessive or unauthorized role privileges.
Medium - V-15615 - SV-24236r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0085-SQLServer9
Vuln IDs
  • V-15615
Rule IDs
  • SV-24236r1_rule
The default DBA privileges typically include all privileges defined for a DBMS. These privileges are required to configure the DBMS and to provide other users access to DBMS objects. However, DBAs may not require access to application data or other privileges to administer the DBMS. Where not required or desired, DBAs may be prevented from accessing protected data for which they have no need-to-know or from utilizing unauthorized privileges for other actions. Although DBAs may assign themselves privileges to override any restrictions, the assignment of privileges is an audit requirement and this auditable event may assist discovery of a misuse of privileges.Database AdministratorInformation Assurance OfficerECLP-1
Checks: C-2817r1_chk

Review DBA account role assignments and compare them to those listed in the System Security Plan with the IAO. If system/database roles assigned to DBAs are not listed as required assignments in the System Security Plan, this is a Finding.

Fix: F-26086r1_fix

Document DBA job functions and minimum role privileges required to perform the DBA job function in the System Security Plan. Assign DBA accounts role privileges as documented and authorized in the System Security Plan. Revoke role privileges from DBA accounts where not documented and approved in the System Security Plan.

a
Sensitive data should be labeled.
Low - V-15616 - SV-21481r1_rule
RMF Control
Severity
Low
CCI
Version
DG0087-SQLServer9
Vuln IDs
  • V-15616
Rule IDs
  • SV-21481r1_rule
The sensitivity marking or labeling of data items promotes the correct handling and protection of the data. Without such notification, the user may unwittingly disclose sensitive data to unauthorized users.Database AdministratorECML-1
Checks: C-23678r1_chk

If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is Not a Finding. If the DBMS does not provide the capability to mark or label sensitive data within the DBMS, this check is Not a Finding. Review the DBMS configuration for marking and labeling of sensitive data. If sensitive data is not marked and labeled in accordance with the System Security Plan, this is a Finding. http://www.microsoft.com/technet/prodtechnol/sql/2005/multisec.mspx

Fix: F-20176r1_fix

Employ DBMS capabilities to mark or label sensitive data stored within the DBMS where supported. Document the appropriate markings of sensitive data in the System Security Plan.

b
Access to external objects should be disabled if not required and authorized.
Medium - V-15617 - SV-24256r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0098-SQLServer9
Vuln IDs
  • V-15617
Rule IDs
  • SV-24256r1_rule
Objects defined within the database, but stored externally to the database are accessible based on authorizations defined by the local operating system or other remote system that may be under separate security authority. Access to external objects may thus be uncontrolled or not based on least privileges defined for each user job function. This in turn may provide unauthorized access to the external objects.Database AdministratorDCFA-1
Checks: C-13790r1_chk

Review the database for definitions of application objects stored externally to the database. Determine if there are methods to disable use or access or to remove definitions for external data objects. If there are ways to prevent access to the external application data objects or the requirement for their access is not documented in the AIS functional architecture, this is a Finding.

Fix: F-25724r1_fix

Include any external application data objects defined in the database that is required for authorized application use in the AIS functional architecture documentation. Disable use of or remove any external application data object definitions that are not authorized.

b
Access to external DBMS executables should be disabled or restricted.
Medium - V-15618 - SV-24096r2_rule
RMF Control
Severity
Medium
CCI
Version
DG0099-SQLServer9
Vuln IDs
  • V-15618
Rule IDs
  • SV-24096r2_rule
DBMS’s may spawn additional external processes to execute procedures that are defined in the DBMS, but stored in external host files (external procedures). The spawned process used to execute the external procedure may operate within a different OS security context than the DBMS and provide unauthorized access to the host system.trueDatabase AdministratorDCFA-1
Checks: C-22807r2_chk

From the query prompt: SELECT o.name AS [External Procedure Name] FROM master.sys.all_objects o LEFT JOIN master.sys.database_permissions p ON p.major_id = o.object_id LEFT JOIN master.sys.database_principals u ON p.grantee_principal_id = u.principal_id WHERE o.type = 'X' AND u.name IS NULL ORDER BY o.name Review the list of extended stored procedures returned. Verify that any extended stored procedures listed are documented in the System Security Plan as required for current or future operation and authorized by the IAO. If any extended stored procedures listed are not documented and authorized, this is a Finding.

Fix: F-19731r1_fix

Document extended stored procedures in the System Security Plan and authorize with the IAO. Restrict access of extended stored procedures to SYSADMINs and application owner accounts where authorized for use. Note: Use of some extended stored procedures is required for common use and removal may affect SQL Server operations. The requirement differs based on SQL Server usage. To determine required extended stored procedures for a specific SQL Server installation, enable auditing on execute of the procedures. Review the audit data after a sufficient period to capture all operational usage, and then restrict access to unused extended stored procedures. If no operational issues arise after a sufficient time (you should double the period used before), remove the unused extended stored procedures where supported by the DBMS vendor. By default, the public role is granted execute access to many system-supplied extended stored procedures. It is recommended these execute privileges to extended stored procedures (the ones being retained for system use) be transferred from the public role and re-assigned to a custom all-user group. Redesign applications to use CLR integration.

b
Replication accounts should not be granted DBA privileges.
Medium - V-15619 - SV-24258r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0100-SQLServer9
Vuln IDs
  • V-15619
Rule IDs
  • SV-24258r1_rule
Replication accounts may be used to access databases defined for the replication architecture. An exploit of a replication on one database could lead to the compromise of any database participating in the replication that uses the same account name and credentials. If the replication account is compromised and it has DBA privileges, the database is at additional risk to unauthorized or malicious action.Database AdministratorDCFA-1
Checks: C-23568r1_chk

From the query prompt: USE master EXEC SP_GET_DISTRIBUTOR If the value of installed is 0, and a review of the System Security Plan confirms the use of replication is not required and not allowed, this check is Not a Finding. If the value of installed is 1, and a review of the System Security Plan confirms the use of replication is required and allowed, this is Not a Finding. If it is not required or not allowed, this is a Finding. The following steps determine if the security of the configured Replication follows best practices: From the query prompt: EXEC SP_HELPREPLICATIONDBOPTION 1. Ensure replication data is encrypted in transit Review documentation and evidence of configuration for encrypted connections between remote databases participating in replication where transmissions cross untrusted (support connections that do not have a need-to-know access requirement to the data being replicated) networks. 2. Confirm replication agents use dedicated accounts This is covered individually under check DM6065 and is not included in Finding status here. To view replication agent accounts: USE msdb SELECT p.name 'Proxy Name', c.credential_identity FROM sys.credentials c, sysproxies p, sysproxysubsystem s WHERE c.credential_id = p.proxy_id AND s.proxy_id = p.proxy_id AND s.subsysstem_id > 3 AND s.subsystem_id < 9 3. Confirm Replication Agent accounts are assigned minimum privileges For each database, review assigned roles/permissions for each agent account: USE [database name] For each agent account listed under #2 above: EXEC SP_HELPUSER '[user name]' If any GroupName other than db_owner is listed in any database, this is a Finding. If any GroupName is listed in any database other than replication databases, this is a Finding EXEC SP_HELPROTECT '[user name]' If any permission is listed, this is a Finding. Perform once: EXEC SP_HELPSRVROLEMEMBER If any replication agent accounts are listed, this is a Finding. 4. Confirm only authorized Merge and Distribution Agent accounts are listed in the Publication Access List (PAL) For each replication database: EXEC SP_HELPPUBLICATION For each publication listed: EXEC SP_HELP_PUBLICATION_ACCESS '[publication name]' If any accounts are listed under publications that are not SYSADMINs, replication merge (category REPL-Merge) or replication distributor (category REPL-Distribution) agent accounts, this is a Finding. 5. Confirm minimum permissions are assigned to any local snapshot folders Results for this security check are recorded individually under DM6075. 6. (cont from 5) Confirm snapshot Agent accounts are granted only write permissions to the snapshot folder If the snapshot agent account has more than write access to the snapshot folder, this is a Finding. 7. Verify network shares are used for snapshot folders accessed by pull subscriptions If the server does not have a Publisher database, this check is Not a Finding. For each publisher database: USE [database name] EXEC SP_HELPSUBSCRIPTION If any subscribers listed indicate a remote database (a database on a different server), then confirm the snapshot folder is defined as a network share. If it is not, this is a Finding. Note: See folder information for the publication listed for the subscriber under the SP_HELPPUBLICATION results. Windows shares are indicated with a share icon and are indicated as shared in the directory properties \ share tab. 8. Verify Agent accounts use Windows authentication See Agent accounts returned from #2 above If any accounts listed are not Windows accounts (display [domain or computername]\[account name]), this is a Finding.

Fix: F-20088r1_fix

Disable replication if replication is not required. From the SQL Server Management Studio GUI: 1. Expand SQL Server 2. Right-click on Replication 3. Click Disable Publishing and Distribution 4. Complete the steps presented Secure replication if required, authorized and documented. 1. Create and use dedicated Windows-authenticated database accounts for Replication Agent use 2. Assign minimum database and file permissions to the Replication Agent accounts 3. Add only authorized Replication Merge and Distribution Agent accounts (and SYSADMIN accounts) to the PAL 4. Use network shared for snapshot folders access by pull subscriptions Document replication in the System Security Plan, AIS Functional Architecture documentation and authorize with the IAO regardless of requirement.

b
OS accounts used to execute external procedures should be assigned minimum privileges.
Medium - V-15620 - SV-24260r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0101-SQLServer9
Vuln IDs
  • V-15620
Rule IDs
  • SV-24260r1_rule
External applications spawned by the DBMS process may be executed under OS accounts assigned unnecessary privileges that can lead to unauthorized access to OS resources. Unauthorized access to OS resources can lead to the compromise of the OS, the DBMS, and any other service provided by the host platform.Database AdministratorDCFA-1
Checks: C-13791r1_chk

View the Security Settings of the SQL Server service account to see user rights assigned to the service account or group. To view assigned user rights (may be assigned using group privileges): 1. Click Start 2. Select Control Panel \ Administrative Tools (Win2K) or Select Administrative Tools (Win2K3) 3. Click Local Security Policy 4. Expand Local Policies 5. Select User Rights Assignment For SQL Server Service account: If any user rights are assigned to the service account other than the following, this is a Finding: 1. Log on as a service (SeServiceLogonRight) 2. Act as part of the operating system (SeTcbPrivilege) (Win2K only) 3. Log on as a batch job (SeBatchLogonRight) 4. Replace a process-level token (SeAssignPrimaryTokenPrivilege) 5. Bypass traverse checking (SeChangeNotifyPrivilege) 6. Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) The following user rights are applicable for SQL Server 2005 only: 1. Permission to start SQL Server Active Directory Helper 2. Permission to Start SQL Write

Fix: F-25726r1_fix

Create a local custom account for the SQL Server service accounts. A domain account may be used where network resources are required. Please see SQL Server Books Online for detailed information. Assign the account to the SQL Server group (created at installation for SQL Server 2005) if available. Assign the SQL Server account or group the user privileges as listed in the Check procedures.

a
DBMS service identification should be unique and clearly identifies the service.
Low - V-15622 - SV-24267r1_rule
RMF Control
Severity
Low
CCI
Version
DG0104-SQLServer9
Vuln IDs
  • V-15622
Rule IDs
  • SV-24267r1_rule
Local or network services that do not employ unique or clearly identifiable targets can lead to inadvertent or unauthorized connections.Database AdministratorDCFA-1
Checks: C-13825r1_chk

Review the SQL Server database names on the DBMS host: Go to Start / Administrative Tools / Services View service names that begin with "SQL Server". The database name is in parenthesis (NAME). If database names as listed do not clearly identify the use of the database or clearly differentiate individual databases, this is a Finding. An example of database naming that meets the requirement: prdinv01 (Production Inventory Database #1) dvsales02 (Development Sales Database #2) msfindb1 (Microsoft Financials Database #1) Examples of instance naming that do not meet the requirement: database1, MyDatabase, SQL7 Interview the DBA to get an understanding of the naming scheme used to determine if the names are clear differentiations.

Fix: F-20093r1_fix

Follow instructions for renaming a database instance: Review the sp_dropserver and sp_addserver procedures Set the value so that it does not identify the SQL Server version and clearly identifies its purpose.

b
Recovery procedures and technical system features exist to ensure that recovery is done in a secure and verifiable manner.
Medium - V-15625 - SV-24294r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0115-SQLServer9
Vuln IDs
  • V-15625
Rule IDs
  • SV-24294r1_rule
A DBMS may be vulnerable to use of compromised data or other critical files during recovery. Use of compromised files could introduce maliciously altered application code, relaxed security settings or loss of data integrity. Where available, DBMS mechanisms to ensure use of only trusted files can help protect the database from this type of compromise during DBMS recovery.Database AdministratorCOTR-1
Checks: C-28998r1_chk

Review DBMS recovery procedures or technical system features to determine if mechanisms exist and are in place to specify use of trusted files during DBMS recovery. If recovery procedures do not exist or are not sufficient to ensure recovery is done in a secure and verifiable manner, this is a Finding. If system features exist and are not employed or not employed sufficiently, this is a Finding. If circumstances that can inhibit a trusted recovery are not documented and appropriate mitigating procedures have not been put in place, this is a Finding.

Fix: F-19746r1_fix

Develop, document and implement DBMS recovery procedures and employ technical system features where supported by the DBMS to specify trusted files during DBMS recovery. Ensure circumstances that can inhibit a trusted recovery are documented and appropriate mitigating procedures have been put in place.

b
Database privileged role assignments should be restricted to IAO-authorized DBMS accounts.
Medium - V-15626 - SV-24102r2_rule
RMF Control
Severity
Medium
CCI
Version
DG0116-SQLServer9
Vuln IDs
  • V-15626
Rule IDs
  • SV-24102r2_rule
Roles assigned privileges to perform DDL and/or system configuration actions in the database can lead to compromise of any data in the database as well as operation of the DBMS itself. Restrict assignment of privileged roles to authorized personnel and database accounts to help prevent unauthorized activity.trueInformation Assurance OfficerECLP-1
Checks: C-23589r2_chk

View SYSADMIN group membership: From the query prompt: SELECT p.name FROM [master].sys.server_principals p, [master].sys.server_role_members m WHERE p.principal_id = m.member_principal_id AND m.member_principal_id <> 1 AND m.role_principal_id = 3 ORDER BY p.name Verify with the DBA that all users listed under System Administrators are authorized DBAs and authorized to manage the database system audit configuration. Authorized application object owner accounts are Not a Finding unless they are not disabled (DG0004). If any authorized application object owner accounts are enabled, this is a Finding (for DG0116). If this is a production environment, verify with the DBA that none of the users listed under the SYSADMIN fixed server role are application administrators. If the BUILTIN/Administrators group is listed as a member of the SYSADMIN fixed server role, this is a Finding. Note: Removing BUILTIN/Administrators without creating an appropriate group to administer SQL Server will result in a ‘lock out’ condition within SQL Server. Ensure the proper steps have been taken to create a new group that is added to SYSADMIN fixed server role before removing BUILTIN/Administrators. Also, ensure the SA password is known before making this change.

Fix: F-17955r1_fix

Document IAO-authorized privileged role assignments in the System Security Plan. Remove assignments where not authorized. If BUILTIN\Administrators is part of the SYSADMIN fixed server role, create a custom group for SYSADMIN functions, add authorized users to the custom group, add the group to the SYSADMIN fixed server role, remove BUILTIN\Administrators from the role. If other unauthorized users exist, remove them from the role. To remove BUILTIN\Administrators from the SYSADMIN fixed server role: 1. Create a custom group for SYSADMIN functions 2. Add authorized users to the custom group 3. Add the group to the SYSADMIN fixed server role 4. Remove BUILTIN\Administrators from the role

b
Administrative privileges should be assigned to database accounts via database roles.
Medium - V-15627 - SV-24298r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0117-SQLServer9
Vuln IDs
  • V-15627
Rule IDs
  • SV-24298r1_rule
Privileges granted outside the role of the administrative user job function are more likely to go unmanaged or without oversight for authorization. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of administrative user privilege assignments and helps to protect against unauthorized privilege assignment.Information Assurance OfficerECPA-1
Checks: C-28585r1_chk

Review administrative accounts for direct privilege assignment. If any administrative privileges have been assigned directly to a database account, this is a Finding.

Fix: F-22607r1_fix

Create roles for administrative function assignments. Assign the necessary privileges for the administrative function to a role. Assign administrative roles to authorized administrative users. Document administrative job functions, roles, and required permissions in the System Security Plan. Maintain evidence of administrative role authorizations.

b
DBMS application users should not be granted administrative privileges to the DBMS.
Medium - V-15628 - SV-55936r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0119-SQLServer9
Vuln IDs
  • V-15628
Rule IDs
  • SV-55936r1_rule
DBMS privileges to issue other than Database Manipulation Language (DML) commands provide means to affect database object configuration and use of resources. Application users do not require these privileges to complete non-administrative job functions. Where applications require administrative privileges to execute non-administrative functions, exploits of the application can lead to unauthorized administrative access to the DBMS.Database AdministratorECLP-1
Checks: C-20524r4_chk

Review privileges assigned to application roles in the database. If any privileges other than SELECT, INSERT, UPDATE, DELETE or EXECUTE are assigned to application roles, this is a Finding.

Fix: F-24534r2_fix

Revoke administrative privileges from application roles. Do not allow Database Definition Language (DDL) or other administrative privileges for operation of the application, for example, do not create and drop database objects for temporary storage of data. Consider, instead, the storage of temporary data in static database tables.

b
Access to DBMS system tables and other configuration or metadata should be restricted to DBAs.
Medium - V-15631 - SV-24309r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0123-SQLServer9
Vuln IDs
  • V-15631
Rule IDs
  • SV-24309r1_rule
Administrative data includes DBMS metadata and other configuration and management data. Unauthorized access to this data could result in unauthorized changes to database objects, access controls, or DBMS configuration.Database AdministratorECAN-1
Checks: C-28698r1_chk

Review access controls on system tables. Review access to configuration data stored in the database. If any users not assigned DBA privileges are assigned access to the underlying tables, this is a Finding.

Fix: F-19562r1_fix

Revoke access to system tables to non-DBA users. Where use of system data is required by non-DBA users, provide controlled access for authorized functions via views, procedures, or other use of controlled objects.

b
Use of DBA accounts should be restricted to administrative activities.
Medium - V-15632 - SV-24312r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0124-SQLServer9
Vuln IDs
  • V-15632
Rule IDs
  • SV-24312r1_rule
Use of privileged accounts for non-administrative purposes puts data at risk of unintended or unauthorized loss, modification or exposure. In particular, DBA accounts if used for non-administration application development or application maintenance can lead to miss-assignment of privileges where privileges are inherited by object owners. It may also lead to loss or compromise of application data where the elevated privileges bypass controls designed in and provided by applications.Information Assurance OfficerECLP-1
Checks: C-23586r1_chk

Review accounts assigned fixed server roles and fixed database roles with the DBA/IAO and as documented in the System Security Plan. Review other database or application roles assigned to the accounts assigned fixed roles as documented in the System Security Plan. If any accounts assigned fixed roles are also assigned application roles or other application object privilege roles or own application objects used for other than DBA functions, this is a Finding.

Fix: F-20455r1_fix

Create separate accounts for administration activities. Develop, document and implement policy and procedures that require separate, unprivileged or less-privileged accounts for development, testing and application users.

b
DBMS account passwords should not be set to easily guessed words or values.
Medium - V-15634 - SV-24314r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0127-SQLServer9
Vuln IDs
  • V-15634
Rule IDs
  • SV-24314r1_rule
DBMS account passwords set to common dictionary words or values render accounts vulnerable to password guessing attacks and unauthorized access.Database AdministratorIAIA-1, IAIA-2
Checks: C-23839r1_chk

If no DBMS accounts authenticate using passwords, this check is Not a Finding. If DBMS uses Windows Authentication only, this check is Not a Finding. Review methods for protecting accounts from assignment of easily guessed passwords. If methods do not include at least one of the following or a viable alternate means to prevent use of easily guessed passwords, this is a Finding. 1. Password cracker run frequently to report easily guessed passwords 2. Automated routine to check passwords against password dictionaries at password assignment time 3. User training and understanding of the risk of easily guessed passwords 4. Using Windows Authentication for database accounts NOTE: Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079.

Fix: F-20171r1_fix

Employ preventative means, user training and/or password cracking routines to discover and prevent easily guessed passwords in the database.

c
DBMS default accounts should be assigned custom passwords.
High - V-15635 - SV-24108r2_rule
RMF Control
Severity
High
CCI
Version
DG0128-SQLServer9
Vuln IDs
  • V-15635
Rule IDs
  • SV-24108r2_rule
DBMS default passwords provide a commonly known and exploited means for unauthorized access to database installations.If identified accounts show an account status of LOCKED and password is set to EXPIRED this is a Finding, but downgrade the severity Category Code to II.Database AdministratorIAIA-1, IAIA-2
Checks: C-23613r2_chk

From the query prompt: SELECT name AS [User], type_desc AS [Type], create_date AS [Create Date] FROM [master].sys.sql_logins WHERE PWDCOMPARE ('', password_hash) = 1 If any user accounts are listed, this is a Finding. NOTE: Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079.

Fix: F-14773r1_fix

Assign a password to accounts that meet DoD complexity requirements. From the query prompt: USE master ALTER LOGIN [name] WITH PASSWORD = '[new password]' Replace [new password] with a password and [name] with the account name. Use the SQL Server Enterprise Manager GUI to change the assigned password of any SQL Server–related service. Each service must be changed individually.

c
Passwords should be encrypted when transmitted across the network.
High - V-15636 - SV-29118r1_rule
RMF Control
Severity
High
CCI
Version
DG0129-SQLServer9
Vuln IDs
  • V-15636
Rule IDs
  • SV-29118r1_rule
DBMS passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database.Database AdministratorIAIA-1, IAIA-2
Checks: C-29859r1_chk

SQL Server natively encrypts passwords in transit when using SQL Server connection protocols and products (i.e. SQL Server Client). Where other connection products and protocols are used, review configuration options for encrypting passwords during login events across the network. If passwords are not encrypted, this is a Finding. Where only SQL Server connection protocols and products are used and password encryption is not purposely disabled and enabled where applicable, this is Not a Finding. If determined that passwords are passed unencrypted at any point along the transmission path between the source and destination, this is a Finding.

Fix: F-26742r1_fix

Utilize SQL Server connection protocols and products (i.e. SQL Server Client) where possible. Where other connection products and protocols are used, ensure configuration options for encrypting passwords during login events across the network are used. If the database does not provide encryption for login events natively, employ encryption at the OS or network level. Ensure passwords remain encrypted from source to destination.

b
DBMS passwords should not be stored in compiled, encoded or encrypted batch jobs or compiled, encoded or encrypted application source code.
Medium - V-15637 - SV-24320r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0130-SQLServer9
Vuln IDs
  • V-15637
Rule IDs
  • SV-24320r1_rule
The storage of passwords in application source or batch job code that is compiled, encoded or encrypted prevents compliance with password expiration and other management requirements as well as provides another means for potential discovery.Database AdministratorInformation Assurance OfficerIAIA-1, IAIA-2
Checks: C-28674r1_chk

Ask the DBA to review application source code that is required by Check DG0091 to be encoded or encrypted for database accounts used by applications or batch jobs to access the database. Ask the DBA to review source batch job code prior to compiling, encoding or encrypting for database accounts used by applications or the batch jobs themselves to access the database. Ask the DBA and/or IAO to determine if the compiled, encoded or encrypted application source code or batch jobs contain passwords used for authentication to the database. If none of the identified compiled, encoded or encrypted application source code or batch job code contain passwords used for authentication, this check is Not a Finding. If any of the identified compiled, encoded or encrypted application source code or batch job code do contain passwords used for authentication to the database, this is a Finding. NOTE: This check only applies to application source code or batch job code that is compiled, encoded or encrypted in a production environment. Application source code or batch job code that is not compiled, encoded or encrypted would fall under Check DG0067 for determination of compliance.

Fix: F-20613r1_fix

Design DBMS application code and batch job code that is compiled, encoded or encrypted to NOT contain passwords. Consider alternatives to using password authentication for compiled, encoded or encrypted batch jobs and DBMS application code.

a
DBMS default account names should be changed.
Low - V-15638 - SV-21454r2_rule
RMF Control
Severity
Low
CCI
Version
DG0131-SQLServer9
Vuln IDs
  • V-15638
Rule IDs
  • SV-21454r2_rule
Well-known DBMS account names are targeted most frequently by attackers and are thus more prone to providing unauthorized access to the database.Database AdministratorIAIA-1, IAIA-2
Checks: C-23618r2_chk

From the query prompt: SELECT name FROM [master].sys.sql_logins WHERE name = 'sa' If the value returned for Name is 'sa', this is a Finding.

Fix: F-20135r1_fix

From the query prompt: ALTER LOGIN sa WITH NAME = '[new sa name]' Replace [new sa name] with a custom-supplied name.

b
Unlimited account lock times should be specified for locked accounts.
Medium - V-15639 - SV-24322r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0133-SQLServer9
Vuln IDs
  • V-15639
Rule IDs
  • SV-24322r1_rule
When no limit is imposed on failed logon attempts and accounts are not disabled after a set number of failed access attempts, then the DBMS account is vulnerable to sustained attack. When access attempts may continue unrestricted, the likelihood of success is increased. A successful attempt results in unauthorized access to the database.Database AdministratorECLO-1, ECLO-2
Checks: C-16980r1_chk

If the DBMS does not provide a method or means for configuration of account lock times, this check is Not a Finding. Review the account lock time configuration setting. If the lock time is not set to unlimited or is set to allow the DBMS to unlock the account after a pre-determined amount of time, this is a Finding. For DBMS accounts using Windows Authentication: 1. Launch the Group Policy Editor on the DBMS Server 2. Under Computer Configuration: a. Expand Windows Settings b. Expand Security Settings c. Expand Account Policies d. Select Account Lockout Policy 3. Review Account Lockout Duration, Account Lockout Threshold and Reset Account Lockout Counter After policies If Account Lockout Duration is not set or set to a value greater than 0, this is a Finding. If Account Lockout Threshold is not set or set to a value greater than 3, this is a Finding. If Reset Account Lockout Counter After is not set to its maximum value (For Windows 2003, this is 99999), this is a Finding. NOTE: Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079.

Fix: F-24484r1_fix

Configure the database to maintain an account lock time until the account is manually unlocked by an authorized account administrator. For DBMS accounts using Windows Authentication: 1. Launch the Group Policy Editor on the DBMS Server 2. Under Computer Configuration: a. Expand Windows Settings b. Expand Security Settings c. Expand Account Policies d. Select Account Lockout Policy 3. Set "Account Lockout Threshold" = 3 4. Set or Reset "Account Lockout Duration" = 0 5. Set or Reset "Reset Account Lockout Counter After" = 99999 (about 69 days, which is max for this policy setting) 6. Close Group Policy Editor Document these settings in the System Security Plan.

b
Access to DBMS security should be audited.
Medium - V-15643 - SV-25371r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0140-SQLServer9
Vuln IDs
  • V-15643
Rule IDs
  • SV-25371r1_rule
DBMS security data is useful to malicious users to perpetrate activities that compromise DBMS operations or data integrity. Auditing of access to this data supports forensic and accountability investigations.Database AdministratorECAR-1, ECAR-2, ECAR-3
Checks: C-23625r1_chk

Note: Checks DG0029, DG0145, DM0510 and DM5267 cover auditing of data within SQL Server and should not be included in this check. Determine locations of DBMS audit, configuration, credential and other security data using the registry keys provided below: Audit Trace = HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\DefaultData Log = C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\LogFiles HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\CPE\ErrorDumpDir HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\CPE\ErrorDumpDir HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.3\CPE\ErrorDumpDir HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\DefaultLog HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\SQLServerAgent\ErrorLogFile Config = C:\Program Files\Microsoft SQL Server\90\Shared\ASConfig HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\{INSTANCE NAME}\Setup\SQLPath HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\BackupDirectory HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\FullTextDefaultPath HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Replication\WorkingDirectory HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\SQLBinRoot HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\SQLDataRoot HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\SQLPath HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\SQLProgramDir HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\SQLServerAgent\WorkingDirectory HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\Setup\DataDir HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\Setup\SQLBinRoot HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\Setup\SQLPath HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\Setup\SQLProgramDir Review audit settings for these directories, files or data objects. If the security data is not audited for access, consider the operational impact and appropriateness for access that is not audited. If the risk for incomplete auditing of the security files is reasonable and documented in the System Security Plan, do not include this as a Finding.

Fix: F-14764r1_fix

Enable auditing for access to any security data where supported by the OS. If audit for access results in an unacceptable adverse impact on application operation, scale back the audit to a reasonable and acceptable level. Document any incomplete audit with acceptance of the risk of incomplete audit in the System Security Plan. Auditing for Access via OS should include, at a minimum, the User ID, date and time of the event and the event type per Check DG0145.

b
Attempts to bypass access controls should be audited.
Medium - V-15644 - SV-25374r2_rule
RMF Control
Severity
Medium
CCI
Version
DG0141-SQLServer9
Vuln IDs
  • V-15644
Rule IDs
  • SV-25374r2_rule
Detection of suspicious activity including access attempts and successful access from unexpected places, during unexpected times, or other unusual indicators can support decisions to apply countermeasures to deter an attack. Without detection, malicious activity may proceed without impedance.Database AdministratorECAR-2, ECAR-3
Checks: C-28695r2_chk

From the query prompt: EXEC XP_LOGINCONFIG 'audit level' If the config_value returned is not 'All' or 'Failure', this is a finding.

Fix: F-20143r1_fix

Enable Auditing level. From the SQL Server Management Studio GUI: 1. Navigate to the SQL Server instance name 2. Right-click on it 3. Select Properties 4. Select Security tab or page 5. Review Login Auditing selection 6. Select "Failed logins only" or "Both failed and successful logins" from the Login Auditing section 7. Apply changes 8. Exit the SQL Server Management Studio GUI

b
Changes to configuration options should be audited.
Medium - V-15645 - SV-21458r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0142-SQLServer9
Vuln IDs
  • V-15645
Rule IDs
  • SV-21458r1_rule
The default audit trace provides a log of activity and changes primarily related to DBMS configuration options. The default audit trace option does not provide adequate auditing and should be disabled.Database AdministratorECAR-3
Checks: C-23629r1_chk

From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'default trace enabled' If the value of Config_Value is 0, this is Not a Finding. If the value of Config_Value is 1, confirm in the System Security Plan and AIS Functional Architecture documentation that this option is documented as required and approved by the IAO. If it is not documented and is required and approved, this is a Finding.

Fix: F-20145r1_fix

Authorize and document requirements for use of the default trace option in the System Security Plan and AIS Functional Architecture documentation. Where not authorized, disable its use. From the query prompt: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'default trace enabled', 0 RECONFIGURE

b
Audit records should contain required information.
Medium - V-15646 - SV-24109r2_rule
RMF Control
Severity
Medium
CCI
Version
DG0145-SQLServer9
Vuln IDs
  • V-15646
Rule IDs
  • SV-24109r2_rule
Complete forensically valuable data may be unavailable or accountability may be jeopardized when audit records do not contain sufficient information.Database AdministratorECAR-1, ECAR-2, ECAR-3
Checks: C-22856r2_chk

If C2 Auditing is enabled (See Check DM0510: C2 audit mode), this check is Not a Finding. Determine the SQL Server Edition: From the query prompt: SELECT CONVERT(INT, SERVERPROPERTY('EngineEdition')) If value returned is 1 (Personal or Desktop Edition) or 4 (Express Edition), if auditing is not enabled or not configured completely to requirements, review the System Security Plan. If this is properly explained in the System Security Plan, this is Not a Finding. If this is not documented or documented poorly in the System Security Plan, this is a Finding. If value returned is 2 (Standard Edition) or 3 (Enterprise/Developer Edition), findings in all steps apply. Note: Complete all checks to determine final Finding results. 1. Check to see that all required events are being audited From the query prompt: SELECT DISTINCT traceid FROM ::FN_TRACE_GETINFO('0') All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a Finding. 2. For each traceid listed, replacing # with a traceid From the query prompt: SELECT DISTINCT(eventid) FROM ::FN_TRACE_GETEVENTINFO('#') The required eventid’s 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177 and 178 should be listed. If any of the audit events or eventid’s required above are not listed, this is a Finding. 3. Check to see that auditing is set to shutdown the database system if auditing fails (For each traceid listed, replacing # with a traceid) From the query prompt: SELECT CAST(value AS INT) FROM ::FN_TRACE_GETINFO('#') WHERE property = 1 AND value > 4 If value returned is not greater than 4 for any traceid, this is a Finding.

Fix: F-19762r1_fix

Create and start an audit trace that audits required events. CREATE PROCEDURE fso_audit AS -- Create a Queue DECLARE @rc INT DECLARE @TraceID INT DECLARE @maxfilesize BIGINT DECLARE @fso_audit_log NVARCHAR(128) SET @maxfilesize = 5 -- Define custom @fso_audit_log to path\filename SET @fso_audit_log = 'd:\sqlserver\audit\fsoauditlog.log' EXEC @rc = SP_TRACE_CREATE @TraceID output, 6, @fso_audit_log, @maxfilesize, NULL IF (@rc != 0) GOTO Error -- Client side File and Table cannot be scripted. -- Set the events: DECLARE @on BIT SET @on = 1 -- Logins are audited based on SQL Server instance -- setting Audit Level stored in registry -- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\AuditLevel -- Audit Login -- Occurs when a user successfully logs in to SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 14, 1, @on -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 14, 6, @on -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 14, 7, @on -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 14, 8, @on -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 14, 10, @on -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 14, 11, @on -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 14, 12, @on -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 14, 14, @on -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 14, 23, @on -- Success EXEC SP_TRACE_SETEVENT @TraceID, 14, 26, @on -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 14, 35, @on -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 14, 41, @on -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 14, 60, @on -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 14, 64, @on -- SessionLoginName -- Audit Logout -- Occurs when a user logs out of SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 15, 6, @on -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 15, 7, @on -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 15, 8, @on -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 15, 10, @on -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 15, 11, @on -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 15, 12, @on -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 15, 13, @on -- Duration EXEC SP_TRACE_SETEVENT @TraceID, 15, 14, @on -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 15, @on -- EndTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 23, @on -- Success EXEC SP_TRACE_SETEVENT @TraceID, 15, 26, @on -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 15, 35, @on -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 15, 41, @on -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 15, 60, @on -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 15, 64, @on -- SessionLoginName -- Audit Server Starts and Stops -- Occurs when the SQL Server service state is modified. EXEC SP_TRACE_SETEVENT @TraceID, 18, 6, @on -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 18, 7, @on -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 18, 8, @on -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 18, 10, @on -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 18, 11, @on -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 18, 12, @on -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 18, 14, @on -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 18, 23, @on -- Success EXEC SP_TRACE_SETEVENT @TraceID, 18, 26, @on -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 18, 41, @on -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 18, 60, @on -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 18, 64, @on -- SessionLoginName -- Audit Login Failed -- Indicates that a login attempt to SQL Server from a client failed. EXEC SP_TRACE_SETEVENT @TraceID, 20, 1, @on -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 20, 6, @on -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 20, 7, @on -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 20, 8, @on -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 20, 10, @on -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 20, 11, @on -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 20, 12, @on -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 20, 14, @on -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 20, 23, @on -- Success EXEC SP_TRACE_SETEVENT @TraceID, 20, 26, @on -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 20, 31, @on -- Error EXEC SP_TRACE_SETEVENT @TraceID, 20, 35, @on -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 20, 60, @on -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 20, 64, @on -- SessionLoginName -- Audit Statement GDR Event -- Occurs every time a GRANT, DENY, REVOKE for a statement -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 102, 1, @on -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 102, 6, @on -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 7, @on -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 102, 8, @on -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 102, 10, @on -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 102, 11, @on -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 12, @on -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 102, 14, @on -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 19, @on -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 23, @on -- Success EXEC SP_TRACE_SETEVENT @TraceID, 102, 26, @on -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 28, @on -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 102, 34, @on -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 102, 35, @on -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 102, 37, @on -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 39, @on -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 40, @on -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 41, @on -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 42, @on -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 43, @on -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 60, @on -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 102, 64, @on -- SessionLoginName -- Audit Object GDR Event -- Occurs every time a GRANT, DENY, REVOKE for an object -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 103, 1, @on -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 103, 6, @on -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 7, @on -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 103, 8, @on -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 103, 10, @on -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 103, 11, @on -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 12, @on -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 103, 14, @on -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 19, @on -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 23, @on -- Success EXEC SP_TRACE_SETEVENT @TraceID, 103, 26, @on -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 28, @on -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 103, 34, @on -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 103, 35, @on -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 103, 37, @on -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 39, @on -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 40, @on -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 41, @on -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 42, @on -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 43, @on -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 44, @on -- ColumnPermissions EXEC SP_TRACE_SETEVENT @TraceID, 103, 59, @on -- ParentName EXEC SP_TRACE_SETEVENT @TraceID, 103, 60, @on -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 103, 64, @on -- SessionLoginName -- Audit AddLogin Event -- Occurs when a SQL Server login is added or removed; -- for sp_addlogin and sp_droplogin. EXEC SP_TRACE_SETEVENT @TraceID, 104, 6, @on -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 104, 7, @on -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 104, 8, @on -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 104, 10, @on -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 104, 11, @on -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 12, @on -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 104, 14, @on -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 104, 23, @on -- Success EXEC SP_TRACE_SETEVENT @TraceID, 104, 26, @on -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 104, 35, @on -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 104, 41, @on -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 42, @on -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 43, @on -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 60, @on -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 104, 64, @on -- SessionLoginName -- Audit Login GDR Event -- Occurs when a Windows login right is added or removed; -- for sp_grantlogin, sp_revokelogin, and sp_denylogin. EXEC SP_TRACE_SETEVENT @TraceID, 105, 6, @on -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 105, 7, @on -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 105, 8, @on -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 105, 10, @on -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 105, 11, @on -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 12, @on -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 105, 14, @on -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 105, 23, @on -- Success EXEC SP_TRACE_SETEVENT @TraceID, 105, 26, @on -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 105, 35, @on -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 105, 41, @on -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 42, @on -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 43, @on -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 60, @on -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 105, 64, @on -- SessionLoginName -- Audit Login Change Property Event -- Occurs when a property of a login, except passwords, -- is modified; for sp_defaultdb and sp_defaultlanguage. EXEC SP_TRACE_SETEVENT @TraceID, 106, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 42, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 43, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 64, @on -- Audit Login Change Password Event -- Occurs when a SQL Server login password is changed. -- Passwords are not recorded. EXEC SP_TRACE_SETEVENT @TraceID, 107, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 42, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 43, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 64, @on -- Audit Add Login to Server Role Event -- Occurs when a login is added or removed from a fixed server role; -- for sp_addsrvrolemember, and sp_dropsrvrolemember. EXEC SP_TRACE_SETEVENT @TraceID, 108, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 38, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 42, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 43, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 64, @on -- Audit Add DB User Event -- Occurs when a login is added or removed as a database user -- (Windows or SQL Server) to a database; for sp_grantdbaccess, -- sp_revokedbaccess, sp_adduser, and sp_dropuser. EXEC SP_TRACE_SETEVENT @TraceID, 109, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 21, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 38, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 39, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 42, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 43, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 44, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 51, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 64, @on -- Audit Add Member to DB Role Event -- Occurs when a login is added or removed as a database user -- (fixed or user-defined) to a database; for sp_addrolemember, -- sp_droprolemember, and sp_changegroup. EXEC SP_TRACE_SETEVENT @TraceID, 110, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 38, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 39, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 64, @on -- Audit Add Role Event -- Occurs when a login is added or removed as a database user to a -- database; for sp_addrole and sp_droprole. EXEC SP_TRACE_SETEVENT @TraceID, 111, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 38, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 64, @on -- Audit App Role Change Password Event -- Occurs when a password of an application role is changed. EXEC SP_TRACE_SETEVENT @TraceID, 112, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 38, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 64, @on -- Audit Statement Permission Event -- Occurs when a statement permission (such as CREATE TABLE) is used. EXEC SP_TRACE_SETEVENT @TraceID, 113, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 19, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 64, @on -- Audit Backup/Restore Event -- Occurs when a BACKUP or RESTORE command is issued. EXEC SP_TRACE_SETEVENT @TraceID, 115, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 64, @on -- Audit DBCC Event -- Occurs when DBCC commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 116, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 44, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 64, @on -- Audit Change Audit Event -- Occurs when audit trace modifications are made. EXEC SP_TRACE_SETEVENT @TraceID, 117, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 44, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 64, @on -- Audit Object Derived Permission Event -- Occurs when a CREATE, ALTER, and DROP object commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 118, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 64, @on -- Audit Database Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 128, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 64, @on -- Audit Database Object Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 129, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 64, @on -- Audit Database Principal Management Event -- Occurs when principals, such as users, are created, altered, or -- dropped from a database. EXEC SP_TRACE_SETEVENT @TraceID, 130, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 64, @on -- Audit Schema Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 131, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 59, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 64, @on -- Audit Server Principal Impersonation Event -- Occurs when there is an impersonation within server scope, such -- as EXECUTE AS LOGIN. EXEC SP_TRACE_SETEVENT @TraceID, 132, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 64, @on -- Audit Database Principal Impersonation Event -- Occurs when an impersonation occurs within the database scope, -- such as EXECUTE AS USER or SETUSER. EXEC SP_TRACE_SETEVENT @TraceID, 133, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 38, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 64, @on -- Audit Server Object Take Ownership Event -- Occurs when the owner is changed for objects in server scope. EXEC SP_TRACE_SETEVENT @TraceID, 134, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 39, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 42, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 43, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 64, @on -- Audit Database Object Take Ownership Event -- Occurs when a change of owner for objects within database scope -- occurs. EXEC SP_TRACE_SETEVENT @TraceID, 135, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 39, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 64, @on -- Audit Change Database Owner -- Occurs when ALTER AUTHORIZATION is used to change the owner of a -- database and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 152, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 39, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 42, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 43, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 64, @on -- Audit Schema Object Take Ownership Event -- Occurs when ALTER AUTHORIZATION is used to assign an owner to an -- object and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 153, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 39, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 59, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 64, @on -- Audit Server Scope GDR Event -- Indicates that a grant, deny, or revoke event for permissions in -- server scope occurred, such as creating a login. EXEC SP_TRACE_SETEVENT @TraceID, 170, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 19, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 42, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 43, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 64, @on -- Audit Server Object GDR Event -- Indicates that a grant, deny, or revoke event for a schema object, -- such as a table or function, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 171, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 19, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 42, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 43, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 64, @on -- Audit Database Object GDR Event -- Indicates that a grant, deny, or revoke event for database -- objects, such as assemblies and schemas, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 172, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 19, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 39, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 42, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 43, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 64, @on -- Audit Server Operation Event -- Occurs when Security Audit operations such as altering settings, -- resources, external access, or authorization are used. EXEC SP_TRACE_SETEVENT @TraceID, 173, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 64, @on -- Audit Server Alter Trace Event -- Occurs when a statement checks for the ALTER TRACE permission. EXEC SP_TRACE_SETEVENT @TraceID, 175, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 64, @on -- Audit Server Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 176, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 45, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 46, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 64, @on -- Audit Server Principal Management Event -- Occurs when server principals are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 177, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 39, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 42, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 43, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 45, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 64, @on -- Audit Database Operation Event -- Occurs when database operations occur, such as checkpoint or -- subscribe query notification. EXEC SP_TRACE_SETEVENT @TraceID, 178, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 64, @on -- Set the Filters. DECLARE @intfilter INT DECLARE @bigintfilter bigint -- Set the trace status to start. EXEC SP_TRACE_SETSTATUS @TraceID, 1 -- Display trace ID for future references. SELECT TraceID = @TraceID GOTO Finish Error: SELECT ErrorCode = @rc Finish: GO EXEC SP_PROCOPTION 'fso_audit', 'startup', 'true' GO Note: Replace ['d:\sqlserver\audit\fsoauditlog.log'] with the PATH and file name to your audit file.

b
Access to the DBMS should be restricted to static, default network ports.
Medium - V-15648 - SV-21459r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0151-SQLServer9
Vuln IDs
  • V-15648
Rule IDs
  • SV-21459r1_rule
Use of static, default ports helps management of enterprise network device security controls. Use of non-default ports makes tracking and protection of published vulnerabilities to services and protocols more difficult to track and block. and may result in the exposure of the database to unintended network segments and users.Database AdministratorDCPP-1
Checks: C-23634r1_chk

From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Port If the value = 0, this is a Finding (Dynamic port assignment in use). If the value = 2383, this is Not a Finding. The Port value may also be viewed in the Analysis Services configuration file, msmdsrv.ini under XML tag: [Port] The configuration file may be found in the [install dir] \ MSSQL.[#] \ OLAP \ Config directory. If a different port is assigned, verify that the port reassignment requirement is documented and approved in the System Security Plan and AIS Functional Architecture documentation.

Fix: F-20147r1_fix

Use static, default network ports. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Port 5. Set value = 2383 or IAO-approved value 6. Click OK

b
The DBMS should have configured all applicable settings to use trusted files, functions, features, or other components during startup, shutdown, aborts, or other unplanned interruptions.
Medium - V-15649 - SV-25382r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0155-SQLServer9
Vuln IDs
  • V-15649
Rule IDs
  • SV-25382r1_rule
The DBMS opens data files and reads configuration files at system startup, system shutdown and during abort recovery efforts. If the DBMS does not verify the trustworthiness of these files, it is vulnerable to malicious alterations of its configuration or unauthorized replacement of data.Database AdministratorInformation Assurance OfficerDCSS-1, DCSS-2
Checks: C-23838r1_chk

Ask the DBA and/or IAO to demonstrate that the DBMS system initialization, shutdown, and aborts are configured to ensure that the DBMS system remains in a secure state. If the DBA and/or IAO has documented proof from the DBMS vendor demonstrating that the DBMS does not support this either natively or programmatically, this check is a Finding, but can be downgraded to a CAT 3 severity. If the DBMS does support this either natively or programmatically and the configuration does not meet the requirements listed above, this is a Finding. For all MAC 1, all MAC 2 and Classified MAC 3 systems where the DBMS supports the requirements, review documented procedures and evidence of periodic testing to ensure DBMS system state integrity. If documented procedures do not exist or no evidence of implementation is provided, this is a Finding.

Fix: F-16116r1_fix

Configure DBMS system initialization, shutdown and aborts to ensure DBMS system remains in a secure state. For applicable DBMS systems as listed in the check, periodically test configuration to ensure DBMS system state integrity. Where DBMS system state integrity is not supported by the DBMS vendor, obtain and apply mitigation strategies to bring risk to a DAA-acceptable level.

b
Remote DBMS administration is not authorized and is not disabled.
Medium - V-15651 - SV-25387r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0157-SQLServer9
Vuln IDs
  • V-15651
Rule IDs
  • SV-25387r1_rule
Remote administration may expose configuration and sensitive data to unauthorized viewing during transit across the network or allow unauthorized administrative access to the DBMS to remote users.Database AdministratorEBRP-1
Checks: C-23643r1_chk

From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'remote admin connections' If the value of Config_Value is 0, this is Not a Finding. If the value of Config_Value is 1, confirm in the System Security Plan that remote admin connection access is required and approved by the IAO. If it is not documented, required and approved, this is a Finding.

Fix: F-20157r1_fix

Where remote admin connection access is part of the designed and approved use of the SQL Server database, document the requirement in the System Security Plan. Where remote admin connection access is not required, disable its use. From the query prompt: EXEC SP_CONFIGURE 'remote admin connections', 0 RECONFIGURE

b
DBMS remote administration should be audited.
Medium - V-15652 - SV-25389r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0158-SQLServer9
Vuln IDs
  • V-15652
Rule IDs
  • SV-25389r1_rule
When remote administration is available, the vulnerability to attack for administrative access is increased. An audit of remote administrative access provides additional means to discover suspicious activity and to provide accountability for administrative actions completed by remote users.Database AdministratorEBRP-1
Checks: C-28408r1_chk

If the DBMS does not provide auditing of remote administrative actions, this check is Not a Finding. Review settings for actions taken during remote administration sessions. If auditing of remote administration sessions and actions is not enabled, this is a Finding. If audit logs do not include all actions taken by database administrators during remote sessions, this is a Finding. Actions should be tied to a specific user.

Fix: F-20261r1_fix

Develop, document and implement policy and procedures for remote administration auditing. Configure the DBMS to provide an audit trail for remote administrative sessions. Include all actions taken by database administrators during remote sessions. Actions should be tied to a specific user.

b
The DBMS should not have a connection defined to access or be accessed by a DBMS at a different classification level.
Medium - V-15656 - SV-25398r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0171-SQLServer9
Vuln IDs
  • V-15656
Rule IDs
  • SV-25398r1_rule
Applications that access databases and databases connecting to remote databases that differ in their assigned classification levels may expose sensitive data to unauthorized clients. Any interconnections between databases or applications and databases differing in classification levels are required to comply with interface control rules.Database AdministratorECIC-1
Checks: C-23841r1_chk

Review database links or other connections defined for the database (See Check DG0075 for list). If any interconnections show differences in the DBMS and remote system classification levels, this is a Finding.

Fix: F-22608r1_fix

Disassociate or remove connection definitions to remote systems of differing classification levels.

b
The DBMS warning banner does not meet DoD policy requirements.
Medium - V-15658 - SV-25405r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0179-SQLServer9
Vuln IDs
  • V-15658
Rule IDs
  • SV-25405r1_rule
Without sufficient warning of monitoring and access restrictions of a system, legal prosecution to assign responsibility for unauthorized or malicious access may not succeed. A warning message provides legal support for such prosecution. Access to the DBMS or the applications used to access the DBMS require this warning to help assign responsibility for database activities.A warning banner displayed as a function of an Operating System or application login for applications that use the database makes this check Not Applicable.Database AdministratorECWM-1
Checks: C-22843r1_chk

A warning banner displayed as a function of an Operating System or application login for applications that use the database makes this check Not Applicable. View the warning banner. If it does not contain the following text as written below, this is a Finding: [A. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK."] You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OK [B. For Blackberries and other PDAs/PEDs with severe character limitations:] I've read & consent to terms in IS user agreem't. This User Agreement conforms to DoD Standard Notice and Consent Banner and User Agreement – JTF-GNO CTO 08-008A, May 9, 2008.

Fix: F-19763r1_fix

Replace the DBMS banner text with the banner text as shown in this check. For all versions of SQL Server, this requirement can be fulfilled where the database user receives the warning message when authenticating or connecting to a front-end system that includes or covers the SQL Server DBMS. Mark this check as a Finding if the display of a warning banner (not necessarily this specific warning banner) cannot be confirmed. The banner text listed in the Check section supersedes that referenced in the Database STIG requirement.

b
Remote administration of the DBMS should be restricted to known, dedicated and encrypted network addresses and ports.
Medium - V-15662 - SV-25415r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0198-SQLServer9
Vuln IDs
  • V-15662
Rule IDs
  • SV-25415r1_rule
Remote administration provides many conveniences that can assist in the maintenance of the designed security posture of the DBMS. On the other hand, remote administration of the database also provides malicious users the ability to access from the network a highly privileged function. Remote administration needs to be carefully considered and used only when sufficient protections against its abuse can be applied. Encryption and dedication of ports to access remote administration functions can help prevent unauthorized access to it.Database AdministratorEBRP-1
Checks: C-28430r1_chk

If remote administration is disabled or not configured, this check is Not a Finding. Review configured network access interfaces for remote DBMS administration with the SA and DBA. These may be host-based encryptions such as IPSec or may be configured for the DBMS as part of the network communications and/or in the DBMS listening process. For DBMS listeners, verify that encrypted ports exist and are restricted to specific network addresses to access the DBMS. View the System Security Plan to review the authorized procedures and access for remote administration. If the configuration does not match the documented plan, this is a Finding.

Fix: F-23495r1_fix

Disable remote administration where it is not required or authorized. Consider restricting administrative access to local connections only. Where necessary, configure the DBMS network communications to provide an encrypted, dedicated port for remote administration access. Develop and provide procedures for remote administrative access to DBAs that have been authorized for remote administration. Verify during audit reviews that DBAs do not access the database remotely except through the dedicated and encrypted port.