Microsoft SQL Server 2005 Instance Security Technical Implementation Guide

U_SQL_Server_2005_Instance_V8R1-8_Manual-xccdf.xml

Version/Release: V8R1 | Published: 2015-04-03
The Microsoft SQL Server 2005 Instance Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
Vuln Rule Version CCI Severity Title Description
SV-24121r1_rule DG0010-SQLServer9 LOW Database executable and configuration files should be monitored for unauthorized modifications. Changes to files in the DBMS software directory including executable, configuration, script, or batch files can indicate malicious compromise of the software files. Changes to non-executable files, such as log files and data files, do not usually reflect unauthorized changes, but are modified by the DBMS as part of normal operation. These modifications can be ignored.Information Assurance OfficerDCSL-1
SV-24155r1_rule DG0040-SQLServer9 MEDIUM The DBMS software installation account should be restricted to authorized users. DBA and other privileged administrative or application owner accounts are granted privileges that allow actions that can have a greater impact on database security and operation. It is especially important to grant access to privileged accounts to only those persons who are qualified and authorized to use them.Information Assurance OfficerECLP-1, ECPA-1
SV-24079r1_rule DG0050-SQLServer9 MEDIUM Database software, applications and configuration files should be monitored to discover unauthorized changes. Unmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.Database AdministratorDCSL-1, DCSW-1
SV-7382r1_rule DG0060-SQLServer9 MEDIUM All database non-interactive, n-tier connection, and shared accounts that exist should be documented and approved by the IAO. Group authentication does not provide individual accountability for actions taken on the DBMS or data. Whenever a single database account is used to connect to the database, a secondary authentication method that provides individual account ability is required. This scenario most frequently occurs when an externally hosted application authenticates individual users to the application and the application uses a single account to retrieve or update database information on behalf of the individual users.trueDatabase AdministratorInformation Assurance OfficerIAGA-1
SV-25417r1_rule DM0510-SQLServer9 MEDIUM C2 Audit mode should be enabled or custom audit traces defined. The C2 audit mode uses a system-defined trace to collect audit information for MS SQL Server 2000 and higher. It utilizes all security event categories defined within SQL Server, not all of which are required by the Database STIG. Without required auditing, accountability and investigative support is limited.Database AdministratorECAT-1, ECAT-2
SV-23758r1_rule DM0530-SQLServer9 MEDIUM Fixed Server roles should have only authorized users or groups assigned as members. Fixed server roles provide a mechanism to grant groups of privileges to users. These privilege groupings are defined by the installation or upgrade of the SQL Server software at the discretion of Microsoft. Memberships in these roles granted to users should be strictly controlled and monitored. Privileges assigned to these roles should be reviewed for change after software upgrade or maintenance to ensure that the privileges continue to be appropriate to the assigned members.trueDatabase AdministratorECLP-1
SV-23762r1_rule DM0660-SQLServer9 MEDIUM MS SQL Server Instance name should not incude a SQL Server or other software version number. The use of version numbers within the database instance name restricts the use of the instance name from meaningful use in subsequent upgrades. Changing the database instance names on a production database causes unnecessary administrative overhead and compromise existing secure network configurations.trueDatabase AdministratorECAN-1
SV-23794r1_rule DM1758-SQLServer9 HIGH Extended stored procedure xp_cmdshell should be restricted to authorized accounts. The xp_cmdshell extended stored procedure allows execution of host executables outside the controls of database access permissions. This access may be exploited by malicious users who have compromised the integrity of the SQL Server database process to control the host operating system to perpetrate additional malicious activity.trueDatabase AdministratorECLP-1
SV-23884r1_rule DM1761-SQLServer9 MEDIUM Execute stored procedures at startup, if enabled, should have a custom audit trace defined. The DBMS startup process may be vulnerable to introduction of malicious or unauthorized actions. Any use of automated execution of custom procedures provides an opportunity to deploy unauthorized code. For some versions of SQL Server, audit requirements may only be met by audit procedures that are set to start automatically at system startup.Database AdministratorDCSS-1, DCSS-2
SV-23814r1_rule DM2095-SQLServer9 MEDIUM OLE Automation extended stored procedures should be restricted to sysadmin access. Extended stored procedures allow SQL Server users to execute functions external to SQL Server. An extended stored procedure is a function within a Windows DLL that can be referenced as a stored procedure. While this feature is a powerful extension of SQL Server, it also increases the risk of SQL Server users gaining unauthorized access to the operating system. The Windows account used by SQL Server to log on determines the security context used by extended stored procedures. Certain sensitive extended stored procedures should be closely monitored. These sensitive stored procedures include the OLE Automation stored procedures. OLE Automation stored procedures can be used to reconfigure the security of other services including IIS (Internet Information Server).trueDatabase AdministratorDCFA-1
SV-23825r1_rule DM2119-SQLServer9 MEDIUM Registry extended stored procedures should be restricted to sysadmin access. Extended stored procedures allow SQL Server users to execute functions external to SQL Server. An extended stored procedure is a function within a Windows NT DLL that can be referenced as a stored procedure. While this feature is a powerful extension of SQL Server, it also increases the risk of SQL Server users gaining unauthorized access to the operating system. The Windows NT account used by SQL Server to log on determines the security context used by extended stored procedures. Certain sensitive extended stored procedures should be closely monitored. These sensitive stored procedures include the registry editing stored procedures. Registry extended stored procedures can be used to read or change security information, including the NT password database, from the registry.trueDatabase AdministratorDCFA-1
SV-25445r1_rule DM2142-SQLServer9 MEDIUM Remote access should be disabled if not authorized. The remote access option determines if connections to and from other Microsoft SQL Servers are allowed. Remote connections are used to support distributed queries and other data access and command executions across and between remote database hosts. The list of remote servers determines the servers that have defined for remote connections to and from the SQL Server instance. The list of remote logins determines which users on remote servers can connect to and from other SQL Servers. Remote servers and logins that are not properly secured can be used to compromise the server.Database AdministratorDCFA-1
SV-25448r1_rule DM3566-SQLServer9 MEDIUM SQL Server authentication mode should be set to Windows authentication mode or Mixed mode. SQL Server authentication does not provide a sufficiently robust password complexity and management capability to meet stringent security requirements. SQL Server allows use of Windows authentication, a more robust and security authentication service, to control access to the database.Database AdministratorIAIA-1, IAIA-2
SV-25451r1_rule DM3763-SQLServer9 MEDIUM SQL Server Agent CmdExec or ActiveScripting jobs should be restricted to sysadmins. SQL Server Agent CmdExec and ActiveScripting subsystems allow the execution of code by the host operating system under the security context. Allow use of these features only to SYSADMINs and use only where necessary to limit risk of database exploit to the host operating system. Members of the SYSADMIN group have access to all proxies and subsystems by default. Additional assignments are not necessary and would be considered suspect.Database AdministratorDCFA-1, ECLP-1
SV-23886r1_rule DM5267-SQLServer9 MEDIUM Trace Rollover should be enabled for audit traces that have a maximum trace file size. The majority of Microsoft SQL Server security auditing is provided by the trace facility. Traces may be created using system stored procedures or with Microsoft SQL Profiler. The trace must be running in order for security event data to be collected for analysis. Traces can specify a maximum size for the trace file. An action may also be specified when a maximum file size is reached. The trace file rollover option for a defined trace causes the current trace file to close and a new one to be opened with no loss of data. If a maximum file size has been set and the rollover option is not set, the trace stops writing when the maximum file size is reached. If the trace file writes function stops, then auditing is disabled.Database AdministratorECRR-1
SV-24149r1_rule DG0030-SQLServer9 MEDIUM Audit trail data should be retained for one year. Without preservation, a complete discovery of an attack or suspicious activity may not be determined. DBMS audit data also contributes to the complete investigation of unauthorized activity and needs to be included in audit retention plans and procedures.Database AdministratorECRR-1
SV-24088r1_rule DG0070-SQLServer9 MEDIUM Unauthorized user accounts should not exist. Unauthorized user accounts provide unauthorized access to the database and may allow access to database objects. Only authorized users should be granted database accounts.trueDatabase AdministratorIAAC-1
SV-23880r1_rule DM0900-SQLServer9 MEDIUM SQL Mail, SQL Mail Extended Stored Procedures (XPs) and Database Mail XPs are required and enabled. The SQL Mail, SQL Mail Extended Stored Procedures (XPs) and Database Mail XPs are used by database applications to provide email messages to and from the database. This capability may easily be abused to send malicious messages to remote users or systems. Disabling its use helps to protect the database from generating or receiving malicious email notifications.Database AdministratorDCFA-1
SV-23958r1_rule DM0901-SQLServer9 MEDIUM SQL Server Agent email notification usage if enabled should be documented and approved by the IAO. SQL Mail accepts incoming database commands via email. This can introduce malicious codes or viruses into the SQL server environment.Database AdministratorDCBP-1
SV-24123r1_rule DG0011-SQLServer9 LOW Configuration management procedures should be defined and implemented for database software modifications. Uncontrolled, untested, or unmanaged changes result in an unreliable security posture. All changes to software libraries related to the database and its use need to be reviewed, considered, and the responsibility for CM assigned. CM responsibilities may appear to cross boundaries. It is important, however, for the boundaries of CM responsibility to be clearly defined and assigned to ensure no libraries or configurations are left unaddressed. Related database application libraries may include third-party DBMS management tools, DBMS stored procedures, or other end-user applications.Information Assurance OfficerDCPR-1
SV-24131r1_rule DG0016-SQLServer9 LOW Unused database components, database application software and database objects should be removed from the DBMS system. Unused, unnecessary DBMS components increase the attack vector for the DBMS by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced.Database AdministratorDCFA-1
SV-24133r1_rule DG0017-SQLServer9 MEDIUM A production DBMS installation should not coexist on the same DBMS host with other, non-production DBMS installations. Production, development and other non-production DBMS installations have different access and security requirements. Shared production/non-production DBMS installations secured at a production-level can impede development efforts whereas production/non-production DBMS installations secured at a development-level can lead to exploitation of production-level installations. Production DBMS installations should be kept separate from development, QA, TEST and other non-production DBMS systems.Database AdministratorInformation Assurance OfficerECSD-1, ECSD-2
SV-24135r1_rule DG0019-SQLServer9 LOW Application software should be owned by a Software Application account. File and directory ownership imparts full privileges to the owner. These privileges should be restricted to a single, dedicated account to preserve proper chains of ownership and privilege assignment management.Database AdministratorDCSL-1, ECSD-1, ECSD-2
SV-24142r1_rule DG0021-SQLServer9 MEDIUM A baseline of database application software should be documented and maintained. Without maintenance of a baseline of current DBMS application software, monitoring for changes cannot be complete and unauthorized changes to the software can go undetected. Changes to the DBMS executables could be the result of intentional or unintentional actions.Database AdministratorInformation Assurance OfficerDCSW-1
SV-24174r1_rule DG0052-SQLServer9 MEDIUM All applications that access the database should be logged in the audit trail. Protections and privileges are designed within the database to correspond to access via authorized software. Use of unauthorized software to access the database could indicate an attempt to bypass established permissions. Reviewing the use of application software to the database can lead to discovery of unauthorized access attempts.Database AdministratorECAT-1, ECAT-2
SV-24081r1_rule DG0051-SQLServer9 MEDIUM Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions. Unauthorized users may bypass security mechanisms by submitting jobs to job queues managed by the database to be run under a more privileged security context of the database or host system. These queues should be monitored regularly to detect any such unauthorized job submissions.trueDatabase AdministratorECLP-1
SV-24086r1_rule DG0065-SQLServer9 MEDIUM DBMS authentication should require use of a DoD PKI certificate. In a properly configured DBMS, access controls defined for data access and DBMS management actions are assigned based on the user identity and job function. Unauthenticated or falsely authenticated access leads directly to the potential unauthorized access, misuse, and lost accountability of data and activities within the DMBS. Use of PKI certificates for authentication to the DBMS provides a robust mechanism to ensure identity to authorize access to the DBMS.Information Assurance OfficerIATS-1, IATS-2
SV-24193r1_rule DG0066-SQLServer9 MEDIUM Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented. New accounts authenticated by passwords that are created without a password or with an easily guessed password are vulnerable to unauthorized access. Procedures for creating new accounts with passwords should include the required assignment of a temporary password to be modified by the user upon first use.Database AdministratorIAIA-1, IAIA-2
SV-24197r1_rule DG0067-SQLServer9 HIGH Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations. Database passwords stored in clear text are vulnerable to unauthorized disclosure. Database passwords should always be encoded or encrypted when stored internally or externally to the DBMS.Database AdministratorIAIA-1, IAIA-2
SV-24215r1_rule DG0068-SQLServer9 MEDIUM DBMS tools or applications that echo or require a password entry in clear text should be protected from password display. Database applications may allow for entry of the account name and password as a visible parameter of the application execution command. This practice should be prohibited and disabled, if possible, by the application. If it cannot be disabled, users should be strictly instructed not to use this feature. Typically, the application will prompt for this information and accept it without echoing it on the users computer screen.Database AdministratorIAIA-1, IAIA-2
SV-24220r1_rule DG0071-SQLServer9 MEDIUM New passwords should be required to differ from old passwords by more than four characters. Changing passwords frequently can thwart password-guessing attempts or re-establish protection of a compromised DBMS account. Minor changes to passwords may not accomplish this as password guessing may be able to continue to build on previous guesses or the new password may be easily guessed using the old password.Database AdministratorIAIA-1, IAIA-2
SV-24090r1_rule DG0075-SQLServer9 MEDIUM Unauthorized database links should not be defined and active. DBMS links provide a communication and data transfer path definition between two databases that may be used by malicious users to discover and obtain unauthorized access to remote systems. Database links between production and development DBMSs provide a means for developers to access production data not authorized for their access or to introduce untested or unauthorized applications to the production database. Only protected, controlled, and authorized downloads of any production data to use for development should be allowed. Only applications that have completed the configuration management process should be introduced by the application object owner account to the production system.trueDatabase AdministratorDCFA-1
SV-24226r1_rule DG0076-SQLServer9 MEDIUM Sensitive information from production database exports should be modified after import to a development database. Data export from production databases may include sensitive data. Application developers do not have a need to know to sensitive data. Any access they may have to production data would be considered unauthorized access and subject the sensitive data to unlawful or unauthorized disclosure. See DODD 8500.1 section E2.1.41 for a definition of Sensitive Information.Database AdministratorECAN-1
SV-24228r1_rule DG0077-SQLServer9 MEDIUM Production databases should be protected from unauthorized access by developers on shared production/development host systems. Developers granted elevated database and operating system privileges on systems that support both development and production databases can affect the operation and/or security of the production database system. Operating system and database privileges assigned to developers on shared development and production systems should be restricted.Database AdministratorECLP-1
SV-24232r1_rule DG0080-SQLServer9 MEDIUM Application user privilege assignment should be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy. Users granted privileges not required to perform their assigned functions are able to make unauthorized modifications to the production data or database. Monthly or more frequent periodic review of privilege assignments assures that organizational and/or functional changes are reflected appropriately.Database AdministratorECLP-1
SV-24248r1_rule DG0093-SQLServer9 MEDIUM Remote adminstrative connections to the database should be encrypted. Communications between a client and database service across the network may contain sensitive information including passwords. Encryption of remote administrative connections to the database ensures confidentiality.Database AdministratorECCT-1, ECCT-2
SV-24250r1_rule DG0095-SQLServer9 MEDIUM Audit trail data should be reviewed daily or more frequently. Review of audit trail data provides a means for detection of unauthorized access or attempted access. Frequent and regularly scheduled reviews ensures that such access is discovered in a timely manner.Information Assurance OfficerECAT-1
SV-25423r1_rule DM0920-SQLServer9 MEDIUM A Windows OS DBA group should exist. The DBA job function differs from the host system administrator job function. Without a separate host OS group to assign necessary privileges on the operating system, separation of duties is not achieved and excess privileges for the job function are assigned.Information Assurance OfficerECPA-1
SV-25426r1_rule DM0921-SQLServer9 MEDIUM Windows OS DBA group should contain only authorized users. The host DBA group is assigned permissions to the DBMS system libraries and may also be used to assign DBA privileges within the database. Unauthorized DBA privilege assignment leaves the DBMS data and operations vulnerable to complete compromise.Information Assurance OfficerECPA-1
SV-25429r1_rule DM0924-SQLServer9 MEDIUM The SQL Server service should use a least-privileged local or domain user account. The Windows builtin Administrators group and LocalSystem account are assigned full privileges to the Windows operating system. These privileges are not required by the SQL Server service accounts for operation and, if assigned, could allow a successful attack of the SQL Server service to lead to a full compromise of the host system.System AdministratorDatabase AdministratorDCFA-1
SV-25432r1_rule DM0927-SQLServer9 MEDIUM SQL Server registry keys should be properly secured. Registry keys contain configuration data for the SQL Server services and applications. Unrestricted access or access unnecessary for operation can lead to a compromise of the application or disclosure of information that may lead to a successful attack or compromise of data.Database AdministratorECAN-1
SV-24125r1_rule DG0012-SQLServer9 MEDIUM Database software directories including DBMS configuration files are stored in dedicated directories separate from the host OS and other applications. Multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit to one application can lead to an exploit of other applications sharing the same security context. For example, an exploit to a web server process that leads to unauthorized administrative access to host system directories can most likely lead to a compromise of all applications hosted by the same system. Database software not installed using dedicated directoriies both threatens and is threatened by other hosted applications. Access controls defined for one application may by default provide access to the other application’s database objects or directories. Any method that provides any level of separation of security context assists in the protection between applications.Database AdministratorDCPA-1
SV-24115r1_rule DG0002-SQLServer9 MEDIUM An upgrade/migration plan should be developed to address an unsupported DBMS software version. Unsupported software versions are not patched by vendors to address newly discovered security versions. An unpatched version is vulnerable to attack. Developing and implementing an upgrade plan prior to a lapse in support helps to protect against published vulnerabilities.Information Assurance OfficerVIVM-1
SV-24113r1_rule DG0001-SQLServer9 HIGH Vendor supported software is evaluated and patched against newly found vulnerabilities. The version of MS SQL Server must be listed by Microsoft as a supported version. Microsoft discontinues fixes for unsupported versions on reported dates. In order to maintain a secure environment, the installed version must continue to receive fixes for reported vulnerabilities.Information Assurance OfficerVIVM-1
SV-24117r1_rule DG0003-SQLServer9 MEDIUM The latest security patches should be installed. Maintaining the currency of the software version protects the database from known vulnerabilities.If any update has been released that is deemed by Microsoft to be a critical update, this check should be assigned a Severity Category of I.Database AdministratorVIVM-1
SV-24075r1_rule DG0029-SQLServer9 MEDIUM Required auditing parameters for database auditing should be set. Auditing provides accountability for changes made to the DBMS configuration or its objects and data. It provides a means to discover suspicious activity and unauthorized changes. Without auditing, a compromise may go undetected and without a means to determine accountability.Database AdministratorECAR-1, ECAR-2, ECAR-3
SV-24077r1_rule DG0032-SQLServer9 MEDIUM Audit records should be restricted to authorized individuals. Audit data is frequently targeted by malicious users as it can provide a means to detect their activity. The protection of the audit trail data is of special concern and requires restrictions to allow only the auditor and DBMS backup, recovery, and maintenance users access to it.trueDatabase AdministratorECTP-1
SV-24119r1_rule DG0005-SQLServer9 MEDIUM Only necessary privileges to the host system should be granted to DBA OS accounts. Database administration accounts are frequently granted more permissions to the local host system than are necessary. This allows inadvertent or malicious changes to the host operating system.System AdministratorDatabase AdministratorECLP-1
SV-24234r1_rule DG0083-SQLServer9 MEDIUM Automated notification of suspicious activity detected in the audit trail should be implemented. Audit record collection may quickly overwhelm storage resources and an auditor's ability to review it in a productive manner. Automated tools can provide the means to manage the audit data collected as well as present it to an auditor in an efficient way.Information Assurance OfficerECRG-1
SV-25393r1_rule DG0161-SQLServer9 MEDIUM An automated tool that monitors audit data and immediately reports suspicious activity should be employed for the DBMS. Audit logs only capture information on suspicious events. Without an automated monitoring and alerting tool, malicious activity may go undetected and without response until compromise of the database or data is severe.Information Assurance OfficerECAT-2
SV-25395r1_rule DG0167-SQLServer9 HIGH Sensitive data served by the DBMS should be protected by encryption when transmitted across the network. Sensitive data served by the DBMS and transmitted across the network in clear text is vulnerable to unauthorized capture and review.Database AdministratorECCT-1, ECCT-2
SV-24104r1_rule DG0120-SQLServer9 MEDIUM Unauthorized access to external database objects should be removed from application user roles. Access to objects stored and/or executed outside of the DBMS security context may provide an avenue of attack to host system resources not controlled by the DBMS. Any access to external resources from the DBMS can lead to a compromise of the host system or its resources.trueDatabase AdministratorECLP-1
SV-24238r1_rule DG0086-SQLServer9 MEDIUM DBA roles should be periodically monitored to detect assignment of unauthorized or excess privileges. Excess privilege assignment can lead to intentional or unintentional unauthorized actions. Such actions may compromise the operation or integrity of the DBMS and its data.Information Assurance OfficerECLP-1
SV-24084r1_rule DG0063-SQLServer9 MEDIUM DBMS privileges to restore database data or other DBMS configurations, features or objects should be restricted to authorized DBMS accounts. Unauthorized restoration of database data, objects, or other configuration or features can result in a loss of data integrity, unauthorized configuration, or other DBMS interruption or compromise.trueDatabase AdministratorECLP-1
SV-25411r1_rule DG0194-SQLServer9 MEDIUM Privileges assigned to developers on shared production and development DBMS hosts and the DBMS should be monitored every three months or more frequently for unauthorized changes. The developer role does not require Need-to-Know or administrative privileges to production databases. Assigning excess privileges can lead to unauthorized access to sensitive data or compromise of database operations.Information Assurance OfficerECPC-1, ECPC-2
SV-25413r1_rule DG0195-SQLServer9 MEDIUM DBMS production application and data directories should be protected from developers on shared production/development DBMS host systems. Developer roles should not be assigned DBMS administrative privileges to production DBMS application and data directories. The separation of production and development DBA and developer roles help protect the production system from unauthorized, malicious or unintentional interruption due to development activities.System AdministratorDatabase AdministratorECPC-1, ECPC-2
SV-24157r1_rule DG0041-SQLServer9 MEDIUM Use of the DBMS installation account should be logged. The DBMS installation account may be used by any authorized user to perform DBMS installation or maintenance. Without logging, accountability for actions attributed to the account is lost.Information Assurance OfficerECLP-1
SV-24167r1_rule DG0042-SQLServer9 MEDIUM Use of the DBMS software installation account should be restricted to DBMS software installation, upgrade and maintenance actions. The DBMS software installation account is granted privileges not required for DBA or other functions. Use of accounts configured with excess privileges may result in unauthorized or unintentional compromise of the DBMS.Information Assurance OfficerECLP-1
SV-24240r1_rule DG0088-SQLServer9 LOW The DBMS should be periodically tested for vulnerability management and IA compliance. The DBMS security configuration may be altered either intentionally or unintentionally over time. The DBMS may also be the subject of published vulnerabilities that require the installation of a security patch or a reconfiguration to mitigate the vulnerability. If the DBMS is not monitored for required or unintentional changes that render it not compliant with requirements, it can be vulnerable to attack or compromise.Information Assurance OfficerECMT-1, ECMT-2
SV-23852r1_rule DM6065-SQLServer9 MEDIUM SQL Server replications agents should be run under separate and dedicated OS accounts. Use of shared accounts used by replication agents require that all permissions required to support each of the separate replication agent roles (snapshot publication, distribution, log reading, merge publication, queue reading, and replication maintenance) be assigned to the shared account. This translates to excess privilege assignment to the account to perform a specific job task and an exploit to the single account means a compromise to all replication elements accessed by the shared account. Separation of duties by use of separate and dedicated accounts reduces the risk to the entire replication implementation.trueDatabase AdministratorDCFA-1
SV-24242r1_rule DG0089-SQLServer9 LOW Developers should not be assigned excessive privileges on production databases. Developers play a unique role and represent a specific type of threat to the security of the DBMS. Where restricted resources prevent the required separation of production and development DBMS installations, developers granted elevated privileges to create and manage new database objects must also be prevented from actions that can threaten the production operation.Database AdministratorECPC-1, ECPC-2
SV-25400r1_rule DG0175-SQLServer9 MEDIUM The DBMS host platform and other dependent applications should be configured in compliance with applicable STIG requirements. The security of the data stored in the DBMS is also vulnerable to attacks against the host platform, calling applications, and other application or optional components.Information Assurance OfficerECSC-1
SV-25402r1_rule | DG0176-SQLServer9 | MEDIUM | The DBMS audit logs should be included in backup operations. | DBMS audit logs are essential to the investigation and prosecution of unauthorized access to the DBMS data. Unless audit logs are available for review, the extent of data compromise may not be determined and the vulnerability exploited may not be discovered. Undiscovered vulnerabilities could lead to additional or prolonged compromise of the data. | Responsibility: Database Administrator | IA Controls: ECTB-1
SV-25391r1_rule | DG0159-SQLServer9 | MEDIUM | Remote administrative access to the database should be monitored by the IAO or IAM. | Remote administrative access to systems provides a path for access to and exploit of DBA privileges. Where the risk has been accepted to allow remote administrative access, it is imperative to institute increased monitoring of this access to detect any abuse or compromise. | Responsibility: Information Assurance Officer; Information Assurance Manager | IA Controls: EBRP-1
SV-24100r1_rule | DG0114-SQLServer9 | MEDIUM | DBMS files critical for DBMS recovery should be stored on RAID or other high-availability storage devices. | DBMS recovery can be adversely affected by hardware storage failure. Impediments to DBMS recovery can have a significant impact on operations. | Documentable: true | Responsibility: System Administrator; Database Administrator | IA Controls: COBR-1
SV-24189r1_rule | DG0064-SQLServer9 | MEDIUM | DBMS backup and restoration files should be protected from unauthorized access. | Lost or compromised DBMS backup and restoration files may lead not only to the loss of data, but also to unauthorized access to sensitive data. Backup files need the same protections against unauthorized access when stored on backup media as when online and actively in use by the database system. In addition, the backup media needs to be protected against physical loss. Most DBMSs maintain online copies of critical control files to provide transparent or easy recovery from hard disk loss or other interruptions to database operation. | Responsibility: Database Administrator | IA Controls: COBR-1
SV-25409r1_rule | DG0187-SQLServer9 | MEDIUM | DBMS software libraries should be periodically backed up. | The DBMS application depends upon the availability and integrity of its software libraries. Without backups, compromise or loss of the software libraries can prevent a successful recovery of DBMS operations. | Responsibility: Database Administrator | IA Controls: COSW-1
SV-25407r1_rule | DG0186-SQLServer9 | MEDIUM | The database should not be directly accessible from public or unauthorized networks. | Databases often store critical and/or sensitive information used by the organization. For this reason, databases are targeted for attacks by malicious users. Additional protections provided by network defenses that limit accessibility help protect the database and its data from unnecessary exposure and risk. | Responsibility: Information Assurance Officer | IA Controls: EBBD-1, EBBD-2, EBBD-3
SV-25457r1_rule | DM6015-SQLServer9 | MEDIUM | The Named Pipes network protocol should be documented and approved if enabled. | The Named Pipes protocol runs over SMB, so it needs the Windows file-sharing ports (TCP 445, and TCP 139 for NetBIOS sessions) opened on firewalls rather than the single listening port the TCP/IP protocol uses. Managing and administering multiple network protocols may unnecessarily complicate network controls. | Responsibility: Database Administrator | IA Controls: DCFA-1
SV-23851r1_rule | DM6045-SQLServer9 | MEDIUM | Only authorized users should be assigned permissions to SQL Server Agent proxies. | Database accounts granted access to SQL Server Agent proxies are granted permissions to create and submit specific function job steps to be executed by SQL Server Agent. Unauthorized users may use access to proxies to execute unauthorized functions against the SQL Server instance or host operating system. | Documentable: true | Responsibility: Database Administrator | IA Controls: ECAN-1
SV-24302r1_rule | DG0118-SQLServer9 | MEDIUM | The IAM should review changes to DBA role assignments. | Unauthorized assignment of DBA privileges can lead to a compromise of DBMS integrity. Providing oversight of the authorization and assignment of privileges provides the separation of duty needed to support sufficient oversight. | Responsibility: Information Assurance Manager | IA Controls: ECPA-1
SV-24139r1_rule | DG0020-SQLServer9 | MEDIUM | Backup and recovery procedures should be developed, documented, implemented and periodically tested. | Problems with backup procedures or backup media may not be discovered until after a recovery is needed. Testing and verification of procedures provides the opportunity to discover oversights, conflicts, or other issues in the backup procedures or in the use of the media. | Responsibility: Database Administrator | IA Controls: CODP-1, CODP-2, CODP-3
SV-24224r1_rule | DG0074-SQLServer9 | MEDIUM | Unapproved inactive or expired database accounts should not be found on the database. | Unused or expired DBMS accounts provide a means for undetected, unauthorized access to the database. | Documentable: true | Responsibility: Database Administrator | IA Controls: IAAC-1
SV-24244r1_rule | DG0090-SQLServer9 | MEDIUM | Sensitive information stored in the database should be protected by encryption. | Sensitive data stored in unencrypted format within the database is vulnerable to unauthorized viewing. | Responsibility: Database Administrator; Information Assurance Officer | IA Controls: ECCR-1, ECCR-2, ECCR-3
SV-24246r1_rule | DG0092-SQLServer9 | MEDIUM | Database data files containing sensitive information should be encrypted. | Where access controls do not provide complete protection of sensitive or classified data, encryption can help to close the gap. Encryption of sensitive data helps protect against disclosure to privileged users who do not have a need-to-know requirement to view the data that is stored in files outside of the database. Data encryption also provides a level of protection where database controls cannot restrict access to single rows and columns of data. | Responsibility: Database Administrator | IA Controls: ECCR-1, ECCR-2, ECCR-3
SV-25436r1_rule | DM0929-SQLServer9 | MEDIUM | The Integration Services service account should not be assigned excess host system privileges. | Excess privileges can unnecessarily increase the vulnerabilities to a successful attack. If the Integration Services service is compromised, the attack can lead to use of the privileges assigned to the service account. Administrative and other unnecessary privileges assigned to the service account can be used for an attack on the host system and/or SQL Server database. | Responsibility: System Administrator; Database Administrator | IA Controls: DCFA-1
SV-25454r1_rule | DM3930-SQLServer9 | MEDIUM | Error log retention should be set to meet log retention policy. | For SQL Server, error logs are used to store system event and system error information. In addition to assisting in correcting system failures or issues that could affect system availability and operation, log information may also be useful in discovering evidence of malicious intent. Management of the error logs requires consideration and planning to prevent loss of security data and to maintain system operation. | Responsibility: Database Administrator | IA Controls: ECCR-1, ECCR-2, ECCR-3
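As an added example for DM3930 (not part of the STIG), the following T-SQL reads the number of error logs the Database Engine keeps before recycling the oldest and raises it when it falls below policy. The count is the NumErrorLogs registry value under the instance's MSSQLServer key; when the value is absent the engine keeps six logs. xp_instance_regread and xp_instance_regwrite are undocumented extended procedures that translate the generic MSSQLServer path to the current instance's registry hive, and the retention count of 12 is an assumed site policy.

```sql
-- Added example, not from the STIG: check and set SQL Server error log retention.
-- Assumption: the site's log retention policy requires at least 12 error logs.
DECLARE @NumErrorLogs int;

-- Read the instance-relative registry value. @NumErrorLogs stays NULL when the
-- value has never been set, which means the default of 6 logs is in effect.
EXEC master.dbo.xp_instance_regread
    N'HKEY_LOCAL_MACHINE',
    N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer',
    N'NumErrorLogs',
    @NumErrorLogs OUTPUT;

SELECT ISNULL(@NumErrorLogs, 6) AS error_logs_retained;

IF ISNULL(@NumErrorLogs, 6) < 12
BEGIN
    -- Raise retention; the new count takes effect at the next log cycle.
    EXEC master.dbo.xp_instance_regwrite
        N'HKEY_LOCAL_MACHINE',
        N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer',
        N'NumErrorLogs',
        REG_DWORD,
        12;
END

-- The active log is recycled on every service restart and on each
-- sp_cycle_errorlog call, so a busy or frequently restarted instance rolls
-- logs off quickly: archive ERRORLOG.n files into the backup set (DG0176)
-- and the log review process before they are overwritten.
```

Retention here counts files, not days; map the policy's retention period onto the number of restarts and manual cycles the instance sees, and collect the archived files off-host if that mapping is uncertain.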
SV-24252r1_rule | DG0096-SQLServer9 | LOW | The DBMS IA policies and procedures should be reviewed annually or more frequently. | A regular review of current database security policies and procedures is necessary to maintain the desired security posture of the DBMS. Policies and procedures should be measured against current DOD policy, STIG guidance, vendor-specific guidance and recommendations, and site-specific or other security policy. | Responsibility: Information Assurance Officer | IA Controls: DCAR-1
SV-24254r1_rule | DG0097-SQLServer9 | MEDIUM | Plans and procedures for testing DBMS installations, upgrades and patches should be defined and followed prior to production implementation. | Updates and patches to existing software have the intention of improving the security or enhancing or adding features to the product. However, it is unfortunately common that updates or patches can render production systems inoperable or even introduce serious vulnerabilities. Some updates also set security configurations back to unacceptable settings that do not meet security requirements. For these reasons, it is a good practice to test updates and patches offline before introducing them in a production environment. | Responsibility: Information Assurance Officer | IA Controls: DCCT-1
SV-24218r1_rule | DG0069-SQLServer9 | MEDIUM | Procedures and restrictions for import of production data to development databases should be documented, implemented and followed. | Data exported from production databases may include sensitive data. Application developers do not have a need-to-know for sensitive data. Any access they may have to production data would be considered unauthorized access and would subject the sensitive data to unlawful or unauthorized disclosure. | Responsibility: Database Administrator | IA Controls: ECAN-1
SV-24263r1_rule | DG0102-SQLServer9 | MEDIUM | DBMS processes or services should run under custom, dedicated OS accounts. | Shared accounts do not provide separation of duties nor allow for assignment of least privileges for use by database processes and services. Without separation and least privilege, the exploit of one service or process is more likely to be able to compromise another or all other services. | Responsibility: Database Administrator | IA Controls: DCFA-1
SV-24269r1_rule | DG0106-SQLServer9 | MEDIUM | Database data encryption controls should be configured in accordance with application requirements. | Authorizations may not sufficiently protect access to sensitive data and may require encryption. In some cases, the required encryption may be provided by the application accessing the database. In others, the DBMS may be configured to provide the data encryption. When the DBMS provides the encryption, the requirement must be implemented as identified by the Information Owner to prevent unauthorized disclosure or access. | Responsibility: Database Administrator | IA Controls: DCFA-1
SV-24271r1_rule | DG0107-SQLServer9 | MEDIUM | Sensitive data stored in the database should be identified in the System Security Plan and AIS Functional Architecture documentation. | A DBMS that does not have the correct confidentiality level identified, or has no confidentiality level assigned, stands the chance of not being secured at a level appropriate to the risk it poses. | Responsibility: Information Assurance Officer | IA Controls: DCFA-1
SV-24275r1_rule | DG0108-SQLServer9 | LOW | The DBMS restoration priority should be assigned. | When DBMS service is disrupted, the impact it has on the overall mission of the organization can be severe. Without the proper assignment of the priority to be placed on restoration of the DBMS and its subsystems, restoration of DBMS services may not meet mission requirements. | Responsibility: Information Assurance Officer | IA Controls: DCFA-1
SV-24278r1_rule | DG0109-SQLServer9 | MEDIUM | The DBMS should not be operated without authorization on a host system supporting other application services. | In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit of one application can lead to an exploit of other applications sharing the same security context. For example, an exploit of a web server process that leads to unauthorized administrative access to the host system can most likely lead to a compromise of all applications hosted by the same system. A DBMS not installed on a dedicated host may pose a threat to and be threatened by other hosted applications. Applications that share a single DBMS may also create risk to one another. Access controls defined for one application by default may provide access to the other application's database objects or directories. Any method that provides any level of separation of security context assists in the protection between applications. | Responsibility: Information Assurance Officer | IA Controls: DCPA-1
SV-24289r1_rule | DG0111-SQLServer9 | MEDIUM | The DBMS data files, transaction logs and audit files should be stored in dedicated directories or disk partitions separate from software or other application files. | Protection of DBMS data, transaction and audit data files stored by the host operating system is dependent on OS controls. When different applications share the same database process, resource contention and differing security controls may be required to isolate and protect one application's data and audit logs from another. DBMS software libraries and configuration files also require differing access control lists. | Responsibility: Database Administrator | IA Controls: DCPA-1
SV-25376r1_rule | DG0152-SQLServer9 | MEDIUM | DBMS network communications should comply with PPS usage restrictions. | Non-standard network ports, protocol or services configuration or usage could lead to bypass of network perimeter security controls and protections. | Responsibility: Database Administrator | IA Controls: DCPP-1
SV-25378r1_rule | DG0153-SQLServer9 | LOW | DBA role assignments should be assigned and authorized by the IAO. | The DBA role and associated privileges provide complete control over the DBMS operation and integrity. DBA role assignment without authorization could lead to the assignment of these privileges to untrusted and untrustworthy persons and complete compromise of DBMS integrity. | Responsibility: Information Assurance Officer | IA Controls: DCSD-1
SV-25380r1_rule | DG0154-SQLServer9 | LOW | The DBMS requires a System Security Plan containing all required information. | A System Security Plan identifies security control applicability and configuration for the DBMS. It also contains security control documentation requirements. Security controls applicable to the DBMS may not be documented, tracked or followed if not identified in the System Security Plan. Any omission of security control consideration could lead to an exploit of DBMS vulnerabilities. | Responsibility: Information Assurance Officer | IA Controls: DCSD-1
SV-24092r1_rule | DG0079-SQLServer9 | MEDIUM | DBMS login accounts require passwords to meet complexity requirements. | Weak passwords are a primary target for attack to gain unauthorized access to databases and other systems. Where username/password is used for identification and authentication to the database, requiring the use of strong passwords can help prevent simple and more sophisticated methods of guessing passwords. | Documentable: true | Responsibility: Database Administrator | IA Controls: IAIA-1, IAIA-2
SV-19452r1_rule | DG0125-SQLServer9 | MEDIUM | DBMS account passwords should be set to expire every 60 days or more frequently. | Unchanged passwords provide a means for compromised passwords to be used for unauthorized access to DBMS accounts over a long time. | Documentable: true | Responsibility: Database Administrator | IA Controls: IAIA-1, IAIA-2
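As an added example for DG0079 and DG0125 (not part of the STIG), the following T-SQL finds SQL Server authentication logins that bypass the host's Windows password policy and generates the statements that enforce it. SQL Server 2005 has no password rules of its own: CHECK_POLICY applies the Windows complexity, lockout and minimum-age rules, and CHECK_EXPIRATION applies the Windows maximum password age, so the 60-day limit (and the one-change-per-24-hours minimum age) is configured in the local security policy or domain GPO of the host, not in SQL Server. Windows logins are governed by that policy directly and do not appear in sys.sql_logins.

```sql
-- Added example, not from the STIG: audit and enforce password policy on
-- SQL Server authentication logins.
SELECT name,
       is_policy_checked,       -- 0: complexity and lockout rules not enforced
       is_expiration_checked,   -- 0: password never expires
       is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0
   OR is_expiration_checked = 0
ORDER BY name;

-- Generate the remediation. CHECK_EXPIRATION requires CHECK_POLICY, so both
-- are set together; review the output before running it, because expiring
-- the password of an application service login breaks the application when
-- the password lapses unless a rotation procedure exists (see DG0060).
SELECT 'ALTER LOGIN ' + QUOTENAME(name)
     + ' WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;' AS remediation
FROM sys.sql_logins
WHERE is_policy_checked = 0
   OR is_expiration_checked = 0;

-- Enforcing the policy does not re-validate a password that already exists.
-- To force a compliant password at next logon, reset it with MUST_CHANGE
-- ([app_reporting] and the temporary password are assumed examples):
ALTER LOGIN [app_reporting]
    WITH PASSWORD = 'T3mp-0nly!Rotate-Me' MUST_CHANGE,
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;

-- Confirm: no rows expected after remediation.
SELECT name FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;
```

Check the Windows side as well: if the host's maximum password age is longer than 60 days, every login reported as compliant here still fails DG0125.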
SV-24111r1_rule | DG0190-SQLServer9 | MEDIUM | Credentials stored and used by the DBMS to access remote databases or applications should be authorized and restricted to authorized users. | Credentials defined for access to remote databases or applications may provide unauthorized access to additional databases and applications to unauthorized or malicious users. | Documentable: true | Responsibility: Database Administrator | IA Controls: DCFA-1
SV-25439r1_rule | DM0933-SQLServer9 | MEDIUM | The SQL Server Agent service account should not be assigned excess user rights. | Excess privileges can unnecessarily increase the vulnerabilities to a successful attack. If the SQL Server Agent service is compromised, the attack can lead to use of the privileges assigned to the service account. Administrative and other unnecessary privileges assigned to the service account can be used for an attack on the host system and/or SQL Server database. | Responsibility: System Administrator; Database Administrator | IA Controls: DCFA-1
SV-23857r1_rule | DM6128-SQLServer9 | MEDIUM | Only authorized service broker endpoints should be configured on the server. | Service Broker endpoints expose the database to SQL Server messaging communication access. Where not carefully designed and implemented, messaging communication can unnecessarily expose the database to additional exploit that compromises data confidentiality and integrity. Removing messaging communication endpoints helps to protect the database from unauthorized messaging communication access. | Documentable: true | Responsibility: Database Administrator | IA Controls: DCFA-1
SV-25496r1_rule | DM6160-SQLServer9 | MEDIUM | Database Engine Ad Hoc distributed queries should be disabled. | Ad hoc distributed queries (OPENROWSET and OPENDATASOURCE) allow undefined access to remote database sources that have not been registered as linked servers. Access to untrusted databases could result in execution of malicious applications and/or a compromise of local data confidentiality and integrity. | Responsibility: Database Administrator | IA Controls: DCFA-1
SV-23867r1_rule | DM6189-SQLServer9 | MEDIUM | The data directory should specify a dedicated disk partition and restricted access. | Data directories require different access controls than software file directories. Locating data directories in separate directories on a dedicated disk partition allows access controls to be assigned only to those users that require access and helps protect the data from unauthorized access. | Responsibility: Database Administrator | IA Controls: DCPA-1
SV-25435r1_rule | DM0928-SQLServer9 | MEDIUM | The SQL Server services should not be assigned excessive user rights. | Excessive or unneeded privileges allow for unauthorized actions. When application vulnerabilities are exploited, excessive privileges assigned to the application can lead to unnecessary risk to the host system and other services. | Responsibility: System Administrator; Database Administrator | IA Controls: DCFA-1
SV-25420r1_rule | DM0919-SQLServer9 | MEDIUM | SQL Server services should be assigned least privileges on the SQL Server Windows host. | Exploits of SQL Server services may provide access to host system resources within the security context of the service. Excess privileges assigned to the SQL Server services can increase the threat to the host system. | Responsibility: Information Assurance Officer | IA Controls: ECPA-1
SV-23868r1_rule | DM6195-SQLServer9 | MEDIUM | Database TRUSTWORTHY status should be authorized and documented or set to off. | When a database's TRUSTWORTHY setting is OFF, SQL Server does not trust the database's contents: assemblies registered with the EXTERNAL_ACCESS or UNSAFE permission sets cannot reach resources outside the database, and modules that impersonate accounts holding elevated privileges cannot use that context at the server level. Unless all assemblies and code in the database have been reviewed, especially where databases have been detached and attached between server instances, leaving TRUSTWORTHY off helps reduce the threat from malicious assemblies or modules. | Documentable: true | Responsibility: Database Administrator | IA Controls: ECLP-1
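As an added example for DM6195 (not part of the STIG), the following T-SQL lists databases with TRUSTWORTHY ON and flags the combination that matters most for the impersonation case the rule describes: a trustworthy database whose owner is a member of sysadmin. In that combination any db_owner can write a module that EXECUTEs AS the owner and obtains sysadmin rights on the instance. The database and login names in the remediation statements are assumed examples.

```sql
-- Added example, not from the STIG: audit TRUSTWORTHY and the owner-is-sysadmin
-- escalation path.
SELECT d.name,
       d.is_trustworthy_on,
       SUSER_SNAME(d.owner_sid)                              AS owner_login,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin,
       d.is_db_chaining_on
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
ORDER BY d.name;

-- msdb is TRUSTWORTHY ON by default because SQL Server Agent depends on it;
-- document it rather than change it. Every other database should be OFF
-- unless its assemblies and impersonating modules have been reviewed and the
-- exception is recorded.
ALTER DATABASE [Sales] SET TRUSTWORTHY OFF;   -- [Sales] is an assumed name

-- Where TRUSTWORTHY must stay ON, remove the escalation path by giving the
-- database an owner with no server-level privileges.
ALTER AUTHORIZATION ON DATABASE::[Sales] TO [sales_db_owner];   -- assumed login

-- SQL Server sets TRUSTWORTHY OFF whenever a database is attached or restored,
-- so any ON value found after such an operation was set deliberately on this
-- instance and must match the documented authorization.
SELECT name FROM sys.databases
WHERE is_trustworthy_on = 1 AND name <> 'msdb';   -- expect no rows, or only documented ones
```

Treat any row with owner_is_sysadmin = 1 as a finding even when the TRUSTWORTHY exception itself is documented; the rule's risk statement about impersonation of elevated accounts is exactly this case.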
SV-25463r1_rule | DM6030-SQLServer9 | MEDIUM | SQL Server event forwarding, if enabled, should be operational. | If SQL Server is configured to forward events to an Alerts Management Server that is not available, then no alerts are issued for the server. | Responsibility: Database Administrator | IA Controls: DCFA-1
SV-23855r1_rule | DM6070-SQLServer9 | MEDIUM | Replication databases should have authorized db_owner role members. The replication monitor role should have authorized members. | Role privileges required by replication include full privileges to the databases containing replicated objects. Restrict db_owner role membership in replication databases, and replmonitor database role membership in the system distribution database, to the authorized replication agent accounts that require access to the database. Unauthorized access gives unintentional or malicious users greater opportunity to exploit replication access. | Documentable: true | Responsibility: Database Administrator | IA Controls: ECLP-1
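As an added example for DM6070 (not part of the STIG), the following T-SQL finds every database that takes part in replication on the instance (publisher, subscriber or distributor, from the flags in sys.databases) and lists the members of db_owner and replmonitor in each, so the list can be compared with the authorized replication agent accounts. The distribution database is located by its is_distributor flag rather than by name, and sp_droprolemember is the SQL Server 2005 way to remove a member.

```sql
-- Added example, not from the STIG: enumerate db_owner and replmonitor members
-- in every replication-related database.
DECLARE @db  sysname,
        @sql nvarchar(max);

DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE state_desc = 'ONLINE'
      AND (is_published = 1 OR is_merge_published = 1
           OR is_subscribed = 1 OR is_distributor = 1);

OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Role membership is per database, so the catalog views must be read
    -- through a three-part name built with QUOTENAME to avoid injection
    -- from an odd database name.
    SET @sql = N'SELECT ' + QUOTENAME(@db, '''') + N' AS database_name,
                        r.name AS role_name,
                        m.name AS member_name,
                        m.type_desc AS member_type
                 FROM ' + QUOTENAME(@db) + N'.sys.database_role_members AS rm
                 JOIN ' + QUOTENAME(@db) + N'.sys.database_principals AS r
                      ON r.principal_id = rm.role_principal_id
                 JOIN ' + QUOTENAME(@db) + N'.sys.database_principals AS m
                      ON m.principal_id = rm.member_principal_id
                 WHERE r.name IN (N''db_owner'', N''replmonitor'')
                 ORDER BY r.name, m.name;';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM db_cur INTO @db;
END
CLOSE db_cur;
DEALLOCATE db_cur;

-- Remediation in the affected database (names are assumed examples):
-- USE [SalesPub];
-- EXEC sp_droprolemember 'db_owner', 'contractor_login';
```

Members of type WINDOWS_GROUP hide their real membership; resolve each group with xp_logininfo before signing off on the list.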
SV-24283r1_rule | DG0110-SQLServer9 | MEDIUM | The DBMS should not share a host supporting an independent security service. | The Security Support Structure is a security control function or service provided by an external system or application. An example of this would be a Windows domain controller that provides identification and authentication that can be used by other systems to control access. The vulnerabilities and, therefore, associated risk of a DBMS installed on a system that provides a security support structure are significantly higher than when installed with other functions that do not provide security support. In cases where the DBMS is dedicated to local support of a security support function (e.g., a directory service), separation may not be possible. | Responsibility: Information Assurance Officer | IA Controls: DCSP-1
SV-25499r1_rule | DM6193-SQLServer9 | MEDIUM | Only authorized users should be granted access to Analysis Services data sources. | Access control applied to data sources controls user access to remotely defined systems using the authentication and authorizations defined for the data source. Unauthorized access to the data source in turn provides unauthorized access to remote systems. | Responsibility: Database Administrator | IA Controls: ECAN-1
SV-25470r1_rule | DM6099-SQLServer9 | MEDIUM | Analysis Services user-defined COM functions should be disabled if not required. | Allowing user-defined COM functions can allow unauthorized code access to the Analysis Services instance. Where not required as part of the operational design, allowing user-defined COM functions can expose the instance to unnecessary risk. | Responsibility: Database Administrator | IA Controls: DCFA-1
SV-25465r1_rule | DM6075-SQLServer9 | MEDIUM | Replication snapshot folders should be protected from unauthorized access. | Replication snapshot folders contain database data to which only authorized replication accounts require access. Unauthorized access to these folders could compromise data confidentiality and integrity, and could compromise database availability. | Responsibility: Database Administrator | IA Controls: ECAN-1
SV-25466r1_rule | DM6085-SQLServer9 | MEDIUM | The Analysis Services ad hoc data mining queries configuration option should be disabled if not required. | Ad hoc data mining queries allow OPENROWSET in data mining statements to connect to remote data sources that have not been defined within the Analysis Services database, in the same way that the Database Engine's ad hoc distributed queries (OPENROWSET and OPENDATASOURCE) reach systems not registered as linked servers. Access to unauthorized systems could lead to unauthorized activity in remote systems that could compromise the local database. | Responsibility: Database Administrator | IA Controls: DCFA-1
SV-25467r1_rule | DM6086-SQLServer9 | MEDIUM | Analysis Services Anonymous Connections should be disabled. | Anonymous connections allow unauthenticated access to the database. Although the database may not store sensitive application data, operation and data compromise may occur without accountability where unauthenticated access is allowed. | Responsibility: Database Administrator | IA Controls: IAIA-1, IAIA-2
SV-25469r1_rule | DM6088-SQLServer9 | MEDIUM | Analysis Services Links From Objects should be disabled if not required. | Analysis Services allows other server instances to link to local Analysis Services objects. Where not required, enabling this capability can unnecessarily expose the database objects to unauthorized access or compromise. | Responsibility: Database Administrator | IA Controls: DCFA-1
SV-25494r1_rule | DM6155-SQLServer9 | MEDIUM | Linked server providers should not allow ad hoc access. | Ad hoc access allows undefined access to remote systems. Access to remote systems should be controlled to prevent untrusted data from being executed on or uploaded to the local server. | Responsibility: Database Administrator | IA Controls: DCFA-1
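As an added example for DG0190 and DM6155 (not part of the STIG), the following T-SQL inventories the linked servers on the instance together with the login mappings SQL Server stores for them, then reads the per-provider DisallowAdHocAccess value that blocks OPENROWSET and OPENDATASOURCE through a given OLE DB provider. That value is a registry DWORD under the instance's Providers key, separate from the server-wide 'Ad Hoc Distributed Queries' option; xp_instance_regread and xp_instance_regwrite are undocumented extended procedures that resolve the instance's registry hive, and the provider name SQLNCLI and the linked server name LNK_HR are assumptions.

```sql
-- Added example, not from the STIG: linked servers, stored remote credentials
-- and provider-level ad hoc access.

-- 1. Every linked server and who may use it. A local_principal_id of 0 is the
--    wildcard mapping that applies to all local logins; a non-NULL remote_name
--    means SQL Server holds a remote password for that mapping (DG0190).
SELECT s.name                   AS linked_server,
       s.provider,
       s.data_source,
       s.is_data_access_enabled,
       s.is_rpc_out_enabled,
       CASE WHEN ll.local_principal_id = 0 THEN '<all logins>'
            ELSE sp.name END    AS local_login,
       ll.uses_self_credential, -- 1: pass the caller's own credentials through
       ll.remote_name           -- stored remote login used for this mapping
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS sp ON sp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- Remove a wildcard mapping so only explicitly mapped logins can use the link.
EXEC sp_droplinkedsrvlogin @rmtsrvname = N'LNK_HR', @locallogin = NULL;

-- 2. Provider-level ad hoc access (DM6155). Expect 1 for every provider that
--    is installed; NULL means the value was never set, i.e. ad hoc is allowed.
DECLARE @disallow int;
EXEC master.dbo.xp_instance_regread
    N'HKEY_LOCAL_MACHINE',
    N'SOFTWARE\Microsoft\MSSQLServer\Providers\SQLNCLI',
    N'DisallowAdHocAccess',
    @disallow OUTPUT;
SELECT 'SQLNCLI' AS provider, ISNULL(@disallow, 0) AS disallow_adhoc_access;

IF ISNULL(@disallow, 0) <> 1
    EXEC master.dbo.xp_instance_regwrite
        N'HKEY_LOCAL_MACHINE',
        N'SOFTWARE\Microsoft\MSSQLServer\Providers\SQLNCLI',
        N'DisallowAdHocAccess',
        REG_DWORD,
        1;
```

Repeat the registry check for each provider subkey present on the host (the Providers key lists them); a single provider left open is enough to reach an arbitrary remote data source once the server-wide option is enabled.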
SV-25471r1_rule | DM6101-SQLServer9 | HIGH | Analysis Services Required Protection Levels should be set to 1. | Sensitive data is vulnerable to unauthorized access when traversing untrusted network segments. Encryption of the data in transit helps protect the confidentiality of the data. | Responsibility: Database Administrator | IA Controls: ECCT-1, ECCT-2
SV-25473r1_rule | DM6103-SQLServer9 | MEDIUM | Analysis Services Security Package List should be disabled if not required. | Analysis Services Security Packages are security applications provided outside of the default Analysis Services installation. The packages may be provided by custom development or commercial third-party products used for client authentication. Use of untested or unverified security applications may introduce unknown vulnerabilities to the instance. Restrict use of non-default security packages to tested and trusted applications that meet DOD authentication requirements. | Responsibility: Information Assurance Officer | IA Controls: DCFA-1
SV-25476r1_rule | DM6108-SQLServer9 | MEDIUM | The Analysis Services server role should be restricted to authorized users. | The Analysis Services server role grants server-wide security privileges to the assigned user. An unauthorized user could compromise database and analysis server data and operational integrity or availability. | Responsibility: Information Assurance Officer | IA Controls: ECLP-1
SV-25477r1_rule | DM6109-SQLServer9 | MEDIUM | Only authorized accounts should be assigned to one or more Analysis Services database roles. | Unauthorized group membership assignment grants unauthorized privileges to database accounts. Unauthorized membership may lead to a compromise of data confidentiality or integrity. | Responsibility: Database Administrator | IA Controls: ECAN-1
SV-23859r1_rule | DM6145-SQLServer9 | MEDIUM | Only authorized SQL Server proxies should be assigned access to subsystems. | SQL Server subsystems define a set of functionality available for assignment to a SQL Server Agent proxy. These act as privileges to perform certain job tasks. Excess privilege assignment or subsystem assignment can lead to unauthorized access to the SQL Server instance or host operating system. | Documentable: true | Responsibility: Database Administrator | IA Controls: ECAN-1
SV-23858r1_rule | DM6140-SQLServer9 | MEDIUM | Dedicated accounts should be designated for SQL Server Agent proxies. | SQL Server Agent proxies are used to execute specific job functions defined for SQL Server Agent. If proxies share a single account for multiple job functions, least privilege cannot be assigned based on the particular job function. This can compromise the security of the shared functions should a compromise of a SQL Server Agent job occur. | Documentable: true | Responsibility: Database Administrator | IA Controls: ECAN-1
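As an added example for DM6045, DM6145 and DM6140 (not part of the STIG), the following T-SQL, run in msdb, produces the three lists an auditor needs for SQL Server Agent proxies: the Windows account each proxy runs as (showing whether several proxies share one credential), the logins and roles permitted to use each proxy, the subsystems (CmdExec, ActiveScripting, SSIS, replication agents and so on) each proxy is granted, and the job steps that actually use each proxy. sp_enum_login_for_proxy and sp_enum_proxy_for_subsystem are the documented enumeration procedures; the proxy, login and subsystem names in the remediation statements are assumed examples.

```sql
-- Added example, not from the STIG: SQL Server Agent proxy audit.
USE msdb;

-- 1. Proxies and the credential each runs as (DM6140). Two proxies with the
--    same credential_identity share an account and cannot be least-privileged
--    per job function.
SELECT p.proxy_id,
       p.name                  AS proxy_name,
       p.enabled,
       c.name                  AS credential_name,
       c.credential_identity   AS runs_as_windows_account,
       COUNT(*) OVER (PARTITION BY c.credential_id) AS proxies_sharing_account
FROM dbo.sysproxies AS p
JOIN sys.credentials AS c ON c.credential_id = p.credential_id
ORDER BY p.name;

-- 2. Who may use each proxy (DM6045): logins, fixed server roles and msdb roles.
EXEC dbo.sp_enum_login_for_proxy;

-- 3. Which subsystems each proxy may run (DM6145).
EXEC dbo.sp_enum_proxy_for_subsystem;

-- 4. Job steps bound to a proxy, so an unused proxy can be dropped outright.
SELECT j.name AS job_name, s.step_id, s.step_name, s.subsystem, p.name AS proxy_name
FROM dbo.sysjobsteps AS s
JOIN dbo.sysjobs     AS j ON j.job_id = s.job_id
LEFT JOIN dbo.sysproxies AS p ON p.proxy_id = s.proxy_id
WHERE s.proxy_id IS NOT NULL
ORDER BY j.name, s.step_id;

-- Remediation (assumed names): strip an unauthorized login and an unneeded
-- subsystem from a proxy, then remove a proxy nothing references.
EXEC dbo.sp_revoke_login_from_proxy   @name = N'DOMAIN\analyst1', @proxy_name = N'etl_proxy';
EXEC dbo.sp_revoke_proxy_from_subsystem @proxy_name = N'etl_proxy', @subsystem_name = N'CmdExec';
EXEC dbo.sp_delete_proxy @proxy_name = N'legacy_proxy';
```

Members of sysadmin never need a proxy (their steps run as the Agent service account), so a proxy granted to the sysadmin role or to a login that is already sysadmin is pure surface area and should be removed.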
SV-25488r1_rule | DM6130-SQLServer9 | MEDIUM | The Web Assistant procedures configuration option should be disabled if not required. | The Web Assistant procedures (sp_makewebtask and its companions) let database applications generate web pages as HTML files written by the SQL Server service account. This capability may be abused to write attacker-controlled content to the file system or to push malicious pages to remote users or systems. Disabling it removes that path from the database. | Responsibility: Database Administrator | IA Controls: DCFA-1
SV-25481r1_rule | DM6120-SQLServer9 | LOW | Reporting Services Web service requests and HTTP access should be disabled if not required. | Where not required, SOAP and URL access to the web service unnecessarily exposes the report server to attack via the SOAP and HTTP protocols. | Responsibility: Database Administrator | IA Controls: DCFA-1
SV-23959r1_rule | DM6150-SQLServer9 | MEDIUM | Cross database ownership chaining, if required, should be documented and authorized by the IAO. | Cross database ownership chaining allows permissions to objects to be assigned by users other than the Information Owner. This allows access to objects that are not authorized directly by the Information Owner based on job functions defined by the owner. Unauthorized access may lead to a compromise of data integrity or confidentiality. | Responsibility: Database Administrator | IA Controls: ECLP-1
SV-25487r1_rule | DM6123-SQLServer9 | LOW | Use of Common Language Runtime (CLR) objects should be disabled if not required. | The clr enabled option configures SQL Server to allow or disallow use of Common Language Runtime objects. CLR objects are managed code that integrates with the .NET Framework. This is a more secure method than extended stored procedures, although it still carries some risk. Where there is no requirement to execute external code, disabling CLR improves the overall security posture of the database. | Responsibility: Database Administrator | IA Controls: DCFA-1
SV-25486r1_rule | DM6122-SQLServer9 | MEDIUM | Reporting Services Windows Integrated Security should be disabled. | Use of Windows integrated security for report data sources may allow access through Reporting Services that bypasses security controls enforced at the database level. This may be restricted by requiring that all report data source connections use specific credentials to access report data sources. | Responsibility: Database Administrator | IA Controls: IAIA-1, IAIA-2
SV-25468r1_rule | DM6087-SQLServer9 | MEDIUM | Analysis Services Links to Objects should be disabled if not required. | Analysis Services may make connections to external SQL Server instances. In some cases this may be required for the intended operation; however, where not required, this may introduce unnecessary risk where unauthorized external links may be made. | Responsibility: Database Administrator | IA Controls: DCFA-1
SV-25485r1_rule | DM6121-SQLServer9 | LOW | Reporting Services scheduled events and report delivery should be disabled if not required. | Where not required, scheduled events and report delivery unnecessarily expose the report server to attack via Reporting Services event handling and report delivery. | Responsibility: Database Administrator | IA Controls: DCFA-1
SV-23856r1_rule | DM6126-SQLServer9 | MEDIUM | Only authorized XML Web Service endpoints should be configured on the server. | XML Web Service endpoints expose the database and its data to web service access. Where not carefully designed and implemented, web services can unnecessarily expose the database to additional exploit that compromises data confidentiality and integrity. Removing web service endpoints helps to protect the database from unauthorized web service access. | Documentable: true | Responsibility: Database Administrator | IA Controls: DCFA-1
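As an added example for DM6128 and DM6126 (not part of the STIG), the following T-SQL lists the Service Broker and SOAP (XML Web Service) endpoints on the instance with the attributes that decide how exposed each one is, then shows which logins hold CONNECT on them. The built-in T-SQL endpoints (TSQL Default TCP, Named Pipes, Shared Memory, VIA and the Dedicated Admin Connection) are excluded by type; everything returned must appear on the authorized list or be dropped. The endpoint name in the remediation statements is an assumed example.

```sql
-- Added example, not from the STIG: user-created Service Broker and SOAP endpoints.
SELECT e.endpoint_id,
       e.name,
       e.protocol_desc,                 -- HTTP for SOAP, TCP for Service Broker
       e.type_desc,                     -- SOAP or SERVICE_BROKER
       e.state_desc,                    -- STARTED endpoints are live now
       own.name                         AS owner_login,
       t.port                           AS tcp_port,
       h.url_path,
       h.is_clear_port_enabled,         -- 1: HTTP without TLS is accepted
       h.is_anonymous_enabled,          -- 1: unauthenticated SOAP calls accepted
       h.is_basic_auth_enabled,         -- 1: password sent Base64-encoded
       sb.connection_auth_desc,         -- WINDOWS vs CERTIFICATE (vs NONE)
       sb.encryption_algorithm_desc     -- NONE means cleartext broker traffic
FROM sys.endpoints AS e
LEFT JOIN sys.server_principals       AS own ON own.principal_id = e.principal_id
LEFT JOIN sys.tcp_endpoints            AS t   ON t.endpoint_id   = e.endpoint_id
LEFT JOIN sys.http_endpoints           AS h   ON h.endpoint_id   = e.endpoint_id
LEFT JOIN sys.service_broker_endpoints AS sb  ON sb.endpoint_id  = e.endpoint_id
WHERE e.type_desc IN ('SOAP', 'SERVICE_BROKER')
ORDER BY e.type_desc, e.name;

-- Who can connect to each endpoint. A grant to [public] opens the endpoint
-- to every login on the instance.
SELECT e.name              AS endpoint,
       pr.name             AS grantee,
       pe.permission_name,
       pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.endpoints         AS e  ON e.endpoint_id  = pe.major_id
JOIN sys.server_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class_desc = 'ENDPOINT'
ORDER BY e.name, pr.name;

-- Remediation for an unauthorized endpoint ([OrdersSoap] is an assumed name):
-- stop it first if an immediate drop would break a documented consumer,
-- otherwise drop it.
ALTER ENDPOINT [OrdersSoap] STATE = STOPPED;
DROP ENDPOINT [OrdersSoap];
```

For an endpoint that stays, a SOAP endpoint with is_anonymous_enabled = 1 or is_clear_port_enabled = 1, and a broker endpoint with encryption_algorithm_desc = 'NONE', are findings in their own right even though the endpoint itself is authorized.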
SV-25500r1_rule | DM6198-SQLServer9 | MEDIUM | The Agent XPs option should be set to disabled if not required. | The Agent XPs are extended stored procedures used by the SQL Server Agent that provide privileged actions that run externally to the DBMS under the security context of the SQL Server Agent service account. If these procedures are available from a database session, an exploit of the SQL Server instance could result in a compromise of the host system and external SQL Server resources. Access to these procedures should be disabled unless use of SQL Server Agent is required and authorized. | Responsibility: Database Administrator | IA Controls: DCFA-1
SV-25501r1_rule | DM6199-SQLServer9 | MEDIUM | The SMO and DMO XPs option should be set to disabled if not required. | The SMO and DMO XPs are management object extended stored procedures that provide highly privileged actions that run externally to the DBMS under the security context of the SQL Server service account. If these procedures are available from a database session, an exploit of the SQL Server instance could result in a compromise of the host system and external SQL Server resources including the SQL Server software, audit, log and data files. Access to these procedures should be disabled unless a clear requirement for their use is indicated and authorized. | Responsibility: Database Administrator | IA Controls: DCFA-1
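As an added example for DM6160, DM6130, DM6150, DM6123, DM6198 and DM6199 (not part of the STIG), the following T-SQL audits the surface-area options those rules name in one pass through sys.configurations and then sets them. Two details matter for the check: compare value_in_use, because a value changed with sp_configure but never followed by RECONFIGURE has not taken effect; and do not switch 'Agent XPs' off on an instance where SQL Server Agent is required, because the Agent service enables it at startup and its jobs depend on it. Ownership chaining has a per-database flag as well as the server option, so sys.databases is checked too; the database name in the last statement is an assumed example.

```sql
-- Added example, not from the STIG: surface-area options named by the rules
-- above. Expected value_in_use is 0 for every row.
SELECT name, value, value_in_use, is_advanced
FROM sys.configurations
WHERE name IN ('Ad Hoc Distributed Queries',   -- DM6160
               'Web Assistant Procedures',     -- DM6130 (SQL Server 2005 only)
               'cross db ownership chaining',  -- DM6150 (server-wide switch)
               'clr enabled',                  -- DM6123
               'Agent XPs',                    -- DM6198
               'SMO and DMO XPs')              -- DM6199 (SQL Server 2005 only)
ORDER BY name;

-- Per-database ownership chaining (DM6150). master, msdb and tempdb have it
-- on by default; any user database listed here needs IAO authorization.
SELECT name, is_db_chaining_on
FROM sys.databases
WHERE is_db_chaining_on = 1
  AND name NOT IN ('master', 'msdb', 'tempdb');

-- Remediation. Most of these are advanced options, so expose them first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
EXEC sp_configure 'Web Assistant Procedures', 0;
EXEC sp_configure 'cross db ownership chaining', 0;
EXEC sp_configure 'clr enabled', 0;
EXEC sp_configure 'SMO and DMO XPs', 0;
-- Only where SQL Server Agent is not required and not running:
-- EXEC sp_configure 'Agent XPs', 0;
RECONFIGURE;

EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

ALTER DATABASE [Sales] SET DB_CHAINING OFF;   -- [Sales] is an assumed name

-- Re-check: no row should differ from 0 except a documented 'Agent XPs'.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('Ad Hoc Distributed Queries', 'Web Assistant Procedures',
               'cross db ownership chaining', 'clr enabled', 'Agent XPs',
               'SMO and DMO XPs')
  AND value_in_use <> 0;
```

Disabling 'clr enabled' does not drop registered assemblies; modules that depend on them start failing with an error at call time, so inventory sys.assemblies in each database before the change rather than after.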
SV-24070r1_rule | DG0009-SQLServer9 | MEDIUM | Access to DBMS software files and directories should not be granted to unauthorized users. | The DBMS software libraries contain the executables used by the DBMS to operate. Unauthorized access to the libraries can result in malicious alteration or planting of operational executables. This may in turn jeopardize data stored in the DBMS and/or operation of the host system. | Responsibility: Database Administrator | IA Controls: DCSL-1
SV-24129r1_rule | DG0014-SQLServer9 | MEDIUM | Default demonstration and sample database objects and applications should be removed. | Demonstration and sample database objects and applications present publicly known attack points for malicious users. These demonstration and sample objects are meant to provide simple examples of coding specific functions and are not developed to prevent vulnerabilities from being introduced to the DBMS and host system. | Responsibility: Database Administrator | IA Controls: DCFA-1
SV-24074r1_rule | DG0025-SQLServer9 | MEDIUM | DBMS should use NIST FIPS 140-2 validated cryptography. | Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS 140-2 cryptographic standards provide proven methods and strengths to employ cryptography effectively. | Documentable: true | Responsibility: Database Administrator; Information Assurance Officer | IA Controls: DCNR-1
SV-24183r1_rule | DG0054-SQLServer9 | LOW | The audit logs should be periodically monitored to discover DBMS access using unauthorized applications. | Regular and timely reviews of audit records increase the likelihood of early discovery of suspicious activity. Discovery of suspicious behavior can in turn trigger protection responses to minimize or eliminate a negative impact from malicious activity. Use of unauthorized applications to access the DBMS may indicate an attempt to bypass security controls, including authentication and data access or manipulation controls implemented by authorized applications. | Responsibility: Information Assurance Officer | IA Controls: ECAT-1, ECAT-2
SV-24222r1_rule | DG0072-SQLServer9 | MEDIUM | Database password changes by users should be limited to one change within 24 hours where supported by the DBMS. | Frequent password changes may indicate suspicious activity or attempts to bypass password controls based on password histories. Limiting the frequency of password changes helps to enforce password change rules and can lead to the discovery of compromised accounts. | Responsibility: Database Administrator | IA Controls: IAIA-1, IAIA-2
SV-24230r1_rule | DG0078-SQLServer9 | MEDIUM | Each database user, application or process should have an individually assigned account. | Use of accounts shared by multiple users, applications, or processes limits the accountability for actions taken in or on the data or database. Individual accounts provide an opportunity to limit database authorizations to those required for the job function assigned to each individual account. | Responsibility: Database Administrator | IA Controls: IAIA-1, IAIA-2
SV-20971r1_rule DG0084-SQLServer9 LOW The DBMS should be configured to clear residual data from memory, data objects or files, or other storage locations. Database storage locations may be reassigned to different objects during normal operations. If not cleared of residual data, sensitive data may be exposed to unauthorized access.Database AdministratorECRC-1
SV-24236r1_rule DG0085-SQLServer9 MEDIUM DBA accounts should not be assigned excessive or unauthorized role privileges. The default DBA privileges typically include all privileges defined for a DBMS. These privileges are required to configure the DBMS and to provide other users access to DBMS objects. However, DBAs may not require access to application data or other privileges to administer the DBMS. Where not required or desired, DBAs may be prevented from accessing protected data for which they have no need-to-know or from utilizing unauthorized privileges for other actions. Although DBAs may assign themselves privileges to override any restrictions, the assignment of privileges is an audit requirement and this auditable event may assist discovery of a misuse of privileges.Database AdministratorInformation Assurance OfficerECLP-1
SV-21481r1_rule DG0087-SQLServer9 LOW Sensitive data should be labeled. The sensitivity marking or labeling of data items promotes the correct handling and protection of the data. Without such notification, the user may unwittingly disclose sensitive data to unauthorized users.Database AdministratorECML-1
SV-24256r1_rule DG0098-SQLServer9 MEDIUM Access to external objects should be disabled if not required and authorized. Objects defined within the database, but stored externally to the database are accessible based on authorizations defined by the local operating system or other remote system that may be under separate security authority. Access to external objects may thus be uncontrolled or not based on least privileges defined for each user job function. This in turn may provide unauthorized access to the external objects.Database AdministratorDCFA-1
SV-24096r1_rule DG0099-SQLServer9 MEDIUM Access to external DBMS executables should be disabled or restricted. DBMSs may spawn additional external processes to execute procedures that are defined in the DBMS, but stored in external host files (external procedures). The spawned process used to execute the external procedure may operate within a different OS security context than the DBMS and provide unauthorized access to the host system. Documentable: true. Responsibility: Database Administrator. IA Controls: DCFA-1
SV-24258r1_rule DG0100-SQLServer9 MEDIUM Replication accounts should not be granted DBA privileges. Replication accounts may be used to access databases defined for the replication architecture. An exploit of replication on one database could lead to the compromise of any database participating in the replication that uses the same account name and credentials. If the replication account is compromised and it has DBA privileges, the database is at additional risk of unauthorized or malicious action. Responsibility: Database Administrator. IA Controls: DCFA-1
SV-24260r1_rule DG0101-SQLServer9 MEDIUM OS accounts used to execute external procedures should be assigned minimum privileges. External applications spawned by the DBMS process may be executed under OS accounts assigned unnecessary privileges that can lead to unauthorized access to OS resources. Unauthorized access to OS resources can lead to the compromise of the OS, the DBMS, and any other service provided by the host platform. Responsibility: Database Administrator. IA Controls: DCFA-1
SV-24267r1_rule DG0104-SQLServer9 LOW DBMS service identification should be unique and clearly identify the service. Local or network services that do not employ unique or clearly identifiable targets can lead to inadvertent or unauthorized connections. Responsibility: Database Administrator. IA Controls: DCFA-1
SV-24294r1_rule DG0115-SQLServer9 MEDIUM Recovery procedures and technical system features exist to ensure that recovery is done in a secure and verifiable manner. A DBMS may be vulnerable to use of compromised data or other critical files during recovery. Use of compromised files could introduce maliciously altered application code, relaxed security settings or loss of data integrity. Where available, DBMS mechanisms to ensure use of only trusted files can help protect the database from this type of compromise during DBMS recovery. Responsibility: Database Administrator. IA Controls: COTR-1
SV-24102r1_rule DG0116-SQLServer9 MEDIUM Database privileged role assignments should be restricted to IAO-authorized DBMS accounts. Roles assigned privileges to perform DDL and/or system configuration actions in the database can lead to compromise of any data in the database as well as operation of the DBMS itself. Restrict assignment of privileged roles to authorized personnel and database accounts to help prevent unauthorized activity. Documentable: true. Responsibility: Information Assurance Officer. IA Controls: ECLP-1
SV-24298r1_rule DG0117-SQLServer9 MEDIUM Administrative privileges should be assigned to database accounts via database roles. Privileges granted outside the role of the administrative user job function are more likely to go unmanaged or without oversight for authorization. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of administrative user privilege assignments and helps to protect against unauthorized privilege assignment. Responsibility: Information Assurance Officer. IA Controls: ECPA-1
SV-24309r1_rule DG0123-SQLServer9 MEDIUM Access to DBMS system tables and other configuration or metadata should be restricted to DBAs. Administrative data includes DBMS metadata and other configuration and management data. Unauthorized access to this data could result in unauthorized changes to database objects, access controls, or DBMS configuration. Responsibility: Database Administrator. IA Controls: ECAN-1
SV-24312r1_rule DG0124-SQLServer9 MEDIUM Use of DBA accounts should be restricted to administrative activities. Use of privileged accounts for non-administrative purposes puts data at risk of unintended or unauthorized loss, modification or exposure. In particular, DBA accounts, if used for non-administrative application development or application maintenance, can lead to misassignment of privileges where privileges are inherited by object owners. It may also lead to loss or compromise of application data where the elevated privileges bypass controls designed in and provided by applications. Responsibility: Information Assurance Officer. IA Controls: ECLP-1
SV-24314r1_rule DG0127-SQLServer9 MEDIUM DBMS account passwords should not be set to easily guessed words or values. DBMS account passwords set to common dictionary words or values render accounts vulnerable to password guessing attacks and unauthorized access. Responsibility: Database Administrator. IA Controls: IAIA-1, IAIA-2
SV-24108r1_rule DG0128-SQLServer9 HIGH DBMS default accounts should be assigned custom passwords. DBMS default passwords provide a commonly known and exploited means for unauthorized access to database installations. Severity override guidance: If identified accounts show an account status of LOCKED and the password is set to EXPIRED, this is a Finding, but downgrade the severity Category Code to II. Responsibility: Database Administrator. IA Controls: IAIA-1, IAIA-2
SV-29118r1_rule DG0129-SQLServer9 HIGH Passwords should be encrypted when transmitted across the network. DBMS passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database. Responsibility: Database Administrator. IA Controls: IAIA-1, IAIA-2
SV-24320r1_rule DG0130-SQLServer9 MEDIUM DBMS passwords should not be stored in compiled, encoded or encrypted batch jobs or compiled, encoded or encrypted application source code. The storage of passwords in application source or batch job code that is compiled, encoded or encrypted prevents compliance with password expiration and other management requirements, and provides another means for potential discovery. Responsibility: Database Administrator, Information Assurance Officer. IA Controls: IAIA-1, IAIA-2
SV-21454r1_rule DG0131-SQLServer9 LOW DBMS default account names should be changed. Well-known DBMS account names are targeted most frequently by attackers and are thus more prone to providing unauthorized access to the database. Responsibility: Database Administrator. IA Controls: IAIA-1, IAIA-2
SV-24322r1_rule DG0133-SQLServer9 MEDIUM Unlimited account lock times should be specified for locked accounts. When no limit is imposed on failed logon attempts and accounts are not disabled after a set number of failed access attempts, the DBMS account is vulnerable to sustained attack. When access attempts may continue unrestricted, the likelihood of success is increased. A successful attempt results in unauthorized access to the database. Responsibility: Database Administrator. IA Controls: ECLO-1, ECLO-2
SV-25371r1_rule DG0140-SQLServer9 MEDIUM Access to DBMS security should be audited. DBMS security data is useful to malicious users to perpetrate activities that compromise DBMS operations or data integrity. Auditing of access to this data supports forensic and accountability investigations. Responsibility: Database Administrator. IA Controls: ECAR-1, ECAR-2, ECAR-3
SV-25374r1_rule DG0141-SQLServer9 MEDIUM Attempts to bypass access controls should be audited. Detection of suspicious activity, including access attempts and successful access from unexpected places, during unexpected times, or other unusual indicators, can support decisions to apply countermeasures to deter an attack. Without detection, malicious activity may proceed unimpeded. Responsibility: Database Administrator. IA Controls: ECAR-2, ECAR-3
SV-21458r1_rule DG0142-SQLServer9 MEDIUM Changes to configuration options should be audited. The default audit trace provides a log of activity and changes primarily related to DBMS configuration options. The default audit trace option does not provide adequate auditing and should be disabled. Responsibility: Database Administrator. IA Controls: ECAR-3
SV-24109r1_rule DG0145-SQLServer9 MEDIUM Audit records should contain required information. Complete forensically valuable data may be unavailable or accountability may be jeopardized when audit records do not contain sufficient information. Responsibility: Database Administrator. IA Controls: ECAR-1, ECAR-2, ECAR-3
SV-21459r1_rule DG0151-SQLServer9 MEDIUM Access to the DBMS should be restricted to static, default network ports. Use of static, default ports helps management of enterprise network device security controls. Use of non-default ports makes it more difficult to track and block published vulnerabilities in services and protocols, and may result in the exposure of the database to unintended network segments and users. Responsibility: Database Administrator. IA Controls: DCPP-1
SV-25382r1_rule DG0155-SQLServer9 MEDIUM The DBMS should have configured all applicable settings to use trusted files, functions, features, or other components during startup, shutdown, aborts, or other unplanned interruptions. The DBMS opens data files and reads configuration files at system startup, system shutdown and during abort recovery efforts. If the DBMS does not verify the trustworthiness of these files, it is vulnerable to malicious alterations of its configuration or unauthorized replacement of data. Responsibility: Database Administrator, Information Assurance Officer. IA Controls: DCSS-1, DCSS-2
SV-25387r1_rule DG0157-SQLServer9 MEDIUM Remote DBMS administration is not authorized and is not disabled. Remote administration may expose configuration and sensitive data to unauthorized viewing during transit across the network or allow unauthorized administrative access to the DBMS to remote users. Responsibility: Database Administrator. IA Controls: EBRP-1
SV-25389r1_rule DG0158-SQLServer9 MEDIUM DBMS remote administration should be audited. When remote administration is available, the vulnerability to attack for administrative access is increased. An audit of remote administrative access provides additional means to discover suspicious activity and to provide accountability for administrative actions completed by remote users. Responsibility: Database Administrator. IA Controls: EBRP-1
SV-25398r1_rule DG0171-SQLServer9 MEDIUM The DBMS should not have a connection defined to access or be accessed by a DBMS at a different classification level. Applications that access databases, and databases connecting to remote databases, that differ in their assigned classification levels may expose sensitive data to unauthorized clients. Any interconnections between databases, or between applications and databases, differing in classification levels are required to comply with interface control rules. Responsibility: Database Administrator. IA Controls: ECIC-1
SV-25405r1_rule DG0179-SQLServer9 MEDIUM The DBMS warning banner does not meet DoD policy requirements. Without sufficient warning of monitoring and access restrictions of a system, legal prosecution to assign responsibility for unauthorized or malicious access may not succeed. A warning message provides legal support for such prosecution. Access to the DBMS, or to the applications used to access the DBMS, requires this warning to help assign responsibility for database activities. A warning banner displayed as a function of an Operating System or application login for applications that use the database makes this check Not Applicable. Responsibility: Database Administrator. IA Controls: ECWM-1
SV-25415r1_rule DG0198-SQLServer9 MEDIUM Remote administration of the DBMS should be restricted to known, dedicated and encrypted network addresses and ports. Remote administration provides many conveniences that can assist in the maintenance of the designed security posture of the DBMS. On the other hand, remote administration of the database also provides malicious users the ability to access a highly privileged function from the network. Remote administration needs to be carefully considered and used only when sufficient protections against its abuse can be applied. Encryption and dedication of ports to access remote administration functions can help prevent unauthorized access to it. Responsibility: Database Administrator. IA Controls: EBRP-1