Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Ask the DBA to describe/demonstrate any software modification detection procedures in place and request documents of these procedures to review. If procedures exist that include review of the database software directories and database application directories, this is Not a Finding. Verify by reviewing reports for inclusion of the DBMS executable and configuration files: Sample Questions: What procedures/software do you have in place to detect unauthorized modification to application files? Are the database application software files including both the SQL Server and third party files scanned for modification? Do you scan for modifications to the configuration files?
Establish and implement procedures to monitor any changes made to the database software. Identify all database files and directories to be included in the host system or database backups and provide these to the person responsible for backups. For Windows systems, use the dir /s > filename.txt run weekly to store and compare file modification/creation dates and file sizes using the DOS fc command. This is not as comprehensive as some tools available, but may be enhanced by also checking checksum or file hashes.
Review procedures for controlling and granting access to use of the DBMS software installation account. If access or use of this account is not restricted to the minimum number of personnel required or unauthorized access to the account has been granted, this is a Finding.
Develop and implement procedures to restrict use and require logging of use of the DBMS software installation account. Document authorized personnel and assignments in the System Security Plan.
Review monitoring procedures and implementation evidence to verify that monitoring of changes to database software libraries, related applications and configuration files is done. Verify that the list of files and directories being monitored is complete. If monitoring does not occur or is not complete, this is a Finding.
Develop, document and implement procedures to monitor for unauthorized changes to DBMS software libraries, related software application libraries and configuration files. If a third-party automated tool is not employed, an automated job that reports file information on the directories and files of interest and compares them to the baseline report for the same will meet this requirement. File hashes or checksums should be used for comparisons as file dates may be manipulated by malicious users.
Review a list of database usernames against those listed in the System Security Plan or authorized user list. From the query prompt: SELECT name FROM [master].sys.server_principals WHERE type IN ('S', 'U') AND sid <> 0x01 ORDER BY name Consult the IAO or DBA to make a final determination on whether accounts listed are shared accounts. If shared accounts are not documented and approved as shared accounts, this is a Finding.
Use accounts assigned to individual users where feasible. Design applications to provide individual accountability (audit logs) for actions performed under a single database account. Implement other DBMS automated procedures that provide individual accountability. Where appropriate, implement manual procedures to use manual logs and monitor entries against account usage to ensure procedures are followed.
From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'c2 audit mode' If 1 is returned as the value for Config_Value, this is Not a Finding If the value 0 is returned for Config_Value, confirm that a valid audit trace is configured and implemented. See checks DG0029, DG0145 and DM5267. If there is not a valid audit trace, this is a Finding.
Configure and enable C2 auditing or confirm valid audit traces are set per checks DG0029, DG0145 and DM5267. Note: Setting the C2 audit mode enables auditing of more events than required by the STIG and may generate too many records to manage effectively. From the query prompt: EXEC SP_CONFIGURE 'c2 audit mode', 1 RECONFIGURE To create a custom audit, see instructions in check DG0145.
From the query prompt: EXEC SP_HELPSRVROLEMEMBER 'bulkadmin' EXEC SP_HELPSRVROLEMEMBER 'dbcreator' EXEC SP_HELPSRVROLEMEMBER 'diskadmin' EXEC SP_HELPSRVROLEMEMBER 'processadmin' EXEC SP_HELPSRVROLEMEMBER 'securityadmin' EXEC SP_HELPSRVROLEMEMBER 'serveradmin' EXEC SP_HELPSRVROLEMEMBER 'setupadmin' EXEC SP_HELPSRVROLEMEMBER 'sysadmin' Verify authorization of each member listed in the System Security Plan. If any members are not authorized, this is a Finding.
Remove fixed server role assignments from unauthorized users. Grant fixed roles to authorized personnel only. Remove unauthorized accounts from assigned roles. From the query prompt: EXEC SP_DROPSRVROLEMEMBER '[account name]', '[fixed server role name]' Replace [account name] with the name of the account and [fixed server role name] with the name of the fixed server role.
From the query prompt: SELECT RTRIM(CONVERT(CHAR(20), SERVERPROPERTY('instancename'))) If the instance name contains the SQL Server version number, this is a Finding.
Do not use version number references in instance names. The instance name cannot be changed on an existing instance. A new instance can be created with a compliant name and the databases moved.
From the query prompt: SELECT u.name FROM [master].dbo.sysobjects o, [master].dbo.sysusers u, [master].dbo.sysprotects p WHERE p.uid = u.uid AND p.id = o.id AND o.name = 'xp_cmdshell' ORDER BY u.name If any accounts are returned, ensure the IAO has documented in the System Security Plan allowing its use. If there is no documentation or use is not authorized, this is a Finding. If any non-DBA accounts are listed, this is a Finding. From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'xp_cmdshell' If a value of 0 is returned for Config_Value, this is Not a Finding. If a value of 1 is returned for Config_Value, confirm in the System Security Plan that this option is documented, required and approved by the IAO. If it is not documented, required and approved, this is a Finding.
Authorize and document requirements for use of the xp_cmdshell option in the System Security Plan and AIS Functional Architecture documentation. Where not authorized, disable or restrict its use. From the query prompt: USE master REVOKE EXECUTE ON xp_cmdshell FROM [user] Replace 'user' with the user account name. From the query prompt: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'xp_cmdshell', 0 RECONFIGURE
From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'scan for startup procs' If a value of 1 is returned for Config_Value and a custom audit trace is NOT in use (see Check DG0145: DBMS audit record content), this is a Finding. NOTE: Use of the sp_procoption to mark or unmark automatically run stored procedures will enable this option automatically. If operationally required, document this option as required in the System Security Plan.
Enable the ‘scan for startup procs’ configuration option if a custom audit trace is in use (see Check DG0145: DBMS audit record content) or if operationally required and documented in the System Security Plan: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'scan for startup procs', 1 RECONFIGURE Otherwise, disable its use: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'scan for startup procs', 0 RECONFIGURE
From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'ole automation procedures' If a value of 0 is returned for Config_Value, this is Not a Finding. If a value of 1 is returned for Config_Value, verify with the IAO and the System Security Plan that OLE Automation Procedures as listed are required. If they are not, this is a Finding. If OLE Automation Procedures are documented and authorized by the IAO, check which users have access. From the query prompt: SELECT USER_NAME(p.grantee_principal_id) 'User', o.name 'Object', p.permission_name 'Perm' FROM [master].sys.system_objects o, [master].sys.database_permissions p WHERE o.object_id = p.major_id AND o.name like 'sp_OA%' ORDER BY USER_NAME(p.grantee_principal_id), o.name, p.permission_name If non-DBA users are granted access, verify with the IAO and the System Security Plan allowing the specific users listed as valid users of these procedures. If there is no documentation or IAO authorization, this is a Finding.
Disable OLE extended stored procedures where no needed or restrict access to SYSADMINs and authorized roles. Disable OLE extended stored procedures: From the query prompt: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'OLE Automation Procedures', 0 RECONFIGURE Note: SQL Server 2005 does not drop system extended stored procedures. Microsoft recommends denying EXEC permissions instead.
From the query prompt: SELECT u.name AS [Principal], o.name AS [Extended Stored Procedure], u.type_desc AS [Type] FROM [master].sys.system_objects o JOIN [master].sys.database_permissions p ON o.object_id = p.major_id JOIN [master].sys.database_principals u ON p.grantee_principal_id = u.principal_id WHERE ( o.name LIKE 'xp_reg%' OR o.name LIKE 'xp_instance_reg%') AND p.type = 'EX' ORDER BY o.name, u.name If no results are displayed, this is Not a Finding. If non-DBA Principals are granted access (as listed in the query results), verify with the IAO and the System Security Plan allowing the specific Principals listed as valid users of these procedures. If there is no documentation or IAO authorization, this is a Finding. If permissions are assigned to Principal PUBLIC, this is a Finding. Note: By default, the public role is granted execute access to xp_regread. If this access is required, transfer the privilege assignment to an authorized custom database role.
Restrict access of Registry extended stored procedures to SYSADMINs and authorized roles as documented in the System Security Plan and authorized by the IAO. Note: SQL Server 2005 and later does not drop system extended stored procedures. Microsoft recommends denying EXEC permissions instead. Restrict and/or remove access to Registry extended stored procedures where not authorized: From the SQL Server Management Studio GUI: 1. Connect/expand SQL Server 2. Expand Databases 3. Expand System databases 4. Expand Master 5. Expand Programmability 6. Expand Extended Stored Procedures 7. Expand System Extended Stored Procedures 8. Locate and select each of the Registry extended stored procedures listed in the Check section 9. Right click on the extended stored procedure 10. Select Properties 11. Click on the Permissions page 12. Select each user or role and deselect the Grant (and With Grant if checked) permissions from all users, database roles and public except from SYSADMINs and authorized roles when permitted 13. Click OK Document access grants and restrictions in the System Security Plan and authorize with the IAO.
From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'remote access' If a value of 1 is returned for Config_Value, remote access is enabled. If the use of linked servers is not documented and authorized in the System Security Plan and AIS Functional Architecture documentation, this is a Finding. If the use of linked servers is not approved by the IAO, this is a Finding. Note: See check DG0190 for authorized linked servers. If remote access is not documented in the System Security Plan and AIS Functional Architecture documentation regardless of authorization or use, this is a Finding.
Document remote access in the System Security Plan and AIS Functional Architecture documentation. If required and authorized, document the requirement and authorization in the System Security Plan and AIS Functional Architecture documentation. To enable remote access: From the query prompt: EXEC SP_CONFIGURE 'remote access', 1 RECONFIGURE If not required, disable remote access and document the requirement and authorization in the System Security Plan and AIS Functional Architecture documentation. To disable remote access: From the query prompt: EXEC SP_CONFIGURE 'remote access', 0 RECONFIGURE Follow procedures documented on Microsoft's website on how to configure a remote server setup. http://support.microsoft.com/kb/914277
From the query prompt: EXEC XP_LOGINCONFIG 'login mode' If a value of 'Windows Authentication' is returned for config_value, this is Not a Finding. If a value of 'Mixed' is returned for config_value, confirm in the System Security Plan that SQL Server authentication is required and authorized. If it is not, this is a Finding. Note: SQL Server authentication and the use of passwords are dependent on password management configured on the host platform. Sufficient password management is available only in SQL Server 2005 on Windows 2003 or later. Password authentication is discouraged and only authorized where Windows authentication is not possible. Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079.
Configure the instance to accept Windows authentication. From the query prompt: EXEC XP_LOGINCONFIG 'login mode', 1 If SQL Server authentication is required and authorized, document the requirement with a justification in the System Security Plan. Configure the instance to accept SQL Server authentication. From the query prompt: EXEC XP_LOGINCONFIG 'login mode', 2
From the query prompt: USE msdb EXEC SP_ENUM_PROXY_FOR_SUBSYSTEM @subsystem_name = 'ActiveScripting' EXEC SP_ENUM_PROXY_FOR_SUBSYSTEM @subsystem_name = 'CmdExec' If no records are returned, this is Not a Finding. For each proxy listed: EXEC SP_ENUM_LOGIN_FOR_PROXY @proxy_name = '[proxy name]' Replace [proxy name] with the proxy names returned above. Review the names listed in the return. If any names include users that are not SYSADMINs or list groups that contain members other than SYSADMIN, this is a Finding.
Members of the SYSADMIN role have access to all proxies by default. For any proxies defined for Active Scripting or CmdExec subsystems, remove all additional access privileges. Select based on returns from the SP_ENUM_PROXY_SUBSYSTEM results: From the query prompt: EXEC SP_REVOKE_LOGIN_FROM_PROXY '[login name]' @proxy_name = 'ActiveScripting' EXEC SP_REVOKE_LOGIN_FROM_PROXY '[login name]' @proxy_name = 'CmdExec' Replace [login name] with the name returned in the SP_ENUM_PROXY_FOR_SUBSYSTEM procedure.
If C2 Auditing is enabled (See Check DM0510: C2 audit mode), this check is Not a Finding. Determine the SQL Server Edition: From the query prompt: SELECT CONVERT(INT, SERVERPROPERTY('EngineEdition')) If value returned is 1 (Personal or Desktop Edition) or 4 (Express Edition), if auditing is not enabled or not configured completely to requirements, review the System Security Plan. If this is properly explained in the System Security Plan, this is Not a Finding. If this is not documented or documented poorly in the System Security Plan, this is a Finding. If value returned is 2 (Standard Edition) or 3 (Enterprise/Developer Edition), these findings apply. Determine if trace file rollover is enabled. From the query prompt: SELECT traceid 'TraceID' FROM ::FN_TRACE_GETINFO('0') WHERE property = 1 AND value = 2 If no trace is returned, this is a Finding. If the trace returned for Check DG0145 is not returned above, this is a Finding.
Re-create the trace and specify TRACE_FILE_ROLLOVER (option = 2) added to SHUTDOWN_ON_ERROR (option > 4). From the query prompt: EXEC SP_TRACE_CREATE [ @traceid = ] trace_id OUTPUT , [ @options = ] option_value , [ @tracefile = ] 'trace_file' [ , [ @maxfilesize = ] max_file_size ] [ , [ @stoptime = ] 'stop_time' ] [ , [ @filecount = ] 'max_rollover_files' ]
Review and verify the implementation of an audit trail retention policy. Verify that audit data is maintained for a minimum of one year. If audit data is not maintained for a minimum of one year, this is a Finding.
Develop, document and implement an audit retention policy and procedures. It is recommended that the most recent thirty days of audit logs remain available online. After thirty days, the audit logs may be maintained offline. Online maintenance provides for a more timely capability and inclination to investigate suspicious activity.
Review procedures for ensuring authorization of new or re-assigned DBMS user accounts. Requests for user account access to the DBMS should include documented approval by an authorized requestor. Procedures should also include notification for a change in status, particularly cause for revocation of account access, to any DBMS accounts. Review the user accounts listed either in the script report or manually against the authorized user list. From the query prompt: SELECT name FROM sys.server_principals WHERE type IN ('S', 'U') AND principal_id <> 1 ORDER BY name If procedures for DBMS user account authorization are incomplete or not implemented, this is a Finding. If any accounts listed are not clearly authorized, this is a Finding.
Develop, document and implement procedures for authorizing creation and changes to user accounts. Monitor user accounts to verify that they remain authorized. Drop user accounts that are no longer authorized.
Determine the SQL Server Edition: From the query prompt: SELECT CONVERT(INT, SERVERPROPERTY('EngineEdition')) If value returned is 1 (Personal or Desktop Edition) or 4 (Express Edition), this check is Not Applicable. From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'sql mail xps' If the value of Config_Value is 0, this is Not a Finding. If the value of Config_Value is 1, then confirm in the System Security Plan that email message traffic is required by the database applications. If it is not documented, and required this is a Finding. From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'database mail xps' If the value of Config_Value is 0, this is Not a Finding. If the value of Config_Value is 1, then confirm in the System Security Plan that email message traffic is required by the database applications. If it is not documented, and required this is a Finding.
Ensure you properly document SQL Mail, SQL Mail XPs and Database Mail XPs configurations regardless of authorization or use in the System Security Plan. If not approved by the IAO and authorized for use, disable SQL Mail, SQL Mail XPs and Database Mail XPs. From the query prompt: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'SQL Mail XPs', 0 RECONFIGURE From the query prompt: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'Database Mail XPs', 0 RECONFIGURE
Determine the SQL Server Edition: From the query prompt: SELECT CONVERT(INT, SERVERPROPERTY('EngineEdition')) If value returned is 1 (Personal or Desktop Edition) or 4 (Express Edition), this check is Not Applicable. From the SQL Server Management Studio GUI: 1. Right click on SQL Server Agent 2. Select Properties 3. Select Alert System If the box next to "Enable mail profile" is checked, documentation for this function should exist with the IAO in the System Security Plan and AIS Functional Architecture documentation. If this function is not documented, this is a Finding.
Ensure you properly document Agent Email Alert configurations regardless of authorization or use in the System Security Plan. Where not required and authorized for use, disable Email notification for SQL Server Agent.
Interview the IAO and review documentation to determine if a configuration management (CM) process is implemented for the DBMS system that includes requirements for: (1) Formally documented CM roles, responsibilities, and procedures to include the management of IA information and documentation; (2) A configuration control board that implements procedures to ensure a security review and approval of all proposed DoD information system changes, to include interconnections to other DoD information systems; (3) A testing process to verify proposed configuration changes prior to implementation in the operational environment; and (4) A verification process to provide additional assurance that the CM process is working effectively and that changes outside the CM process are technically or procedurally not permitted. If documented evidence for procedures or processes outlined above are not present or are incomplete, this is a Finding.
Develop, document and implement configuration management procedures or processes. Ensure the 4 major requirements listed in the check are documented at a minimum. Assign responsibilities for oversight and approval for any and all changes made to DBMS software and configuration.
Review the list of components or optional features installed with the database. This may be most clearly displayed using the DBMS product installation tool, but may require review of the product installation documentation. If no optional features or components are installed, this is Not a Finding. If optional components or features are installed, then review the System Security Plan to verify that they are documented and authorized. If any are not documented and authorized, this is a Finding.
Review the list of optional features or components available for the DBMS product. If any are required for operation of applications that will be accessing the DBMS, then include them in the application design specification and list them in the System Security Plan. If any are not, but have been installed, then uninstall them and remove any database objects and applications that are installed to support them.
Review the System Security Plan and interview the DBA and IAO to determine if the DBMS host contains production and non-production DBMS installations. If the DBMS host contains both production and non-production DBMS installations or the production DBMS installation is being used for non-production efforts, determine if this allowance is documented in the System Security Plan and authorized by the IAO. If not documented and authorized, this is a Finding. NOTE: Though shared production/non-production DBMS installations was allowed under previous database STIG guidance, doing so may place it in violation of OS, Application, Network or Enclave STIG guidance. Ensure that any shared production/non-production DBMS installations meets STIG guidance requirements at all levels or mitigate any conflicts in STIG guidance with your DAA.
Recommend establishing a dedicated DBMS host for production DBMS installations (See Checks DG0109 and DG0110). A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine where supported by the DBMS vendor.
Review the ownership of all DBMS and dependent application software and configuration files. If the owner is other than the software installation account or the designated owner account for the file, this is a Finding. Some configuration and log files may be owned by a service or process account. Ownership of these files should be recorded and verified accordingly.
Assign DBMS file and directory ownership to the software installation and maintenance account. Use the software owner account to install and maintain the DBMS software libraries and configuration files.
Have the DBA and/or IAO provide the DBMS software baseline procedures, implementation evidence, and a list of files and directories included in the baseline procedure for completeness. If baseline procedures do not exist, not implemented reliably or not complete, this is a Finding. Software and configuration directories are under: [drive] \Program Files\Microsoft SQL Server The exact directory is specified in the registry key: HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Microsoft SQL Server \ 90 \ VerSpecificRootDir For each instance, the directory and all contents specified under the registry key below where [#] is the assigned instance number: HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Microsoft SQL Server \ MSSQL.[#] \ Setup \ SQLProgramDir
Develop, document and implement baseline procedures that include all DBMS software files and directories. Update the baseline after new installations, upgrades or maintenance activities that include changes to the software baseline.
Review the DBMS audit trail to determine if the names [or unique identifiers] of applications used to connect to the database are included. If an alternate method other than DBMS logging is authorized and implemented, review the audit trail to determine if the names [or unique identifiers] of applications used to connect to the database are included. If application access to the DBMS is not being audited, this is a Finding. If auditing does not capture the name [or unique identifier] of applications accessing the DBMS at a minimum, this is a Finding.
Modify auditing to ensure audit records include identification of applications used to access the DBMS. Ensure auditing captures the name [or unique identifier] of applications accessing the DBMS at a minimum. Develop or procure a 3rd-party solution where native DBMS logging is not employed or does not capture required information.
1. Review jobs scheduled to start automatically at system startup. From the query prompt: SELECT name FROM [master].sys.procedures WHERE is_auto_executed = 1 If any jobs listed are not documented as authorized, this part of the check is a Finding. 2. Review SQL Server job history From the query prompt: SELECT DISTINCT j.name FROM [msdb].dbo.sysjobhistory h, [msdb].dbo.sysjobs j WHERE h.job_id = j.job_id If no data is listed and no jobs are listed, this part of the check is Not a Finding. If any jobs listed are not documented as authorized, this part of the check is a Finding. Review monitoring procedures for job queues and evidence of implementation. If procedures for monitoring job queues are not documented are not complete or are not implemented, this is a Finding. If any part of this check results in a Finding, this is a Finding for the entire check.
Establish and implement procedures to monitor the database job queue and job history for unauthorized job submissions. Include or note documented policy and procedures in the System Security Plan.
If user access to the DBMS is via a portal or mid-tier system or product and PKI-authentication occurs at the portal/mid-tier, this check is Not a Finding. Review the list of all DBMS accounts and their authentication methods. This list is usually available from a system view or table and is easily gained from a simple SQL query. If any accounts are listed with an authentication method other than a PKI certificate, this is a Finding. For MAC 3 systems, if identification and authentication is not accomplished using the DoD PKI Class 3 certificate and hardware security token (when available) at minimum, this is a Finding. For MAC 1 and 2 systems, if identification and authentication is not accomplished using the DoD PKI Class 3 or 4 certificate and hardware security token (when available) or an NSA-certified product at minimum, this is a Finding.
Implement PKI authentication for all accounts defined within the database where applicable. Applications may use host system (server) certificates to authenticate. For MAC 3 systems, use of the DoD PKI Class 3 certificate and hardware security token (when available) at minimum is required. For MAC 1 and 2 systems, use of the DoD PKI Class 3 or 4 certificate and hardware security token (when available) or an NSA-certified product at minimum is required.
If all DBMS accounts are configured to authenticate using certificates or other credential besides passwords, this check is Not a Finding. Where accounts are authenticated using passwords, review procedures and implementation evidence for creation of temporary passwords. If the procedures or evidence do not exist or do not enforce passwords to meet DoD password requirements, this is a Finding.
Develop, document and implement procedures for assigning temporary passwords to user accounts. Procedures should include instruction to meet current DoD password length and complexity requirements and provide a secure method to relay the temporary password to the user. Temporary passwords should also be short-lived and require immediate update by the user upon first login.
This check applies specifically to the Oracle DBMS installation and its associated files, scripts and environments. This check does not apply to compiled, encoded or encrypted application source code and batch job code covered in Check DG0130. Ask the DBA to review the list of DBMS database objects, database configuration files, associated scripts and applications defined within and external to the DBMS that access the database. The list should also include files or settings used to configure the operational environment for the DBMS and for interactive DBMS user accounts. Ask the DBA and/or IAO to determine if any DBMS database objects, database configuration files, associated scripts and applications defined within or external to the DBMS that access the database, and DBMS / user environment files/settings contain database passwords. If any do, confirm that DBMS passwords stored internally or externally to the DBMS are encoded or encrypted. If any passwords are stored in clear text, this is a Finding. If a list of DBMS database objects, database configuration files, associated scripts and applications defined within or external to the DBMS that access the database, and DBMS / user environment files/settings is not maintained in the System Security Plan, this is a Finding.
Develop, document and maintain a list of DBMS database objects, database configuration files, associated scripts and applications defined within or external to the DBMS that access the database, and DBMS / user environment files/settings in the System Security Plan. Record whether they do or do not contain DBMS passwords. If passwords are present, ensure they are encoded or encrypted and protected by host system security. Consider using vendor or 3rd party tools to support external authentication.
Interview the DBA to determine if any applications that access the database (such as sqlcmd, etc.) allow for entry of the account name and password on the command line. If any applications exist and are in use, ask the DBA if users have been instructed not to include passwords on the command line and if these applications are monitored for compliance. If documentation of instruction and monitoring are not being performed, this is a Finding.
Configure or modify applications to prohibit display of passwords in clear text on the command line if possible. Implement policy and train users to prohibit entry of passwords on the command line for applications that cannot be modified or configured to deny this. Remove any applications that can access the database if they are not being used or cannot be monitored.
If no DBMS accounts authenticate using passwords, this check is Not a Finding. If DBMS uses Windows Authentication only, this check is Not a Finding. If the DBMS supports this functionality, review the settings and function logic or have the DBA demonstrate a password change to ensure that the function requires new passwords to differ from old passwords by more than four characters. If the review or the demonstration reveals that passwords are not checked for a difference of more than four characters, this is a Finding. NOTE: Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079.
Define, configure and test a password verify feature or function that authenticates passwords on change to ensure that new password differs from old password by more than four characters.
If this is not a production database, this check is Not Applicable. Note: SQL Server check DG0190 addresses authorization of all defined remote and linked databases. Review documentation for definitions of authorized external interfaces. The documentation should include: 1. Any remote access to the database 2. The purpose or function of the remote connection, 3. Any access to data or procedures stored externally to the local DBMS 4. Any network ports or protocols used by remote connections 5. Whether the remote connection is to a production, test, or development system 6. Any security accounts used by DBMS to access remote resources or objects To view remote and linked servers: SELECT name FROM [master].sys.servers WHERE server_id <> 0 ORDER BY name If any database links are defined between the production database and any test or development databases, this is a Finding. If the documentation for remote interfaces does not exist or is incomplete in the System Security Plan and AIS Functional Architecture documentation, this is a Finding.
Document all remote or external interfaces used by the DBMS to connect to or allow connections from remote or external sources in the System Security Plan and AIS Functional Architecture documentation. Include with the documentation as appropriate, any network ports or protocols, security accounts, and the sensitivity of any data exchanged. Do not define or configure database links between production databases and test or development databases. Delete any links or remote server definitions between production and test or development databases.
If the database is not a production database, this check is Not Applicable. Review procedures or restrictions for data exports from the production database. If data exports are allowed, then review procedures for protecting any sensitive data included in the exports. If sensitive data is included in the exports and no protections are taken to remove or modify the data to render it not sensitive when provided to unauthorized users, this is a Finding.
Document procedures and restrictions for production data export. Require any users assigned privileges that allow the export of production data from the database to acknowledge understanding of the export restrictions. Restrict permissions allowing use or access to database export procedures or functions to authorized users.
Review the list of instances and databases installed on the host system with the DBA. Ask which databases are production databases and which are for development. If only development or only production databases exist on this host, this is Not a Finding. Otherwise, ask the DBA to confirm that policy and procedures are in place for the IAO to review database and operating system privileges on the system. If none are in place, this is a Finding. Ask the DBA/SA if developer host accounts have been granted privileges to production database directories, files or resources. If they have been, this is a Finding. NOTE: Though shared production/non-production DBMS installations was allowed under previous database STIG guidance, doing so may place it in violation of OS, Application, Network or Enclave STIG guidance. Ensure that any shared production/non-production DBMS installations meets STIG guidance requirements at all levels or mitigate any conflicts in STIG guidance with your DAA.
Develop, document and implement procedures to review and maintain privileges granted to developers on shared production and development host systems and databases. Recommend establishing a dedicated DBMS host for production DBMS installations (See Checks DG0109 and DG0110). A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine where supported by the DBMS vendor.
Review procedures and implementation evidence to determine if procedures are in place for periodic review of user privileges by the IAO. Evidence may consist of email or other correspondence that acknowledges receipt of periodic reports and notification of review between the DBA and IAO or other auditors as assigned. If the procedures are incomplete or no evidence of implementation exists, this is a Finding.
Develop, document and implement procedures for periodic review of application user database privilege assignments. Include methods to provide evidence of review in the procedures to verify reviews occur in accordance with the procedures.
If no administration accounts are accessed remotely, this check is Not a Finding. Ask the DBA if access to the administration accounts is: 1. Made using remote access through a local host account 2. Made directly to the database from a remote database client If access is via a local host account, review procedures, policy, and/or evidence that remote administrative account access is performed only via an encrypted connection protocol such as SSH, Remote Desktop Connection (properly configured, of course), etc., to connect to the host. If it is not, this is a Finding. If access is via direct connection to the DBMS from a DBMS client, confirm that a dedicated database listener exists on the DBMS server and configured to encrypt communications for remote administrative connections. If it is not, this is a Finding. If there are any listeners on the DBMS host that are configured to accept unencrypted traffic, determine through review of policy and training evidence that DBAs know to use the encrypted listener for remote access to administrative accounts. If no such policy exists, the DBAs have not been instructed to use or do not use an encrypted connection, this is a Finding. Interview DBAs to confirm they use the encrypted listener for remote DBA access. If any DBAs do not, this is a Finding. Ensure unclassified, sensitive data transmitted through a commercial or wireless network are encrypted using NIST-certified cryptography.
Do not administer DBMS systems remotely if possible. If this is not possible, ensure that all connections to the DBMS for administrative purposes utilize encryption at all possible levels [i.e. Network (VPN), Host (SSH/RDP), and Database (Client/ODBC/listener)]. Ensure unclassified, sensitive data transmitted through a commercial or wireless network are encrypted using NIST-certified cryptography.
Review policy, procedures and implementation evidence for daily audit trail monitoring. For SQL Server, the audit trail data is found in audit traces, the system error logs (ERRORLOG.*) files, and the system and application event logs. If the policy, procedures and evidence are not present or complete, this is a Finding.
Develop, document and implement policy and procedures to monitor audit trail data daily.
For Windows 2000: 1. Right click on My Computer 2. Select Manage 3. Expand Local Users 4. Expand Groups For Windows 2003: 1. Click Start 2. Select All Programs 3. Select Administrative Tools 4. Click Computer Management 5. Expand System Tools 6. Expand Local Users and Groups 7. Select Groups View the list of groups defined. Verify the OS DBA group as specified in the System Security Plan exists. If the OS DBA windows group specified in the System Security Plan does not exist, this is a Finding.
Follow the steps outlined in the Check procedure above. Create a Windows OS group to use for SQL Server DBA privilege and permission assignment as documented in the System Security Plan.
For Windows 2000: 1. Right click on My Computer 2. Select Manage 3. Expand Local Users 4. Expand Groups 5. Select the OS DBA Group 6. Right click on the OS DBA Group 7. Select Properties For Windows 2003: 1. Click Start 2. Select All Programs 3. Select Administrative Tools 4. Click Computer Management 5. Expand System Tools 6. Expand Local Users and Groups 7. Select Groups 8. Select the OS DBA Group 9. Right click on the OS DBA Group 10. Select Properties Review the list of accounts assigned to the OS DBA group. Review the list of accounts assigned to the SYSADMIN role: For SQL Server: From the query prompt: exec sp_helpsrvrolemember 'sysadmin' If any accounts assigned OS DBA group membership or SYSADMIN privileges that are not DBAs as authorized and documented in the System Security Plan, this is a Finding. If the OS DBA group is not defined, this is a Finding.
Remove any OS DBA group membership assignments and assignments to the SYSADMIN role from accounts not authorized and documented in the System Security Plan by the IAO. Authorize and document in the System Security Plan all DBA accounts and assignments to the SYSADMIN role prior to assigning DBA group membership and privileges.
Check for Service Account used: For Windows 2003 (Windows 2000 is similar): 1. Click Start 2. Right click on My Computer 3. Click on Manage, 4. Expand Services and Applications 5. Select Services 6. Locate the SQL Server ([instance name]) services 7. Examine the account listed in the ‘Log On As’ column If the account listed is a builtin account (LocalSystem, Local Service, Network Service, etc.), this is a Finding. Exceptions are: 1. SQL Server Active Directory Helper (Network Service) 2. SQL Server Integration Services (Network Service) 3. SQL Server VSS Writer (Local System) If the account listed is a domain user account (does not begin with ".\" or the host computer name), then confirm that the service requires access to remote systems including for the provision of email services as documented in the System Security Plan. If network resource access is not required, use of domain account is a Finding. If the account listed is a local or domain user account, then review group membership privileges. See below for Administrator group privilege check. Note any other group membership assignments for future check analysis. For Windows 2000: 1. Right click on My Computer 2. Select Manage 3. Expand Local Users 4. Expand Groups 5. Select the Administrators Group 6. Right click on the Administrators Group 7. Select Properties For Windows 2003: 1. Click Start 2. Select All Programs 3. Select Administrative Tools 4. Click Computer Management 5. Expand System Tools 6. Expand Local Users and Groups 7. Select Groups 8. Select the Administrators Group 9. Right click on the Administrators Group 10. Select Properties If the service account is listed as a member of the Administrators group, this is a Finding. Note: SQL Server Agent cannot be configured for autorestart without assignment to the Administrator Group. SQL Server Agent must be manually restarted after the service has been interrupted. If clustering is being used, assignment of "Debug Programs" user right to the account either directly or through an assigned group may be required and is authorized. Ensure this is documented in the System Security Plan.
Create a local custom account for the SQL Server service accounts. A domain account may be used where network resources are required. Please see SQL Server Books Online for information that is more detailed. Assign the service accounts to the SQL Server groups created at installation (SQL Server 2005) if available. Assign the SQL Server accounts to the appropriate OS SQL Service group. Do not assign the SQL Server accounts to the OS DBA group. Note: Each service identified with an ([Instance Name]) should have its own, separate local user/domain user account. Do not add the SQL Server Agent user/domain account to the local or domain Administrators groups.
Use regedit.exe (Windows 2003) or regedt32.exe (Windows XP, Windows 2000) to review registry permissions To review registry permissions using regedit.exe, navigate to the registry key indicated, right-click on the key, and select Permissions. Select the users and groups permissions and view the assigned Permissions in the Permissions box. To view Special Permissions (From the Permissions window for the key): 1. Click on the Advanced button 2. Select the Effective Permissions tab 3. Click the Select button 4. Select the User or Group name to review 5. To see the list of users or groups: a. Click on the Advanced button b. Click on the Find Now button c. Select a user or group account d. Click OK View registry permissions for the following registry keys and sub-keys under: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server If Full Control permissions are granted to other than Administrators, the DBA group, Creator Owner, System or the SQL Server service group with the following exceptions, this is a Finding. 1. HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ Instance Names \ RS \ = Full Control to key to local group account SQLServer2005ReportServerUser$[instance name] 2. HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ MSSQL.1 \ MSSearch \ = Full Control to keys and Subkeys to local group account SQLServer2005MSFTEUser$[instance name] 3. HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ MSSQL.1 \ SQLServerAgent \ = Full Control to key to local group account SQLServer2005SQLAgentUser$[instance name] 4. HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ MSSQL.1 \ SQLServerAgent \ = Full Control to key to local group account SQLServer2005SQLServerADHelperUser$[instance name] 5. HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ Instance Names \ RS \ = Read to keys and Subkeys to local group account Remote Desktop Users If other than Read permissions are granted to the custom SQL Server Users group or members of that group, this is a Finding. Note: During SQL Server 2005 installation, service group memberships are granted Read access to specific registry keys. If this Read access duplicates the custom SQL Server Users group access, this would not be a Finding. The DBA, Creator Owner, System, Administrators and SQL Server service groups should be granted Full Control.
Review permissions assigned to the SQL Server registry keys and Subkeys. Revoke Full Control permissions to accounts or groups other than DBAs, Administrators, System and Creator Owner except for keys and Subkeys listed in the check procedures. Revoke all Read permissions from any custom SQL Server users group and specific other groups as listed in the check procedures.
Review the SQL Server software library directory. The SQL Server software library is defined in the registry key: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ MSSQL.[ #] \ Setup \ SQLProgramDir Note any custom subdirectories within the SQL Server software library directory. If any directories or files not installed with the SQL Server software exist with the SQL Server software directory, this is a Finding. Only applications that are required for the functioning and administration, not use, of the DBMS should be located on the same disk directory as the DBMS software libraries.
Install SQL Server DBMS software using directories separate from the OS and other application software library directories. Re-locate any directories or re-install other application software that currently shares the DBMS software library directory to separate directories. Recommend dedicating a separate partition for the DBMS software libraries where supported by the DBMS.
If the check for unsupported version (DG0001) returns an unsupported version or the installed version is within 6 mos. of a desupport notice, ask if migration plans are in progress to upgrade to a supported version. If plans are not in progress, this is a Finding. To check version for SQL Server: From the query prompt: SELECT CONVERT(CHAR(13), SERVERPROPERTY('ProductVersion')) Where format is in major.minor.build and we only concern ourselves with the major version: 9 = SQL Server 2005 From the query prompt: SELECT CONVERT(CHAR(3), SERVERPROPERTY('ProductLevel')) Where value: RTM = Original release version (no service packs installed) SPn = Service Pack Level View version and service pack level. If the DBMS is not at the service pack level listed for the version below and no update plan exists, this is a Finding. Product Release (as of 1 May 2009) Mainstream Support Retired Extended Support Retired Service Pack SQL Server 9 (2005) 04/12/2011 04/12/2016 SP3
Apply the latest service pack (after testing) for the supported DBMS version. Create an upgrade plan for obsolete or expiring vendor products. As soon as an expiration date is published for the product, prepare to upgrade it. The cost of the upgrade should be budgeted including any additional testing and development required supporting the upgrade. A plan for testing the upgrade should also be scheduled. Any other steps for upgrade should be included in the plan and the plan for upgrade should be scheduled for completion prior to expiration of the current product or product support contract.
From the SQL Server Enterprise Manager or SQL Server Management Studio GUI: Right-click on SQL server name, select General tab or pate, review Product Version or Version. OR From the query prompt: SELECT CONVERT(CHAR(13), SERVERPROPERTY('ProductVersion')) Where format is in major.minor.build and we only concern ourselves with the major version: 9 = SQL Server 2005 If the major version listed is not under Mainstream or Extended support from Microsoft as listed in the table below, this is a Finding. You can verify support for SQL Server at the following website: http://support.microsoft.com/gp/lifepolicy Product Release Mainstream Support Retired Extended Support Retired SQL Server 9 (2005) 04/12/2011 04/12/2016 The reviewer may want to record the version number for other checks in this review. Service patch level and HOTFIX updates are reviewed in separate checks. IAVM compliance is reviewed in Windows OS checks.
Protect the SQL Server installation from published vulnerabilities by upgrading to a supported version and installing all service packs and HOTFIXes as they become available (after testing).
From the query prompt: SELECT CONVERT(CHAR(13), SERVERPROPERTY('ProductVersion')) Where format is in major.minor.build From the query prompt: SELECT CONVERT(CHAR(3), SERVERPROPERTY('ProductLevel')) Where value: RTM = Original release version (no service packs installed) SPn = Service Pack Level Note: HOTFIXes are generated and applied to specific Service Packs and are reflected in the Product Version build segment as an incremental version. Product Release Service Pack Product Version SQL Server 9 (2005) SP3 9.00.4230 For any product listed above, if the Product Version is the same or numerically higher than what is listed above, this is Not a Finding. If the Product Version is numerically lower, this is a Finding. Note: If any update has been released that is deemed by Microsoft to be a critical update, this check should be assigned a Severity Category of I. Supported versions and Service Packs are listed on the Microsoft web sites: http://support.microsoft.com/gp/lifeselectserv http://support.microsoft.com/kb/321185/en-us (lists version numbers)
Upgrade to the latest SQL Server Service Pack. Apply all applicable Microsoft SQL Server critical updates and HOTFIXes.
If C2 Auditing is enabled (See Check DM0510: C2 audit mode), this check is Not a Finding. Determine the SQL Server Edition: From the query prompt: SELECT CONVERT(INT, SERVERPROPERTY('EngineEdition')) If value returned is 1 (Personal or Desktop Edition) or 4 (Express Edition), if auditing is not enabled or not configured completely to requirements, review the System Security Plan. If this is properly explained in the System Security Plan, this is Not a Finding. If this is not documented or documented poorly in the System Security Plan, this is a Finding. If value returned is 2 (Standard Edition) or 3 (Enterprise/Developer Edition), these findings apply. Determine if trace is enabled. From the query prompt: SELECT traceid 'TraceID' FROM ::FN_TRACE_GETINFO('0') WHERE traceid <> 1 – Do not count default trace in SQL Server 2005 AND property = 5 AND value = 1 If no trace is returned, this is a Finding. If the trace returned for Check DG0145 is not returned above, this is a Finding.
Enable the trace created in Check DG0145. From the query prompt: EXEC SP_TRACE_SETSTATUS [TraceID], 1 Replace [TraceID] with the ID of the trace created for the DG0145 audit trace requirement.
Review the file permissions to all files located in the DBMS audit log directory. If any allow access to users not authorized as DBAs or auditors, this is a Finding. Review database object access permissions to any audit log data stored in the database. If permissions are granted to users not authorized as DBAs or auditors, this is a Finding. Review the directory and file permissions to all files in the directory listed and in the registry entries below: C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\LogFiles HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\CPE\ErrorDumpDir HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\CPE\ErrorDumpDir HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.3\CPE\ErrorDumpDir HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\DefaultLog HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\SQLServerAgent\ErrorLogFile Review permissions to the sysprotects and/or sys.dm_exec_sessions view in the Master database: SELECT u.name AS [User], o.name AS [Object], p.permission_name AS [Permission] FROM [master].sys.all_objects o, [master].sys.database_principals u, [master].sys.database_permissions p WHERE p.grantee_principal_id = u.principal_id AND o.object_id = p.major_id AND (o.name = 'dm_exec_sessions' OR o.name = 'sysprotects') ORDER BY u.name, o.name, p.permission_name If any allow access to users not authorized as DBAs or auditors, this is a Finding.
Grant audit file and database audit object access to authorized DBAs and auditors. Revoke audit file and database audit object access from unauthorized database and OS accounts.
Review host system privileges assigned to the DBA accounts. If any are granted host system administrator privileges or other system privileges not required for DBMS administration, this is a Finding. The DBA should have only the OS Users group, custom SQLServer DBA group, SQL Server service groups and custom SQL Server Users groups assigned. The custom SQL Server groups should have only the Log on Locally user right assigned.
Revoke any host system privileges from DBA accounts not required DBMS administration. Revoke any OS group memberships that assign excess privileges to DBA accounts. Remove any directly applied permissions or user rights from the DBA account.
Review security and administration documentation maintained for the DBMS system for indications that security guidance has been applied to the DBMS system. If DoD security guidance is not available, the following are acceptable in descending order as available: (1) Commercially accepted practices (e.g., SANS); (2) Independent testing results (e.g., ICSA); or (3) Vendor literature If the DBMS system has not been secured using available security guidance as listed above, this is a Finding.
Apply available security guidance to the DBMS system. If DoD security guidance is not available, the following are acceptable in descending order as available: (1) Commercially accepted practices (e.g., SANS); (2) Independent testing results (e.g., ICSA); or (3) Vendor literature
Review automated tool usage for reporting of audit trail data. If automated tools are not used, this is a Finding. Automated DBMS jobs and/or procedures may be used to produce the periodic reports where supported by the DBMS.
Develop, document and implement database or host system procedures to report audit trail data in a form usable to detect unauthorized access to or usage of DBMS privileges, procedures or data.
Review evidence or operation of an automated, continuous on-line monitoring and audit trail creation capability for the DBMS is deployed with the capability to immediately alert personnel of any unusual or inappropriate activity with potential IA implications, and with a user-configurable capability to automatically disable the system if serious IA violations are detected. If the requirements listed above are not fully met, this is a Finding.
Develop or procure, document and implement an automated, continuous on-line monitoring and audit trail creation capability for the DBMS is deployed with the capability to immediately alert personnel of any unusual or inappropriate activity with potential IA implications, and with a user-configurable capability to automatically disable the system if serious IA violations are detected.
If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is Not a Finding. If no identified sensitive or classified data requires encryption by the Information Owner in the System Security Plan and/or AIS Functional Architecture documentation, this check is Not a Finding. If encryption requirements are listed and specify configuration at the host system or network device level, review evidence that the configuration meets the specification with the DBA. It may be necessary to review network device configuration evidence or host communications configuration evidence with a Network and/or System Administrator. If the evidence review does not meet the requirement or specification as listed in the System Security Plan, this is a Finding. For SQL Server 2005: If encryption for sensitive data in transit is required by SQL Server configuration, then review the setting for the instance parameter ForceEncryption: From the SQL Server Configuration Manager GUI: 1. Expand SQL Server 2005 Network Configuration 2. Right-click on Protocols for [instance name] 3. Select Properties 4. Select the Flags tab 5. View the value for ForceEncryption OR From the Registry Editor: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ MSSQL.1 \ MSSQLServer \ SuperSocketNetLib \ ForceEncryption If the value of ForceEncryption does not equal yes or 1, this is a Finding.
Configure encryption of sensitive data served by the DBMS in accordance with the specifications provided in the System Security Plan. Document acceptance of risk by the Information Owner where sensitive or classified data is not encrypted. Have the IAO document assurance that the unencrypted sensitive or classified information is otherwise inaccessible to those who do not have Need-to-Know access to the data. For SQL Server 2005: Also, see Microsoft KB article for information on using SQL Server in FIPS 140-2 compliant mode: http://support.microsoft.com/kb/920995/ To configure encryption using SQL Server features: From the SQL Server Configuration Manager GUI: 1. Expand SQL Server 2005 Network Configuration 2. Right-click on Protocols for [instance name] 3. Select Properties 4. Select the Flags tab 5. Select Yes for ForceEncryption from the pull-down options
View access permissions granted to external stored procedures: From the query prompt: SELECT name AS [Database Name] FROM [master].sys.databases WHERE state = 0 Repeat for each database: From the query prompt: USE [Database Name] SELECT u.name AS [Principal], o.name AS [External Procedure Name], p.permission_name AS [Permission], p.state_desc AS [State] FROM master.sys.all_objects o JOIN master.sys.database_permissions p ON p.major_id = o.object_id JOIN master.sys.database_principals u ON p.grantee_principal_id = u.principal_id WHERE o.type = 'X' ORDER BY o.name, u.name If no results are listed, this is Not a Finding. Review results returned. If any Principal names returned are not listed as authorized in the System Security Plan, this is a Finding.
Evaluate the associated risk in allowing access to external objects. Consider the security context under which the object is accessed or whether the privileges required to access the object are available for assignment based on job function. Where feasible, modify the application to use only objects stored internally to the database. Where not feasible, note the risk assessment and acceptance in the System Security Plan for access to external objects. Document required access permissions in the System Security Plan and authorize with the IAO.
Review procedures and implementation evidence of DBA role privilege monitoring. If procedures are incomplete or not implemented, this is a Finding. If monitoring does not occur every 30 days or more often, this is a Finding.
Design, document and implement procedures for monitoring DBA role privilege assignments.
Review DBMS roles and accounts granted the CREATE DATABASE permission, sysadmin or dbcreator fixed server roles, and the member of each database db_owner role: 1. Accounts granted CREATE DATABASE permission or DBCREATOR server role. From the query prompt: SELECT p.name 'User', r.name 'Role' FROM [master].sys.server_principals p, [master].sys.server_principals r, [master].sys.server_role_members m WHERE p.principal_id = m.member_principal_id AND r.principal_id = m.role_principal_id AND m.role_principal_id = 9 AND m.member_principal_id <> 1 ORDER BY r.name, p.name 2. Accounts granted SYSADMIN permission or SYSADMIN server role. From the query prompt: SELECT p.name 'User', r.name 'Role' FROM [master].sys.server_principals p, [master].sys.server_principals r, [master].sys.server_role_members m WHERE p.principal_id = m.member_principal_id AND r.principal_id = m.role_principal_id AND m.role_principal_id = 3 AND m.member_principal_id <> 1 ORDER BY r.name, p.name 3. Accounts granted CREATE DATABASE permissions or granted DB_OWNER database role. From the query prompt: SELECT name FROM [master].sys.databases WHERE state = 0 Repeat for each database: From the query prompt: USE [database name] SELECT p.name 'User', r.name 'Role' FROM sys.database_principals p, sys.database_principals r, sys.database_role_members m WHERE p.principal_id = m.member_principal_id AND r.principal_id = m.role_principal_id AND m.role_principal_id = 16384 ORDER BY r.name, p.name If any are not authorized for RESTORE permissions, this is a Finding. The 'sa' account (SID = 0x01) and the database owner account are authorized accounts. These accounts do not require explicit authorization and do not count as a Finding.
Define DBMS roles that are authorized for database restore functions, restrict assignment of restore privileges to those roles, and assign those roles only to authorized DBMS accounts.
If the DBMS or DBMS host is not shared by production and development activities, this check is Not a Finding. Review policy, monitoring procedures and evidence of developer privileges on shared development and production DBMS and DBMS host systems with the IAO. If developer privileges are not monitored every three months or more frequently, this is a Finding. NOTE: Though shared production/non-production DBMS installations was allowed under previous database STIG guidance, doing so may place it in violation of OS, Application, Network or Enclave STIG guidance. Ensure that any shared production/non-production DBMS installations meets STIG guidance requirements at all levels or mitigate any conflicts in STIG guidance with your DAA.
Develop, document and implement policy and procedures to monitor DBMS and DBMS host privileges assigned to developers on shared production and development systems to detect unauthorized assignments every three months or more often. Recommend establishing a dedicated DBMS host for production DBMS installations (See Checks DG0109 and DG0110). A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine where supported by the DBMS vendor.
If the DBMS host does not support both production and development operations, this check is Not a Finding. Review the list of OS DBA group membership with the SA and DBA. Compare to the list in the System Security Plan. If any accounts not identified in the System Security Plan for the production DBMS have been assigned DBA privileges (to include developer accounts), this is a Finding. If OS DBA group membership is not included in the System Security Plan, this is a Finding. NOTE: Though shared production/non-production DBMS installations was allowed under previous database STIG guidance, doing so may place it in violation of OS, Application, Network or Enclave STIG guidance. Ensure that any shared production/non-production DBMS installations meets STIG guidance requirements at all levels or mitigate any conflicts in STIG guidance with your DAA.
Create separate DBMS host OS groups for developer and production DBAs. Do not assign production DBA accounts to development OS groups. Do not assign development DBA accounts to production OS groups. Remove any unauthorized accounts from both production and development OS groups. Document in the System Security Plan. Recommend establishing a dedicated DBMS host for production DBMS installations (See Checks DG0109 and DG0110). A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine where supported by the DBMS vendor.
Review and verify implementation of logging procedures defined for use of the DBMS software installation account. If procedures for logging access to the DBMS are not present or are not being followed, this is a Finding. Host system audit logs should be echoed or matched in the DBMS installation account usage log along with an indication of the person who accessed the account and an explanation for the access.
Develop and implement a logging procedure for use of the DBMS software installation account that provides accountability to individuals for any actions taken by the account.
Review the logs for usage of the DBMS software installation account. Interview personnel authorized to access the DBMS software installation account to ask how the account is used. If any usage of the account is to support daily operations or DBA responsibilities, this is a Finding.
Develop, document and implement policy and procedures and train authorized users to restrict usage of the DBMS software installation account for DBMS software installation, upgrade and maintenance actions only.
Review procedures and evidence of implementation for DBMS IA and vulnerability management compliance. This should include periodic, unannounced, in-depth monitoring and provide for specific penetration testing to ensure compliance with all vulnerability mitigation procedures such as the DoD IAVA or other DoD IA practices is planned, scheduled and conducted. Testing is intended to ensure that the system's IA capabilities continue to provide adequate assurance against constantly evolving threats and vulnerabilities. The results for Classified systems are required to be independently validated. If the requirments listed above are not being met, this is a Finding.
Develop, document and implement procedures for periodic testing of the DBMS for current vulnerability management and security configuration compliance as stated in the check. Coordinate 3rd-party validation testing for Classified systems.
From the query prompt: SELECT c.credential_identity, p.name FROM [master].sys.credentials c, [msdb].dbo.sysproxies p, [msdb].dbo.sysproxysubsystem s WHERE c.credential_id = p.credential_id AND s.proxy_id = p.proxy_id AND s.subsystem_id > 3 AND s.subsystem_id < 9 ORDER BY c.credential_identity, p.name If any proxies are not assigned unique credential identities, this is a Finding.
Create individual Windows accounts for each replication agent. Specify the Windows account created for the replication agent, in the Replication Agent Security settings in SQL Server. From the SQL Server Management Studio GUI: 1. Expand instance 2. Expand Replication 3. Expand Local Publications 4. For each Local Publication: a. Right-click on the publication b. Select Properties c. Select Agent Security page d. Click on Security Settings button e. Enter the dedicated Windows account for the Snapshot Agent f. Select Connect to the Publisher - By impersonating the process account g. Click OK h. Click OK
If the database is not a production database, this check is Not Applicable. Review privileges assigned to developers: 1. Identify login name of developer DBMS accounts from the System Security Plan and/or DBA. 2. For each developer account, display the username SID and the databases where the user is defined: EXEC SP_HELPLOGINS '[login name]' 3. Display all fixed server role membership assignments: EXEC SP_HELPSRVROLEMEMBER If developers are assigned privileges that allow change or alteration of database objects in any production databases, this is a Finding. If developers are assigned membership to any DBMS server roles, this is a Finding.
Revoke DBA privileges assigned to developers on production DBMS unless required and authorized. Revoke database or other production object administrative privileges from developers unless required and authorized. Restrict developer privileges to production objects to those granted to application users only where such privileges are required and authorized.
Review evidence of security hardening and auditing of the DBMS host platform with the IAO. If the DBMS host platform has not been hardened and received a security audit, this is a Finding. Review evidence of security hardening and auditing for all application(s) that store data in the database and all other separately configured components that access the database including web servers, application servers, report servers, etc. If any have not been hardened and received a security audit, this is a Finding. Review evidence of security hardening and auditing for all application(s) installed on the local DBMS host where security hardening and auditing guidance exists. If any have not been hardened and received a security audit, this is a Finding.
Configure all related application components and the DBMS host platform in accordance with the applicable DOD STIG. Regularly audit the security configuration of related applications and the host platform to confirm continued compliance with security requirements.
Audit events are logged by SQL Server to error logs, Windows event logs, and to SQL Profiler trace files. Review evidence of backups that include the default directory for SQL Server error logs and trace files. The default directory for SQL Server error logs and trace files is stored in the Windows registry under: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ MSSQL.[#] \ MSSQLServer \ DefaultLog Where [#] is the sequential number assigned to each instance. This directory is referred to below as [instance logpath]: SQL Server error logs: [instance logpath]ERRORLOG.[#] Audit trace (*.trc) files: Default is [instance logpath], but may be directed to any accessible directory. Log files of other components, e.g. SQLAGENT.[#]: [instance logpath] Audit trace results may also be directed to SQL Server tables. SQL Server data backups are addressed in a separate check; therefore, do not include audit results stored in database tables. If evidence of inclusion of audit log files in regular DBMS or host backups does not exist, this is a Finding.
Configure and ensure SQL Server audit trace files, instance and other error log files are included in regular backups.
If remote administrative access to the database is disabled, this check is Not a Finding. Review policy, procedures and implementation evidence of monitoring of remote administrative access to the database with the IAO or IAM. If policy and procedures for monitoring remote administrative access do not exist or not implemented, this is a Finding.
Develop, document and implement policy and procedures to monitor remote DBA access to the DBMS. The automated generation of a log report with automatic dissemination to the IAO and/or IAM may be used. Require and store an acknowledgement of receipt and confirmation of review for the log report.
Interview the System Administrator to determine if Failover Clustering is employed on the DBMS host and that SQL Server is using Failover Clustering. If the SQL Server instance employs Failover Clustering, this check is Not a Finding. If the instance employs other high-availability redundancy host or DBMS clustering, this check is Not a Finding. Failover clustering requires configuration of Microsoft Cluster Services (MSCS) to be running on the host (if available). View Services on the host to verify the service is active. Further, verify the Failover Cluster configuration by confirming that the MSCS service account has SYSADMIN privileges in the SQL Server instance. Review the file and disk storage specification for the SQL Server databases. From the query prompt: SELECT name FROM [master].sys.databases WHERE state = 0 Repeat for each database: USE [database name] SELECT physical_name FROM sys.database_files WHERE type_desc = 'LOG' Review the host disk system configuration. 1. Start / Administrative Tools / Computer Management 2. Expand Storage 3. Select Disk Management If the Layout column for the identified volume does not display type "mirror" or "RAID-5", this is a Finding.
Place SQL Server critical files including data, transaction and audit log files on fault-tolerant storage devices or employ SQL Server DBMS or OS clustering where supported by the DBMS.
Review file protections assigned to online backup and restoration files. Review access protections and procedures for offline backup and restoration files. If backup or restoration files are subject to unauthorized access, this is a Finding. It may be necessary to review backup and restoration procedures to determine ownership and access during all phases of backup and recovery. In addition to physical and host system protections, consider other methods including password protection to the files.
Develop, document and implement protection for backup and restoration files. Document personnel and the level of access authorized for each to the backup and restoration files in the System Security Plan.
Review evidence of SQL Server and dependent application files and directories. The SQL Server software directory is specified in the registry value: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ MSSQL.[#] \ Setup \ SqlBinRoot Other SQL Server software including, but not limited to SQL Server tools and utilities, are found in the directory and subdirectories under: [drive] \ Program Files \ Microsoft SQL Server This directory is specified in the registry under: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ 90 \ Tools \ Setup \ SQLPath Other executables may be installed under the same Microsoft SQL Server path. Third-party applications may be located in other directory structures. Review the System Security Plan for a list of all DBMS application software libraries to be included in software library backups. If any software library files are not included in regular backups, this is a Finding.
Configure backups to include all DBMS application and third-party database application software libraries.
Review the System Security Plan to determine if the DBMS serves data to users or applications outside the local enclave. If the DBMS is not accessed outside of the local enclave, this check is Not a Finding. If the DBMS serves applications available from a public network (e.g. the Internet), then confirm that the application servers are located in a DMZ. If the DBMS is located inside the local enclave and is directly accessible to public users, this is a Finding. If the DBMS serves public-facing applications and is not protected from direct client connections and unauthorized networks, this is a Finding. If the DBMS serves public-facing applications and contains sensitive or classified information, this is a Finding.
Do not allow direct connections from users originating from the Internet or other public network to the DBMS. Include in the System Security Plan for the system whether the DBMS serves public-facing applications or applications serving users from other untrusted networks. Do not store sensitive or classified data on a DBMS server that serves public-facing applications.
From the SQL Server Configuration Manager GUI: 1. Expand SQL Server 2005 Network Configuration 2. Repeat for each instance: a. Select Protocols for [instance name]. b. View in the right pane, the status for Named Pipes If Named Pipes is enabled, this is a Finding.
If Named Pipes is required, document its use in the System Security Plan. Disable Named Pipes if not required and documented in the System Security Plan. From the SQL Server Configuration Manager GUI: 1. Expand SQL Server 2005 Network Configuration 2. Repeat for each instance: a. Select Protocols for [instance name] b. Double-click Named Pipes. c. Select No as the value for Enabled. d. Click OK 3. Click OK (acknowledge change won't take place until next restart) 4. Exit the SQL Server Configuration Manager GUI
Note: Access to ActiveScripting and CmdExec proxies is covered in check DM3763 From the query prompt: USE msdb EXEC SP_ENUM_PROXY_FOR_SUBSYSTEM If no records are returned, this is Not a Finding. For each proxy listed that is not for CmdExec or ActiveScripting subsystems (checked under DM3763): From the query prompt: EXEC SP_ENUM_LOGIN_FOR_PROXY @proxy_name = '[proxy name]' Replace [proxy name] with the proxy name returned above. Review the names listed in the return. Verify in the System Security Plan that any accounts or groups listed are authorized to access the proxy listed. If any are not, this is a Finding.
Note: SYSADMINs have access to all proxies by default. For each user or group granted unauthorized access to a proxy (select based on returns from the SP_ENUM_PROXY_FOR_SUBSYSTEM results): From the query prompt: EXEC SP_REVOKE_LOGIN_FROM_PROXY '[login name]' @proxy_name = '[proxy name]' Replace [proxy name] with the name of the proxy and replace [login name] with the name returned in the SP_ENUM_PROXY_FOR_SUBSYSTEM procedure.
Review the database backup procedures and implementation evidence. Evidence of implementation includes records of backup events and physical review of backup media. Evidence should match the backup plan as recorded in the System Security Plan. If backup procedures do not exist or not implemented in accordance with the procedures, this is a Finding. If backups are not performed weekly or more often, this is a Finding.
Develop, document and implement database backup procedures. Include weekly backup procedures and offline backup data storage.
Review the policy, procedures and implementation evidence for monitoring changes to DBA role assignments and procedures for notifying the IAM of the changes for review. If policy, procedures and implementation evidence do not exist, this is a Finding.
Develop, document and implement policy and procedures to monitor changes to DBA role assignments. Develop, document and implement policy and procedures to notify the IAM of changes to DBA role assignments. Include methods in the procedures that provide evidence of monitoring and notification.
Review the testing and verification procedures documented in the System Security Plan. Review evidence of implementation of testing and verification procedures by reviewing logs from backup and recovery implementation. Logs may be in electronic or hardcopy and may include email or other notification. If testing and verification of backup and recovery procedures are not documented in the System Security Plan, this is a Finding. If evidence of testing and verification of backup and recovery procedures does not exist, this is a Finding.
Develop, document and implement testing and verification procedures for database backup and recovery. Include requirements for documenting database backup and recovery testing and verification activities in the procedures.
Review procedures and implementation for monitoring the DBMS accounts for expiration or inactivity. Note: SQL Server does not maintain login statistics within the DBMS so account inactivity has to be determined manually. Review login accounts defined for the instance: SELECT SUBSTRING(name, 1, 30) AS [LoginName], CASE is_disabled WHEN 1 THEN 'true' ELSE 'false' END AS [IsDisabled], CASE CAST(LoginProperty(name, 'IsExpired') AS int) WHEN 1 THEN 'true' ELSE 'false' END AS [IsExpired], CASE CAST(LoginProperty(name, 'IsLocked') AS int) WHEN 1 THEN 'true' ELSE 'false' END AS [IsLocked] FROM [master].sys.server_principals WHERE type = 'S' AND (is_disabled <> 1 AND CAST(LoginProperty(name, 'IsExpired') AS int) = 1 OR CAST(LoginProperty(name, 'IsLocked') AS int) = 1) ORDER BY name Review the output from the command above and compare the accounts against audit records to determine account activity. Verify all accounts listed that are expired or locked are documented in the System Security Plan and authorized to remain. If any listed accounts are not documented or authorized, this is a Finding. Listed expired/locked accounts that are documented and authorized are still reported at OPEN findings, but are Documentable in VMS.
Develop, document and implement procedures to monitor database accounts for inactivity and expiration. Investigate, document and authorize if appropriate any accounts that are expired or locked or have been inactive for more than 30 days. Where appropriate, protect authorized expired or inactive accounts by disabling them or applying some other similar protection: ALTER LOGIN [NAME] DISABLE Note: DBMS accounts using Windows Authentication or linked to certificates can be monitored or managed by the host or through Active Directory for domain accounts. Ensure DBA and SA coordinate host/domain account management and host/domain account management meets host/domain-level STIG requirements.
If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is Not a Finding. If no identified sensitive or classified data requires encryption by the Information Owner in the System Security Plan and/or AIS Functional Architecture documentation, this check is Not a Finding. Have your DBA use select statements in the database to review sensitive data stored in tables as identified in the System Security Plan and/or AIS Functional Architecture documentation. If any sensitive data is human readable by unauthorized users, this is a Finding. If encryption is required by the information owner, NIST-certified cryptography is used to encrypt stored sensitive information. If encryption is required by the information owner, NIST-certified cryptography is used to encrypt stored classified non-sources and methods intelligence information. If a classified enclave contains sources and methods intelligence data and is accessed by individuals lacking an appropriate clearance for sources and methods intelligence, then NSA-approved cryptography is used to encrypt all sources and methods intelligence stored within the enclave. Note: The result for this check may be marked as Not a Finding and the requirement of encryption in the database waived where the database has only database administrative accounts and application accounts that have a need-to-know to the data. This waiver does not preclude any requirement for encryption of the associated database data file (see DG0092).
Use third-party tools or native DBMS features to encrypt sensitive or classified data stored in the database. Use only NIST-certified or NSA-approved cryptography to provide encryption. Document acceptance of risk by the Information Owner where sensitive or classified data is not encrypted. Have the IAO document assurance that the unencrypted sensitive or classified information is otherwise inaccessible to those who do not have Need-to-Know access to the data. Developers should consider using a record-specific encryption method to protect individual records. For example, by employing the session username or other individualized element as part of the encryption key, then decryption of a data element is only possible by that user or other data accessible only by that user. Consider applying additional auditing of access to any unencrypted sensitive or classified data when accessed by users (with and/or without Need-to-Know).
Review the System Security Plan and/or the AIS Functional Architecture documentation to discover sensitive or classified data identified by the Information Owner that requires encryption. If no sensitive or classified data is identified as requiring encryption by the Information Owner, this check is Not a Finding. Have the DBA use select statements in the database to review sensitive data stored in tables as identified in the System Security Plan and/or AIS Functional Architecture documentation. If all sensitive data as identified is encrypted within the database objects, encryption of the DBMS data files is optional and Not a Finding. If all sensitive data is not encrypted within database objects, review encryption applied to the DBMS host data files. If no encryption is applied, this is a Finding. If encryption is required by the information owner, NIST-certified cryptography is used to encrypt stored sensitive information. If encryption is required by the information owner, NIST-certified cryptography is used to encrypt stored classified non-sources and methods intelligence information. If a classified enclave contains sources and methods intelligence data and is accessed by individuals lacking an appropriate clearance for sources and methods intelligence, then NSA-approved cryptography is used to encrypt all sources and methods intelligence stored within the enclave. Determine which DBMS data files contain sensitive data. Not all DBMS data files will require encryption.
Use third-party tools or native DBMS features to encrypt sensitive or classified data stored in the database. Use only NIST-certified or NSA-approved cryptography to provide encryption. Document acceptance of risk by the Information Owner where sensitive or classified data is not encrypted. Have the IAO document assurance that the unencrypted sensitive or classified information is otherwise inaccessible to those who do not have Need-to-Know access to the data. To lessen the impact on system performance, separate sensitive data where file encryption is required into dedicated DBMS data files. Consider applying additional auditing of access to any unencrypted sensitive or classified data when accessed by users (with and/or without Need-to-Know).
If the application does not require auditing using DBMS features, this check is Not Applicable. Review the application System Security Plan for requirements for database configuration for auditing changes to application data. If the application requires DBMS auditing for changes to data, review the database audit configuration against the application requirement. If the auditing does not comply with the requirement, this is a Finding.
Configure database data auditing to comply with the requirements of the application. Document auditing requirements in the System Security Plan.
Check User Rights (may be assigned using group privileges): 1. Click Start 2. Select Control Panel \ Administrative Tools (Win2K) or Select Administrative Tools (Win2K3) 3. Click Local Security Policy 4. Expand Local Policies 5. Select User Rights Assignment View the Security Settings to see user rights assigned to the service account or group. For SQL Server Integration Services service account: If any user rights are assigned to the service account other than the following, this is a Finding: 1. Log on as a service (SeServiceLogonRight) 2. Permission to write to application event log 3. Bypass traverse checking (SeChangeNotifyPrivilege) 4. Create global objects (SeCreateGlobalPrivilege) 5. Impersonate a client after authentication (SeImpersonatePrivilege) If clustering is being used, assignment of "Debug Programs" user right to the account either directly or through an assigned group may be required and is authorized. Ensure this is documented in the System Security Plan.
Assign the Network Services Account the privileges as listed in the Check procedures where authorized by the System Administrator. Confirm that removal of any user rights from the Network Services Account do not conflict with OS or Application STIG requirements or affect operation of the DBMS server. Document any changes made in the System Security Plan.
Review the registry key value: HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Microsoft SQL Server \ MSSQL.# \ MSSQLServer \ NumErrorLogs where [#] indicates the sequence number assigned to the SQL Server instance. Sequence number assignments to instances may be viewed at: HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Microsoft SQL Server \ Instance Names \ SQL \[instance name] Review the number assigned for the maximum number of error logs. Confirm this is the number documented in the System Security Plan. If the number is not documented in the System Security Plan or the assigned value does not match the System Security Plan specification, this is a Finding. Review evidence that error log retention is maintained for a minimum of one year. Error logs should be moved offline after 30 days or less depending on system storage capacity.
Review the SQL Server error log usage and determine a strategy for maintenance. The strategy should provide for the longest online retention that is considered meaningful and useful. This is determined over a period for operation and depends upon the amount of log data generated. Error logs must be maintained for a minimum of one year (DG0030). Error logs should be moved offline to satisfy this retention requirement. Design the provision for evidence of retention and allow restoration (for review) of the error logs in the System Security Plan. For SQL Server 2005: From the SQL Server Management Studio GUI: 1. Connect to and expand the SQL Server instance 2. Expand Management 3. Right-click on SQL Server Logs 4. Select Configure 5. Under the General Page, select or deselect Limit the number of error logs before they are recycled 6. Enter the number of error log files determined for the SQL Server instance 7. Click OK
Review policy, procedures and implementation evidence of annual reviews of DBMS IA policy and procedures. If policy and procedures do not exist, are incomplete, or are not implemented and followed annually or more frequently, this is a Finding.
Develop, document and implement policy and procedures to monitor audit trail data daily.
Review policy, procedures and implementation evidence for testing DBMS installations, upgrades and patches prior to production deployment. If policy and procedures do not exist, are incomplete or evidence of implementation does not exist, this is a Finding.
Develop, document and implement policy and procedures for testing DBMS installations, upgrades and patches prior to deployment on production systems.
If the database being reviewed is not a production database, this check is Not Applicable. Review procedures or restrictions for data exports from the production database. If data exports are not allowed, then review methods for preventing and monitoring of any production data export. If procedures and methods are not complete or implemented, this is a Finding. Acknowledgement of data export restrictions and procedures by individuals granted privileges that enable data export is considered sufficient protection, however, record of such acknowledgement must be filed. Privileges required for database copy and/or export commands include sysadmin, dbcreator or database owner of the source database. If DBMS export utilities are not restricted to users authorized by the IAO, this is a Finding.
Document procedures and restrictions for production data export. Require any users assigned privileges that allow the export of production data from the database to acknowledge understanding of the export restrictions. Restrict permissions allowing use or access to database export procedures or functions to authorized users.
Note: The SQL Server Service is covered in Check DG0101. View the service account properties for the SQL Server services. 1. Select Start / Administrative Tools / Services 2. View Properties / Log On for the following services: a. SQL Server Agent ([Instance Name]) b. SQL Server Analysis Services ([Instance Name]) c. SQL Server Browser ([Instance Name]) d. SQL Server FullText Search ([Instance Name]) e. SQL Server Reporting Services ([Instance Name]) 3. View Properties / Log on for the following services: a. SQL Server Active Directory Helper (Log On As Network Service) b. SQL Server Integration Services (Log On As Network Service) c. SQL Server VSS Writer (Log On As Local System) Not all of these services may exist. If some services do not exist, checks for these services are Not a Finding. If the listed services do not use a custom account (with exception to 3a – 3c above), this is a Finding. If any of the services uses a domain user account, then review the requirement for the domain user account. If the service does not require interaction with network or domain resources, this is a Finding. Note: Use of a local user account is recommended unless domain or network resources are accessed by the service. Review user rights assigned to the SQL Server service accounts. User rights may also be assigned to the service accounts via Windows groups and group policies: 1. Select Start / Run 2. Type: gpedit.msc (enter) 3. Under Group Policy Editor: a. Expand Local Computer Policy b. Expand Computer Configuration c. Expand Windows Settings d. Expand Security Settings e. Expand Local Properties f. Select User Rights Assignment g. Locate the Policies under each listed service h. Confirm the Security Setting for each policy contains the custom account assigned to the service i. Log on as a service 1. SQL Server Agent 2. SQL Server Analysis Services 3. SQL Server Browser 4. SQL Server FullText Search 5. SQL Server Reporting Services 6. SQL Server Active Directory Helper 7. SQL Server Integration Services 8. SQL Server VSS Writer ii. Act as part of the Operating System 1. SQL Server Agent iii. Log on as a batch job 1. SQL Server Agent iv. Bypass traverse checking 1. SQL Server Agent 2. SQL Server Integration Services v. Replace a process-level token 1. SQL Server Agent vi. Adjust memory quotas for a process 1. SQL Server Agent vii. Create global objects 1. SQL Server Integration Services viii. Impersonate a client after authentication 1. SQL Server Integration Services i. Exit Group Policy Editor If any user rights other than those listed above are assigned to the service accounts, this is a Finding.
Create and assign custom local or domain user accounts to the SQL Server service accounts. Disable any services and service accounts not required for operation. Assign only required user rights to the custom service accounts. Document in the System Security Plan.
Review the System Security Plan and AIS Functional Architecture documentation and note sensitive data identified by the Information Owner as requiring encryption using DBMS features administered by the DBA. If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is Not a Finding. Review the encryption configuration against the System Security Plan and AIS Functional Architecture documentation specification. If the specified encryption is not configured, this is a Finding.
Configure DBMS encryption features and functions as required by the System Security Plan and AIS Functional Architecture documentation. Discrepancies between what features are and are not available should be resolved with the Information Owner, Application Developer and DBA as overseen by the IAO.
Review the System Security Plan and AIS Functional Architecture documentation for the DBMS and note any sensitive data that is identified. Review database table column data or descriptions that indicate sensitive data. For example, a data column labeled "SSN" could indicate social security numbers are stored in the column. Question the IAO or DBA where any questions arise. General categories of sensitive data requiring identification include any personal identifiable information (PII) involving health, financial and security proprietary or sensitive business data or data that might be classified. If any columns in the database contain data considered sensitive and is not referenced in the System Security Plan and AIS Functional Architecture documentation, this is a Finding.
Include identification of any sensitive data in the System Security Plan and AIS Functional Architecture. Include discussions of data that appear to be sensitive and annotate why it is not marked as such.
Review the System Security Plan to discover the restoration priority assigned to the DBMS. If it is not assigned, this is a Finding.
Review the mission criticality of the DBMS in relation to the overall mission of the organization and assign it a restoration priority.
Review the list of processes/services running on the DBMS host system. For Windows, review the Services snap-in. Investigate with the DBA/SA any unknown services. If any of the services or processes are identified as supporting applications or functions not authorized in the System Security Plan, this is a Finding. Note: Only applications that are operationally required to share the same host system may be authorized to do so. Applications that share the same host for administrative, financial or other non-operational reasons may not be authorized and are a Finding.
A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine if supported by the DBMS vendor. Remove any unauthorized processes or services and install on a separate host system. Where separation is not supported, update the System Security Plan and provide the technical requirement for having the application share a host with the DBMS.
If separation of data, transaction and audit data is not supported by the DBMS, this check is Not a Finding. In the references below, replace SQL5Root with the registry path: "HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server" Replace [#] with the SQL Server instance number as listed under: SQL5Root \ Instance Names \ SQL \ [instance name] Review the disk/directory specification where database data, transaction log and audit files are stored: SQL5Root \ MSSQL.[#] \ Setup \ SQLProgramDir Review the default data and log directory specifications in the registry: SQL5Root \ MSSQL.[#] \ MSSQLServer \ DefaultData SQL5Root \ MSSQL.[#] \ MSSQLServer \ DefaultLog If the program file directory and disk partition is the same as either the DefaultData or the DefaultLog directories, this is a Finding. If stored separately and access permissions for each directory is the same, this is a Finding.
Configure the DBMS to specify dedicated host system disk directories to store database and log files for each application sharing the database. Do not share the application's data disk directory with application software libraries.
From the SQL Server Configuration Manager GUI: 1. Expand SQL Server 2005 Network Configuration 2. Select Protocols for [instance name] 3. Right-click on TCP/IP 4. Select Properties 5. Select IP Addresses tab View all TCP Dynamic Ports and TCP Port values for all IP addresses. OR View the registry values: HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Microsoft SQL Server \ MSSQL.[#] \ MSSQLServer \ SuperSocketNetLib \ Tcp\IP[#] \ TCPDynamicPorts HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Microsoft SQL Server \ MSSQL.[#] \ MSSQLServer \ SuperSocketNetLib \ Tcp\IP[#] \ TcpPort HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Microsoft SQL Server \ MSSQL.[#] \ MSSQLServer \ SuperSocketNetLib \ IPAll \ TCPDynamicPorts HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Microsoft SQL Server \ MSSQL.[#] \ MSSQLServer \ SuperSocketNetLib \ IPAll \ TcpPort If any value (including 0) is entered for TCP Dynamic Ports, this is a Finding. A blank value indicates dynamic ports are not enabled and is Not a Finding. For SQL Server 2005 default instance, if the TCP Port value is set to 1433, this is Not a Finding. NOTE: For SQL Server 2005 named instance (via SQL Server Browser service), UDP Port 1434 is used. If any TCP Port value is set to a different port number, verify network traffic for the DBMS does not cross network or enclave boundaries as defined in the PPS CAL or registered with the PPS: http://iase.disa.mil/ports/index.html If any do and are not registered or allowed per the PPS, this is a Finding.
From the SQL Server Configuration Manager GUI: 1. Expand SQL Server 2005 Network Configuration 2. Select Protocols for [instance name] 3. Right-click on TCP/IP 4. Select Properties 5. Select IP Addresses tab 6. Clear any value listed in TCP Dynamic Ports for all IP addresses 7. Set all TCP Port values for ports accessed across a network boundary to TCP Port 1433 Ensure port is registered in the PPS CAL for use outside the enclave: http://iase.disa.mil/ports/index.html
Review the documented procedures for approval and granting of DBA privileges. Review implementation evidence for the procedures. If procedures do not exist or evidence that they are followed does not exist, this is a Finding.
Develop, document and implement procedures to ensure all DBA role assignments are authorized and assigned by the IAO. Include methods that provide evidence of approval in the procedures.
Review the System Security Plan for the DBMS with the IAO. Review coverage of the following in the System Security Plan: 1. Technical, administrative and procedural IA program and policies that govern the DBMS 2. Identification of all IA personnel (IAM, IAO, DBA, SA) assigned responsibility to the DBMS 3. Specific IA requirements and objectives (e.g., requirements for data handling or dissemination (to include identification of sensitive data stored in the database, database application user job functions/roles and privileges), system redundancy and backup, or emergency response) If the System Security Plan does not exist, this is a Finding. If the System Security Plan does not include the information listed above at a minimum, this is a Finding.
Develop, document and implement a System Security Plan for the DBMS or include IA documentation related to the DBMS in the System Security Plan of the system that the DBMS supports. Refer to Section 3.4 in the Microsoft SQL Server Database Security Checklist for information on how to develop a System Security Plan. Include or note additional information in the System Security Plan where required in other DBMS checks.
If SQL server is configured for Windows Authentication only, this check is Not a Finding. If the server is configured to allow SQL Server Authentication, verify passwords are checked for complexity requirements where DBMS version permits: From the query prompt: SELECT name FROM [master].sys.sql_logins WHERE type = 'S' AND is_policy_checked <> '1' ORDER BY name If any rows are returned, this is a Finding.
For all DBMS accounts using SQL Server logins, set the accounts for password complexity checking: From the query prompt: ALTER LOGIN [login name] CHECK_POLICY = ON Note: This setting depends upon host system password complexity settings. The host system must be configured to comply with Windows STIG requirements.
If no DBMS accounts authenticate using passwords, this check is Not a Finding. If DBMS uses Windows Authentication only, this check is Not a Finding. From the query prompt: SELECT name FROM [master].sys.sql_logins WHERE type = 'S' AND is_expiration_checked <> '1' ORDER BY name If any names are returned, this is a Finding. NOTE: Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079.
Set SQL Server logins to check password expiration. ALTER LOGIN [user name] WITH CHECK_EXPIRATION = ON
Review the list of defined database links generated from the DBMS instance. From the query prompt: SELECT s.name AS [Local Link Server Name], SUSER_NAME(l.local_principal_id) AS [Server Principal], l.remote_name AS [Remote User Name] FROM [master].sys.servers s JOIN [master].sys.linked_logins l ON s.server_id = l.server_id WHERE l.server_id <> 0 ORDER BY l.server_id If no linked servers are listed in the DBMS instance, this check is Not a Finding. Compare this list with the list documented in the System Security Plan and authorized by the IAO. If any linked servers exist that are not authorized or not listed in the System Security Plan, this is a Finding. For each Server Principal listed, confirm in the System Security Plan that they are authorized for access to the linked server. For any linked server login mapping that specifies a NULL Server Principal, this is a Finding. If access to any linked server has been granted to an unauthorized account, this is a Finding.
Grant access to linked servers to authorized accounts or applications only. Document all linked server access authorizations in the System Security Plan and authorize with the IAO.
Check User Rights (may be assigned using group privileges): 1. Click Start 2. Select Control Panel \ Administrative Tools (Win2K) or Select Administrative Tools (Win2K3) 3. Click Local Security Policy 4. Expand Local Policies 5. Select User Rights Assignment View the Security Settings to see user rights assigned to the service account or group. For SQL Server Agent service account: If any user rights are assigned to the service account other than the following, this is a Finding: 1. Log on as a service (SeServiceLogonRight) 2. Act as part of the operating system (SeTcbPrivilege) (Win2K only) 3. Log on as a batch job (SeBatchLogonRight) 4. Replace a process-level token (SeAssignPrimaryTokenPrivilege) 5. Bypass traverse checking (SeChangeNotifyPrivilege) 6. Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) If clustering is being used, assignment of "Debug Programs" user right to the account either directly or through an assigned group may be required and is authorized. Ensure this is documented in the System Security Plan.
Create a local custom account for the SQL Server Agent service account. A domain account may be used where network resources are required. Please see SQL Server Books Online for information that is more detailed. Assign the account to the SQL Server Agent (group created at installation for SQL Server 2005) if available. Assign the SQL Server Agent account or group the user privileges as listed in the Check procedures.
From the query prompt: SELECT name FROM [master].sys.service_broker_endpoints Review the list of any endpoints returned. If no records are returned, this is Not a Finding. If any endpoints are returned and are not listed as a required and authorized XML web service endpoint in the System Security Plan, this is a Finding.
Authorize and document Service Broker endpoints in the System Security Plan. Where not authorized, drop Service Broker service endpoints. From the query prompt: DROP ENDPOINT [endpoint name]
From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'ad hoc distributed queries' If the value of Config_Value is 0, this is Not a Finding. If the value of Config_Value is 1, confirm in the System Security Plan that this option is documented, required and approved by the IAO. If it is not documented, required and approved, this is a Finding.
Authorize and document requirements for use of Ad hoc distributed queries in the System Security Plan and AIS Functional Architecture documentation. Where not authorized, disable its use. From the query prompt: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'ad hoc distributed queries', 0 RECONFIGURE
Review the default data and log directory specifications: For SQL Server 2005 Default Instance: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ MSSQLServer \ MSSQLServer \ DefaultData HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ MSSQLServer \ MSSQLServer \ DefaultLog For SQL Server 2005 Named Instance: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ MSSQL.[#] \ MSSQLServer \ DefaultData HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ MSSQL.[#] \ MSSQLServer \ DefaultLog If the DefaultData directory lists the same directory as the DefaultLog directory, this is a Finding. Review the master database file locations: From the query prompt: SELECT physical_name, type_desc FROM [master].sys.master_files ORDER BY physical_name Review each database file locations: From the query prompt: SELECT name FROM [master].sys.databases WHERE state = 0 Repeat for each database: USE [database name] SELECT physical_name, type_desc FROM sys.database_files ORDER BY physical_name If any results show more than one database using the same physical filename, this is a Finding. If any files from either the master_files or database_files show log files (*_log.ldf files) in the same directory as data files, this is a Finding. Note: Transactional log files (*.LDF) files can coexist with data files (*.MDF). A transactional log files will have a similar name or a variant name of its matching data file (ex: master.mdf vs. mastlog.ldf). Not all data files will have a corresponding transactional log file. If any databases share the same directory, verify in the System Security Plan that the databases are shared by the same application. If they are not, this is a Finding.
Create at least one dedicated disk partition to store database data and log files. Create dedicated directories to store database data files for each individual application that uses the database. Specify the dedicated database data file disk partition for the default data directory. Include this information in the System Security Plan and AIS Functional Architecture documentation.
Check User Rights (may be assigned using group privileges): 1. Click Start 2. Select Control Panel \ Administrative Tools (Win2K) or Select Administrative Tools (Win2K3) 3. Click Local Security Policy 4. Expand Local Policies 5. Select User Rights Assignment View the Security Settings to see user rights assigned to the service account or group. If any user rights are assigned to the service account other than the following, this is a Finding. If any services listed below do not exist, then do not include them in the review: 1. Analysis Server: Log on as a service 2. Report Server: Log on as a service 3. Integration Services: a. Log on as a service b. Permission to write to application event log c. Bypass traverse checking d. Create global objects e. Impersonate a client after authentication 4. Full-Text Search: Log on as a Service 5. SQL Server Browser: Log on as a Service If clustering is being used, assignment of "Debug Programs" user right to the account either directly or through an assigned group may be required and is authorized. Ensure this is documented in the System Security Plan.
Create local custom accounts for the SQL Server Analysis, Reporting, Full Text Search, and Browser service accounts. A domain account may be used where network resources are required. Please see SQL Server Books Online for information that is more detailed. Assign the service account to the SQL Server service group (created at installation for the service accounts for SQL Server 2005/2008) if available. Assign the service account or group the user privileges as listed in the Check procedures.
View the Windows group memberships assigned to the SQL Server service accounts: List of services: 1. SQL Server Database 2. SQL Server Agent 3. Analysis Services 4. Integration Services 5. Reporting Services 6. Notification Services 7. Full Text Search 8. SQL Server Browser 9. SQL Server Active Directory Helper 10. SQL Writer Group Membership: The service account and groups should be local unless the services access other domain or remote services. 1. Service-specific groups (e.g. SQLServer2005MSSQLUser$[host name]$[instance name]) 2. SQL Server services Users Groups - custom name, used to replace Users group permissions to SQL Server directories and files 3. Performance Monitor - for SQL Server Database service if Replication is in use and performance is monitored 4. Windows Users group If any services are assigned group membership to any groups other than: 1. A custom SQL Server service group 2. A custom SQL Server service users group, 3. Windows Users group this is a Finding. User rights and file permissions are reviewed under separate checks.
Remove unnecessary group membership from SQL Server service accounts. Review any group membership assignments other than the: 1. SQL Server service group 2. SQL Server service users group 3. Windows Users group For SQL Server Database service, Performance Monitor group membership if replication and monitoring are operationally required.
From the query prompt: SELECT name FROM [master].sys.databases WHERE is_trustworthy_on = 1 AND name <> 'msdb' AND state = 0 If any database names are returned, then verify in the System Security Plan that the TRUSTWORTHY database setting is documented as required and authorized. If it is not documented, required and authorized, this is a Finding.
Disable TRUSTWORTHY status on all databases (except the msdb database) if enabled and not authorized From the query prompt: ALTER DATABASE [database name] SET TRUSTWORTHY OFF Include in the System Security Plan all relevant settings for each database.
From RegEdit, view values: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Sever \ MSSQL.[#] \ SQLServerAgent \ AlertForwardingServer If the value is empty or NULL, this is Not a Finding. If the value is not NULL, verify that the use of alert forwarding is authorized in the System Security Plan. If alert forwarding is in use and not authorized and documented, this is a Finding.
Enable use of event forwarding only as part of a SQL Server automated management system design where careful consideration and the requirements for its use are carefully considered. The plan should include consideration for network or alert management server failure and subsequent loss of alert data. Include the alert management plan or a reference to it in the System Security Plan that includes the instance of SQL Server under review. Disable event forwarding where not required. From the SQL Server Management Studio GUI: 1. Expand instance 2. Right-click on SQL Server Agent 3. Select Properties 4. Select the Advanced page 5. Click on Forward events to a different server to remove the check from the check box 6. Click the OK button to save and close
From the query prompt: SELECT COUNT(name) FROM [master].sys.databases WHERE name = 'distribution' AND state = 0 If count = 0, the distribution database does not exist and this check is Not a Finding. From the query prompt: USE distribution EXEC SP_HELPROLEMEMBER 'replmonitor' View list of databases participating in replication: EXEC SP_HELPREPLICATIONDBOPTION For each replication database: USE [database name] EXEC SP_HELPROLEMEMBER 'db_owner' If any role members listed are not authorized for replication access in the System Security Plan, this is a Finding.
Revoke role membership for unauthorized accounts granted replication role memberships: USE [database name] EXEC SP_DROPROLEMEMBER '[replmonitor or db_owner]' FROM '[account name]'
Review the services and processes active on the DBMS host system. If the host system is acting as a Windows domain controller, this is a finding. If the host system is supporting any other directory or security service that does not use the DBMS to store the directory information, this is a Finding. Note: A local installation of Anti-virus or Firewall does not constitute a security service in this context.
Either move the DBMS installation to a dedicated host system or move the directory or security services to another host system. A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine if supported by the DBMS vendor.
From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. For each Analysis Services database: a. Expand the database b. Expand Roles c. For each role listed: i. Right-click on the role ii. Select Properties iii. Select the Data Sources page Review the list of data sources listed for the role against authorized roles in the System Security Plan. If access to any unauthorized data sources is assigned to the role, this is a Finding. If documentation does not exist or is insufficient to determine authorized access, this is a Finding.
Document all roles authorized to access data sources in the System Security Plan. Remove any unauthorized data sources from roles.
If Analysis Services is not deployed on the local host, this check is Not a Finding. Note: To detect deployment, view Windows Services. If SQL Server Analysis Services ([instance name]) is not listed, then Analysis Services is not installed on this host. If the System Security Plan indicates User-Defined COM Functions is required for operation, this check is Not a Finding. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Feature \ ComUdfEnabled If the value = 'true', this is a Finding. The User-Defined COM Functions value may also be viewed in the Analysis Services configuration file, msmdsrv.ini under XML tag: [ComUdfEnabled] The configuration file may be found in the [install dir] \ MSSQL.[#] \ OLAP \ Config directory.
If not documented as required and authorized by the IAO, set value for ComUdfEnabled to 'false'. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Feature \ ComUdfEnabled 5. Select value = 'false' 6. Click OK
View the list of databases participating in replication: EXEC SP_HELPREPLICATIONDBOPTION For each replication database: EXEC SP_HELPPUBLICATION If snapshot_in_defaultfolder is 1 for any records returned, the snapshot folder name is: [install dir]\[instance dir]\MSSQL\ReplData If the snapshot_in_defaultfolder is 0, then the snapshot folder name is listed in alt_snapshot_folder. View OS permissions to the snapshot folder: Review operating system permissions assigned to the snapshot folder using Windows Explorer. The following are required/authorized permissions by role: 1. Administrators/DBAs: Full Control 2. Snapshot Agents: Write access 3. Merge and Distribution agents: Read access If any permission other than those listed is assigned or are assigned to unauthorized accounts, this is a Finding. View database permissions to the snapshot folder: For each replication database: EXEC SP_HELPPUBLICATION_SNAPSHOT '[publication name]' If any permission is granted to accounts other than Administrators, DBAs, CREATOR OWNER, SYSTEM, or the snapshot agent account, merge, or distribution agents, this is a Finding. If merge and distribution agents have more than Read access to the snapshot folder, this is a Finding.
Restrict access to the replication snapshot folders: From Windows Explorer: 1. Administrators/DBAs: Full Control 2. Snapshot Agents: Write access 3. Merge, Subscription, and Distribution agents: Read access
If Analysis Services is not deployed on the local host, this check is Not a Finding. Note: To detect deployment, view Windows Services. If SQL Server Analysis Services ([instance name]) is not listed, then Analysis Services is not installed on this host. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for DataMining \ AllowAdHocOpenRowsetQueries If value = 'true', this is a Finding. The AllowAdHocOpenRowsetQueries value may also be viewed in the Analysis Services configuration file, msmdsrv.ini under XML tag: [AllowAdHocOpenRowsetQueries] The configuration file may be found in the [install dir] \ MSSQL.[#] \ OLAP \ Config directory.
Set value for AllowAdHocOpenRowsetQueries to 'false' From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for DataMining \ AllowAdHocOpenRowsetQueries 5. Select value = 'false' 6. Click OK
If Analysis Services is not deployed on the local host, this check is Not a Finding. Note: To detect deployment, view Windows Services. If SQL Server Analysis Services ([instance name]) is not listed, then Analysis Services is not installed on this host. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Security \ RequireClientAuthentication If value = 'false', this is a Finding. The RequireClientAuthentication value may also be viewed in the Analysis Services configuration file, msmdsrv.ini under XML tag: [RequireClientAuthentication] The configuration file may be found in the [install dir] \ MSSQL.[#] \ OLAP \ Config directory.
Set value for RequireClientAuthentication to 'true' From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Security \ RequireClientAuthentication 5. Select value = 'true' 6. Click OK
If Analysis Services is not deployed on the local host, this check is Not a Finding. Note: To detect deployment, view Windows Services. If SQL Server Analysis Services ([instance name]) is not listed, then Analysis Services is not installed on this host. If the System Security Plan indicates Links from Other instances is required for operation, this check is Not a Finding. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Feature \ LinkFromOtherInstanceEnabled If the value = 'true', this is a Finding. The LinkFromOtherInstanceEnabled value may also be viewed in the Analysis Services configuration file, msmdsrv.ini under XML tag: [LinkFromOtherInstanceEnabled] The configuration file may be found in the [install dir] \ MSSQL.[#] \ OLAP \ Config directory.
Set value for LinkFromOtherInstanceEnabled to 'false'. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Feature \ LinkFromOtherInstanceEnabled 5. Select value = 'false' 6. Click OK
From the SQL Server Management Studio GUI: 1. Expand Database 2. Expand Server Objects 3. Expand Linked Servers 4. Expand Providers 5. For each Provider listed: a. Right click on Provider name b. Click Properties c. View Provider options If "Disallow adhoc access" is not enabled (checked) for all Providers, this is a Finding.
Enable Disallow adhoc access for all linked servers. From the SQL Server Management Studio GUI: 1. Expand Database 2. Expand Server Objects 3. Expand Linked Servers 4. Expand Providers 5. For each Provider listed: a. Right click on Provider name b. Select Properties c. Click on the Enable check box for Name = Disallow adhoc access d. Click OK button Note: The procedure described above will disallow adhoc access for all linked servers that use the providers..
Determine if SQL Server Analysis Services is installed. View the Windows Services Snap-In. If SQL Server Analysis Services ([instance name]) is not listed, Analysis Services is not installed on this host. If SQL Server Analysis Services is not installed on the DBMS host, this check is Not a Finding. If SQL Server Analysis Services in installed on the DBMS host (regardless of whether it is actively running or not), review the msmdsrv.ini file for the SQL Server Analysis service. The value for [install dir] can be found in the Windows Registry under the parameter: HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\SqlProgramDir The msmdsrv.ini configuration file may be found in the directory: [install dir]\MSSQL.2\OLAP\Config View the contens of the msmdsrv.ini file. 1. Locate the RequiredProtectionLevel XML tag under the DataProtection tag. If the RequiredProtectionLevel tag is not listed, this is a Finding. If the RequiredProtectionLevel tag is listed and set to a value of 0 or 2, this is a Finding. If the RequiredProtectionLevel tag is listed and set to a value of 1, this part of the check is Not a Finding. 2. Locate the RequiredProtectionLevel XML tag under the AdministrativeDataProtection tag. If the RequiredProtectionLevel tag is not listed, this is a Finding. If the RequiredProtectionLevel tag is listed and set to a value of 0 or 2, this is a Finding. If the RequiredProtectionLevel tag is listed and set to a value of 1, this part of the check is Not a Finding. 3. Locate the RequiredWebProtectionLevel XML tag under the DataProtection tag. If the RequiredWebProtectionLevel tag is not listed, this is a Finding. If the RequiredWebProtectionLevel tag is listed and set to a value of 0 or 2, this is a Finding. If the RequiredWebProtectionLevel tag is listed and set to a value of 1, this part of the check is Not a Finding. 4. Locate the RequiredWebProtectionLevel XML tag under the AdministrativeDataProtection tag. If the RequiredWebProtectionLevel tag is not listed, this is a Finding. If the RequiredWebProtectionLevel tag is listed and set to a value of 0 or 2, this is a Finding. If the RequiredWebProtectionLevel tag is listed and set to a value of 1, this part of the check is Not a Finding. If any parts of this check are a Finding, this check is a Finding. NOTE: Check DM6101 now combines checks from DM6101, DM6102, DM6106 and DM6107 into this single check. Checks DM6102, DM6106 and DM6107 have been inactivated.
Modify the msmdsrv.ini to set Required Protection Levels to use encryption. Make a backup copy of the msmdsrv.ini file. Edit the msmdsrv.ini file Under the DataProtection tag, set the value for RequiredProtectionLevel to 1 OR under the DataProtection tag, create the tag RequiredProtectionLevel and set the value to 1. Under the DataProtection tag, set the value for RequiredWebProtectionLevel to 1 OR under the DataProtection tag, create the tag RequiredWebProtectionLevel and set the value to 1. Under the AdministrativeDataProtection tag, set the value for RequiredProtectionLevel to 1 OR under the AdministrativeDataProtection tag, create the tag RequiredProtectionLevel and set the value to 1. Under the AdministrativeDataProtection tag, set the value for RequiredWebProtectionLevel to 1 OR under the AdministrativeDataProtection tag, create the tag RequiredWebProtectionLevel and set the value to 1. Save and exit. Restart the SQL Server Analysis Services service for the changes to take effect. NOTE: Check DM6101 now combines fixes from DM6101, DM6102, DM6106 and DM6107 into this single fix. Checks DM6102, DM6106 and DM6107 have been inactivated.
If Analysis Services is not installed on the local host, this check is Not a Finding. Note: To detect installation, view the Windows Services snap-in. If SQL Server Analysis Services ([instance name]) is not listed, then Analysis Services is not installed on this host. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Security \ SecurityPackageList If the value is not NULL and lists packages other than those documented in the System Security Plan, this is a Finding. The SecurityPackageList value may also be viewed in the Analysis Services configuration file, msmdsrv.ini under XML tag: [SecurityPackageList] The configuration file may be found in the [install dir] \ MSSQL.[#] \ OLAP \ Config directory.
From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Security \ SecurityPackageList 5. Select value and delete all unauthorized packages from the list 6. Click OK
If Analysis Services is not deployed on the local host, this check is Not a Finding. Note: To detect deployment, view Windows Services. If SQL Server Analysis Services ([instance name]) is not listed, then Analysis Services is not installed on this host. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. Select the Security page 5. View member names assigned to the server role If any assigned members are not included as authorized in the System Security Plan, this is a Finding.
Remove unauthorized members from the Analysis Service instance. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. Select the Security page 5. Select any unauthorized user to remove 6. Click the Remove button 7. Click OK
If Analysis Services is not deployed on the local host, this check is Not a Finding. Note: To detect deployment, view Windows Services. If SQL Server Analysis Services ([instance name]) is not listed, then Analysis Services is not installed on this host. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Expand Databases 4. Repeat for each database: a. Click on each database role b. View the member list If any members are assigned database roles that are not documented in the System Security Plan, this is a Finding.
Authorize and document all Analysis Services database role assignments in the System Security Plan. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Expand the Analysis Services instance 3. Expand Databases 4. Repeat for each database: a. Click on each database role b. Open the member list c. Select any unauthorized users d. Click the Remove button e. Click OK
From the query prompt: SELECT p.name, sp.subsystem FROM [msdb].dbo.sysproxies p, [msdb].dbo.sysproxysubsystem s, [msdb].dbo.syssubsystems sp WHERE p.proxy_id = s.proxy_id AND s.subsystem_id = sp.subsystem_id ORDER BY p.name, sp.subsystem Review the list of subsystem assignments to proxies against the authorized list in the System Security Plan document. If unauthorized subsystems are assigned to any proxy or is not documented, this is a Finding.
Define and document in the System Security Plan the minimum subsystem assignments required by individual proxies. Assign to each proxy only those subsystems required to complete the SQL Server Agent job.
From the query prompt: SELECT c.name AS [Credential], c.credential_identity AS [Identity], p.name AS [Proxy], b.subsystem AS [Subsystem] FROM [master].sys.credentials c JOIN [msdb].dbo.sysproxies p ON c.credential_id = p.credential_id JOIN [msdb].dbo.sysproxysubsystem s ON s.proxy_id = p.proxy_id JOIN [msdb].dbo.syssubsystems b ON s.subsystem_id = b.subsystem_id JOIN (SELECT w.credential_identity FROM [master].sys.credentials w JOIN [msdb].dbo.sysproxies x ON w.credential_id = x.credential_id JOIN [msdb].dbo.sysproxysubsystem y ON x.proxy_id = y.proxy_id WHERE (y.subsystem_id < 4 OR y.subsystem_id > 8) GROUP BY w.credential_identity HAVING COUNT(*) > 1) d ON c.credential_identity = d.credential_identity WHERE (s.subsystem_id < 4 OR s.subsystem_id > 8) ORDER BY c.name, p.name, b.subsystem Review the list of proxies and assigned logins. If any Identity/Login names are listed more than once, this is a Finding.
Create Windows accounts for each proxy defined. Assign only the file permissions, subsystem access and other privileges required to run the SQL Server Agent job. Document proxy accounts in the System Security Plan and authorize with the IAO.
From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'web assistant procedures' If the value of Config_Value is 1, confirm in the System Security Plan and AIS Functional Architecture documentation that Web Assistant procedures are required and approved by the IAO. If it is not documented, required and approved, this is a Finding.
Authorize and document requirements for use of Web Assistant Procedures in the System Security Plan and AIS Functional Architecture documentation. Where not authorized, disable use of Web Assistant Procedures. From the query prompt: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'Web Assistant procedures', 0 RECONFIGURE
If Reporting Services is not installed, this check is Not a Finding. Note: To detect installation, view Windows Services. If SQL Server Reporting Services ([instance name]) is not listed, then Reporting Services is not installed on this host. From Surface Area Configuration for Features: 1. Connect to the Report Services instance 2. Expand the instance 3. Expand Report Services 4. Select Web Service Requests and HTTP Access If checked, verify that Web Service requests are HTTP access are required and the requirement is documented in the System Security Plan. If it is not, this is a Finding.
Document requirements for enabling Report Services access via web services and HTTP. If not required, disable Web Service Requests and HTTP access. From Surface Area Configuration for Features: 1. Connect to the Report Services instance 2. Expand the instance 3. Expand Report Services 4. Select Web Service Requests and HTTP Access 5. Click on Enable Web Service Requests and HTTP access to clear the check box 6. Click OK
From the query prompt: SELECT CAST(value AS INT) AS [Config Value] FROM [master].sys.configurations WHERE name = 'cross db ownership chaining' If the value of Config Value is 0, this is Not a Finding. If the value of Config Value is 1, confirm in the System Security Plan that this option is documented, required and approved by the IAO. If it is not documented, required and approved, this is a Finding. To check assignment per individual database. From the query prompt: SELECT name AS [Database Name] FROM [master].sys.databases WHERE is_db_chaining_on = 1 AND name NOT IN ('master', 'tempdb', 'msdb') AND state = 0 If any database names are listed, are not documented in the System Security Plan and not authorized by the IAO, this is a Finding.
Document requirements for use of cross db ownership chaining in the System Security Plan and AIS Functional Architecture documentation and authorize with the IAO. Where not authorized, disable its use. From the query prompt: EXEC SP_CONFIGURE 'cross db ownership chaining', 0 RECONFIGURE NOTE: If you have databases that require cross-database ownership chaining, the recommended practice is to turn off the cross db ownership chaining option for the instance using sp_configure; then turn on cross-database ownership chaining for individual databases that require it using the ALTER DATABASE statement.
From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'clr enabled' If the value of Config_Value is 0, this is Not a Finding. If the value of Config_Value is 1, confirm in the System Security Plan that access to CLR applications is required. If it is not, this is a Finding.
Where CLR object use is part of the designed and approved use of the SQL Server database, document the requirement in the System Security Plan. Where CLR object use is not required, disable its use. From the query prompt: EXEC SP_CONFIGURE 'clr_enabled', 0 RECONFIGURE
If Reporting Services is not installed, this check is Not a Finding. Note: To detect installation, view Windows Services. If SQL Server Reporting Services ([instance name]) is not listed, then Reporting Services is not installed on this host. From Surface Area Configuration for Features: 1. Connect to the Report Services instance 2. Expand the instance 3. Expand Report Services 4. Select Windows Integrated Security If checked, this is a Finding.
Disable Windows Integrated Security. From Surface Area Configuration for Features: 1. Connect to the Report Services instance 2. Expand the instance 3. Expand Report Services 4. Select Windows Integrated Security 5. Click on Windows Integrated Security to clear the check box 6. Click OK
If Analysis Services is not deployed on the local host, this check is Not a Finding. Note: To detect deployment, view Windows Services. If SQL Server Analysis Services ([instance name]) is not listed, then Analysis Services is not installed on this host. If the System Security Plan indicates Links to Other instances is required for operation, this check is Not a Finding. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Feature \ LinkToOtherInstanceEnabled If the value = 'true', this is a Finding. The LinkToOtherInstanceEnabled value may also be viewed in the Analysis Services configuration file, msmdsrv.ini under XML tag: [LinkToOtherInstanceEnabled] The configuration file may be found in the [install dir] \ MSSQL.[#] \ OLAP \ Config directory.
Set value for LinkToOtherInstanceEnabled to 'false'. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Feature \ LinkToOtherInstanceEnabled 5. Select value = 'false' 6. Click OK
If Reporting Services is not installed, this check is Not a Finding. Note: To detect installation, view Windows Services. If SQL Server Reporting Services ([instance name]) is not listed, then Reporting Services is not installed on this host. From Surface Area Configuration for Features: 1. Connect to the Report Services instance 2. Expand the instance 3. Expand Report Services 4. Select Scheduled events and report delivery If checked, verify that Scheduled events and report delivery is required and the requirement is documented in the System Security Plan. If it is not, this is a Finding.
Document requirements for enabling 'Report Services Scheduled events and report delivery'. If not required, disable Scheduled events and report delivery. From Surface Area Configuration for Features: 1. Connect to the Report Services instance 2. Expand the instance 3. Expand Report Services 4. Select Scheduled events and report delivery 5. Click on the Scheduled events and report delivery to clear the check box 6. Click OK
From the query prompt: SELECT name FROM [master].sys.http_endpoints WHERE (is_integrated_auth_enabled = 0 AND is_kerberos_auth_enabled = 0 AND is_ntlm_auth_enabled = 0) AND state = 0 ORDER BY name Review the list of any endpoints returned. If no records are returned, this is Not a Finding. If any endpoints are returned and not listed as a required and authorized XML web service endpoint in the System Security Plan and AIS Functional Architecture documentation, this is a Finding. If listed endpoints are: 1. Not using integrated authentication (is_integrated_auth_enabled = 0) 2. Not using Kerberos authentication (is_kerberos_auth_enabled = 0) and 3. Not using NT LAN Manager (NTLM) authentication (is_ntlm_auth_enabled = 0) 4. Are STARTED, listening and processing requests (state = 0) this is a Finding. If listed endpoints are required to use SSL (is_ssl_port_enabled = 1 and is_clear_port_enabled = 0) and are not, this is a Finding. If listed endpoints are enabled to use anonymous access (is_anonymous_enabled = 1) and is not documented and authorized, this is a Finding.
Authorized and document XML web service endpoints in the System Security Plan and AIS Functional Architecture documentation. Where not authorized, drop XML web service endpoints. From the query prompt: DROP ENDPOINT [endpoint name] Where documented and authorized, set each endpoint to use the appropriate authentication protocol, SSL if required and disable anonymous access if not authorized. If a clear port is also required and authorized, ensure the value for clear_port is set to a known value (i.e. HTTP port 80 or other IAO authorized port value).
From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'agent xps' If the value of Config_Value is 1, confirm in the System Security Plan that this option is documented, required and approved by the IAO. If it is not documented, required and approved, this is a Finding. Note: If you are using SQL Server Management Studio to administer the SQL Server DBMS, document, approve and enable this option in the System Security Plan.
Authorize and document requirements for use of the Agent XPs option in the System Security Plan and AIS Functional Architecture documentation. Where not required and authorized, disable its use. From the query prompt: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'Agent XPs', 0 RECONFIGURE
From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'smo and dmo xps' If the value of Config_Value is 1, confirm in the System Security Plan and AIS Functional Architecture documentation that this option is documented and is required and approved by the IAO. If it is not documented, required and approved, this is a Finding. Note: If you are using SQL Server Management Studio to administer the SQL Server DBMS, document, approve and enable this option in the System Security Plan.
Authorize and document requirements for use of the SMO and DMO XPs option in the System Security Plan and AIS Functional Architecture documentation. Where not required and authorized, disable its use. From the query prompt: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'SMO and DMO XPs', 0 RECONFIGURE
SQL Server program files are installed in two places: 1. A subdirectory of Program Files directory named Microsoft SQL Server ( specified here as [PFdir]) 2. The directory created for the specific instance (specified here as [InstDir]). This directory is specified in the registry for database engine instances under: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ Instance Names \ SQL Instances for Reporting Services and Analysis Services are listed under the registry keys: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ Instance Names \ RS HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ Instance Names \ OLAP File permissions may be reviewed individually using Windows explorer by navigating to the directory specified and viewing the Security properties. There are also tools available that are designed to streamline review of file permissions. Verify that the permissions are equal to or more restrictive than listed below: The following groups may have Full Control assigned to any or all directories or files: 1. Administrators (builtin group) 2. DBAs (custom group) 3. CREATOR OWNER (builtin) 4. SYSTEM (builtin) 5. SQL Server Service Account If permission assignments are less restrictive than listed, this is a Finding. If permission assignments are granted to the Builtin USERS group, this is a Finding. Retain the SQL Server specific groups installed by Microsoft, any file permissions assigned to them and document in the System Security Plan.
Restrict access to SQL Server files and directories as directed in the check.
Review the list of databases defined for the instance: From the query prompt: SELECT name FROM [master].sys.databases WHERE name IN ('Northwind', 'Pubs', 'AdventureWorks', 'AdventureWorksDW', 'AdventureWorksAS', 'DataEncryptDemo') If any results are displayed, this is a Finding.
Drop sample or demonstration databases from production instances. Verify that no production objects have been stored in demonstration or sample databases prior to dropping. DROP DATABASE [database name]
Review the DBMS documentation to determine where cryptography may be used and/or configured. If DBMS data/network encryption is not required, this check is Not a Finding. The following product versions and editions are FIPS 140-2 certified: SQL Server 2005 SP1, SP2 & SP3 Standard, Enterprise & Developer Editions (KB 920995) SQL Server 2008 RTM & SP1 Standard, Enterprise & Developer Editions (KB 955720) Review DBMS network communication encryption options, data object encryption (both tables and application code objects), and encryption key management. Where cryptography is employed and configured by the database, review the configuration settings to see if they use: 1. Compliant algorithms (AES (128, 192 or 256), Triple DES or TDEA (3 distinct 56-bit keys), Skipjack) 2. Compliant hash functions (SHA-1, SHA-224, SHA-256, SHA-384 and SHA-5122) 3) validated cryptographic modules (whether native to the database or not) 3. Validated cryptographic modules (whether native to the DBMS or not) Detailed information on the FIPS 140-2 standard is available at the following website: http://csrc.nist.gov/groups/STM/index.html From the query prompt: SELECT name FROM [master].sys.databases WHERE state = 0 Repeat for each database: From the query prompt: USE [database name] SELECT name, algorithm_desc FROM sys.symmetric_keys WHERE key_algorithm NOT IN ('D3','A1','A2','A3') ORDER BY name, algorithm_desc If any records are returned, this is a Finding.
Upgrade to a FIPS 140-2 certified SQL Server version if encryption is required by the Information Owner. Configure cryptographic functions to use FIPS 140-2 compliant algorithms and hashing functions. If the DBMS does not employ validated cryptographic modules, consider obtaining and using a third-party FIPS 140-2 validated solution. Note: FIPS 140-2 compliance or non-compliance for the host and network is outside the purview of the Database STIG/Checklist. FIPS 140-2 non-compliance at the host/network level does not negate this requirement. Configure symmetric keys to use approved encryption algorithms. Existing keys are not re-configurable to use different algorithms. This may only be specified at key creation time: CREATE SYMMETRIC KEY [key name] WITH ALGORITHM = AES_256 ENCRYPTION BY [certificate or asymmetric key] Other approved algorithms that may be specified are TRIPLE_DES, AES_128 and AES_192. The symmetric key must specify a certificate or asymmetric for encryption. The certificate may be the code-signing certificate used by the application.
Review procedures for and evidence of monitoring the audit log to detect access by unauthorized applications in the System Security Plan. If procedures or implementation evidence do not exist, this is a Finding. If alerts are not generated automatically, manual reviews should occur weekly or more frequently. If manual reviews are required and implementation evidence does not exist, this is a Finding.
Develop, document and implement procedures for monitoring application access to the database to detect access meant to bypass security controls. Where alerts are not implemented or available, establish weekly or more frequent review of queue activity.
If no DBMS accounts authenticate using passwords, this check is Not a Finding. If DBMS uses Windows Authentication only, this check is Not a Finding. If the DBMS supports this functionality, review the settings and function logic or have the DBA demonstrate a password change to ensure that the function does not allow user changes to database passwords to occur more than once within a 24-hour period. If the review or demonstration reveals that database passwords can be changed by users more than once within a 24-hour period, this is a Finding. NOTE: Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079.
Develop, configure and test a password verify feature or function that authenticates passwords on change to ensure that changes to database passwords do not occur more than once within a 24-hour period where supported by the DBMS.
Review DBMS account names against the list of authorized DBMS accounts in the System Security Plan. If any accounts indicate use by mulitiple persons that are not mapped to a specific person, this is a Finding. If any applications or processes share an account that could be assigned an individual account or are not specified as requiring a shared account, this is a Finding. Note: Privileged installation accounts may be required to be accessed by DBA or other administrators for system maintenance. In these cases, each use of the account must be logged in some manner to assign accountability for any actions taken during the use of the account.
Create individual accounts for each user, application, or other process that requires a database connection. Document any accounts that are shared where separation is not supported by the application or for maintenance support. Design, develop and implement a method to log use of any account to which more than one person has access. Restrict interactive access to shared accounts to the fewest persons possible.
Determine the SQL Server Edition: From the query prompt: SELECT CONVERT(INT, SERVERPROPERTY('EngineEdition')) If value returned is 1 (Personal or Desktop Edition), 2 (Standard Edition) or 4 (Express Edition), this check is Not Applicable. From the query prompt: SELECT CAST(value AS INT) FROM [master].sys.configurations WHERE name = 'common criteria compliance enabled' If the value = 0, confirm in the System Security Plan that common criteria compliance is documented as not required by the IAO. If it is not documented or is required and approved, this is a Finding.
Authorize and document requirements for use of the common criteria compliance option in the System Security Plan and AIS Functional Architecture documentation. Where authorized, enable its use. From the query prompt: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'common criteria compliance enabled', 1 RECONFIGURE
Review DBA account role assignments and compare them to those listed in the System Security Plan with the IAO. If system/database roles assigned to DBAs are not listed as required assignments in the System Security Plan, this is a Finding.
Document DBA job functions and minimum role privileges required to perform the DBA job function in the System Security Plan. Assign DBA accounts role privileges as documented and authorized in the System Security Plan. Revoke role privileges from DBA accounts where not documented and approved in the System Security Plan.
If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is Not a Finding. If the DBMS does not provide the capability to mark or label sensitive data within the DBMS, this check is Not a Finding. Review the DBMS configuration for marking and labeling of sensitive data. If sensitive data is not marked and labeled in accordance with the System Security Plan, this is a Finding. http://www.microsoft.com/technet/prodtechnol/sql/2005/multisec.mspx
Employ DBMS capabilities to mark or label sensitive data stored within the DBMS where supported. Document the appropriate markings of sensitive data in the System Security Plan.
Review the database for definitions of application objects stored externally to the database. Determine if there are methods to disable use or access or to remove definitions for external data objects. If there are ways to prevent access to the external application data objects or the requirement for their access is not documented in the AIS functional architecture, this is a Finding.
Include any external application data objects defined in the database that is required for authorized application use in the AIS functional architecture documentation. Disable use of or remove any external application data object definitions that are not authorized.
From the query prompt: SELECT o.name AS [External Procedure Name] FROM master.sys.all_objects o LEFT JOIN master.sys.database_permissions p ON p.major_id = o.object_id LEFT JOIN master.sys.database_principals u ON p.grantee_principal_id = u.principal_id WHERE o.type = 'X' AND u.name IS NULL ORDER BY o.name Review the list of extended stored procedures returned. Verify that any extended stored procedures listed are documented in the System Security Plan as required for current or future operation and authorized by the IAO. If any extended stored procedures listed are not documented and authorized, this is a Finding.
Document extended stored procedures in the System Security Plan and authorize with the IAO. Restrict access of extended stored procedures to SYSADMINs and application owner accounts where authorized for use. Note: Use of some extended stored procedures is required for common use and removal may affect SQL Server operations. The requirement differs based on SQL Server usage. To determine required extended stored procedures for a specific SQL Server installation, enable auditing on execute of the procedures. Review the audit data after a sufficient period to capture all operational usage, and then restrict access to unused extended stored procedures. If no operational issues arise after a sufficient time (you should double the period used before), remove the unused extended stored procedures where supported by the DBMS vendor. By default, the public role is granted execute access to many system-supplied extended stored procedures. It is recommended these execute privileges to extended stored procedures (the ones being retained for system use) be transferred from the public role and re-assigned to a custom all-user group. Redesign applications to use CLR integration.
From the query prompt: USE master EXEC SP_GET_DISTRIBUTOR If the value of installed is 0, and a review of the System Security Plan confirms the use of replication is not required and not allowed, this check is Not a Finding. If the value of installed is 1, and a review of the System Security Plan confirms the use of replication is required and allowed, this is Not a Finding. If it is not required or not allowed, this is a Finding. The following steps determine if the security of the configured Replication follows best practices: From the query prompt: EXEC SP_HELPREPLICATIONDBOPTION 1. Ensure replication data is encrypted in transit Review documentation and evidence of configuration for encrypted connections between remote databases participating in replication where transmissions cross untrusted (support connections that do not have a need-to-know access requirement to the data being replicated) networks. 2. Confirm replication agents use dedicated accounts This is covered individually under check DM6065 and is not included in Finding status here. To view replication agent accounts: USE msdb SELECT p.name 'Proxy Name', c.credential_identity FROM sys.credentials c, sysproxies p, sysproxysubsystem s WHERE c.credential_id = p.proxy_id AND s.proxy_id = p.proxy_id AND s.subsysstem_id > 3 AND s.subsystem_id < 9 3. Confirm Replication Agent accounts are assigned minimum privileges For each database, review assigned roles/permissions for each agent account: USE [database name] For each agent account listed under #2 above: EXEC SP_HELPUSER '[user name]' If any GroupName other than db_owner is listed in any database, this is a Finding. If any GroupName is listed in any database other than replication databases, this is a Finding EXEC SP_HELPROTECT '[user name]' If any permission is listed, this is a Finding. Perform once: EXEC SP_HELPSRVROLEMEMBER If any replication agent accounts are listed, this is a Finding. 4. Confirm only authorized Merge and Distribution Agent accounts are listed in the Publication Access List (PAL) For each replication database: EXEC SP_HELPPUBLICATION For each publication listed: EXEC SP_HELP_PUBLICATION_ACCESS '[publication name]' If any accounts are listed under publications that are not SYSADMINs, replication merge (category REPL-Merge) or replication distributor (category REPL-Distribution) agent accounts, this is a Finding. 5. Confirm minimum permissions are assigned to any local snapshot folders Results for this security check are recorded individually under DM6075. 6. (cont from 5) Confirm snapshot Agent accounts are granted only write permissions to the snapshot folder If the snapshot agent account has more than write access to the snapshot folder, this is a Finding. 7. Verify network shares are used for snapshot folders accessed by pull subscriptions If the server does not have a Publisher database, this check is Not a Finding. For each publisher database: USE [database name] EXEC SP_HELPSUBSCRIPTION If any subscribers listed indicate a remote database (a database on a different server), then confirm the snapshot folder is defined as a network share. If it is not, this is a Finding. Note: See folder information for the publication listed for the subscriber under the SP_HELPPUBLICATION results. Windows shares are indicated with a share icon and are indicated as shared in the directory properties \ share tab. 8. Verify Agent accounts use Windows authentication See Agent accounts returned from #2 above If any accounts listed are not Windows accounts (display [domain or computername]\[account name]), this is a Finding.
Disable replication if replication is not required. From the SQL Server Management Studio GUI: 1. Expand SQL Server 2. Right-click on Replication 3. Click Disable Publishing and Distribution 4. Complete the steps presented Secure replication if required, authorized and documented. 1. Create and use dedicated Windows-authenticated database accounts for Replication Agent use 2. Assign minimum database and file permissions to the Replication Agent accounts 3. Add only authorized Replication Merge and Distribution Agent accounts (and SYSADMIN accounts) to the PAL 4. Use network shared for snapshot folders access by pull subscriptions Document replication in the System Security Plan, AIS Functional Architecture documentation and authorize with the IAO regardless of requirement.
View the Security Settings of the SQL Server service account to see user rights assigned to the service account or group. To view assigned user rights (may be assigned using group privileges): 1. Click Start 2. Select Control Panel \ Administrative Tools (Win2K) or Select Administrative Tools (Win2K3) 3. Click Local Security Policy 4. Expand Local Policies 5. Select User Rights Assignment For SQL Server Service account: If any user rights are assigned to the service account other than the following, this is a Finding: 1. Log on as a service (SeServiceLogonRight) 2. Act as part of the operating system (SeTcbPrivilege) (Win2K only) 3. Log on as a batch job (SeBatchLogonRight) 4. Replace a process-level token (SeAssignPrimaryTokenPrivilege) 5. Bypass traverse checking (SeChangeNotifyPrivilege) 6. Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) The following user rights are applicable for SQL Server 2005 only: 1. Permission to start SQL Server Active Directory Helper 2. Permission to Start SQL Write
Create a local custom account for the SQL Server service accounts. A domain account may be used where network resources are required. Please see SQL Server Books Online for detailed information. Assign the account to the SQL Server group (created at installation for SQL Server 2005) if available. Assign the SQL Server account or group the user privileges as listed in the Check procedures.
Review the SQL Server database names on the DBMS host: Go to Start / Administrative Tools / Services View service names that begin with "SQL Server". The database name is in parenthesis (NAME). If database names as listed do not clearly identify the use of the database or clearly differentiate individual databases, this is a Finding. An example of database naming that meets the requirement: prdinv01 (Production Inventory Database #1) dvsales02 (Development Sales Database #2) msfindb1 (Microsoft Financials Database #1) Examples of instance naming that do not meet the requirement: database1, MyDatabase, SQL7 Interview the DBA to get an understanding of the naming scheme used to determine if the names are clear differentiations.
Follow instructions for renaming a database instance: Review the sp_dropserver and sp_addserver procedures Set the value so that it does not identify the SQL Server version and clearly identifies its purpose.
Review DBMS recovery procedures or technical system features to determine if mechanisms exist and are in place to specify use of trusted files during DBMS recovery. If recovery procedures do not exist or are not sufficient to ensure recovery is done in a secure and verifiable manner, this is a Finding. If system features exist and are not employed or not employed sufficiently, this is a Finding. If circumstances that can inhibit a trusted recovery are not documented and appropriate mitigating procedures have not been put in place, this is a Finding.
Develop, document and implement DBMS recovery procedures and employ technical system features where supported by the DBMS to specify trusted files during DBMS recovery. Ensure circumstances that can inhibit a trusted recovery are documented and appropriate mitigating procedures have been put in place.
View SYSADMIN group membership: From the query prompt: SELECT p.name FROM [master].sys.server_principals p, [master].sys.server_role_members m WHERE p.principal_id = m.member_principal_id AND m.member_principal_id <> 1 AND m.role_principal_id = 3 ORDER BY p.name Verify with the DBA that all users listed under System Administrators are authorized DBAs and authorized to manage the database system audit configuration. Authorized application object owner accounts are Not a Finding unless they are not disabled (DG0004). If any authorized application object owner accounts are enabled, this is a Finding (for DG0116). If this is a production environment, verify with the DBA that none of the users listed under the SYSADMIN fixed server role are application administrators. If the BUILTIN/Administrators group is listed as a member of the SYSADMIN fixed server role, this is a Finding. Note: Removing BUILTIN/Administrators without creating an appropriate group to administer SQL Server will result in a ‘lock out’ condition within SQL Server. Ensure the proper steps have been taken to create a new group that is added to SYSADMIN fixed server role before removing BUILTIN/Administrators. Also, ensure the SA password is known before making this change.
Document IAO-authorized privileged role assignments in the System Security Plan. Remove assignments where not authorized. If BUILTIN\Administrators is part of the SYSADMIN fixed server role, create a custom group for SYSADMIN functions, add authorized users to the custom group, add the group to the SYSADMIN fixed server role, remove BUILTIN\Administrators from the role. If other unauthorized users exist, remove them from the role. To remove BUILTIN\Administrators from the SYSADMIN fixed server role: 1. Create a custom group for SYSADMIN functions 2. Add authorized users to the custom group 3. Add the group to the SYSADMIN fixed server role 4. Remove BUILTIN\Administrators from the role
Review administrative accounts for direct privilege assignment. If any administrative privileges have been assigned directly to a database account, this is a Finding.
Create roles for administrative function assignments. Assign the necessary privileges for the administrative function to a role. Assign administrative roles to authorized administrative users. Document administrative job functions, roles, and required permissions in the System Security Plan. Maintain evidence of administrative role authorizations.
Review privileges assigned to application roles in the database. If any privileges other than SELECT, INSERT, UPDATE, DELETE or EXECUTE are assigned to application roles, this is a Finding.
Revoke administrative privileges from application roles. Do not allow Database Definition Language (DDL) or other administrative privileges for operation of the application, for example, do not create and drop database objects for temporary storage of data. Consider, instead, the storage of temporary data in static database tables.
Review access controls on system tables. Review access to configuration data stored in the database. If any users not assigned DBA privileges are assigned access to the underlying tables, this is a Finding.
Revoke access to system tables to non-DBA users. Where use of system data is required by non-DBA users, provide controlled access for authorized functions via views, procedures, or other use of controlled objects.
Review accounts assigned fixed server roles and fixed database roles with the DBA/IAO and as documented in the System Security Plan. Review other database or application roles assigned to the accounts assigned fixed roles as documented in the System Security Plan. If any accounts assigned fixed roles are also assigned application roles or other application object privilege roles or own application objects used for other than DBA functions, this is a Finding.
Create separate accounts for administration activities. Develop, document and implement policy and procedures that require separate, unprivileged or less-privileged accounts for development, testing and application users.
If no DBMS accounts authenticate using passwords, this check is Not a Finding. If DBMS uses Windows Authentication only, this check is Not a Finding. Review methods for protecting accounts from assignment of easily guessed passwords. If methods do not include at least one of the following or a viable alternate means to prevent use of easily guessed passwords, this is a Finding. 1. Password cracker run frequently to report easily guessed passwords 2. Automated routine to check passwords against password dictionaries at password assignment time 3. User training and understanding of the risk of easily guessed passwords 4. Using Windows Authentication for database accounts NOTE: Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079.
Employ preventative means, user training and/or password cracking routines to discover and prevent easily guessed passwords in the database.
From the query prompt: SELECT name AS [User], type_desc AS [Type], create_date AS [Create Date] FROM [master].sys.sql_logins WHERE PWDCOMPARE ('', password_hash) = 1 If any user accounts are listed, this is a Finding. NOTE: Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079.
Assign a password to accounts that meet DoD complexity requirements. From the query prompt: USE master ALTER LOGIN [name] WITH PASSWORD = '[new password]' Replace [new password] with a password and [name] with the account name. Use the SQL Server Enterprise Manager GUI to change the assigned password of any SQL Server–related service. Each service must be changed individually.
SQL Server natively encrypts passwords in transit when using SQL Server connection protocols and products (i.e. SQL Server Client). Where other connection products and protocols are used, review configuration options for encrypting passwords during login events across the network. If passwords are not encrypted, this is a Finding. Where only SQL Server connection protocols and products are used and password encryption is not purposely disabled and enabled where applicable, this is Not a Finding. If determined that passwords are passed unencrypted at any point along the transmission path between the source and destination, this is a Finding.
Utilize SQL Server connection protocols and products (i.e. SQL Server Client) where possible. Where other connection products and protocols are used, ensure configuration options for encrypting passwords during login events across the network are used. If the database does not provide encryption for login events natively, employ encryption at the OS or network level. Ensure passwords remain encrypted from source to destination.
Ask the DBA to review application source code that is required by Check DG0091 to be encoded or encrypted for database accounts used by applications or batch jobs to access the database. Ask the DBA to review source batch job code prior to compiling, encoding or encrypting for database accounts used by applications or the batch jobs themselves to access the database. Ask the DBA and/or IAO to determine if the compiled, encoded or encrypted application source code or batch jobs contain passwords used for authentication to the database. If none of the identified compiled, encoded or encrypted application source code or batch job code contain passwords used for authentication, this check is Not a Finding. If any of the identified compiled, encoded or encrypted application source code or batch job code do contain passwords used for authentication to the database, this is a Finding. NOTE: This check only applies to application source code or batch job code that is compiled, encoded or encrypted in a production environment. Application source code or batch job code that is not compiled, encoded or encrypted would fall under Check DG0067 for determination of compliance.
Design DBMS application code and batch job code that is compiled, encoded or encrypted to NOT contain passwords. Consider alternatives to using password authentication for compiled, encoded or encrypted batch jobs and DBMS application code.
From the query prompt: SELECT name FROM [master].sys.sql_logins WHERE name = 'sa' If the value returned for Name is 'sa', this is a Finding.
From the query prompt: ALTER LOGIN sa WITH NAME = '[new sa name]' Replace [new sa name] with a custom-supplied name.
If the DBMS does not provide a method or means for configuration of account lock times, this check is Not a Finding. Review the account lock time configuration setting. If the lock time is not set to unlimited or is set to allow the DBMS to unlock the account after a pre-determined amount of time, this is a Finding. For DBMS accounts using Windows Authentication: 1. Launch the Group Policy Editor on the DBMS Server 2. Under Computer Configuration: a. Expand Windows Settings b. Expand Security Settings c. Expand Account Policies d. Select Account Lockout Policy 3. Review Account Lockout Duration, Account Lockout Threshold and Reset Account Lockout Counter After policies If Account Lockout Duration is not set or set to a value greater than 0, this is a Finding. If Account Lockout Threshold is not set or set to a value greater than 3, this is a Finding. If Reset Account Lockout Counter After is not set to its maximum value (For Windows 2003, this is 99999), this is a Finding. NOTE: Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079.
Configure the database to maintain an account lock time until the account is manually unlocked by an authorized account administrator. For DBMS accounts using Windows Authentication: 1. Launch the Group Policy Editor on the DBMS Server 2. Under Computer Configuration: a. Expand Windows Settings b. Expand Security Settings c. Expand Account Policies d. Select Account Lockout Policy 3. Set "Account Lockout Threshold" = 3 4. Set or Reset "Account Lockout Duration" = 0 5. Set or Reset "Reset Account Lockout Counter After" = 99999 (about 69 days, which is max for this policy setting) 6. Close Group Policy Editor Document these settings in the System Security Plan.
Note: Checks DG0029, DG0145, DM0510 and DM5267 cover auditing of data within SQL Server and should not be included in this check. Determine locations of DBMS audit, configuration, credential and other security data using the registry keys provided below: Audit Trace = HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\DefaultData Log = C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\LogFiles HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\CPE\ErrorDumpDir HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\CPE\ErrorDumpDir HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.3\CPE\ErrorDumpDir HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\DefaultLog HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\SQLServerAgent\ErrorLogFile Config = C:\Program Files\Microsoft SQL Server\90\Shared\ASConfig HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\{INSTANCE NAME}\Setup\SQLPath HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\BackupDirectory HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\FullTextDefaultPath HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Replication\WorkingDirectory HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\SQLBinRoot HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\SQLDataRoot HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\SQLPath HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\SQLProgramDir HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\SQLServerAgent\WorkingDirectory HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\Setup\DataDir HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\Setup\SQLBinRoot HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\Setup\SQLPath HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\Setup\SQLProgramDir Review audit settings for these directories, files or data objects. If the security data is not audited for access, consider the operational impact and appropriateness for access that is not audited. If the risk for incomplete auditing of the security files is reasonable and documented in the System Security Plan, do not include this as a Finding.
Enable auditing for access to any security data where supported by the OS. If audit for access results in an unacceptable adverse impact on application operation, scale back the audit to a reasonable and acceptable level. Document any incomplete audit with acceptance of the risk of incomplete audit in the System Security Plan. Auditing for Access via OS should include, at a minimum, the User ID, date and time of the event and the event type per Check DG0145.
From the query prompt: EXEC XP_LOGINCONFIG 'audit level' If the config_value returned is not 'All' or 'Failure', this is a finding.
Enable Auditing level. From the SQL Server Management Studio GUI: 1. Navigate to the SQL Server instance name 2. Right-click on it 3. Select Properties 4. Select Security tab or page 5. Review Login Auditing selection 6. Select "Failed logins only" or "Both failed and successful logins" from the Login Auditing section 7. Apply changes 8. Exit the SQL Server Management Studio GUI
From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'default trace enabled' If the value of Config_Value is 0, this is Not a Finding. If the value of Config_Value is 1, confirm in the System Security Plan and AIS Functional Architecture documentation that this option is documented as required and approved by the IAO. If it is not documented and is required and approved, this is a Finding.
Authorize and document requirements for use of the default trace option in the System Security Plan and AIS Functional Architecture documentation. Where not authorized, disable its use. From the query prompt: EXEC SP_CONFIGURE 'show advanced options', 1 EXEC SP_CONFIGURE 'default trace enabled', 0 RECONFIGURE
If C2 Auditing is enabled (See Check DM0510: C2 audit mode), this check is Not a Finding. Determine the SQL Server Edition: From the query prompt: SELECT CONVERT(INT, SERVERPROPERTY('EngineEdition')) If value returned is 1 (Personal or Desktop Edition) or 4 (Express Edition), if auditing is not enabled or not configured completely to requirements, review the System Security Plan. If this is properly explained in the System Security Plan, this is Not a Finding. If this is not documented or documented poorly in the System Security Plan, this is a Finding. If value returned is 2 (Standard Edition) or 3 (Enterprise/Developer Edition), findings in all steps apply. Note: Complete all checks to determine final Finding results. 1. Check to see that all required events are being audited From the query prompt: SELECT DISTINCT traceid FROM ::FN_TRACE_GETINFO('0') All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a Finding. 2. For each traceid listed, replacing # with a traceid From the query prompt: SELECT DISTINCT(eventid) FROM ::FN_TRACE_GETEVENTINFO('#') The required eventid’s 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177 and 178 should be listed. If any of the audit events or eventid’s required above are not listed, this is a Finding. 3. Check to see that auditing is set to shutdown the database system if auditing fails (For each traceid listed, replacing # with a traceid) From the query prompt: SELECT CAST(value AS INT) FROM ::FN_TRACE_GETINFO('#') WHERE property = 1 AND value > 4 If value returned is not greater than 4 for any traceid, this is a Finding.
Create and start an audit trace that audits required events. CREATE PROCEDURE fso_audit AS -- Create a Queue DECLARE @rc INT DECLARE @TraceID INT DECLARE @maxfilesize BIGINT DECLARE @fso_audit_log NVARCHAR(128) SET @maxfilesize = 5 -- Define custom @fso_audit_log to path\filename SET @fso_audit_log = 'd:\sqlserver\audit\fsoauditlog.log' EXEC @rc = SP_TRACE_CREATE @TraceID output, 6, @fso_audit_log, @maxfilesize, NULL IF (@rc != 0) GOTO Error -- Client side File and Table cannot be scripted. -- Set the events: DECLARE @on BIT SET @on = 1 -- Logins are audited based on SQL Server instance -- setting Audit Level stored in registry -- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\AuditLevel -- Audit Login -- Occurs when a user successfully logs in to SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 14, 1, @on -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 14, 6, @on -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 14, 7, @on -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 14, 8, @on -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 14, 10, @on -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 14, 11, @on -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 14, 12, @on -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 14, 14, @on -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 14, 23, @on -- Success EXEC SP_TRACE_SETEVENT @TraceID, 14, 26, @on -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 14, 35, @on -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 14, 41, @on -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 14, 60, @on -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 14, 64, @on -- SessionLoginName -- Audit Logout -- Occurs when a user logs out of SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 15, 6, @on -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 15, 7, @on -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 15, 8, @on -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 15, 10, @on -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 15, 11, @on -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 15, 12, @on -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 15, 13, @on -- Duration EXEC SP_TRACE_SETEVENT @TraceID, 15, 14, @on -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 15, @on -- EndTime EXEC SP_TRACE_SETEVENT @TraceID, 15, 23, @on -- Success EXEC SP_TRACE_SETEVENT @TraceID, 15, 26, @on -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 15, 35, @on -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 15, 41, @on -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 15, 60, @on -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 15, 64, @on -- SessionLoginName -- Audit Server Starts and Stops -- Occurs when the SQL Server service state is modified. EXEC SP_TRACE_SETEVENT @TraceID, 18, 6, @on -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 18, 7, @on -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 18, 8, @on -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 18, 10, @on -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 18, 11, @on -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 18, 12, @on -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 18, 14, @on -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 18, 23, @on -- Success EXEC SP_TRACE_SETEVENT @TraceID, 18, 26, @on -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 18, 41, @on -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 18, 60, @on -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 18, 64, @on -- SessionLoginName -- Audit Login Failed -- Indicates that a login attempt to SQL Server from a client failed. EXEC SP_TRACE_SETEVENT @TraceID, 20, 1, @on -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 20, 6, @on -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 20, 7, @on -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 20, 8, @on -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 20, 10, @on -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 20, 11, @on -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 20, 12, @on -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 20, 14, @on -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 20, 23, @on -- Success EXEC SP_TRACE_SETEVENT @TraceID, 20, 26, @on -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 20, 31, @on -- Error EXEC SP_TRACE_SETEVENT @TraceID, 20, 35, @on -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 20, 60, @on -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 20, 64, @on -- SessionLoginName -- Audit Statement GDR Event -- Occurs every time a GRANT, DENY, REVOKE for a statement -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 102, 1, @on -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 102, 6, @on -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 7, @on -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 102, 8, @on -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 102, 10, @on -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 102, 11, @on -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 12, @on -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 102, 14, @on -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 19, @on -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 102, 23, @on -- Success EXEC SP_TRACE_SETEVENT @TraceID, 102, 26, @on -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 28, @on -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 102, 34, @on -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 102, 35, @on -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 102, 37, @on -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 102, 39, @on -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 40, @on -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 102, 41, @on -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 42, @on -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 102, 43, @on -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 102, 60, @on -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 102, 64, @on -- SessionLoginName -- Audit Object GDR Event -- Occurs every time a GRANT, DENY, REVOKE for an object -- permission is issued by any user in SQL Server. EXEC SP_TRACE_SETEVENT @TraceID, 103, 1, @on -- TextData EXEC SP_TRACE_SETEVENT @TraceID, 103, 6, @on -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 7, @on -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 103, 8, @on -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 103, 10, @on -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 103, 11, @on -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 12, @on -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 103, 14, @on -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 19, @on -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 103, 23, @on -- Success EXEC SP_TRACE_SETEVENT @TraceID, 103, 26, @on -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 28, @on -- ObjectType EXEC SP_TRACE_SETEVENT @TraceID, 103, 34, @on -- ObjectName EXEC SP_TRACE_SETEVENT @TraceID, 103, 35, @on -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 103, 37, @on -- OwnerName EXEC SP_TRACE_SETEVENT @TraceID, 103, 39, @on -- TargetUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 40, @on -- DBUserName EXEC SP_TRACE_SETEVENT @TraceID, 103, 41, @on -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 42, @on -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 103, 43, @on -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 103, 44, @on -- ColumnPermissions EXEC SP_TRACE_SETEVENT @TraceID, 103, 59, @on -- ParentName EXEC SP_TRACE_SETEVENT @TraceID, 103, 60, @on -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 103, 64, @on -- SessionLoginName -- Audit AddLogin Event -- Occurs when a SQL Server login is added or removed; -- for sp_addlogin and sp_droplogin. EXEC SP_TRACE_SETEVENT @TraceID, 104, 6, @on -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 104, 7, @on -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 104, 8, @on -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 104, 10, @on -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 104, 11, @on -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 12, @on -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 104, 14, @on -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 104, 23, @on -- Success EXEC SP_TRACE_SETEVENT @TraceID, 104, 26, @on -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 104, 35, @on -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 104, 41, @on -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 42, @on -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 104, 43, @on -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 104, 60, @on -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 104, 64, @on -- SessionLoginName -- Audit Login GDR Event -- Occurs when a Windows login right is added or removed; -- for sp_grantlogin, sp_revokelogin, and sp_denylogin. EXEC SP_TRACE_SETEVENT @TraceID, 105, 6, @on -- NTUserName EXEC SP_TRACE_SETEVENT @TraceID, 105, 7, @on -- NTDomainName EXEC SP_TRACE_SETEVENT @TraceID, 105, 8, @on -- HostName EXEC SP_TRACE_SETEVENT @TraceID, 105, 10, @on -- ApplicationName EXEC SP_TRACE_SETEVENT @TraceID, 105, 11, @on -- LoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 12, @on -- SPID EXEC SP_TRACE_SETEVENT @TraceID, 105, 14, @on -- StartTime EXEC SP_TRACE_SETEVENT @TraceID, 105, 23, @on -- Success EXEC SP_TRACE_SETEVENT @TraceID, 105, 26, @on -- ServerName EXEC SP_TRACE_SETEVENT @TraceID, 105, 35, @on -- DatabaseName EXEC SP_TRACE_SETEVENT @TraceID, 105, 41, @on -- LoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 42, @on -- TargetLoginName EXEC SP_TRACE_SETEVENT @TraceID, 105, 43, @on -- TargetLoginSid EXEC SP_TRACE_SETEVENT @TraceID, 105, 60, @on -- IsSystem EXEC SP_TRACE_SETEVENT @TraceID, 105, 64, @on -- SessionLoginName -- Audit Login Change Property Event -- Occurs when a property of a login, except passwords, -- is modified; for sp_defaultdb and sp_defaultlanguage. EXEC SP_TRACE_SETEVENT @TraceID, 106, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 42, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 43, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 106, 64, @on -- Audit Login Change Password Event -- Occurs when a SQL Server login password is changed. -- Passwords are not recorded. EXEC SP_TRACE_SETEVENT @TraceID, 107, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 42, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 43, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 107, 64, @on -- Audit Add Login to Server Role Event -- Occurs when a login is added or removed from a fixed server role; -- for sp_addsrvrolemember, and sp_dropsrvrolemember. EXEC SP_TRACE_SETEVENT @TraceID, 108, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 38, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 42, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 43, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 108, 64, @on -- Audit Add DB User Event -- Occurs when a login is added or removed as a database user -- (Windows or SQL Server) to a database; for sp_grantdbaccess, -- sp_revokedbaccess, sp_adduser, and sp_dropuser. EXEC SP_TRACE_SETEVENT @TraceID, 109, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 21, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 38, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 39, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 42, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 43, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 44, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 51, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 109, 64, @on -- Audit Add Member to DB Role Event -- Occurs when a login is added or removed as a database user -- (fixed or user-defined) to a database; for sp_addrolemember, -- sp_droprolemember, and sp_changegroup. EXEC SP_TRACE_SETEVENT @TraceID, 110, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 38, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 39, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 110, 64, @on -- Audit Add Role Event -- Occurs when a login is added or removed as a database user to a -- database; for sp_addrole and sp_droprole. EXEC SP_TRACE_SETEVENT @TraceID, 111, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 38, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 111, 64, @on -- Audit App Role Change Password Event -- Occurs when a password of an application role is changed. EXEC SP_TRACE_SETEVENT @TraceID, 112, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 38, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 112, 64, @on -- Audit Statement Permission Event -- Occurs when a statement permission (such as CREATE TABLE) is used. EXEC SP_TRACE_SETEVENT @TraceID, 113, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 19, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 113, 64, @on -- Audit Backup/Restore Event -- Occurs when a BACKUP or RESTORE command is issued. EXEC SP_TRACE_SETEVENT @TraceID, 115, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 115, 64, @on -- Audit DBCC Event -- Occurs when DBCC commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 116, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 44, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 116, 64, @on -- Audit Change Audit Event -- Occurs when audit trace modifications are made. EXEC SP_TRACE_SETEVENT @TraceID, 117, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 44, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 117, 64, @on -- Audit Object Derived Permission Event -- Occurs when a CREATE, ALTER, and DROP object commands are issued. EXEC SP_TRACE_SETEVENT @TraceID, 118, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 118, 64, @on -- Audit Database Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 128, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 128, 64, @on -- Audit Database Object Management Event -- Occurs when a CREATE, ALTER, or DROP statement executes on -- database objects, such as schemas. EXEC SP_TRACE_SETEVENT @TraceID, 129, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 129, 64, @on -- Audit Database Principal Management Event -- Occurs when principals, such as users, are created, altered, or -- dropped from a database. EXEC SP_TRACE_SETEVENT @TraceID, 130, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 130, 64, @on -- Audit Schema Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 131, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 59, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 131, 64, @on -- Audit Server Principal Impersonation Event -- Occurs when there is an impersonation within server scope, such -- as EXECUTE AS LOGIN. EXEC SP_TRACE_SETEVENT @TraceID, 132, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 132, 64, @on -- Audit Database Principal Impersonation Event -- Occurs when an impersonation occurs within the database scope, -- such as EXECUTE AS USER or SETUSER. EXEC SP_TRACE_SETEVENT @TraceID, 133, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 38, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 133, 64, @on -- Audit Server Object Take Ownership Event -- Occurs when the owner is changed for objects in server scope. EXEC SP_TRACE_SETEVENT @TraceID, 134, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 39, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 42, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 43, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 134, 64, @on -- Audit Database Object Take Ownership Event -- Occurs when a change of owner for objects within database scope -- occurs. EXEC SP_TRACE_SETEVENT @TraceID, 135, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 39, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 135, 64, @on -- Audit Change Database Owner -- Occurs when ALTER AUTHORIZATION is used to change the owner of a -- database and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 152, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 39, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 42, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 43, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 152, 64, @on -- Audit Schema Object Take Ownership Event -- Occurs when ALTER AUTHORIZATION is used to assign an owner to an -- object and permissions are checked to do that. EXEC SP_TRACE_SETEVENT @TraceID, 153, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 39, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 59, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 153, 64, @on -- Audit Server Scope GDR Event -- Indicates that a grant, deny, or revoke event for permissions in -- server scope occurred, such as creating a login. EXEC SP_TRACE_SETEVENT @TraceID, 170, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 19, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 42, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 43, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 170, 64, @on -- Audit Server Object GDR Event -- Indicates that a grant, deny, or revoke event for a schema object, -- such as a table or function, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 171, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 19, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 42, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 43, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 171, 64, @on -- Audit Database Object GDR Event -- Indicates that a grant, deny, or revoke event for database -- objects, such as assemblies and schemas, occurred. EXEC SP_TRACE_SETEVENT @TraceID, 172, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 19, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 39, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 42, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 43, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 172, 64, @on -- Audit Server Operation Event -- Occurs when Security Audit operations such as altering settings, -- resources, external access, or authorization are used. EXEC SP_TRACE_SETEVENT @TraceID, 173, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 173, 64, @on -- Audit Server Alter Trace Event -- Occurs when a statement checks for the ALTER TRACE permission. EXEC SP_TRACE_SETEVENT @TraceID, 175, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 175, 64, @on -- Audit Server Object Management Event -- Occurs when server objects are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 176, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 45, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 46, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 176, 64, @on -- Audit Server Principal Management Event -- Occurs when server principals are created, altered, or dropped. EXEC SP_TRACE_SETEVENT @TraceID, 177, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 39, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 42, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 43, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 45, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 177, 64, @on -- Audit Database Operation Event -- Occurs when database operations occur, such as checkpoint or -- subscribe query notification. EXEC SP_TRACE_SETEVENT @TraceID, 178, 1, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 6, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 7, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 8, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 10, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 11, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 12, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 14, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 23, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 26, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 28, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 34, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 35, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 37, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 40, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 41, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 60, @on EXEC SP_TRACE_SETEVENT @TraceID, 178, 64, @on -- Set the Filters. DECLARE @intfilter INT DECLARE @bigintfilter bigint -- Set the trace status to start. EXEC SP_TRACE_SETSTATUS @TraceID, 1 -- Display trace ID for future references. SELECT TraceID = @TraceID GOTO Finish Error: SELECT ErrorCode = @rc Finish: GO EXEC SP_PROCOPTION 'fso_audit', 'startup', 'true' GO Note: Replace ['d:\sqlserver\audit\fsoauditlog.log'] with the PATH and file name to your audit file.
From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Port If the value = 0, this is a Finding (Dynamic port assignment in use). If the value = 2383, this is Not a Finding. The Port value may also be viewed in the Analysis Services configuration file, msmdsrv.ini under XML tag: [Port] The configuration file may be found in the [install dir] \ MSSQL.[#] \ OLAP \ Config directory. If a different port is assigned, verify that the port reassignment requirement is documented and approved in the System Security Plan and AIS Functional Architecture documentation.
Use static, default network ports. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Port 5. Set value = 2383 or IAO-approved value 6. Click OK
Ask the DBA and/or IAO to demonstrate that the DBMS system initialization, shutdown, and aborts are configured to ensure that the DBMS system remains in a secure state. If the DBA and/or IAO has documented proof from the DBMS vendor demonstrating that the DBMS does not support this either natively or programmatically, this check is a Finding, but can be downgraded to a CAT 3 severity. If the DBMS does support this either natively or programmatically and the configuration does not meet the requirements listed above, this is a Finding. For all MAC 1, all MAC 2 and Classified MAC 3 systems where the DBMS supports the requirements, review documented procedures and evidence of periodic testing to ensure DBMS system state integrity. If documented procedures do not exist or no evidence of implementation is provided, this is a Finding.
Configure DBMS system initialization, shutdown and aborts to ensure DBMS system remains in a secure state. For applicable DBMS systems as listed in the check, periodically test configuration to ensure DBMS system state integrity. Where DBMS system state integrity is not supported by the DBMS vendor, obtain and apply mitigation strategies to bring risk to a DAA-acceptable level.
From the query prompt: SELECT CAST(value AS INT) 'Config_Value' FROM [master].sys.configurations WHERE name = 'remote admin connections' If the value of Config_Value is 0, this is Not a Finding. If the value of Config_Value is 1, confirm in the System Security Plan that remote admin connection access is required and approved by the IAO. If it is not documented, required and approved, this is a Finding.
Where remote admin connection access is part of the designed and approved use of the SQL Server database, document the requirement in the System Security Plan. Where remote admin connection access is not required, disable its use. From the query prompt: EXEC SP_CONFIGURE 'remote admin connections', 0 RECONFIGURE
If the DBMS does not provide auditing of remote administrative actions, this check is Not a Finding. Review settings for actions taken during remote administration sessions. If auditing of remote administration sessions and actions is not enabled, this is a Finding. If audit logs do not include all actions taken by database administrators during remote sessions, this is a Finding. Actions should be tied to a specific user.
Develop, document and implement policy and procedures for remote administration auditing. Configure the DBMS to provide an audit trail for remote administrative sessions. Include all actions taken by database administrators during remote sessions. Actions should be tied to a specific user.
Review database links or other connections defined for the database (See Check DG0075 for list). If any interconnections show differences in the DBMS and remote system classification levels, this is a Finding.
Disassociate or remove connection definitions to remote systems of differing classification levels.
A warning banner displayed as a function of an Operating System or application login for applications that use the database makes this check Not Applicable. View the warning banner. If it does not contain the following text as written below, this is a Finding: [A. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK."] You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OK [B. For Blackberries and other PDAs/PEDs with severe character limitations:] I've read & consent to terms in IS user agreem't. This User Agreement conforms to DoD Standard Notice and Consent Banner and User Agreement – JTF-GNO CTO 08-008A, May 9, 2008.
Replace the DBMS banner text with the banner text as shown in this check. For all versions of SQL Server, this requirement can be fulfilled where the database user receives the warning message when authenticating or connecting to a front-end system that includes or covers the SQL Server DBMS. Mark this check as a Finding if the display of a warning banner (not necessarily this specific warning banner) cannot be confirmed. The banner text listed in the Check section supersedes that referenced in the Database STIG requirement.
If remote administration is disabled or not configured, this check is Not a Finding. Review configured network access interfaces for remote DBMS administration with the SA and DBA. These may be host-based encryptions such as IPSec or may be configured for the DBMS as part of the network communications and/or in the DBMS listening process. For DBMS listeners, verify that encrypted ports exist and are restricted to specific network addresses to access the DBMS. View the System Security Plan to review the authorized procedures and access for remote administration. If the configuration does not match the documented plan, this is a Finding.
Disable remote administration where it is not required or authorized. Consider restricting administrative access to local connections only. Where necessary, configure the DBMS network communications to provide an encrypted, dedicated port for remote administration access. Develop and provide procedures for remote administrative access to DBAs that have been authorized for remote administration. Verify during audit reviews that DBAs do not access the database remotely except through the dedicated and encrypted port.