
DBMS default account names must be changed.


Overview

Finding ID: V-32246
Version: SRG-APP-000063-DB-000023
Rule ID: SV-42563r1_rule
IA Controls:
Severity: Medium
Description
Default accounts are usually accounts that have special privileges required to administer the database. Well-known DBMS account names are targeted most frequently by attackers and are thus more prone to providing unauthorized access to the database. If default account names are not changed, an attacker has a predefined list of accounts to target. Since most default accounts are administrative in nature, the compromise of a default account can have catastrophic consequences, including the complete loss of control over the information system.
STIG: Database Security Requirements Guide
Date: 2012-07-02

Details

Check Text (C-40755r1_chk)
Review the list of default account names provided by the DBMS. The list may be provided in vendor documentation or obtained using Internet resources. If default account names exist, this is a finding.
Fix Text (F-36170r1_fix)
Modify default DBMS accounts to use custom account names.