| V-15654 | Medium | DBMS symmetric keys should be protected in accordance with NSA or NIST-approved key management technology or processes. | Symmetric keys used for encryption protect data from unauthorized access. However, if not protected in accordance with acceptable standards, the keys themselves may be compromised and used for... |
| V-15177 | Medium | The Service Master Key should be backed up, stored offline and off site. | Backup and recovery of the Service Master Key may be critical to the complete recovery of the database. |
| V-15172 | Medium | Object permissions should not be assigned to PUBLIC or GUEST. | The guest account is available to users that do not have authorized accounts on the database. The PUBLIC role is granted to all users of the database regardless of assigned job function.... |
| V-15159 | Medium | The Database Master key encryption password should meet DoD password complexity requirements. | Weak passwords may be easily guessed. When passwords used to encrypt keys used for encryption of sensitive data, then the confidentiality of all data encrypted using that key is at risk. |
| V-2498 | Medium | Permissions using the WITH GRANT OPTION should be granted only to DBA or application administrator accounts. | The WITH GRANT option assigned with privileges, allows the grantee of the privilege to re-grant the privilege to other accounts. Unauthorized or unmanaged assignment of privileges may result in a... |
| V-15151 | Medium | Fixed Database roles should have only authorized users or groups as members. | Fixed database roles provide a mechanism to grant groups of privileges to users. These privilege groupings are defined by the installation or upgrade of the SQL Server software at the discretion... |
| V-2463 | Medium | DDL permissions should be granted only to authorized accounts. | Data Definition Language (DDL) commands include CREATE, ALTER, and DROP object actions. These actions cause changes to the structure, definition and configuration of the DBMS as well as to the... |
| V-15185 | Medium | Asymmetric private key encryption should use an authorized encryption type. | Asymmetric keys stored in the database that also include storage of the private key require protection from any unauthorized user. To protect unauthorized access and use of any asymmetric key by... |
| V-15629 | Medium | Application users privileges should be restricted to assignment using application user roles. | Privileges granted outside the role of the application user job function are more likely to go unmanaged or without oversight for authorization. Maintenance of privileges using roles defined for... |
| V-15607 | Medium | Application objects should be owned by accounts authorized for ownership. | Database object ownership implies full privileges to the owned object including the privilege to assign access to the owned objects to other subjects. Unmanaged or uncontrolled ownership of... |
| V-15164 | Medium | Asymmetric keys should be derived from DoD PKI certificates. | Asymmetric keys derived from self-signed certificates or self-generated by other means do not meet the security requirements of DOD that require validation by DOD trusted certificate authorities. |
| V-15128 | Medium | DBMS application user roles should not be assigned unauthorized privileges. | Unauthorized access to the data can lead to loss of confidentiality and integrity of the data. |
| V-15162 | Medium | Database Master Key passwords shoud not be stored in credentials within the database. | Storage of the database master key password in a database credential allows decryption of sensitive data by privileged users who may not have a need-to-know requirement to access the data. |
| V-15161 | Medium | The Database Master Key should be encrypted by the Service Master Key where required. | Protection of the Database Master Key is necessary to protect the confidentiality of sensitive data. When encrypted by the Service Master Key, SYSADMINs may access and use the key to view... |
| V-15168 | Medium | Symmetric keys should use a master key, certificate, or asymmetric key to encrypt the key. | Symmetric keys are vulnerable if the symmetric key encryption is not protected from disclosure. Symmetric keys are well protected by use of either the database or the service master key. Where... |
| V-15142 | Medium | Asymmetric keys used by the DBMS for encryption of sensitive data should use DoD PKI Certificates. Private keys used by the DBMS should be protected in accordance with NIST (unclassified data) or NSA (classified data) approved key management and processes. | Encryption is only effective if the encryption method is robust and the keys used to provide the encryption are not easily discovered. Without effective encryption, sensitive data is vulnerable to... |
| V-5683 | Medium | Application object owner accounts should be disabled when not performing installation or maintenance actions. | Object ownership provides all database object permissions to the owned object. Access to the application object owner accounts requires special protection to prevent unauthorized access and use of... |
| V-2458 | Medium | Permissions on system tables should be restricted to authorized accounts. | Microsoft SQL Server defaults to allow all users to view the majority of the system tables. The system tables contain information such as login IDs, permissions, objects and even the text of all... |
| V-2457 | Medium | Object permission assignments should be authorized. | Securely designed applications require only that database application user accounts have permissions to access and manipulate only the application data assigned to them in accordance with the... |
| V-2451 | Medium | The guest user account should be disabled. | The guest user ID in a database allows access by all Windows login IDs without requiring an individual database account. This allows unauthorized access to the database. |
| V-3727 | Low | Database applications should be restricted from using static DDL statements to modify the application schema. | Application users by definition and job function require only the permissions to manipulate data within database objects and execute procedures within the database. The statements used to define... |
| V-3823 | Low | Custom and GOTS application source code stored in the database should be protected with encryption or encoding. | Source code may include information on data relationships, locations of sensitive data that are otherwise obscured, or other processing information that could aid a malicious user. Encoding or... |
