
Fixed Database roles should have only authorized users or groups as members.


Overview

Finding ID: V-15151
Version: DM0531-SQLServer9
Rule ID: SV-23769r1_rule
IA Controls: ECLP-1
Severity: Medium
Description
Fixed database roles provide a mechanism to grant groups of privileges to users. These privilege groupings are defined by the installation or upgrade of the SQL Server software at the discretion of Microsoft. Memberships in these roles granted to users should be strictly controlled and monitored. Privileges assigned to these roles should be reviewed for change after software upgrade or maintenance to ensure that the privileges continue to be appropriate to the assigned members.
STIG: Microsoft SQL Server 2005 Database Security Technical Implementation Guide
Date: 2015-04-03

Details

Check Text: None
Fix Text (F-19750r1_fix)
Grant fixed database roles only to authorized accounts.

Revoke unauthorized accounts from fixed database roles.

From the SQL Server Management Studio GUI:

To remove a user from a fixed database role:
1. Expand [instance name]
2. Expand Databases
3. Expand [database type]
4. Expand [database name]
5. Expand Security
6. Expand Roles
7. Expand Database Roles
8. Double-click the role from which the user is to be removed
9. Select the user's account under Role Members
10. Click on the Remove button

Document fixed database role grants in the System Security Plan and authorize with the IAO.
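The GUI steps above cover one role and one member at a time. The following T-SQL script is an added example, not part of the STIG text, that does the same review across every fixed database role in the current database: it lists all current memberships, flags those not present in an authorized list, and generates the revocation statements for review. The @Authorized rows are constructed placeholders standing in for the memberships documented in the System Security Plan; sp_droprolemember is used because ALTER ROLE ... DROP MEMBER is not available in SQL Server 2005.

```sql
-- Added example (not part of the STIG): review fixed database role membership
-- in the current database against an authorized list and generate revocations.
-- Run once per database after USE [database name].

-- Constructed placeholder list of authorized memberships (assumption: these
-- names are illustrative; replace them with the SSP-documented memberships).
DECLARE @Authorized TABLE (RoleName sysname NOT NULL, MemberName sysname NOT NULL);
INSERT INTO @Authorized (RoleName, MemberName) VALUES ('db_owner', 'dbo');
INSERT INTO @Authorized (RoleName, MemberName) VALUES ('db_datareader', 'APP_ReportReaders');

-- 1. Every current fixed database role membership (for the SSP record).
SELECT r.name AS RoleName,
       m.name AS MemberName,
       m.type_desc AS MemberType
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.is_fixed_role = 1
ORDER BY r.name, m.name;

-- 2. Memberships not in the authorized list: these are the findings to
--    either authorize with the IAO or revoke.
SELECT r.name AS RoleName,
       m.name AS MemberName
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
LEFT JOIN @Authorized AS a ON a.RoleName = r.name AND a.MemberName = m.name
WHERE r.is_fixed_role = 1
  AND a.RoleName IS NULL
ORDER BY r.name, m.name;

-- 3. Generate (but do not run) the revocation statement for each unauthorized
--    membership, so the DBA can review the list before executing it.
SELECT 'EXEC sp_droprolemember @rolename = ''' + r.name
       + ''', @membername = ''' + m.name + ''';' AS RevokeStatement
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
LEFT JOIN @Authorized AS a ON a.RoleName = r.name AND a.MemberName = m.name
WHERE r.is_fixed_role = 1
  AND a.RoleName IS NULL;

-- 4. Example of one reviewed revocation (placeholder member name; SQL Server
--    2005 syntax, equivalent to step 10 of the GUI procedure).
-- EXEC sp_droprolemember @rolename = 'db_datawriter',
--                        @membername = 'UNAUTHORIZED_ACCOUNT_PLACEHOLDER';
```

Query 1 is the output to attach to the System Security Plan; query 2 is the check this rule lacks a Check Text for; query 3 produces statements that are executed only after the IAO confirms the membership is not authorized.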