
Permissions on system tables should be restricted to authorized accounts.


Overview

Finding ID: V-2458
Version: DM1749-SQLServer9
Rule ID: SV-23790r1_rule
IA Controls: ECLP-1
Severity: Medium
Description
Microsoft SQL Server defaults to allow all users to view the majority of the system tables. The system tables contain information such as login IDs, permissions, objects and even the text of all stored procedures. In a secure environment, any direct access granted to these tables by users bypasses security controls defined within the associated system procedures and views. The bypass of these controls can lead to unauthorized viewing of sensitive data.
STIG: Microsoft SQL Server 2005 Database Security Technical Implementation Guide
Date: 2015-04-03

Details

Check Text ( None )
None
Fix Text (F-24604r1_fix)
Revoke permissions granted to system tables where supported by the DBMS vendor.

From the query prompt:

USE [database name]
REVOKE [permission] ON [object name] FROM [user name]

Document permission grants in the System Security Plan and authorize with the IAO.
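
To find which grants the Fix Text applies to, the following added example (not part of the STIG text) lists permissions granted on Microsoft-shipped objects in the current database and builds a candidate REVOKE statement for each. It assumes the SQL Server 2005 catalog views sys.database_permissions, sys.all_objects and sys.database_principals; the column aliases are illustrative.

```sql
-- Added example, not part of the STIG text. Run in each database under review.
-- Lists permissions granted on system (Microsoft-shipped) objects and builds
-- one candidate REVOKE per grant, in the form the Fix Text gives.
USE [database name];  -- placeholder, as in the Fix Text

SELECT
    pr.name                    AS grantee,
    pr.type_desc               AS grantee_type,
    SCHEMA_NAME(o.schema_id)   AS object_schema,
    o.name                     AS object_name,
    o.type_desc                AS object_type,
    pe.permission_name,
    pe.state_desc,
    -- permission_name uses a fixed catalog collation; align it with the
    -- database default so the concatenation does not raise a collation conflict.
    'REVOKE ' + pe.permission_name COLLATE DATABASE_DEFAULT
        + ' ON ' + QUOTENAME(SCHEMA_NAME(o.schema_id)) + '.' + QUOTENAME(o.name)
        + ' FROM ' + QUOTENAME(pr.name)
        -- A grant made WITH GRANT OPTION has to be revoked with CASCADE.
        + CASE WHEN pe.state = 'W' THEN ' CASCADE' ELSE '' END
        + ';'                  AS candidate_revoke
FROM sys.database_permissions AS pe
JOIN sys.all_objects          AS o
    ON o.object_id = pe.major_id
JOIN sys.database_principals  AS pr
    ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1             -- object- or column-level permission
  AND pe.minor_id = 0          -- whole object, not a single column
  AND o.is_ms_shipped = 1      -- system objects only
  AND pe.state IN ('G', 'W')   -- GRANT and GRANT WITH GRANT OPTION
ORDER BY pr.name, o.name, pe.permission_name;
```

The query only reports; compare each row with the grants documented in the System Security Plan before running any generated statement.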