Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
Database applications should be restricted from using static DDL statements to modify the application schema.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-3727 | DG0015-SQLServer9 | SV-24072r1_rule | ECSD-1 ECSD-2 | Low |
| Description |
|---|
| Application users by definition and job function require only the permissions to manipulate data within database objects and execute procedures within the database. The statements used to define objects in the database are referred to as Data Definition Language (DDL) statements and include the CREATE, DROP, and ALTER object statements (DDL statements do not include CREATE USER, DROP USER, or ALTER USER actions). This requirement is included here as a production system would by definition not support changes to the data definitions. Where object creation is an indirect result of DBMS operation or dynamic object structures are required by the application function as is found in some object-oriented DBMS applications, this restriction does not apply. Re-use of static data structures to recreate temporary data objects are not exempted. |
| STIG | Date |
|---|---|
| Microsoft SQL Server 2005 Database Security Technical Implementation Guide | 2015-04-03 |
Details
| Check Text ( None ) |
|---|
| None |
| Fix Text (F-22643r1_fix) |
|---|
| Coordinate with the application designer to modify the application to use static objects with temporary data rather than creating and using temporary objects. Document in the System Security Plan all known object creation that supports dynamic object usage. |