Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3823 | DG0091-SQLServer9 | SV-24094r2_rule | DCSL-1 | Low |
Description |
---|
Source code may include information on data relationships, locations of sensitive data that are otherwise obscured, or other processing information that could aid a malicious user. Encoding or encryption of the custom source code objects within the database helps protect against this type of disclosure. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Database Security Technical Implementation Guide | 2015-06-16 |
Check Text ( C-23683r2_chk ) |
---|
If this is not a production database, this check is Not a Finding.

From the query prompt:

```sql
SELECT name AS [Database Name]
FROM [master].sys.databases
WHERE name NOT IN ('tempdb', 'reportserver', 'reportservertempdb')
AND state = 0
```

Repeat for each database. From the query prompt:

```sql
USE [Database Name]
SELECT USER_NAME(o.schema_id) AS [Schema], o.name AS [Object], o.type_desc AS [Type], o.create_date AS [Create Date]
FROM sys.all_objects o, sys.sql_modules s
WHERE o.object_id = s.object_id
AND s.definition IS NOT NULL
AND o.is_ms_shipped = 0
ORDER BY USER_NAME(o.schema_id), o.name
```

Review the listed results. If any results listed are not documented in the System Security Plan and authorized by the IAO, this is a Finding.

Fix Text (F-19555r1_fix) |
---|
Recreate stored procedures and specify encryption using the ALTER PROCEDURE command. Example:

```sql
ALTER PROCEDURE [MyProc] WITH ENCRYPTION AS SELECT [mycol1], [mycol2] FROM [mytable]...
```

Replace objects specified between the "[]" characters with custom/GOTS procedure references. Document all exceptions to this requirement in the System Security Plan and authorize with the IAO.
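The following worked example is added here and is not part of the STIG text. It applies the fix to a procedure and, going beyond the fix text, to a view, since the check query lists every module type in sys.sql_modules, then verifies the result. All object names are hypothetical and the script assumes a scratch database.

```sql
-- Constructed sample objects (hypothetical names) for a scratch database.
CREATE TABLE dbo.DemoOrders (OrderId int PRIMARY KEY, CustomerId int, Total money);
GO
CREATE PROCEDURE dbo.usp_DemoOrdersByCustomer @CustomerId int
AS
    SELECT OrderId, Total FROM dbo.DemoOrders WHERE CustomerId = @CustomerId;
GO
CREATE VIEW dbo.vw_DemoOrderTotals
AS
    SELECT CustomerId, SUM(Total) AS TotalSpend
    FROM dbo.DemoOrders GROUP BY CustomerId;
GO

-- Before the fix: both modules have a readable definition, so a check
-- equivalent to the STIG query lists them.
SELECT SCHEMA_NAME(o.schema_id) AS [Schema], o.name AS [Object], o.type_desc AS [Type]
FROM sys.all_objects o
JOIN sys.sql_modules s ON o.object_id = s.object_id
WHERE s.definition IS NOT NULL AND o.is_ms_shipped = 0
ORDER BY [Schema], o.name;
GO

-- Fix: ALTER (rather than DROP/CREATE) keeps the permissions already granted
-- on the object. The full body must be restated. Keep the plaintext source in
-- version control, because the catalog views no longer return it afterwards.
ALTER PROCEDURE dbo.usp_DemoOrdersByCustomer @CustomerId int
WITH ENCRYPTION
AS
    SELECT OrderId, Total FROM dbo.DemoOrders WHERE CustomerId = @CustomerId;
GO
ALTER VIEW dbo.vw_DemoOrderTotals
WITH ENCRYPTION
AS
    SELECT CustomerId, SUM(Total) AS TotalSpend
    FROM dbo.DemoOrders GROUP BY CustomerId;
GO

-- Verify: an encrypted module has a NULL definition in sys.sql_modules and
-- therefore drops out of the check query; IsEncrypted reports the same state.
SELECT o.name AS [Object], o.type_desc AS [Type],
       OBJECTPROPERTY(o.object_id, 'IsEncrypted') AS [IsEncrypted],
       CASE WHEN s.definition IS NULL THEN 'hidden' ELSE 'readable' END AS [Source Text]
FROM sys.objects o
JOIN sys.sql_modules s ON o.object_id = s.object_id
WHERE o.name IN (N'usp_DemoOrdersByCustomer', N'vw_DemoOrderTotals');
GO
```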