UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Custom and GOTS application source code stored in the database should be protected with encryption or encoding.


Overview

Finding ID Version Rule ID IA Controls Severity
V-3823 DG0091-SQLServer9 SV-24094r2_rule DCSL-1 Low
Description
Source code may include information on data relationships, locations of sensitive data that are otherwise obscured, or other processing information that could aid a malicious user. Encoding or encryption of the custom source code objects within the database helps protect against this type of disclosure.
STIG Date
Microsoft SQL Server 2005 Database Security Technical Implementation Guide 2015-06-16

Details

Check Text ( C-23683r2_chk )
If this is not a production database, this check is Not a Finding.

From the query prompt:

SELECT name AS [Database Name]
FROM [master].sys.databases
WHERE name NOT IN ('tempdb', 'reportserver', 'reportservertempdb')
AND state = 0

Repeat for each database:

From the query prompt:

USE [Database Name]
SELECT USER_NAME(o.schema_id) AS [Schema], o.name AS [Object], o.type_desc AS [Type], o.create_date AS [Create Date]
FROM sys.all_objects o, sys.sql_modules s
WHERE o.object_id = s.object_id
AND s.definition IS NOT NULL
AND o.is_ms_shipped = 0
ORDER BY USER_NAME(o.schema_id), o.name

Review the listed results.

If any results listed are not documented in the System Security Plan and authorized by the IAO, this is a Finding.
Fix Text (F-19555r1_fix)
Recreate stored procedures and specify encryption using the ALTER PROCEDURE command.

Example:
ALTER PROCEDURE [MyProc] WITH ENCRYPTION
AS
SELECT [mycol1], [mycol2] FROM [mytable]...

Replace objects specified between the "[]" characters with custom/GOTS procedure references.

Document all exceptions to this requirement in the System Security Plan and authorize with the IAO.