V-3812 | High | Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations. | Database passwords stored in clear text are vulnerable to unauthorized disclosure. Database passwords should always be encoded or encrypted when stored internally or externally to the DBMS. |
V-15104 | High | Sensitive data served by the DBMS should be protected by encryption when transmitted across the network. | Sensitive data served by the DBMS and transmitted across the network in clear text is vulnerable to unauthorized capture and review. |
V-5658 | High | Vendor supported software is evaluated and patched against newly found vulnerabilities. | The version of MS SQL Server must be listed by Microsoft as a supported version. Microsoft discontinues fixes for unsupported versions on reported dates. In order to maintain a secure environment,... |
V-15636 | High | Passwords should be encrypted when transmitted across the network. | DBMS passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database. |
V-15635 | High | DBMS default accounts should be assigned custom passwords. | DBMS default passwords provide a commonly known and exploited means for unauthorized access to database installations. |
V-15188 | High | Analysis Services Required Protection Levels should be set to 1. | Sensitive data is vulnerable to unauthorized access when traversing untrusted network segments. Encryption of the data in transit helps protect the confidentiality of the data. |
V-2461 | High | Extended stored procedure xp_cmdshell should be restricted to authorized accounts. | The xp_cmdshell extended stored procedure allows execution of host executables outside the controls of database access permissions. This access may be exploited by malicious users who have... |
V-6756 | Medium | Only necessary privileges to the host system should be granted to DBA OS accounts. | Database administration accounts are frequently granted more permissions to the local host system than are necessary. This allows inadvertent or malicious changes to the host operating system. |
V-3813 | Medium | DBMS tools or applications that echo or require a password entry in clear text should be protected from password display. | Database applications may allow for entry of the account name and password as a visible parameter of the application execution command. This practice should be prohibited and disabled, if... |
V-3811 | Medium | Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented. | New accounts authenticated by passwords that are created without a password or with an easily guessed password are vulnerable to unauthorized access. Procedures for creating new accounts with... |
V-3810 | Medium | DBMS authentication should require use of a DoD PKI certificate. | In a properly configured DBMS, access controls defined for data access and DBMS management actions are assigned based on the user identity and job function. Unauthenticated or falsely... |
V-3815 | Medium | New passwords should be required to differ from old passwords by more than four characters. | Changing passwords frequently can thwart password-guessing attempts or re-establish protection of a compromised DBMS account. Minor changes to passwords may not accomplish this as password... |
V-15130 | Medium | Unapproved inactive or expired database accounts should not be found on the database. | Unused or expired DBMS accounts provide a means for undetected, unauthorized access to the database. |
V-15131 | Medium | Sensitive information stored in the database should be protected by encryption. | Sensitive data stored in unencrypted format within the database is vulnerable to unauthorized viewing. |
V-3819 | Medium | Sensitive information from production database exports should be modified after import to a development database. | Data export from production databases may include sensitive data. Application developers do not have a need-to-know for sensitive data. Any access they may have to production data would be... |
V-3818 | Medium | Unauthorized database links should not be defined and active. | DBMS links provide a communication and data transfer path definition between two databases that may be used by malicious users to discover and obtain unauthorized access to remote systems.... |
V-15134 | Medium | The Integration Services service account should not be assigned excess host system privileges. | Excess privileges can unnecessarily increase the vulnerabilities to a successful attack. If the Integration Service is compromised, the attack can lead to use of the privileges assigned to the... |
V-15137 | Medium | Error log retention should be set to meet log retention policy. | For SQL Server, error logs are used to store system event and system error information. In addition to assisting in correcting system failures or issues that could affect system availability and... |
V-6767 | Medium | The database should be secured in accordance with DoD, vendor and/or commercially accepted practices where applicable. | DBMS systems that do not follow DoD, vendor and/or public best security practices are vulnerable to related published vulnerabilities. A DoD reference document such as a security technical... |
V-15646 | Medium | Audit records should contain required information. | Complete forensically valuable data may be unavailable or accountability may be jeopardized when audit records do not contain sufficient information. |
V-15644 | Medium | Attempts to bypass access controls should be audited. | Detection of suspicious activity including access attempts and successful access from unexpected places, during unexpected times, or other unusual indicators can support decisions to apply... |
V-15645 | Medium | Changes to configuration options should be audited. | The default audit trace provides a log of activity and changes primarily related to DBMS configuration options. The default audit trace option does not provide adequate auditing and should be disabled. |
V-15643 | Medium | Access to DBMS security should be audited. | DBMS security data is useful to malicious users to perpetrate activities that compromise DBMS operations or data integrity. Auditing of access to this data supports forensic and accountability... |
V-15648 | Medium | Access to the DBMS should be restricted to static, default network ports. | Use of static, default ports helps management of enterprise network device security controls. Use of non-default ports makes tracking and protection of published vulnerabilities to services and... |
V-15625 | Medium | Recovery procedures and technical system features exist to ensure that recovery is done in a secure and verifiable manner. | A DBMS may be vulnerable to use of compromised data or other critical files during recovery. Use of compromised files could introduce maliciously altered application code, relaxed security... |
V-15105 | Medium | Unauthorized access to external database objects should be removed from application user roles. | Access to objects stored and/or executed outside of the DBMS security context may provide an avenue of attack to host system resources not controlled by the DBMS. Any access to external resources... |
V-15107 | Medium | DBMS privileges to restore database data or other DBMS configurations, features or objects should be restricted to authorized DBMS accounts. | Unauthorized restoration of database data, objects, or other configuration or features can result in a loss of data integrity, unauthorized configuration, or other DBMS interruption or compromise. |
V-15106 | Medium | DBA roles should be periodically monitored to detect assignment of unauthorized or excess privileges. | Excess privilege assignment can lead to intentional or unintentional unauthorized actions. Such actions may compromise the operation or integrity of the DBMS and its data. |
V-15102 | Medium | Automated notification of suspicious activity detected in the audit trail should be implemented. | Audit record collection may quickly overwhelm storage resources and an auditor's ability to review it in a productive manner. Automated tools can provide the means to manage the audit data... |
V-15109 | Medium | DBMS production application and data directories should be protected from developers on shared production/development DBMS host systems. | Developer roles should not be assigned DBMS administrative privileges to production DBMS application and data directories. The separation of production and development DBA and developer roles help... |
V-15108 | Medium | Privileges assigned to developers on shared production and development DBMS hosts and the DBMS should be monitored every three months or more frequently for unauthorized changes. | The developer role does not require Need-to-Know or administrative privileges to production databases. Assigning excess privileges can lead to unauthorized access to sensitive data or compromise... |
V-2488 | Medium | SQL Server Agent CmdExec or ActiveScripting jobs should be restricted to sysadmins. | SQL Server Agent CmdExec and ActiveScripting subsystems allow the execution of code by the host operating system under the security context. Allow use of these features only to SYSADMINs and use... |
V-2487 | Medium | SQL Server authentication mode should be set to Windows authentication mode or Mixed mode. | SQL Server authentication does not provide a sufficiently robust password complexity and management capability to meet stringent security requirements. SQL Server allows use of Windows... |
V-2485 | Medium | Remote access should be disabled if not authorized. | The remote access option determines if connections to and from other Microsoft SQL Servers are allowed. Remote connections are used to support distributed queries and other data access and command... |
V-15139 | Medium | Plans and procedures for testing DBMS installations, upgrades and patches should be defined and followed prior to production implementation. | Updates and patches to existing software have the intention of improving the security or enhancing or adding features to the product. However, it is unfortunately common that updates or patches... |
V-15632 | Medium | Use of DBA accounts should be restricted to administrative activities. | Use of privileged accounts for non-administrative purposes puts data at risk of unintended or unauthorized loss, modification or exposure. In particular, DBA accounts if used for... |
V-15631 | Medium | Access to DBMS system tables and other configuration or metadata should be restricted to DBAs. | Administrative data includes DBMS metadata and other configuration and management data. Unauthorized access to this data could result in unauthorized changes to database objects, access controls,... |
V-15637 | Medium | DBMS passwords should not be stored in compiled, encoded or encrypted batch jobs or compiled, encoded or encrypted application source code. | The storage of passwords in application source or batch job code that is compiled, encoded or encrypted prevents compliance with password expiration and other management requirements as well as... |
V-15634 | Medium | DBMS account passwords should not be set to easily guessed words or values. | DBMS account passwords set to common dictionary words or values render accounts vulnerable to password guessing attacks and unauthorized access. |
V-15639 | Medium | Unlimited account lock times should be specified for locked accounts. | When no limit is imposed on failed logon attempts and accounts are not disabled after a set number of failed access attempts, then the DBMS account is vulnerable to sustained attack. When access... |
V-15113 | Medium | SQL Server replication agents should be run under separate and dedicated OS accounts. | Use of shared accounts by replication agents requires that all permissions required to support each of the separate replication agent roles (snapshot publication, distribution, log reading,... |
V-15110 | Medium | Use of the DBMS installation account should be logged. | The DBMS installation account may be used by any authorized user to perform DBMS installation or maintenance. Without logging, accountability for actions attributed to the account is lost. |
V-15111 | Medium | Use of the DBMS software installation account should be restricted to DBMS software installation, upgrade and maintenance actions. | The DBMS software installation account is granted privileges not required for DBA or other functions. Use of accounts configured with excess privileges may result in unauthorized or unintentional... |
V-15116 | Medium | The DBMS host platform and other dependent applications should be configured in compliance with applicable STIG requirements. | The security of the data stored in the DBMS is also vulnerable to attacks against the host platform, calling applications, and other application or optional components. |
V-15118 | Medium | Remote administrative access to the database should be monitored by the IAO or IAM. | Remote administrative access to systems provides a path for access to and exploit of DBA privileges. Where the risk has been accepted to allow remote administrative access, it is imperative to... |
V-15119 | Medium | DBMS files critical for DBMS recovery should be stored on RAID or other high-availability storage devices. | DBMS recovery can be adversely affected by hardware storage failure. Impediments to DBMS recovery can have a significant impact on operations. |
V-15211 | Medium | The SMO and DMO XPs option should be set to disabled if not required. | The SMO and DMO XPs are management object extended stored procedures that provide highly privileged actions that run externally to the DBMS under the security context of the SQL Server service... |
V-15210 | Medium | The Agent XPs option should be set to disabled if not required. | The Agent XPs are extended stored procedures used by the SQL Server Agent that provide privileged actions that run externally to the DBMS under the security context of the SQL Server Agent service... |
V-15132 | Medium | Database data files containing sensitive information should be encrypted. | Where access controls do not provide complete protection of sensitive or classified data, encryption can help to close the gap. Encryption of sensitive data helps protect disclosure to privileged... |
V-15133 | Medium | Transaction logs should be periodically reviewed for unauthorized modification of data. | Unauthorized or malicious changes to data compromise the integrity and usefulness of the data. Auditing changes to data supports accountability and non-repudiation. Auditing changes to data may be... |
V-5659 | Medium | The latest security patches should be installed. | Maintaining the currency of the software version protects the database from known vulnerabilities. |
V-15620 | Medium | OS accounts used to execute external procedures should be assigned minimum privileges. | External applications spawned by the DBMS process may be executed under OS accounts assigned unnecessary privileges that can lead to unauthorized access to OS resources. Unauthorized access to OS... |
V-15626 | Medium | Database privileged role assignments should be restricted to IAO-authorized DBMS accounts. | Roles assigned privileges to perform DDL and/or system configuration actions in the database can lead to compromise of any data in the database as well as operation of the DBMS itself. Restrict... |
V-15627 | Medium | Administrative privileges should be assigned to database accounts via database roles. | Privileges granted outside the role of the administrative user job function are more likely to go unmanaged or without oversight for authorization. Maintenance of privileges using roles defined... |
V-15628 | Medium | DBMS application users should not be granted administrative privileges to the DBMS. | DBMS privileges to issue other than Database Manipulation Language (DML) commands provide means to affect database object configuration and use of resources. Application users do not require... |
V-15184 | Medium | Analysis Services Anonymous Connections should be disabled. | Anonymous connections allow unauthenticated access to the database. Although the database may not store sensitive application data, operation and data compromise may occur without accountability... |
V-15187 | Medium | Linked server providers should not allow ad hoc access. | Ad hoc access allows undefined access to remote systems. Access to remote systems should be controlled to prevent untrusted data from being executed or uploaded to the local server. |
V-15186 | Medium | Analysis Services Links From Objects should be disabled if not required. | Analysis Services allows other server instances to link to local analysis services objects. Where not required, enabling of this allowance can unnecessarily expose the database objects to... |
V-15181 | Medium | Analysis Services user-defined COM functions should be disabled if not required. | Allowing user-defined COM functions can allow unauthorized code access to the Analysis Services instance. Where not required as part of the operational design, allowing user-defined COM functions... |
V-15180 | Medium | Only authorized users should be granted access to Analysis Services data sources. | Access control applied to data sources controls user access to remotely defined systems using the authentication and authorizations defined for the data source. Unauthorized access to the data... |
V-15183 | Medium | The Analysis Services ad hoc data mining queries configuration option should be disabled if not required. | SQL Server Ad Hoc distributed queries allow specific functions (OPENROWSET and OPENDATASOURCE) to connect to remote systems without those remote systems being defined within database. Access to... |
V-15182 | Medium | Replication snapshot folders should be protected from unauthorized access. | Replication snapshot folders contain database data to which only authorized replication accounts require access. Unauthorized access to these folders could compromise data confidentiality and... |
V-2508 | Medium | Unauthorized user accounts should not exist. | Unauthorized user accounts provide unauthorized access to the database and may allow access to database objects. Only authorized users should be granted database accounts. |
V-2507 | Medium | Audit trail data should be retained for one year. | Without preservation, a complete discovery of an attack or suspicious activity may not be determined. DBMS audit data also contributes to the complete investigation of unauthorized activity and... |
V-2500 | Medium | Trace Rollover should be enabled for audit traces that have a maximum trace file size. | The majority of Microsoft SQL Server security auditing is provided by the trace facility. Traces may be created using system stored procedures or with Microsoft SQL Profiler. The trace must be... |
V-15167 | Medium | The data directory should specify a dedicated disk partition and restricted access. | Data directories require different access controls than software file directories. Locating data directories in separate directories on a dedicated disk partition allows assign of access controls... |
V-15166 | Medium | Database Engine Ad Hoc distributed queries should be disabled. | Adhoc queries allow undefined access to remote database sources. Access to untrusted databases could result in execution of malicious applications and/or a compromise of local data confidentiality... |
V-15165 | Medium | Only authorized service broker endpoints should be configured on the server. | Service Broker endpoints expose the database to SQL Server messaging communication access. Where not carefully designed and implemented, messaging communication can unnecessarily expose the... |
V-5685 | Medium | Required auditing parameters for database auditing should be set. | Auditing provides accountability for changes made to the DBMS configuration or its objects and data. It provides a means to discover suspicious activity and unauthorized changes. Without auditing,... |
V-5686 | Medium | Audit records should be restricted to authorized individuals. | Audit data is frequently targeted by malicious users as it can provide a means to detect their activity. The protection of the audit trail data is of special concern and requires restrictions to... |
V-15206 | Medium | Only authorized XML Web Service endpoints should be configured on the server. | XML Web Service endpoints expose the database and its data to web service access. Where not carefully designed and implemented, web services can unnecessarily expose the database to additional exploit... |
V-15204 | Medium | Analysis Services Links to Objects should be disabled if not required. | Analysis Services may make connections to external SQL Server instances. In some cases this may be required for the intended operation, however, where not required, this may introduce unnecessary... |
V-15203 | Medium | Reporting Services Windows Integrated Security should be disabled. | Use of Windows integrated security may allow access via Reporting Services that bypasses security controls assessed at the database level. This may be restricted by requiring that all report data source... |
V-15169 | Medium | The SQL Server services should not be assigned excessive user rights. | Excessive or unneeded privileges allow for unauthorized actions. When application vulnerabilities are exploited, excessive privileges assigned to the application can lead to unnecessary risk to... |
V-15201 | Medium | Cross database ownership chaining, if required, should be documented and authorized by the IAO. | Cross database ownership chaining allows permissions to objects to be assigned by users other than the Information Owner. This allows access to objects that are not authorized directly by the... |
V-15129 | Medium | Backup and recovery procedures should be developed, documented, implemented and periodically tested. | Problems with backup procedures or backup media may not be discovered until after a recovery is needed. Testing and verification of procedures provides the opportunity to discover oversights,... |
V-2472 | Medium | OLE Automation extended stored procedures should be restricted to sysadmin access. | Extended stored procedures allow SQL Server users to execute functions external to SQL Server. An extended stored procedure is a function within a Windows DLL that can be referenced as a stored... |
V-2473 | Medium | Registry extended stored procedures should be restricted to sysadmin access. | Extended stored procedures allow SQL Server users to execute functions external to SQL Server. An extended stored procedure is a function within a Windows NT DLL that can be referenced as a stored... |
V-15198 | Medium | The Web Assistant procedures configuration option should be disabled if not required. | The Web Assistant procedures are used by database applications to create web pages. This capability may easily be abused to send malicious messages to remote users or systems. Disabling its use... |
V-15619 | Medium | Replication accounts should not be granted DBA privileges. | Replication accounts may be used to access databases defined for the replication architecture. An exploit of a replication on one database could lead to the compromise of any database... |
V-15618 | Medium | Access to external DBMS executables should be disabled or restricted. | DBMS’s may spawn additional external processes to execute procedures that are defined in the DBMS, but stored in external host files (external procedures). The spawned process used to execute the... |
V-15615 | Medium | DBA accounts should not be assigned excessive or unauthorized role privileges. | The default DBA privileges typically include all privileges defined for a DBMS. These privileges are required to configure the DBMS and to provide other users access to DBMS objects. However, DBAs... |
V-15190 | Medium | Analysis Services Security Package List should be disabled if not required. | Analysis Services Security Packages are security applications provided outside of the default Analysis Services installation. The packages may be provided by custom development or commercial... |
V-15196 | Medium | Only authorized SQL Server proxies should be assigned access to subsystems. | SQL Server subsystems define a set of functionality available for assignment to a SQL Server Agent proxy. These act as privileges to perform certain job tasks. Excess privilege assignment or... |
V-15197 | Medium | Dedicated accounts should be designated for SQL Server Agent proxies. | SQL Server proxies are used to execute specific job functions defined for SQL Server Agent. If proxies share a single account for multiple job functions, least privileges cannot be assigned based on... |
V-15194 | Medium | Only authorized accounts should be assigned to one or more Analysis Services database roles. | Unauthorized group membership assignment grants unauthorized privileges to database accounts. Unauthorized may lead to a compromise of data confidentiality or integrity. |
V-15612 | Medium | Database password changes by users should be limited to one change within 24 hours where supported by the DBMS. | Frequent password changes may indicate suspicious activity or attempts to bypass password controls based on password histories. Limiting the frequency of password changes helps to enforce password... |
V-3803 | Medium | A production DBMS installation should not coexist on the same DBMS host with other, non-production DBMS installations. | Production, development and other non-production DBMS installations have different access and security requirements. Shared production/non-production DBMS installations secured at a... |
V-15176 | Medium | SQL Server event forwarding, if enabled, should be operational. | If SQL Server is configured to forward events to an Alerts Management Server that is not available, then no alerts are issued for the server. |
V-15170 | Medium | SQL Server services should be assigned least privileges on the SQL Server Windows host. | Exploits to SQL Server services may provide access to the host system resources within the security context of the service. Excess privileges assigned to the SQL Services can increase the threat... |
V-15173 | Medium | Database TRUSTWORTHY status should be authorized and documented or set to off. | The TRUSTWORTHY database setting restricts access to database resources by databases that contain assemblies with the EXTERNAL_ACCESS or UNSAFE permission settings and modules that use... |
V-15178 | Medium | Replication databases should have authorized db_owner role members. The replication monitor role should have authorized members. | Role privileges required by replication include full privileges to the databases with replicated objects. Restrict replication database db_owner role memberships and the system distribution... |
V-15179 | Medium | The DBMS should not share a host supporting an independent security service. | The Security Support Structure is a security control function or service provided by an external system or application. An example of this would be a Windows domain controller that provides... |
V-15127 | Medium | The IAM should review changes to DBA role assignments. | Unauthorized assignment of DBA privileges can lead to a compromise of DBMS integrity. Providing oversight to the authorization and assignment of privileges provides the separation of duty to... |
V-2436 | Medium | MS SQL Server Instance name should not include a SQL Server or other software version number. | The use of version numbers within the database instance name restricts the use of the instance name from meaningful use in subsequent upgrades. Changing the database instance names on a production... |
V-15608 | Medium | Access to DBMS software files and directories should not be granted to unauthorized users. | The DBMS software libraries contain the executables used by the DBMS to operate. Unauthorized access to the libraries can result in malicious alteration or planting of operational executables.... |
V-15609 | Medium | Default demonstration and sample database objects and applications should be removed. | Demonstration and sample database objects and applications present publicly known attack points for malicious users. These demonstration and sample objects are meant to provide simple examples of... |
V-2464 | Medium | Execute stored procedures at startup, if enabled, should have a custom audit trace defined. | The DBMS startup process may be vulnerable to introduction of malicious or unauthorized actions. Any use of automated execution of custom procedures provides an opportunity to deploy unauthorized... |
V-3336 | Medium | SQL Server Agent email notification usage if enabled should be documented and approved by the IAO. | SQL Mail accepts incoming database commands via email. This can introduce malicious codes or viruses into the SQL server environment. |
V-3335 | Medium | SQL Mail, SQL Mail Extended Stored Procedures (XPs) and Database Mail XPs are required and enabled. | The SQL Mail, SQL Mail Extended Stored Procedures (XPs) and Database Mail XPs are used by database applications to provide email messages to and from the database. This capability may easily be... |
V-15662 | Medium | Remote administration of the DBMS should be restricted to known, dedicated and encrypted network addresses and ports. | Remote administration provides many conveniences that can assist in the maintenance of the designed security posture of the DBMS. On the other hand, remote administration of the database also... |
V-15141 | Medium | DBMS processes or services should run under custom, dedicated OS accounts. | Shared accounts do not provide separation of duties nor allow for assignment of least privileges for use by database processes and services. Without separation and least privilege, the exploit of... |
V-15140 | Medium | Procedures and restrictions for import of production data to development databases should be documented, implemented and followed. | Data export from production databases may include sensitive data. Application developers do not have a need-to-know for sensitive data. Any access they may have to production data would be... |
V-15143 | Medium | Database data encryption controls should be configured in accordance with application requirements. | Authorizations may not sufficiently protect access to sensitive data and may require encryption. In some cases, the required encryption may be provided by the application accessing the database.... |
V-15144 | Medium | Sensitive data is stored in the database and should be identified in the System Security Plan and AIS Functional Architecture documentation. | A DBMS that does not have the correct confidentiality level identified or any confidentiality level assigned stands the chance of not being secured at a level appropriate to the risk it poses. |
V-15147 | Medium | The DBMS data files, transaction logs and audit files should be stored in dedicated directories or disk partitions separate from software or other application files. | Protection of DBMS data, transaction and audit data files stored by the host operating system is dependent on OS controls. When different applications share the same database process, resource... |
V-15146 | Medium | The DBMS should not be operated without authorization on a host system supporting other application services. | In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulative negative effect. A vulnerability and... |
V-15148 | Medium | DBMS network communications should comply with PPS usage restrictions. | Non-standard network ports, protocol or services configuration or usage could lead to bypass of network perimeter security controls and protections. |
V-4758 | Medium | An upgrade/migration plan should be developed to address an unsupported DBMS software version. | Unsupported software versions are not patched by vendors to address newly discovered security vulnerabilities. An unpatched version is vulnerable to attack. Developing and implementing an upgrade plan... |
V-3820 | Medium | Production databases should be protected from unauthorized access by developers on shared production/development host systems. | Developers granted elevated database and operating system privileges on systems that support both development and production databases can affect the operation and/or security of the production... |
V-3821 | Medium | Application user privilege assignment should be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy. | Users granted privileges not required to perform their assigned functions are able to make unauthorized modifications to the production data or database. Monthly or more frequent periodic review... |
V-3827 | Medium | Audit trail data should be reviewed daily or more frequently. | Review of audit trail data provides a means for detection of unauthorized access or attempted access. Frequent and regularly scheduled reviews ensure that such access is discovered in a timely manner. |
V-3825 | Medium | Remote administrative connections to the database should be encrypted. | Communications between a client and database service across the network may contain sensitive information including passwords. Encryption of remote administrative connections to the database... |
V-15649 | Medium | The DBMS should have configured all applicable settings to use trusted files, functions, features, or other components during startup, shutdown, aborts, or other unplanned interruptions. | The DBMS opens data files and reads configuration files at system startup, system shutdown and during abort recovery efforts. If the DBMS does not verify the trustworthiness of these files, it is... |
V-15658 | Medium | The DBMS warning banner does not meet DoD policy requirements. | Without sufficient warning of monitoring and access restrictions of a system, legal prosecution to assign responsibility for unauthorized or malicious access may not succeed. A warning message... |
V-15651 | Medium | Remote DBMS administration is not authorized and is not disabled. | Remote administration may expose configuration and sensitive data to unauthorized viewing during transit across the network or allow unauthorized administrative access to the DBMS to remote users. |
V-15652 | Medium | DBMS remote administration should be audited. | When remote administration is available, the vulnerability to attack for administrative access is increased. An audit of remote administrative access provides additional means to discover... |
V-15656 | Medium | The DBMS should not have a connection defined to access or be accessed by a DBMS at a different classification level. | Applications that access databases and databases connecting to remote databases that differ in their assigned classification levels may expose sensitive data to unauthorized clients. Any... |
V-15154 | Medium | Credentials stored and used by the DBMS to access remote databases or applications should be authorized and restricted to authorized users. | Credentials defined for access to remote databases or applications may provide unauthorized access to additional databases and applications to unauthorized or malicious users. |
V-15155 | Medium | The SQL Server Agent service account should not be assigned excess user rights. | Excess privileges can unnecessarily increase the vulnerabilities to a successful attack. If the SQL Server Agent service is compromised, the attack can lead to use of the privileges assigned to... |
V-15152 | Medium | DBMS login accounts require passwords to meet complexity requirements. | Weak passwords are a primary target for attack to gain unauthorized access to databases and other systems. Where username/password is used for identification and authentication to the database,... |
V-15153 | Medium | DBMS account passwords should be set to expire every 60 days or more frequently. | Unchanged passwords provide a means for compromised passwords to be used for unauthorized access to DBMS accounts over a long time. |
V-3838 | Medium | SQL Server registry keys should be properly secured. | Registry keys contain configuration data for the SQL Server services and applications. Unrestricted access or access unnecessary for operation can lead to a compromise of the application or... |
V-3833 | Medium | Windows OS DBA group should contain only authorized users. | The host DBA group is assigned permissions to the DBMS system libraries and may also be used to assign DBA privileges within the database. Unauthorized DBA privilege assignment leaves the DBMS... |
V-3832 | Medium | A Windows OS DBA group should exist. | The DBA job function differs from the host system administrator job function. Without a separate host OS group to assign necessary privileges on the operating system, separation of duties is not... |
V-3835 | Medium | The SQL Server service should use a least-privileged local or domain user account. | The Windows builtin Administrators group and LocalSystem account are assigned full privileges to the Windows operating system. These privileges are not required by the SQL Server service accounts... |
V-2424 | Medium | All database non-interactive, n-tier connection, and shared accounts that exist should be documented and approved by the IAO. | Group authentication does not provide individual accountability for actions taken on the DBMS or data. Whenever a single database account is used to connect to the database, a secondary... |
V-2427 | Medium | Fixed Server roles should have only authorized users or groups assigned as members. | Fixed server roles provide a mechanism to grant groups of privileges to users. These privilege groupings are defined by the installation or upgrade of the SQL Server software at the discretion of... |
V-2426 | Medium | C2 Audit mode should be enabled or custom audit traces defined. | The C2 audit mode uses a system-defined trace to collect audit information for MS SQL Server 2000 and higher. It utilizes all security event categories defined within SQL Server, not all of which... |
V-2423 | Medium | Database software, applications and configuration files should be monitored to discover unauthorized changes. | Unmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations. |
V-2422 | Medium | The DBMS software installation account should be restricted to authorized users. | DBA and other privileged administrative or application owner accounts are granted privileges that allow actions that can have a greater impact on database security and operation. It is especially... |
V-3806 | Medium | A baseline of database application software should be documented and maintained. | Without maintenance of a baseline of current DBMS application software, monitoring for changes cannot be complete and unauthorized changes to the software can go undetected. Changes to the DBMS... |
V-3807 | Medium | All applications that access the database should be logged in the audit trail. | Protections and privileges are designed within the database to correspond to access via authorized software. Use of unauthorized software to access the database could indicate an attempt to bypass... |
V-15193 | Medium | The Analysis Services server role should be restricted to authorized users. | The Analysis Services server role grants server-wide security privileges to the assigned user. An unauthorized user could compromise database and analysis server data and operational integrity or... |
V-15122 | Medium | The database should not be directly accessible from public or unauthorized networks. | Databases often store critical and/or sensitive information used by the organization. For this reason, databases are targeted for attacks by malicious users. Additional protections provided by... |
V-15121 | Medium | DBMS software libraries should be periodically backed up. | The DBMS application depends upon the availability and integrity of its software libraries. Without backups, compromise or loss of the software libraries can prevent a successful recovery of DBMS... |
V-15120 | Medium | DBMS backup and restoration files should be protected from unauthorized access. | Lost or compromised DBMS backup and restoration files may lead to not only the loss of data, but also the unauthorized access to sensitive data. Backup files need the same protections against... |
V-3808 | Medium | Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions. | Unauthorized users may bypass security mechanisms by submitting jobs to job queues managed by the database to be run under a more privileged security context of the database or host system. These... |
V-15126 | Medium | Database backup procedures should be defined, documented and implemented. | Database backups provide the required means to restore databases after compromise or loss. Backups help reduce the vulnerability to unauthorized access or hardware loss. |
V-15125 | Medium | Only authorized users should be assigned permissions to SQL Server Agent proxies. | Database accounts granted access to SQL Server Agent proxies are granted permissions to create and submit specific function job steps to be executed by SQL Server Agent. Unauthorized users may use... |
V-15124 | Medium | The Named Pipes network protocol should be documented and approved if enabled. | The named pipes network protocol requires more ports to be opened on firewalls than TCP/IP. Managing and administering multiple network protocols may unnecessarily complicate network controls. |
V-4754 | Medium | Database software directories including DBMS configuration files are stored in dedicated directories separate from the host OS and other applications. | Multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit to one application can lead to an exploit of other applications sharing the same security... |
V-15610 | Medium | DBMS should use NIST FIPS 140-2 validated cryptography. | Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken... |
V-15613 | Medium | Each database user, application or process should have an individually assigned account. | Use of accounts shared by multiple users, applications, or processes limits the accountability for actions taken in or on the data or database. Individual accounts provide an opportunity to limit... |
V-15617 | Medium | Access to external objects should be disabled if not required and authorized. | Objects defined within the database, but stored externally to the database are accessible based on authorizations defined by the local operating system or other remote system that may be under... |
V-15138 | Low | The DBMS IA policies and procedures should be reviewed annually or more frequently. | A regular review of current database security policies and procedures is necessary to maintain the desired security posture of the DBMS. Policies and procedures should be measured against current... |
V-15638 | Low | DBMS default account names should be changed. | Well-known DBMS account names are targeted most frequently by attackers and are thus more prone to providing unauthorized access to the database. |
V-15112 | Low | The DBMS should be periodically tested for vulnerability management and IA compliance. | The DBMS security configuration may be altered either intentionally or unintentionally over time. The DBMS may also be the subject of published vulnerabilities that require the installation of a... |
V-15114 | Low | Developers should not be assigned excessive privileges on production databases. | Developers play a unique role and represent a specific type of threat to the security of the DBMS. Where restricted resources prevent the required separation of production and development DBMS... |
V-15622 | Low | DBMS service identification should be unique and clearly identify the service. | Local or network services that do not employ unique or clearly identifiable targets can lead to inadvertent or unauthorized connections. |
V-15205 | Low | Reporting Services scheduled events and report delivery should be disabled if not required. | Where not required, scheduled events and report delivery unnecessarily expose the report server to attack via Report Service event handling and report delivery. |
V-15202 | Low | Use of Common Language Runtime objects should be disabled if not required. | The clr_enabled parameter configures SQL Server to allow or disallow use of Common Language Runtime objects. CLR objects are managed code that integrates with the .NET Framework. This is a more... |
V-15199 | Low | Reporting Services Web service requests and HTTP access should be disabled if not required. | Where not required, SOAP and URL access to the web service unnecessarily exposes the report server to attack via the SOAP and HTTP protocols. |
V-15614 | Low | The DBMS should be configured to clear residual data from memory, data objects or files, or other storage locations. | Database storage locations may be reassigned to different objects during normal operations. If not cleared of residual data, sensitive data may be exposed to unauthorized access. |
V-15616 | Low | Sensitive data should be labeled. | The sensitivity marking or labeling of data items promotes the correct handling and protection of the data. Without such notification, the user may unwittingly disclose sensitive data to... |
V-3728 | Low | Unused database components, database application software and database objects should be removed from the DBMS system. | Unused, unnecessary DBMS components increase the attack vector for the DBMS by introducing additional targets for attack. By minimizing the services and applications installed on the system, the... |
V-3726 | Low | Configuration management procedures should be defined and implemented for database software modifications. | Uncontrolled, untested, or unmanaged changes result in an unreliable security posture. All changes to software libraries related to the database and its use need to be reviewed, considered, and... |
V-15145 | Low | The DBMS restoration priority should be assigned. | When DBMS service is disrupted, the impact it has on the overall mission of the organization can be severe. Without the proper assignment of the priority to be placed on restoration of the DBMS... |
V-15149 | Low | DBA role assignments should be assigned and authorized by the IAO. | The DBA role and associated privileges provide complete control over the DBMS operation and integrity. DBA role assignment without authorization could lead to the assignment of these privileges to... |
V-15150 | Low | The DBMS requires a System Security Plan containing all required information. | A System Security Plan identifies security control applicability and configuration for the DBMS. It also contains security control documentation requirements. Security controls applicable to the... |
V-2420 | Low | Database executable and configuration files should be monitored for unauthorized modifications. | Changes to files in the DBMS software directory including executable, configuration, script, or batch files can indicate malicious compromise of the software files. Changes to non-executable... |
V-3805 | Low | Application software should be owned by a Software Application account. | File and directory ownership imparts full privileges to the owner. These privileges should be restricted to a single, dedicated account to preserve proper chains of ownership and privilege... |
V-15611 | Low | The audit logs should be periodically monitored to discover DBMS access using unauthorized applications. | Regular and timely reviews of audit records increase the likelihood of early discovery of suspicious activity. Discovery of suspicious behavior can in turn trigger protection responses to... |