UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

DBA accounts should not be assigned excessive or unauthorized role privileges.


Overview

Finding ID Version Rule ID IA Controls Severity
V-15615 DG0085-SQLServer9 SV-24236r1_rule ECLP-1 Medium
Description
The default DBA privileges typically include all privileges defined for a DBMS. These privileges are required to configure the DBMS and to provide other users access to DBMS objects. However, DBAs may not require access to application data or other privileges to administer the DBMS. Where not required or desired, DBAs may be prevented from accessing protected data for which they have no need-to-know or from utilizing unauthorized privileges for other actions. Although DBAs may assign themselves privileges to override any restrictions, the assignment of privileges is an audit requirement and this auditable event may assist discovery of a misuse of privileges.
STIG Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide 2015-04-03

Details

Check Text ( C-2817r1_chk )
Review DBA account role assignments and compare them to those listed in the System Security Plan with the IAO.

If system/database roles assigned to DBAs are not listed as required assignments in the System Security Plan, this is a Finding.
Fix Text (F-26086r1_fix)
Document DBA job functions and minimum role privileges required to perform the DBA job function in the System Security Plan.

Assign DBA accounts role privileges as documented and authorized in the System Security Plan.

Revoke role privileges from DBA accounts where not documented and approved in the System Security Plan.