UCF STIG Viewer Logo

Microsoft SQL Server 2005 Instance Security Technical Implementation Guide


Overview

Date Finding Count (160)
2015-06-16 CAT I (High): 7 CAT II (Med): 135 CAT III (Low): 18
STIG Description
The Microsoft SQL Server 2005 Instance Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Classified)

Finding ID Severity Title
V-3812 High Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations.
V-15104 High Sensitive data served by the DBMS should be protected by encryption when transmitted across the network.
V-5658 High Vendor supported software is evaluated and patched against newly found vulnerabilities.
V-15636 High Passwords should be encrypted when transmitted across the network.
V-15635 High DBMS default accounts should be assigned custom passwords.
V-15188 High Analysis Services Required Protection Levels should be set to 1.
V-2461 High Extended stored procedure xp_cmdshell should be restricted to authorized accounts.
V-6756 Medium Only necessary privileges to the host system should be granted to DBA OS accounts.
V-3813 Medium DBMS tools or applications that echo or require a password entry in clear text should be protected from password display.
V-3811 Medium Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented.
V-3810 Medium DBMS authentication should require use of a DoD PKI certificate.
V-3815 Medium New passwords should be required to differ from old passwords by more than four characters.
V-15130 Medium Unapproved inactive or expired database accounts should not be found on the database.
V-15131 Medium Sensitive information stored in the database should be protected by encryption.
V-3819 Medium Sensitive information from production database exports should be modified after import to a development database.
V-3818 Medium Unauthorized database links should not be defined and active.
V-15134 Medium The Integration Services service account should not be assigned excess host system privileges.
V-15137 Medium Error log retention shoud be set to meet log retention policy.
V-15646 Medium Audit records should contain required information.
V-15644 Medium Attempts to bypass access controls should be audited.
V-15645 Medium Changes to configuration options should be audited.
V-15643 Medium Access to DBMS security should be audited.
V-15648 Medium Access to the DBMS should be restricted to static, default network ports.
V-15625 Medium Recovery procedures and technical system features exist to ensure that recovery is done in a secure and verifiable manner.
V-15105 Medium Unauthorized access to external database objects should be removed from application user roles.
V-15107 Medium DBMS privileges to restore database data or other DBMS configurations, features or objects should be restricted to authorized DBMS accounts.
V-15106 Medium DBA roles should be periodically monitored to detect assignment of unauthorized or excess privileges.
V-15103 Medium An automated tool that monitors audit data and immediately reports suspicious activity should be employed for the DBMS.
V-15102 Medium Automated notification of suspicious activity detected in the audit trail should be implemented.
V-15109 Medium DBMS production application and data directories should be protected from developers on shared production/development DBMS host systems.
V-15108 Medium Privileges assigned to developers on shared production and development DBMS hosts and the DBMS should be monitored every three months or more frequently for unauthorized changes.
V-2488 Medium SQL Server Agent CmdExec or ActiveScripting jobs should be restricted to sysadmins.
V-2487 Medium SQL Server authentication mode should be set to Windows authentication mode or Mixed mode.
V-2485 Medium Remote access should be disabled if not authorized.
V-15139 Medium Plans and procedures for testing DBMS installations, upgrades and patches should be defined and followed prior to production implementation.
V-15632 Medium Use of DBA accounts should be restricted to administrative activities.
V-15631 Medium Access to DBMS system tables and other configuration or metadata should be restricted to DBAs.
V-15637 Medium DBMS passwords should not be stored in compiled, encoded or encrypted batch jobs or compiled, encoded or encrypted application source code.
V-15634 Medium DBMS account passwords should not be set to easily guessed words or values.
V-15639 Medium Unlimited account lock times should be specified for locked accounts.
V-15113 Medium SQL Server replications agents should be run under separate and dedicated OS accounts.
V-15110 Medium Use of the DBMS installation account should be logged.
V-15111 Medium Use of the DBMS software installation account should be restricted to DBMS software installation, upgrade and maintenance actions.
V-15116 Medium The DBMS host platform and other dependent applications should be configured in compliance with applicable STIG requirements.
V-15117 Medium The DBMS audit logs should be included in backup operations.
V-15118 Medium Remote administrative access to the database should be monitored by the IAO or IAM.
V-15119 Medium DBMS files critical for DBMS recovery should be stored on RAID or other high-availability storage devices.
V-15211 Medium The SMO and DMO SPs option should be set to disabled if not required.
V-15210 Medium The Agent XPs option should be set to disabled if not required.
V-15132 Medium Database data files containing sensitive information should be encrypted.
V-5659 Medium The latest security patches should be installed.
V-15620 Medium OS accounts used to execute external procedures should be assigned minimum privileges.
V-15626 Medium Database privileged role assignments should be restricted to IAO-authorized DBMS accounts.
V-15627 Medium Administrative privileges should be assigned to database accounts via database roles.
V-15628 Medium DBMS application users should not be granted administrative privileges to the DBMS.
V-15184 Medium Analysis Services Anonymous Connections should be disabled.
V-15187 Medium Linked server providers should not allow ad hoc access.
V-15186 Medium Analysis Services Links From Objects should be disabled if not required.
V-15181 Medium Analysis Services user-defined COM functions should be disabled if not required.
V-15180 Medium Only authorized users should be granted access to Analysis Services data sources.
V-15183 Medium The Analysis Services ad hoc data mining queries configuration option should be disabled if not required.
V-15182 Medium Replication snapshot folders should be protected from unauthorized access.
V-2508 Medium Unauthorized user accounts should not exist.
V-2507 Medium Audit trail data should be retained for one year.
V-2500 Medium Trace Rollover should be enabled for audit traces that have a maximum trace file size.
V-15167 Medium The data directory should specify a dedicated disk partition and restricted access.
V-15166 Medium Database Engine Ad Hoc distributed queries should be disabled.
V-15165 Medium Only authorized service broker endpoints should be configured on the server.
V-5685 Medium Required auditing parameters for database auditing should be set.
V-5686 Medium Audit records should be restricted to authorized individuals.
V-15206 Medium Only authorized XML Web Service endpoints should be configured on the server.
V-15204 Medium Analysis Services Links to Objects should be disabled if not required.
V-15203 Medium Reporting Services Windows Integrated Security should be disabled.
V-15169 Medium The SQL Server services should not be assigned excessive user rights.
V-15201 Medium Cross database ownership chaining, if required, should be documented and authorized by the IAO.
V-3806 Medium A baseline of database application software should be documented and maintained.
V-2472 Medium OLE Automation extended stored procedures should be restricted to sysadmin access.
V-2473 Medium Registry extended stored procedures should be restricted to sysadmin access.
V-15198 Medium The Web Assistant procedures configuration option should be disabled if not required.
V-15619 Medium Replication accounts should not be granted DBA privileges.
V-15618 Medium Access to external DBMS executables should be disabled or restricted.
V-15615 Medium DBA accounts should not be assigned excessive or unauthorized role privileges.
V-15190 Medium Analysis Services Security Package List should be disabled if not required.
V-15196 Medium Only authorized SQL Server proxies should be assigned access to subsystems.
V-15197 Medium Dedicated accounts should be designated for SQL Server Agent proxies.
V-15194 Medium Only authorized accounts should be assigned to one or more Analysis Services database roles.
V-15612 Medium Database password changes by users should be limited to one change within 24 hours where supported by the DBMS.
V-3803 Medium A production DBMS installation should not coexist on the same DBMS host with other, non-production DBMS installations.
V-15176 Medium SQL Server event forwarding, if enabled, should be operational.
V-15170 Medium SQL Server services should be assigned least privileges on the SQL Server Windows host.
V-15173 Medium Database TRUSTWORTHY status should be authorized and documented or set to off.
V-15178 Medium Replication databases should have authorized db_owner role members. The replication monitor role should have authorized members.
V-15179 Medium The DBMS should not share a host supporting an independent security service.
V-15127 Medium The IAM should review changes to DBA role assignments.
V-2436 Medium MS SQL Server Instance name should not incude a SQL Server or other software version number.
V-15608 Medium Access to DBMS software files and directories should not be granted to unauthorized users.
V-15609 Medium Default demonstration and sample database objects and applications should be removed.
V-2464 Medium Execute stored procedures at startup, if enabled, should have a custom audit trace defined.
V-3336 Medium SQL Server Agent email notification usage if enabled should be documented and approved by the IAO.
V-3335 Medium SQL Mail, SQL Mail Extended Stored Procedures (XPs) and Database Mail XPs are required and enabled.
V-15662 Medium Remote administration of the DBMS should be restricted to known, dedicated and encrypted network addresses and ports.
V-15141 Medium DBMS processes or services should run under custom, dedicated OS accounts.
V-15140 Medium Procedures and restrictions for import of production data to development databases should be documented, implemented and followed.
V-15143 Medium Database data encryption controls should be configured in accordance with application requirements.
V-15144 Medium Sensitive data is stored in the database and should be identified in the System Security Plan and AIS Functional Architecture documentation.
V-15147 Medium The DBMS data files, transaction logs and audit files should be stored in dedicated directories or disk partitions separate from software or other application files.
V-15146 Medium The DBMS should not be operated without authorization on a host system supporting other application services.
V-15148 Medium DBMS network communications should comply with PPS usage restrictions.
V-4758 Medium An upgrade/migration plan should be developed to address an unsupported DBMS software version.
V-3820 Medium Production databases should be protected from unauthorized access by developers on shared production/development host systems.
V-3821 Medium Application user privilege assignment should be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy.
V-3825 Medium Remote adminstrative connections to the database should be encrypted.
V-15649 Medium The DBMS should have configured all applicable settings to use trusted files, functions, features, or other components during startup, shutdown, aborts, or other unplanned interruptions.
V-15658 Medium The DBMS warning banner does not meet DoD policy requirements.
V-15651 Medium Remote DBMS administration is not authorized and is not disabled.
V-15652 Medium DBMS remote administration should be audited.
V-15656 Medium The DBMS should not have a connection defined to access or be accessed by a DBMS at a different classification level.
V-15154 Medium Credentials stored and used by the DBMS to access remote databases or applications should be authorized and restricted to authorized users.
V-15155 Medium The SQL Server Agent service account should not be assigned excess user rights.
V-15152 Medium DBMS login accounts require passwords to meet complexity requirements.
V-15153 Medium DBMS account passwords should be set to expire every 60 days or more frequently.
V-3838 Medium SQL Server registry keys should be properly secured.
V-3833 Medium Windows OS DBA group should contain only authorized users.
V-3832 Medium A Windows OS DBA group should exist.
V-3835 Medium The SQL Server service should use a least-privileged local or domain user account.
V-2424 Medium All database non-interactive, n-tier connection, and shared accounts that exist should be documented and approved by the IAO.
V-2427 Medium Fixed Server roles should have only authorized users or groups assigned as members.
V-2426 Medium C2 Audit mode should be enabled or custom audit traces defined.
V-2423 Medium Database software, applications and configuration files should be monitored to discover unauthorized changes.
V-2422 Medium The DBMS software installation account should be restricted to authorized users.
V-15129 Medium Backup and recovery procedures should be developed, documented, implemented and periodically tested.
V-3807 Medium All applications that access the database should be logged in the audit trail.
V-15193 Medium The Analysis Services server role should be restricted to authorized users.
V-15121 Medium DBMS software libraries should be periodically backed up.
V-15120 Medium DBMS backup and restoration files should be protected from unauthorized access.
V-3808 Medium Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions.
V-15617 Medium Access to external objects should be disabled if not required and authorized.
V-15125 Medium Only authorized users should be assigned permissions to SQL Server Agent proxies.
V-15124 Medium The Named Pipes network protocol should be documented and approved if enabled.
V-4754 Medium Database software directories including DBMS configuration files are stored in dedicated directories separate from the host OS and other applications.
V-15610 Medium DBMS should use NIST FIPS 140-2 validated cryptography.
V-15613 Medium Each database user, application or process should have an individually assigned account.
V-15138 Low The DBMS IA policies and procedures should be reviewed annually or more frequently.
V-15638 Low DBMS default account names should be changed.
V-15112 Low The DBMS should be periodically tested for vulnerability management and IA compliance.
V-15114 Low Developers should not be assigned excessive privileges on production databases.
V-15622 Low DBMS service identification should be unique and clearly identifies the service.
V-15205 Low Reporting Services scheduled events and report delivery should be disabled if not required.
V-15202 Low Use of Command Language Runtime objects should be disabled if not required.
V-15199 Low Reporting Services Web service requests and HTTP access should be disabled if not required.
V-15614 Low The DBMS should be configured to clear residual data from memory, data objects or files, or other storage locations.
V-15616 Low Sensitive data should be labeled.
V-3728 Low Unused database components, database application software and database objects should be removed from the DBMS system.
V-3726 Low Configuration management procedures should be defined and implemented for database software modifications.
V-15145 Low The DBMS restoration priority should be assigned.
V-15149 Low DBA roles assignments should be assigned and authorized by the IAO.
V-15150 Low The DBMS requires a System Security Plan containing all required information.
V-2420 Low Database executable and configuration files should be monitored for unauthorized modifications.
V-3805 Low Application software should be owned by a Software Application account.
V-15611 Low The audit logs should be periodically monitored to discover DBMS access using unauthorized applications.