Unauthorized access to external database objects should be removed from application user roles.


Overview

Finding ID: V-15105
Version: DG0120-SQLServer9
Rule ID: SV-24104r2_rule
IA Controls: ECLP-1
Severity: Medium

Description
Access to objects stored and/or executed outside of the DBMS security context may provide an avenue of attack to host system resources not controlled by the DBMS. Any access to external resources from the DBMS can lead to a compromise of the host system or its resources.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-20470r2_chk)
View access permissions granted to external stored procedures:

From the query prompt:

SELECT name AS [Database Name]
FROM [master].sys.databases
WHERE state = 0

Repeat for each database:

From the query prompt:

USE [Database Name]
SELECT u.name AS [Principal], o.name AS [External Procedure Name], p.permission_name AS [Permission], p.state_desc AS [State]
FROM master.sys.all_objects o
JOIN master.sys.database_permissions p ON p.major_id = o.object_id
JOIN master.sys.database_principals u ON p.grantee_principal_id = u.principal_id
WHERE o.type = 'X'
ORDER BY o.name, u.name

If no results are listed, this is Not a Finding.

Review results returned. If any Principal names returned are not listed as authorized in the System Security Plan, this is a Finding.
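
One way to automate the comparison against the System Security Plan, as an added example that is not part of the STIG check text. The principal names in @authorized are placeholders to replace with the SSP's entries, and the script runs in master because the check query above reads master's catalog views. Unlike the original query, it restricts the join to object-level permissions (class = 1) and labels DENY rows.

```sql
-- Added example, written for SQL Server 2005 syntax (single-row INSERTs,
-- no DECLARE initializers). Not part of the STIG check text.
USE [master];

-- Principals the System Security Plan authorizes to hold permissions on
-- external (extended) stored procedures.
-- Placeholder names (assumption): replace with the entries from your SSP.
DECLARE @authorized TABLE (principal_name sysname NOT NULL PRIMARY KEY);
INSERT INTO @authorized (principal_name) VALUES (N'example_app_role');
INSERT INTO @authorized (principal_name) VALUES (N'example_dba_group');

SELECT u.name            AS [Principal],
       o.name            AS [External Procedure Name],
       p.permission_name AS [Permission],
       p.state_desc      AS [State],
       CASE
           -- A DENY row blocks access rather than granting it.
           WHEN p.state = 'D' THEN 'DENY row: blocks access, review manually'
           -- No match in the allowlist: the condition the check calls a Finding.
           WHEN a.principal_name IS NULL THEN 'Finding: not authorized in SSP list'
           ELSE 'Authorized per SSP list'
       END               AS [Assessment]
FROM sys.all_objects o
JOIN sys.database_permissions p
     ON p.major_id = o.object_id
    AND p.class = 1   -- added refinement: object/column permissions only
JOIN sys.database_principals u
     ON p.grantee_principal_id = u.principal_id
LEFT JOIN @authorized a
     ON a.principal_name = u.name COLLATE DATABASE_DEFAULT
WHERE o.type = 'X'    -- extended stored procedures, as in the check query
ORDER BY [Assessment] DESC, o.name, u.name;  -- 'Finding' rows sort first
```

Grants to public appear as a single row for the public principal, which covers every database user, so that row needs an explicit SSP entry to be treated as authorized.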
Fix Text (F-18420r1_fix)
Evaluate the associated risk in allowing access to external objects.

Consider the security context under which the object is accessed or whether the privileges required to access the object are available for assignment based on job function.

Where feasible, modify the application to use only objects stored internally to the database. Where not feasible, note the risk assessment and acceptance in the System Security Plan for access to external objects.

Document required access permissions in the System Security Plan and authorize with the IAO.