Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15108 | DG0194-SQLServer9 | SV-25411r1_rule | ECPC-1 ECPC-2 | Medium |
Description |
---|
The developer role does not require Need-to-Know or administrative privileges to production databases. Assigning excess privileges can lead to unauthorized access to sensitive data or compromise of database operations. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Check Text (C-23501r1_chk) |
---|
If the DBMS or DBMS host is not shared by production and development activities, this check is Not a Finding. Review policy, monitoring procedures and evidence of developer privileges on shared development and production DBMS and DBMS host systems with the IAO. If developer privileges are not monitored every three months or more frequently, this is a Finding. NOTE: Though shared production/non-production DBMS installations were allowed under previous database STIG guidance, doing so may place the installation in violation of OS, Application, Network or Enclave STIG guidance. Ensure that any shared production/non-production DBMS installation meets STIG guidance requirements at all levels, or mitigate any conflicts in STIG guidance with your DAA. |
Fix Text (F-23490r1_fix) |
---|
Develop, document and implement policy and procedures to monitor DBMS and DBMS host privileges assigned to developers on shared production and development systems to detect unauthorized assignments every three months or more often. Recommend establishing a dedicated DBMS host for production DBMS installations (See Checks DG0109 and DG0110). A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine where supported by the DBMS vendor. |
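As an added example (not part of the STIG text or any DISA tooling), the following T-SQL enumerates the server roles, database roles and explicit permissions held by developer logins on a shared SQL Server 2005 instance, giving the quarterly review a concrete artifact to compare run over run. It assumes developer logins can be recognised by a naming pattern; `DEV\%` is a placeholder for the site's own convention.

```sql
-- Added example, not part of the STIG text: a quarterly developer-privilege
-- review for a shared SQL Server 2005 instance. Server-level role membership
-- is listed first, then database roles and explicit permissions per database.
-- Save each quarter's output and diff it against the previous run.
SET NOCOUNT ON;

-- Assumption: developer logins are recognisable by name. 'DEV\%' is a
-- placeholder for the site's own naming convention (e.g. a Windows group).
DECLARE @dev_pattern sysname;
SET @dev_pattern = N'DEV\%';

-- 1. Server-level: fixed server roles held by developer logins
--    (sysadmin or securityadmin here is an immediate review item).
SELECT  'SERVER ROLE'  AS scope,
        sp.name        AS login_name,
        r.name         AS role_name,
        sp.type_desc,
        sp.is_disabled
FROM    sys.server_principals sp
JOIN    sys.server_role_members rm ON rm.member_principal_id = sp.principal_id
JOIN    sys.server_principals   r  ON r.principal_id = rm.role_principal_id
WHERE   sp.name LIKE @dev_pattern;

-- 2. Database-level: walk every online database with an explicit cursor
--    (sp_MSforeachdb is undocumented) and run the same checks in each.
DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = 'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
    -- database roles held by users mapped to developer logins
    SELECT ''DB ROLE'' AS scope, DB_NAME() AS database_name, u.name AS user_name,
           SUSER_SNAME(u.sid) AS login_name, r.name AS role_name
    FROM   sys.database_principals u
    JOIN   sys.database_role_members rm ON rm.member_principal_id = u.principal_id
    JOIN   sys.database_principals   r  ON r.principal_id = rm.role_principal_id
    WHERE  SUSER_SNAME(u.sid) LIKE @p;
    -- explicit GRANT/DENY entries for those users (CONTROL, ALTER, INSERT, ...)
    SELECT ''DB PERMISSION'' AS scope, DB_NAME() AS database_name, u.name AS user_name,
           pe.permission_name, pe.state_desc, pe.class_desc
    FROM   sys.database_permissions pe
    JOIN   sys.database_principals u ON u.principal_id = pe.grantee_principal_id
    WHERE  SUSER_SNAME(u.sid) LIKE @p;';
    EXEC sp_executesql @sql, N'@p sysname', @p = @dev_pattern;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs; DEALLOCATE dbs;
```

Any row for a production database, or any sysadmin/securityadmin membership, is the kind of excess privilege the check text asks the IAO to review; retaining each run's result set is what lets the three-month monitoring requirement be evidenced.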