UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Privileges assigned to developers on shared production and development DBMS hosts and the DBMS should be monitored every three months or more frequently for unauthorized changes.


Overview

Finding ID Version Rule ID IA Controls Severity
V-15108 DG0194-SQLServer9 SV-25411r1_rule ECPC-1 ECPC-2 Medium
Description
The developer role does not require Need-to-Know or administrative privileges to production databases. Assigning excess privileges can lead to unauthorized access to sensitive data or compromise of database operations.
STIG Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide 2015-06-16

Details

Check Text ( C-23501r1_chk )
If the DBMS or DBMS host is not shared by production and development activities, this check is Not a Finding.

Review policy, monitoring procedures and evidence of developer privileges on shared development and production DBMS and DBMS host systems with the IAO.

If developer privileges are not monitored every three months or more frequently, this is a Finding.

NOTE: Though shared production/non-production DBMS installations was allowed under previous database STIG guidance, doing so may place it in violation of OS, Application, Network or Enclave STIG guidance. Ensure that any shared production/non-production DBMS installations meets STIG guidance requirements at all levels or mitigate any conflicts in STIG guidance with your DAA.
Fix Text (F-23490r1_fix)
Develop, document and implement policy and procedures to monitor DBMS and DBMS host privileges assigned to developers on shared production and development systems to detect unauthorized assignments every three months or more often.

Recommend establishing a dedicated DBMS host for production DBMS installations (See Checks DG0109 and DG0110). A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine where supported by the DBMS vendor.