
DBMS production application and data directories should be protected from developers on shared production/development DBMS host systems.


Overview

Finding ID: V-15109
Version: DG0195-SQLServer9
Rule ID: SV-25413r1_rule
IA Controls: ECPC-1, ECPC-2
Severity: Medium
Description
Developer roles should not be assigned DBMS administrative privileges to production DBMS application and data directories. Separating the production and development DBA and developer roles helps protect the production system from unauthorized, malicious or unintentional interruption caused by development activities.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text ( C-28496r1_chk )
If the DBMS host does not support both production and development operations, this check is Not a Finding.

Review the list of OS DBA group membership with the SA and DBA. Compare to the list in the System Security Plan.

If any accounts not identified in the System Security Plan for the production DBMS have been assigned DBA privileges (to include developer accounts), this is a Finding.

If OS DBA group membership is not included in the System Security Plan, this is a Finding.

NOTE: Though shared production/non-production DBMS installations were allowed under previous database STIG guidance, such sharing may place the system in violation of OS, Application, Network or Enclave STIG guidance. Ensure that any shared production/non-production DBMS installation meets STIG guidance requirements at all levels, or mitigate any conflicts in STIG guidance with your DAA.
Fix Text (F-23492r1_fix)
Create separate DBMS host OS groups for developer and production DBAs.

Do not assign production DBA accounts to development OS groups. Do not assign development DBA accounts to production OS groups.

Remove any unauthorized accounts from both production and development OS groups.

Document in the System Security Plan.
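The check above (compare OS DBA group membership with the System Security Plan) and the fix (separate production and development DBA groups with no cross-membership) can be scripted on the SQL Server host. The following PowerShell is an added example, not part of the STIG or of any DISA tooling; the group names ProdDBAs and DevDBAs and the approved account lists are assumptions standing in for the names used on the host and documented in the SSP. It uses the WinNT ADSI provider rather than Get-LocalGroupMember so that it also runs on the older Windows/PowerShell versions that host SQL Server 2005.

```powershell
# Added example (not STIG text). Audits the membership of the production and
# development DBA OS groups against the accounts the System Security Plan
# authorizes, and flags any account present in both groups.
# Group names and approved lists below are assumptions; substitute the
# host's own group names and the accounts listed in the SSP.

# Constructed sample data: SSP-approved membership per OS group.
$Approved = @{
    'ProdDBAs' = @('CORP\dba.prod1', 'CORP\dba.prod2')
    'DevDBAs'  = @('CORP\dev.alice', 'CORP\dev.bob')
}

function Get-LocalGroupMemberNames {
    param([string]$GroupName)
    # WinNT provider works on PowerShell 2.0+; Get-LocalGroupMember needs 5.1.
    $group   = [ADSI]"WinNT://./$GroupName,group"
    $members = @($group.psbase.Invoke('Members'))
    foreach ($m in $members) {
        # ADsPath looks like WinNT://CORP/dba.prod1 ; normalize to CORP\dba.prod1
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-DbaGroupMembership {
    param([hashtable]$Approved)
    $findings = @()
    $actualByGroup = @{}
    foreach ($groupName in $Approved.Keys) {
        $actual   = @(Get-LocalGroupMemberNames -GroupName $groupName)
        $expected = $Approved[$groupName]
        $actualByGroup[$groupName] = $actual

        # Account on the host but not in the SSP: a Finding (DG0195).
        foreach ($acct in $actual) {
            if ($expected -notcontains $acct) {
                $findings += "FINDING: '$acct' is a member of $groupName but is not authorized in the SSP"
            }
        }
        # Account documented in the SSP but absent from the group: SSP is stale.
        foreach ($acct in $expected) {
            if ($actual -notcontains $acct) {
                $findings += "NOTE: '$acct' is documented for $groupName in the SSP but is not a member"
            }
        }
    }

    # Fix text: no account may sit in both the production and development groups.
    foreach ($acct in $actualByGroup['ProdDBAs']) {
        if ($actualByGroup['DevDBAs'] -contains $acct) {
            $findings += "FINDING: '$acct' is a member of both ProdDBAs and DevDBAs"
        }
    }
    return $findings
}

$results = @(Test-DbaGroupMembership -Approved $Approved)
if ($results.Count -eq 0) {
    'Not a Finding: OS DBA group membership matches the System Security Plan'
} else {
    $results
}
```

Run it from an elevated prompt on the DBMS host and attach the output to the SSP review. The script only reports; the remediation itself stays manual so that each removal is reviewed first, for example `net localgroup ProdDBAs /add` to create a missing group and `net localgroup ProdDBAs CORP\dev.alice /delete` to remove an unauthorized developer account. PowerShell's `-contains` and `-notcontains` compare case-insensitively, which matches Windows account-name semantics.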

Recommend establishing a dedicated DBMS host for production DBMS installations (See Checks DG0109 and DG0110). A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine where supported by the DBMS vendor.