Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15112 | DG0088-SQLServer9 | SV-24240r1_rule | ECMT-1 ECMT-2 | Low |
Description |
---|
The DBMS security configuration may be altered either intentionally or unintentionally over time. The DBMS may also be the subject of published vulnerabilities that require the installation of a security patch or a reconfiguration to mitigate the vulnerability. If the DBMS is not monitored for required or unintentional changes that render it not compliant with requirements, it can be vulnerable to attack or compromise. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Check Text (C-22857r1_chk) |
---|
Review procedures and evidence of implementation for DBMS IA and vulnerability management compliance. This should include periodic, unannounced, in-depth monitoring and provide for specific penetration testing that is planned, scheduled and conducted to ensure compliance with all vulnerability mitigation procedures such as the DoD IAVA or other DoD IA practices. Testing is intended to ensure that the system's IA capabilities continue to provide adequate assurance against constantly evolving threats and vulnerabilities. The results for Classified systems are required to be independently validated. If the requirements listed above are not being met, this is a Finding. |
Fix Text (F-24495r1_fix) |
---|
Develop, document and implement procedures for periodic testing of the DBMS for current vulnerability management and security configuration compliance as stated in the check. Coordinate 3rd-party validation testing for Classified systems. |