UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Developers should not be assigned excessive privileges on production databases.


Overview

Finding ID Version Rule ID IA Controls Severity
V-15114 DG0089-SQLServer9 SV-24242r1_rule ECPC-1 ECPC-2 Low
Description
Developers play a unique role and represent a specific type of threat to the security of the DBMS. Where restricted resources prevent the required separation of production and development DBMS installations, developers granted elevated privileges to create and manage new database objects must also be prevented from actions that can threaten the production operation.
STIG Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide 2015-06-16

Details

Check Text ( C-13761r1_chk )
If the database is not a production database, this check is Not Applicable.

Review privileges assigned to developers:

1. Identify login name of developer DBMS accounts from the System Security Plan and/or DBA.
2. For each developer account, display the username SID and the databases where the user is defined:

EXEC SP_HELPLOGINS '[login name]'

3. Display all fixed server role membership assignments:

EXEC SP_HELPSRVROLEMEMBER

If developers are assigned privileges that allow change or alteration of database objects in any production databases, this is a Finding.

If developers are assigned membership to any DBMS server roles, this is a Finding.
Fix Text (F-24667r1_fix)
Revoke DBA privileges assigned to developers on production DBMS unless required and authorized.

Revoke database or other production object administrative privileges from developers unless required and authorized.

Restrict developer privileges to production objects to those granted to application users only where such privileges are required and authorized.