
Credentials stored and used by the DBMS to access remote databases or applications should be authorized and restricted to authorized users.


Overview

Finding ID: V-15154
Version: DG0190-SQLServer9
Rule ID: SV-24111r2_rule
IA Controls: DCFA-1
Severity: Medium
Description
Credentials defined for access to remote databases or applications may provide unauthorized access to additional databases and applications to unauthorized or malicious users.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-23660r2_chk)
Review the list of defined database links generated from the DBMS instance.

From the query prompt:

SELECT s.name AS [Local Link Server Name], SUSER_NAME(l.local_principal_id) AS [Server Principal], l.remote_name AS [Remote User Name]
FROM [master].sys.servers s
JOIN [master].sys.linked_logins l ON s.server_id = l.server_id
WHERE l.server_id <> 0
ORDER BY l.server_id

If no linked servers are listed in the DBMS instance, this check is Not a Finding.

Compare this list with the list documented in the System Security Plan and authorized by the IAO.

If any linked servers exist that are not authorized or not listed in the System Security Plan, this is a Finding.

For each Server Principal listed, confirm in the System Security Plan that they are authorized for access to the linked server.

If any linked server login mapping specifies a NULL Server Principal, this is a Finding.

If access to any linked server has been granted to an unauthorized account, this is a Finding.
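
The comparison steps above can be folded into the check query itself. The following is an added example, not part of the STIG check text: it extends the query with a [Review Result] column. The @authorized table variable and its single placeholder row are assumptions standing in for the mappings documented in the System Security Plan.

```sql
-- Authorized linked server mappings as documented in the System Security Plan.
-- The row below is a constructed placeholder; replace it with the site's own
-- IAO-approved entries (one INSERT ... SELECT per mapping works on SQL Server 2005).
DECLARE @authorized TABLE (
    link_server_name sysname NOT NULL,
    server_principal sysname NOT NULL,
    PRIMARY KEY (link_server_name, server_principal)
);

INSERT INTO @authorized (link_server_name, server_principal)
SELECT N'EXAMPLE_LINK', N'EXAMPLE_DOMAIN\svc_example';

-- Same rows as the check query, each labelled with the finding condition it meets.
SELECT s.name AS [Local Link Server Name],
       SUSER_NAME(l.local_principal_id) AS [Server Principal],
       l.remote_name AS [Remote User Name],
       CASE
           -- A mapping with no specific local principal applies to any login.
           WHEN SUSER_NAME(l.local_principal_id) IS NULL
               THEN 'Finding: NULL Server Principal'
           -- The linked server does not appear in the authorized list at all.
           WHEN NOT EXISTS (SELECT 1 FROM @authorized a
                            WHERE a.link_server_name = s.name COLLATE DATABASE_DEFAULT)
               THEN 'Finding: linked server not in System Security Plan'
           -- The linked server is listed, but not for this principal.
           WHEN NOT EXISTS (SELECT 1 FROM @authorized a
                            WHERE a.link_server_name = s.name COLLATE DATABASE_DEFAULT
                              AND a.server_principal = SUSER_NAME(l.local_principal_id))
               THEN 'Finding: Server Principal not authorized for this linked server'
           ELSE 'Authorized'
       END AS [Review Result]
FROM [master].sys.servers s
JOIN [master].sys.linked_logins l ON s.server_id = l.server_id
WHERE l.server_id <> 0
ORDER BY l.server_id;
```

An empty result set corresponds to the case where no linked servers are listed, which the check treats as Not a Finding.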
Fix Text (F-14763r1_fix)
Grant access to linked servers to authorized accounts or applications only.

Document all linked server access authorizations in the System Security Plan and authorize with the IAO.