Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15154 | DG0190-SQLServer9 | SV-24111r2_rule | DCFA-1 | Medium |
Description |
---|
Credentials defined for access to remote databases or applications may provide unauthorized access to additional databases and applications to unauthorized or malicious users. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Check Text ( C-23660r2_chk ) |
---|
Review the list of defined database links generated from the DBMS instance. From the query prompt: `SELECT s.name AS [Local Link Server Name], SUSER_NAME(l.local_principal_id) AS [Server Principal], l.remote_name AS [Remote User Name] FROM [master].sys.servers s JOIN [master].sys.linked_logins l ON s.server_id = l.server_id WHERE l.server_id <> 0 ORDER BY l.server_id` If no linked servers are listed in the DBMS instance, this check is Not a Finding. Compare this list with the list documented in the System Security Plan and authorized by the IAO. If any linked servers exist that are not authorized or not listed in the System Security Plan, this is a Finding. For each Server Principal listed, confirm in the System Security Plan that they are authorized for access to the linked server. For any linked server login mapping that specifies a NULL Server Principal, this is a Finding. If access to any linked server has been granted to an unauthorized account, this is a Finding. |
Fix Text (F-14763r1_fix) |
---|
Grant access to linked servers to authorized accounts or applications only. Document all linked server access authorizations in the System Security Plan and authorize with the IAO. |
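
The comparison described in the Check Text, as an added example that is not part of the STIG: it takes the check query's output exported as CSV plus an authorization list taken from the System Security Plan and returns the findings. The CSV export, the dictionary form of the SSP, the case-insensitive name matching and every sample name are assumptions constructed for illustration.

```python
import csv
import io

# Column aliases produced by the check query on this page.
COL_SERVER, COL_PRINCIPAL = "Local Link Server Name", "Server Principal"

def _null(value):
    """Map an empty field or the literal text NULL to None (SQL NULL)."""
    value = (value or "").strip()
    return None if value == "" or value.upper() == "NULL" else value

def load_rows(csv_text):
    """Parse the query output, assumed here to be exported as CSV with headers."""
    return [{k: _null(v) for k, v in rec.items()}
            for rec in csv.DictReader(io.StringIO(csv_text))]

def evaluate(rows, ssp):
    """ssp maps each authorized linked server to its authorized server principals
    (hypothetical representation of the System Security Plan).
    Returns (server, principal, reason) tuples; an empty list is Not a Finding."""
    allowed = {s.lower(): {p.lower() for p in ps} for s, ps in ssp.items()}
    findings = []
    for row in rows:
        server, principal = row[COL_SERVER], row[COL_PRINCIPAL]
        authorized = allowed.get(server.lower())  # assumes case-insensitive names
        if authorized is None:
            findings.append((server, principal, "linked server not in SSP"))
        if principal is None:
            findings.append((server, principal, "NULL Server Principal mapping"))
        elif authorized is not None and principal.lower() not in authorized:
            findings.append((server, principal, "principal not authorized in SSP"))
    return findings

# Constructed sample data: no real servers or accounts.
SAMPLE_CSV = """Local Link Server Name,Server Principal,Remote User Name
REPORTS01,CORP\\svc_etl,etl_reader
REPORTS01,NULL,remote_default
LEGACYDB,CORP\\jdoe,appuser
REPORTS01,CORP\\temp_admin,etl_reader
"""
SAMPLE_SSP = {"REPORTS01": {"CORP\\svc_etl"}}

if __name__ == "__main__":
    for server, principal, reason in evaluate(load_rows(SAMPLE_CSV), SAMPLE_SSP):
        print(f"FINDING {server} / {principal}: {reason}")
```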