Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15182 | DM6075-SQLServer9 | SV-25465r1_rule | ECAN-1 | Medium |
Description |
---|
Replication snapshot folders contain database data to which only authorized replication accounts require access. Unauthorized access to these folders could compromise data confidentiality and integrity, and could compromise database availability. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Check Text (C-13792r1_chk) |
---|
View the list of databases participating in replication:

    EXEC SP_HELPREPLICATIONDBOPTION

For each replication database:

    EXEC SP_HELPPUBLICATION

If snapshot_in_defaultfolder is 1 for any records returned, the snapshot folder name is:

    [install dir]\[instance dir]\MSSQL\ReplData

If snapshot_in_defaultfolder is 0, the snapshot folder name is listed in alt_snapshot_folder.

View OS permissions to the snapshot folder:

Review operating system permissions assigned to the snapshot folder using Windows Explorer. The following are required/authorized permissions by role:

1. Administrators/DBAs: Full Control
2. Snapshot Agents: Write access
3. Merge and Distribution agents: Read access

If any permission other than those listed is assigned, or permissions are assigned to unauthorized accounts, this is a Finding.

View database permissions to the snapshot folder:

For each replication database:

    EXEC SP_HELPPUBLICATION_SNAPSHOT '[publication name]'

If any permission is granted to accounts other than Administrators, DBAs, CREATOR OWNER, SYSTEM, the snapshot agent account, or the merge or distribution agents, this is a Finding.

If merge and distribution agents have more than Read access to the snapshot folder, this is a Finding.

Fix Text (F-14812r1_fix) |
---|
Restrict access to the replication snapshot folders:

From Windows Explorer:

1. Administrators/DBAs: Full Control
2. Snapshot Agents: Write access
3. Merge, Subscription, and Distribution agents: Read access
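
The OS-permission review described in the check text can be scripted instead of read off Windows Explorer. The following PowerShell is an added example, not part of the STIG: the function name, parameter names, account names and folder path are assumptions for illustration, and it assumes CREATOR OWNER and SYSTEM may hold Full Control and that the Synchronize bit accompanies Read and Write.

```powershell
# Added example: compare a replication snapshot folder's ACL with the roles in the check text.
# Function, parameter and account names are hypothetical; supply your site's real accounts.
function Test-SnapshotFolderAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,   # folder reported by SP_HELPPUBLICATION
        # Assumption: CREATOR OWNER and SYSTEM are treated like Administrators/DBAs.
        [string[]] $FullControlAccounts = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER'),
        [string[]] $SnapshotAgents = @(),        # allowed Write
        [string[]] $ReadAgents     = @()         # merge/distribution agents, allowed Read
    )
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Synchronize is included because Windows sets it alongside ordinary file rights.
    $writeMask = [int]$fsr::Write -bor [int]$fsr::Synchronize
    $readMask  = [int]$fsr::Read  -bor [int]$fsr::Synchronize

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # only Allow entries grant access
        $id = $ace.IdentityReference.Value

        if ($FullControlAccounts -contains $id) { continue }   # any right is within Full Control
        elseif ($SnapshotAgents -contains $id)  { $role = 'Snapshot agent'; $allowed = $writeMask }
        elseif ($ReadAgents -contains $id)      { $role = 'Merge/Distribution agent'; $allowed = $readMask }
        else {
            # Account is not in any authorized role: a Finding regardless of rights held.
            [pscustomobject]@{ Identity = $id; Role = 'Unauthorized'; Rights = $ace.FileSystemRights
                               ExcessBits = $null; Inherited = $ace.IsInherited }
            continue
        }

        # Bits granted beyond what the role is allowed are the Finding.
        $excess = [int]$ace.FileSystemRights -band (-bnot $allowed)
        if ($excess -ne 0) {
            [pscustomobject]@{ Identity = $id; Role = $role; Rights = $ace.FileSystemRights
                               ExcessBits = ('0x{0:X}' -f $excess); Inherited = $ace.IsInherited }
        }
    }
}

# Usage with constructed placeholder values (not from the STIG):
# Test-SnapshotFolderAcl -Path 'D:\ReplData' `
#     -FullControlAccounts 'BUILTIN\Administrators','NT AUTHORITY\SYSTEM','CREATOR OWNER','EXAMPLE\SQLDBAs' `
#     -SnapshotAgents 'EXAMPLE\svc-snapshot' -ReadAgents 'EXAMPLE\svc-distrib','EXAMPLE\svc-merge'
```

Any object the function returns corresponds to a Finding condition in the check text; no output means every Allow entry on the folder fits an authorized role.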