Analysis Services Security Package List should be disabled if not required.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-15190	DM6103-SQLServer9	SV-25473r1_rule	DCFA-1	Medium

Description
Analysis Services Security Packages are security applications provided outside of the default Analysis Services installation. The packages may be provided by custom development or commercial third-party products used for client authentication. Use of untested or unverified security applications may introduce unknown vulnerabilities to the instance. Restrict use of non-default security packages to tested and trusted applications that meet DOD authentication requirements.

Description

Analysis Services Security Packages are security applications provided outside of the default Analysis Services installation. The packages may be provided by custom development or commercial third-party products used for client authentication. Use of untested or unverified security applications may introduce unknown vulnerabilities to the instance. Restrict use of non-default security packages to tested and trusted applications that meet DOD authentication requirements.

STIG	Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide	2015-06-16

Details

Check Text ( C-13800r1_chk )
If Analysis Services is not installed on the local host, this check is Not a Finding. Note: To detect installation, view the Windows Services snap-in. If SQL Server Analysis Services ([instance name]) is not listed, then Analysis Services is not installed on this host. From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Security \ SecurityPackageList If the value is not NULL and lists packages other than those documented in the System Security Plan, this is a Finding. The SecurityPackageList value may also be viewed in the Analysis Services configuration file, msmdsrv.ini under XML tag: [SecurityPackageList] The configuration file may be found in the [install dir] \ MSSQL.[#] \ OLAP \ Config directory.

Check Text ( C-13800r1_chk )

If Analysis Services is not installed on the local host, this check is Not a Finding.

Note: To detect installation, view the Windows Services snap-in. If SQL Server Analysis Services ([instance name]) is not listed, then Analysis Services is not installed on this host.

From the SQL Server Management Studio GUI:

1. Connect to the Analysis Services instance
2. Right click on the Analysis Services instance
3. Select Properties
4. View the value listed for Security \ SecurityPackageList

If the value is not NULL and lists packages other than those documented in the System Security Plan, this is a Finding.

The SecurityPackageList value may also be viewed in the Analysis Services configuration file, msmdsrv.ini under XML tag:

[SecurityPackageList]

The configuration file may be found in the [install dir] \ MSSQL.[#] \ OLAP \ Config directory.

Fix Text (F-14820r1_fix)
From the SQL Server Management Studio GUI: 1. Connect to the Analysis Services instance 2. Right click on the Analysis Services instance 3. Select Properties 4. View the value listed for Security \ SecurityPackageList 5. Select value and delete all unauthorized packages from the list 6. Click OK