
Cross database ownership chaining, if required, should be documented and authorized by the IAO.


Overview

Finding ID: V-15201
Version: DM6150-SQLServer9
Rule ID: SV-23959r1_rule
IA Controls: ECLP-1
Severity: Medium
Description
Cross database ownership chaining allows permissions to objects to be assigned by users other than the Information Owner. This permits access to objects that the Information Owner has not directly authorized on the basis of the job functions the owner defined. Unauthorized access may lead to a compromise of data integrity or confidentiality.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-13816r1_chk)
From the query prompt:

SELECT CAST(value AS INT) AS [Config Value]
FROM [master].sys.configurations
WHERE name = 'cross db ownership chaining'

If the value of Config Value is 0, this is Not a Finding.

If the value of Config Value is 1, confirm in the System Security Plan that this option is documented, required and approved by the IAO. If it is not documented, required and approved, this is a Finding.

To check the setting for each individual database:

From the query prompt:

SELECT name AS [Database Name]
FROM [master].sys.databases
WHERE is_db_chaining_on = 1
AND name NOT IN ('master', 'tempdb', 'msdb')
AND state = 0

If any database names are listed that are not documented in the System Security Plan and not authorized by the IAO, this is a Finding.
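The two checks above can be run as one audit script that returns a single result set suitable for the System Security Plan review. The following T-SQL is an added example and is not part of the STIG text; it assumes it is run in master by a sysadmin (or a login with equivalent catalog view permissions) on SQL Server 2005 or later. It goes slightly beyond the STIG queries by reporting both the configured value and the value actually in use, and by showing that a database effectively has chaining on whenever the instance-level option is on, regardless of its own flag.

```sql
-- Added audit script (example, not STIG text): report the instance-level
-- 'cross db ownership chaining' option and every online user database with
-- DB_CHAINING enabled in one result set.
-- Assumption: run in master by sysadmin or a login that can read
-- sys.configurations and sys.databases.

DECLARE @instance_setting INT;

SELECT @instance_setting = CAST(value_in_use AS INT)
FROM sys.configurations
WHERE name = N'cross db ownership chaining';

-- value = configured value; value_in_use = what is actually in effect.
-- They differ if sp_configure was run without RECONFIGURE, so report both.
SELECT 'instance' AS [Scope],
       'cross db ownership chaining' AS [Name],
       CAST(value AS INT)        AS [Configured],
       CAST(value_in_use AS INT) AS [In Use],
       CASE WHEN CAST(value_in_use AS INT) = 0
            THEN 'Not a Finding'
            ELSE 'Review SSP: must be documented and IAO-approved' END AS [Result]
FROM sys.configurations
WHERE name = N'cross db ownership chaining'

UNION ALL

SELECT 'database',
       name,
       CAST(is_db_chaining_on AS INT),
       -- When the instance option is on, chaining is in effect for every
       -- database no matter what the per-database flag says.
       CASE WHEN @instance_setting = 1 THEN 1
            ELSE CAST(is_db_chaining_on AS INT) END,
       CASE WHEN is_db_chaining_on = 1
            THEN 'Review SSP: must be documented and IAO-approved'
            ELSE 'Not a Finding' END
FROM sys.databases
WHERE name NOT IN (N'master', N'tempdb', N'msdb')   -- chaining is on by default for master and msdb
  AND state_desc = 'ONLINE'                         -- same filter as state = 0 in the STIG query
ORDER BY [Scope], [Name];
```

Any row whose Result column is not "Not a Finding" must be traced to an entry in the System Security Plan; the In Use column is the one that matters for the actual security posture, since a pending value that has not been reconfigured is not yet in effect.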
Fix Text (F-14836r1_fix)
Document requirements for use of cross db ownership chaining in the System Security Plan and AIS Functional Architecture documentation and authorize with the IAO.

Where not authorized, disable its use.

From the query prompt:

EXEC sp_configure 'cross db ownership chaining', 0;
RECONFIGURE;

NOTE: If you have databases that require cross-database ownership chaining, the recommended practice is to turn off the cross db ownership chaining option for the instance using sp_configure; then turn on cross-database ownership chaining for individual databases that require it using the ALTER DATABASE statement.
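The recommended practice in the note above, carried through as an added T-SQL example that is not part of the STIG text: disable the option for the instance, re-enable it only for the databases the System Security Plan documents, then verify. It assumes a sysadmin login; [AppDB_Authorized] is a placeholder name for an IAO-approved database, not a real database on any system.

```sql
-- Added remediation script (example, not STIG text).
-- Assumptions: run by sysadmin; [AppDB_Authorized] is a placeholder for a
-- database the IAO has approved for cross-database ownership chaining.

-- 1. Turn the instance-wide option off. This is not an "advanced" option,
--    so 'show advanced options' does not need to be changed first.
EXEC sp_configure 'cross db ownership chaining', 0;
RECONFIGURE;

-- 2. Re-enable chaining only where authorized. DB_CHAINING cannot be set on
--    master, model or tempdb. A wrong database name makes the statement fail,
--    which is preferable to silently enabling chaining somewhere else.
ALTER DATABASE [AppDB_Authorized] SET DB_CHAINING ON;

-- 3. Verify: the instance value must be 0 and only the authorized
--    database(s) should appear in the second result set.
SELECT CAST(value_in_use AS INT) AS [Config Value]
FROM master.sys.configurations
WHERE name = 'cross db ownership chaining';

SELECT name AS [Database Name]
FROM master.sys.databases
WHERE is_db_chaining_on = 1
  AND name NOT IN ('master', 'tempdb', 'msdb')
  AND state = 0;
```

Keep step 1 and step 2 in this order: while the instance option is on, the per-database flag has no effect, so enabling it per database first gives no assurance that unlisted databases are excluded until the instance option is turned off.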