Access to DBMS software files and directories should not be granted to unauthorized users.


Overview

Finding ID: V-15608
Version: DG0009-SQLServer9
Rule ID: SV-24070r1_rule
IA Controls: DCSL-1
Severity: Medium
Description
The DBMS software libraries contain the executables used by the DBMS to operate. Unauthorized access to the libraries can result in malicious alteration or planting of operational executables. This may in turn jeopardize data stored in the DBMS and/or operation of the host system.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-20509r1_chk)
SQL Server program files are installed in two places:

1. A subdirectory of the Program Files directory named Microsoft SQL Server (specified here as [PFdir])
2. The directory created for the specific instance (specified here as [InstDir]).

This directory is specified in the registry for database engine instances under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL

Instances for Reporting Services and Analysis Services are listed under the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\RS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\OLAP

File permissions may be reviewed individually using Windows Explorer by navigating to the specified directory and viewing its Security properties. There are also tools available that are designed to streamline the review of file permissions.

Verify that the permissions are equal to or more restrictive than listed below:

The following groups may have Full Control assigned to any or all directories or files:

1. Administrators (builtin group)
2. DBAs (custom group)
3. CREATOR OWNER (builtin)
4. SYSTEM (builtin)
5. SQL Server Service Account

If permission assignments are less restrictive than listed, this is a Finding.

If permission assignments are granted to the Builtin USERS group, this is a Finding.

Retain the SQL Server-specific groups installed by Microsoft and any file permissions assigned to them, and document them in the System Security Plan.
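
One way to script the check above in PowerShell 3.0 or later, as an added example that is not part of the STIG: it reads the instance IDs from the three Instance Names keys, then lists every Allow entry granted to BUILTIN\Users and every Full Control entry held by a principal outside the permitted list. The EXAMPLE\... names are placeholders, English principal names are assumed, and locating [InstDir] through the Setup\SQLPath registry value is an assumption not stated in the check.

```powershell
# Added example: read-only ACL audit of SQL Server program directories.
# Placeholders below: replace with the site's DBA group and service account.
$allowed = @(
    'BUILTIN\Administrators', 'CREATOR OWNER', 'NT AUTHORITY\SYSTEM',
    'EXAMPLE\SQLDBAs',        # placeholder: custom DBA group
    'EXAMPLE\svc_sqlserver'   # placeholder: SQL Server service account
)
$root = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$dirs = @(Join-Path $env:ProgramFiles 'Microsoft SQL Server')   # [PFdir]

# Each value under Instance Names\<type> maps an instance name to an instance ID.
foreach ($type in 'SQL', 'RS', 'OLAP') {
    $key = Get-Item -Path "$root\Instance Names\$type" -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $id = $key.GetValue($name)
        # Assumption: <instance ID>\Setup\SQLPath holds [InstDir].
        $setup = Get-ItemProperty -Path "$root\$id\Setup" -ErrorAction SilentlyContinue
        if ($setup -and $setup.SQLPath) { $dirs += $setup.SQLPath; continue }
        Write-Warning "No SQLPath for $type instance '$name' ($id); review by hand."
    }
}

$fc = [System.Security.AccessControl.FileSystemRights]::FullControl
$findings = foreach ($dir in ($dirs | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # The directory itself plus every file and subdirectory beneath it.
    $items = @(Get-Item -LiteralPath $dir -Force) +
             @(Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who    = $ace.IdentityReference.Value
            $isFull = ($ace.FileSystemRights -band $fc) -eq $fc
            $reason = $null
            if ($who -eq 'BUILTIN\Users') {
                $reason = 'Permission granted to BUILTIN\Users'
            } elseif ($isFull -and ($allowed -notcontains $who)) {
                $reason = 'Full Control held by a principal not on the list'
            }
            if ($reason) {
                [pscustomobject]@{ Path = $item.FullName; Identity = $who
                                   Rights = $ace.FileSystemRights; Reason = $reason }
            }
        }
    }
}
$findings | Sort-Object Path, Identity | Format-Table -AutoSize -Wrap
```

Rows flagged for the SQL Server groups installed by Microsoft are the entries the check says to retain and document in the System Security Plan.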
Fix Text (F-24677r1_fix)
Restrict access to SQL Server files and directories as directed in the check.