
The DBMS should be configured to clear residual data from memory, data objects or files, or other storage locations.


Overview

Finding ID: V-15614
Version: DG0084-SQLServer9
Rule ID: SV-20971r1_rule
IA Controls: ECRC-1
Severity: Low
Description
Database storage locations may be reassigned to different objects during normal operations. If not cleared of residual data, sensitive data may be exposed to unauthorized access.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-22799r1_chk)
Determine the SQL Server Edition:

From the query prompt:

SELECT CONVERT(INT, SERVERPROPERTY('EngineEdition'))

If the value returned is 1 (Personal or Desktop Edition), 2 (Standard Edition), or 4 (Express Edition), this check is Not Applicable.

From the query prompt:

SELECT CAST(value AS INT)
FROM [master].sys.configurations
WHERE name = 'common criteria compliance enabled'

If the value = 0, confirm in the System Security Plan that common criteria compliance is documented as not required by the IAO. If it is not documented or is required and approved, this is a Finding.
Fix Text (F-19723r1_fix)
Authorize and document requirements for use of the common criteria compliance option in the System Security Plan and AIS Functional Architecture documentation. Where authorized, enable its use.

From the query prompt:

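-- 'common criteria compliance enabled' is an advanced option, so advanced
-- options must be made visible (and that change applied) before it can be set.
EXEC SP_CONFIGURE 'show advanced options', 1
RECONFIGURE
EXEC SP_CONFIGURE 'common criteria compliance enabled', 1
RECONFIGURE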
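
The two check queries above combined into one script, which also compares the configured value with the value currently in use, since this option does not take effect until the instance is restarted. This is an added example, not part of the STIG text; the status strings and column aliases are illustrative assumptions, and the syntax is kept compatible with SQL Server 2005.

```sql
-- Added example: consolidated check for 'common criteria compliance enabled'.
DECLARE @edition INT, @configured INT, @running INT, @status VARCHAR(200)

-- Step 1 of the check text: edition applicability.
SET @edition = CONVERT(INT, SERVERPROPERTY('EngineEdition'))

-- Step 2 of the check text, extended with value_in_use so that a setting
-- that has been configured but is not yet active can be told apart.
SELECT @configured = CAST(value AS INT),
       @running    = CAST(value_in_use AS INT)
FROM [master].sys.configurations
WHERE name = 'common criteria compliance enabled'

SET @status =
    CASE
        WHEN @edition IN (1, 2, 4)
            THEN 'Not Applicable: edition excluded by the check text'
        WHEN @configured IS NULL
            THEN 'Review: option not listed in sys.configurations'
        WHEN @configured = 0
            THEN 'Review: option disabled; confirm System Security Plan documentation per the check text'
        WHEN @running = 0
            THEN 'Pending: option configured but not in use until the instance is restarted'
        ELSE 'Enabled: option configured and in use'
    END

SELECT @edition    AS engine_edition,
       @configured AS configured_value,
       @running    AS value_in_use,
       @status     AS check_status
```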