
DBA accounts should not be assigned excessive or unauthorized role privileges.


Overview

Finding ID: V-15615
Version: DG0085-SQLServer9
Rule ID: SV-24236r1_rule
IA Controls: ECLP-1
Severity: Medium
Description
The default DBA privileges typically include all privileges defined for a DBMS. These privileges are required to configure the DBMS and to provide other users access to DBMS objects. However, DBAs may not require access to application data or other privileges to administer the DBMS. Where not required or desired, DBAs may be prevented from accessing protected data for which they have no need-to-know or from utilizing unauthorized privileges for other actions. Although DBAs may assign themselves privileges to override any restrictions, the assignment of privileges is an audit requirement and this auditable event may assist discovery of a misuse of privileges.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-2817r1_chk)
Review DBA account role assignments and compare them to those listed in the System Security Plan with the IAO.

If system/database roles assigned to DBAs are not listed as required assignments in the System Security Plan, this is a Finding.
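
One way to produce the list for this review is the T-SQL below. It is an added example, not part of the STIG text. The login names and the authorized rows are constructed placeholders to be replaced with the entries from the System Security Plan, and the database-role half covers only the database it is run in.

```sql
-- Added example; login names and authorized rows below are constructed samples.
SET NOCOUNT ON;

-- DBA accounts under review.
DECLARE @dba TABLE (login_name sysname NOT NULL);
INSERT INTO @dba SELECT N'EXAMPLE\dba_alice';
INSERT INTO @dba SELECT N'EXAMPLE\dba_bob';

-- Role assignments authorized in the System Security Plan.
-- scope is 'SERVER' for server roles, or a database name for database roles.
DECLARE @authorized TABLE (login_name sysname, scope sysname, role_name sysname);
INSERT INTO @authorized SELECT N'EXAMPLE\dba_alice', N'SERVER', N'sysadmin';
INSERT INTO @authorized SELECT N'EXAMPLE\dba_bob', N'SERVER', N'dbcreator';
INSERT INTO @authorized SELECT N'EXAMPLE\dba_bob', DB_NAME(), N'db_backupoperator';

-- Actual assignments held by the DBA accounts that have no matching
-- authorized row. Every row returned is a candidate Finding.
SELECT act.login_name, act.scope, act.role_name
FROM (
    -- Server role memberships.
    SELECT m.name COLLATE DATABASE_DEFAULT AS login_name,
           N'SERVER' COLLATE DATABASE_DEFAULT AS scope,
           r.name COLLATE DATABASE_DEFAULT AS role_name
    FROM sys.server_role_members AS srm
    JOIN sys.server_principals AS r ON r.principal_id = srm.role_principal_id
    JOIN sys.server_principals AS m ON m.principal_id = srm.member_principal_id
    UNION ALL
    -- Database role memberships in the current database, mapped back to
    -- the owning login through the security identifier (sid).
    SELECT sp.name COLLATE DATABASE_DEFAULT,
           DB_NAME() COLLATE DATABASE_DEFAULT,
           r.name COLLATE DATABASE_DEFAULT
    FROM sys.database_role_members AS drm
    JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
    JOIN sys.database_principals AS u ON u.principal_id = drm.member_principal_id
    JOIN sys.server_principals AS sp ON sp.sid = u.sid
) AS act
JOIN @dba AS d ON d.login_name = act.login_name
WHERE NOT EXISTS (
    SELECT 1 FROM @authorized AS a
    WHERE a.login_name = act.login_name
      AND a.scope = act.scope
      AND a.role_name = act.role_name
)
ORDER BY act.login_name, act.scope, act.role_name;
```

The query reports direct role memberships only; roles a DBA account receives through a Windows group or a nested database role need a separate review.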
Fix Text (F-26086r1_fix)
Document DBA job functions and minimum role privileges required to perform the DBA job function in the System Security Plan.

Assign DBA accounts role privileges as documented and authorized in the System Security Plan.

Revoke role privileges from DBA accounts where not documented and approved in the System Security Plan.