Access to external objects should be disabled if not required and authorized.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-15617 | DG0098-SQLServer9 | SV-24256r1_rule | DCFA-1 | Medium |
| Description |
|---|
| Objects defined within the database, but stored externally to the database are accessible based on authorizations defined by the local operating system or other remote system that may be under separate security authority. Access to external objects may thus be uncontrolled or not based on least privileges defined for each user job function. This in turn may provide unauthorized access to the external objects. |
| STIG | Date |
|---|---|
| Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Details
| Check Text ( C-13790r1_chk ) |
|---|
| Review the database for definitions of application objects stored externally to the database. Determine if there are methods to disable use or access or to remove definitions for external data objects. If there are ways to prevent access to the external application data objects or the requirement for their access is not documented in the AIS functional architecture, this is a Finding. |
| Fix Text (F-25724r1_fix) |
|---|
| Include any external application data objects defined in the database that is required for authorized application use in the AIS functional architecture documentation. Disable use of or remove any external application data object definitions that are not authorized. |