
DBMS application users should not be granted administrative privileges to the DBMS.


Overview

Finding ID: V-15628
Version: DG0119-SQLServer9
Rule ID: SV-55936r1_rule
IA Controls: ECLP-1
Severity: Medium
Description
DBMS privileges to issue commands other than Database Manipulation Language (DML) commands provide a means to affect database object configuration and use of resources. Application users do not require these privileges to complete non-administrative job functions. Where applications require administrative privileges to execute non-administrative functions, exploits of the application can lead to unauthorized administrative access to the DBMS.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-20524r4_chk)
Review privileges assigned to application roles in the database.

If any privileges other than SELECT, INSERT, UPDATE, DELETE or EXECUTE are assigned to application roles, this is a Finding.
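
One way to run this review with the SQL Server catalog views (an added example, not part of the STIG text). It assumes application roles are either application-role principals (type 'A') or user-defined database roles (type 'R'), and it also lists memberships in fixed database roles, which confer privileges without an explicit grant. Run it in each application database.

```sql
-- Added example: permissions other than SELECT, INSERT, UPDATE, DELETE or
-- EXECUTE that are granted to application roles in the current database.
-- Assumption: application roles are type 'A' (application role) or
-- user-defined database roles (type 'R', is_fixed_role = 0). The built-in
-- public role is excluded because it is not an application role.
SELECT  pr.name            AS role_name,
        pr.type_desc       AS role_type,
        pe.state_desc      AS grant_state,
        pe.permission_name,
        pe.class_desc,
        CASE pe.class
            WHEN 0 THEN DB_NAME()                  -- database-level grant
            WHEN 1 THEN OBJECT_NAME(pe.major_id)   -- object or column
            WHEN 3 THEN SCHEMA_NAME(pe.major_id)   -- schema
            ELSE CAST(pe.major_id AS nvarchar(20)) -- other securable class
        END                AS securable
FROM    sys.database_permissions AS pe
JOIN    sys.database_principals  AS pr
        ON pr.principal_id = pe.grantee_principal_id
WHERE   pr.type IN ('A', 'R')
  AND   pr.is_fixed_role = 0
  AND   pr.name <> 'public'
  AND   pe.state IN ('G', 'W')   -- GRANT and GRANT WITH GRANT OPTION
  AND   pe.permission_name NOT IN
        ('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'EXECUTE')
ORDER BY pr.name, pe.permission_name;

-- Memberships of those roles in fixed database roles (for example db_owner
-- or db_ddladmin). The data reader/writer roles are DML-only and are skipped.
SELECT  m.name AS role_name,
        r.name AS member_of_fixed_role
FROM    sys.database_role_members AS rm
JOIN    sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   m.type IN ('A', 'R')
  AND   m.is_fixed_role = 0
  AND   r.is_fixed_role = 1
  AND   r.name NOT IN ('db_datareader', 'db_datawriter',
                       'db_denydatareader', 'db_denydatawriter')
ORDER BY m.name, r.name;
```

Any row returned by either query is a candidate Finding under the check above and should be compared against the documented application requirements.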
Fix Text (F-24534r2_fix)
Revoke administrative privileges from application roles.

Do not allow Database Definition Language (DDL) or other administrative privileges for operation of the application. For example, do not create and drop database objects for temporary storage of data.

Consider, instead, the storage of temporary data in static database tables.