Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15628 | DG0119-SQLServer9 | SV-55936r1_rule | ECLP-1 | Medium |
Description |
---|
DBMS privileges to issue commands other than Data Manipulation Language (DML) commands provide a means to affect database object configuration and use of resources. Application users do not require these privileges to complete non-administrative job functions. Where applications require administrative privileges to execute non-administrative functions, exploits of the application can lead to unauthorized administrative access to the DBMS. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Check Text ( C-20524r4_chk ) |
---|
Review privileges assigned to application roles in the database. If any privileges other than SELECT, INSERT, UPDATE, DELETE or EXECUTE are assigned to application roles, this is a Finding. |
Fix Text (F-24534r2_fix) |
---|
Revoke administrative privileges from application roles. Do not allow Data Definition Language (DDL) or other administrative privileges for operation of the application. For example, do not create and drop database objects for temporary storage of data. Consider, instead, the storage of temporary data in static database tables. |