Access to DBMS system tables and other configuration or metadata should be restricted to DBAs.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-15631 | DG0123-SQLServer9 | SV-24309r1_rule | ECAN-1 | Medium |
| Description |
|---|
| Administrative data includes DBMS metadata and other configuration and management data. Unauthorized access to this data could result in unauthorized changes to database objects, access controls, or DBMS configuration. |
| STIG | Date |
|---|---|
| Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Details
| Check Text ( C-28698r1_chk ) |
|---|
| Review access controls on system tables. Review access to configuration data stored in the database. If any users not assigned DBA privileges are assigned access to the underlying tables, this is a Finding. |
| Fix Text (F-19562r1_fix) |
|---|
| Revoke access to system tables to non-DBA users. Where use of system data is required by non-DBA users, provide controlled access for authorized functions via views, procedures, or other use of controlled objects. |