UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Use of DBA accounts should be restricted to administrative activities.


Overview

Finding ID Version Rule ID IA Controls Severity
V-15632 DG0124-SQLServer9 SV-24312r1_rule ECLP-1 Medium
Description
Use of privileged accounts for non-administrative purposes puts data at risk of unintended or unauthorized loss, modification or exposure. In particular, DBA accounts if used for non-administration application development or application maintenance can lead to miss-assignment of privileges where privileges are inherited by object owners. It may also lead to loss or compromise of application data where the elevated privileges bypass controls designed in and provided by applications.
STIG Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide 2015-06-16

Details

Check Text ( C-23586r1_chk )
Review accounts assigned fixed server roles and fixed database roles with the DBA/IAO and as documented in the System Security Plan.

Review other database or application roles assigned to the accounts assigned fixed roles as documented in the System Security Plan.

If any accounts assigned fixed roles are also assigned application roles or other application object privilege roles or own application objects used for other than DBA functions, this is a Finding.
Fix Text (F-20455r1_fix)
Create separate accounts for administration activities.

Develop, document and implement policy and procedures that require separate, unprivileged or less-privileged accounts for development, testing and application users.