Attempts to bypass access controls should be audited.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-15644 | DG0141-SQLServer9 | SV-25374r2_rule | ECAR-2 ECAR-3 | Medium |
| Description |
|---|
| Detection of suspicious activity including access attempts and successful access from unexpected places, during unexpected times, or other unusual indicators can support decisions to apply countermeasures to deter an attack. Without detection, malicious activity may proceed without impedance. |
| STIG | Date |
|---|---|
| Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Details
| Check Text ( C-28695r2_chk ) |
|---|
| From the query prompt: EXEC XP_LOGINCONFIG 'audit level' If the config_value returned is not 'All' or 'Failure', this is a finding. |
| Fix Text (F-20143r1_fix) |
|---|
| Enable Auditing level. From the SQL Server Management Studio GUI: 1. Navigate to the SQL Server instance name 2. Right-click on it 3. Select Properties 4. Select Security tab or page 5. Review Login Auditing selection 6. Select "Failed logins only" or "Both failed and successful logins" from the Login Auditing section 7. Apply changes 8. Exit the SQL Server Management Studio GUI |