
The DBMS should have configured all applicable settings to use trusted files, functions, features, or other components during startup, shutdown, aborts, or other unplanned interruptions.


Overview

Finding ID: V-15649
Version: DG0155-SQLServer9
Rule ID: SV-25382r1_rule
IA Controls: DCSS-1, DCSS-2
Severity: Medium
Description
The DBMS opens data files and reads configuration files at system startup, system shutdown and during abort recovery efforts. If the DBMS does not verify the trustworthiness of these files, it is vulnerable to malicious alterations of its configuration or unauthorized replacement of data.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-23838r1_chk)
Ask the DBA and/or IAO to demonstrate that the DBMS system initialization, shutdown, and aborts are configured to ensure that the DBMS system remains in a secure state.

If the DBA and/or IAO has documented proof from the DBMS vendor demonstrating that the DBMS does not support this either natively or programmatically, this check is a Finding, but can be downgraded to a CAT 3 severity.

If the DBMS does support this either natively or programmatically and the configuration does not meet the requirements listed above, this is a Finding.

For all MAC 1, all MAC 2 and Classified MAC 3 systems where the DBMS supports the requirements, review documented procedures and evidence of periodic testing to ensure DBMS system state integrity.

If documented procedures do not exist or no evidence of implementation is provided, this is a Finding.
Fix Text (F-16116r1_fix)
Configure DBMS system initialization, shutdown and aborts to ensure the DBMS system remains in a secure state.

For applicable DBMS systems as listed in the check, periodically test the configuration to ensure DBMS system state integrity.

Where DBMS system state integrity is not supported by the DBMS vendor, obtain and apply mitigation strategies to bring risk to a DAA-acceptable level.