The DBMS warning banner does not meet DoD policy requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-15658	DG0179-SQLServer9	SV-25405r1_rule	ECWM-1	Medium

Description
Without sufficient warning of monitoring and access restrictions of a system, legal prosecution to assign responsibility for unauthorized or malicious access may not succeed. A warning message provides legal support for such prosecution. Access to the DBMS or the applications used to access the DBMS require this warning to help assign responsibility for database activities.

STIG	Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide	2015-06-16

Details

Check Text ( C-22843r1_chk )
A warning banner displayed as a function of an Operating System or application login for applications that use the database makes this check Not Applicable. View the warning banner. If it does not contain the following text as written below, this is a Finding: [A. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK."] You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OK [B. For Blackberries and other PDAs/PEDs with severe character limitations:] I've read & consent to terms in IS user agreem't. This User Agreement conforms to DoD Standard Notice and Consent Banner and User Agreement – JTF-GNO CTO 08-008A, May 9, 2008.

Check Text ( C-22843r1_chk )

A warning banner displayed as a function of an Operating System or application login for applications that use the database makes this check Not Applicable.

View the warning banner. If it does not contain the following text as written below, this is a Finding:

[A. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK."]

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
OK

[B. For Blackberries and other PDAs/PEDs with severe character limitations:]

I've read & consent to terms in IS user agreem't.

This User Agreement conforms to DoD Standard Notice and Consent Banner and User Agreement – JTF-GNO CTO 08-008A, May 9, 2008.

Fix Text (F-19763r1_fix)
Replace the DBMS banner text with the banner text as shown in this check. For all versions of SQL Server, this requirement can be fulfilled where the database user receives the warning message when authenticating or connecting to a front-end system that includes or covers the SQL Server DBMS. Mark this check as a Finding if the display of a warning banner (not necessarily this specific warning banner) cannot be confirmed. The banner text listed in the Check section supersedes that referenced in the Database STIG requirement.

Fix Text (F-19763r1_fix)

Replace the DBMS banner text with the banner text as shown in this check.

For all versions of SQL Server, this requirement can be fulfilled where the database user receives the warning message when authenticating or connecting to a front-end system that includes or covers the SQL Server DBMS. Mark this check as a Finding if the display of a warning banner (not necessarily this specific warning banner) cannot be confirmed.

The banner text listed in the Check section supersedes that referenced in the Database STIG requirement.