
Remote administration of the DBMS should be restricted to known, dedicated and encrypted network addresses and ports.


Overview

Finding ID: V-15662
Version: DG0198-SQLServer9
Rule ID: SV-25415r1_rule
IA Controls: EBRP-1
Severity: Medium
Description
Remote administration provides many conveniences that can assist in the maintenance of the designed security posture of the DBMS. On the other hand, remote administration of the database also provides malicious users the ability to access from the network a highly privileged function. Remote administration needs to be carefully considered and used only when sufficient protections against its abuse can be applied. Encryption and dedication of ports to access remote administration functions can help prevent unauthorized access to it.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-28430r1_chk)
If remote administration is disabled or not configured, this check is Not a Finding.

Review configured network access interfaces for remote DBMS administration with the SA and DBA.

These may be host-based encryption such as IPsec, or encryption configured for the DBMS as part of its network communications and/or in the DBMS listening process.

For DBMS listeners, verify that encrypted ports exist and are restricted to specific network addresses to access the DBMS.

View the System Security Plan to review the authorized procedures and access for remote administration.

If the configuration does not match the documented plan, this is a Finding.
Fix Text (F-23495r1_fix)
Disable remote administration where it is not required or authorized. Consider restricting administrative access to local connections only. Where necessary, configure the DBMS network communications to provide an encrypted, dedicated port for remote administration access.

Develop and provide procedures for remote administrative access to DBAs who have been authorized for remote administration. Verify during audit reviews that DBAs do not access the database remotely except through the dedicated and encrypted port.
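An added audit query that supports both the check and the fix above; it is not part of the STIG and assumes SQL Server 2005 or later with sysadmin rights to read the DMVs. The first statement lists live sysadmin sessions that arrived over the network without encryption (candidate findings for the check); the second reports whether the Dedicated Admin Connection accepts remote callers (the "local connections only" posture the fix recommends).

```sql
-- Added example, not from the STIG. Uses only documented catalog views
-- and DMVs: sys.dm_exec_sessions, sys.dm_exec_connections, sys.configurations.

-- 1. Sysadmin sessions reaching the instance over a network transport,
--    from a non-local address, with no TLS on the connection.
--    Any row here is a DG0198 candidate finding to compare against the SSP.
SELECT
    s.session_id,
    s.login_name,
    s.host_name,
    c.client_net_address,   -- where the DBA connected from
    c.local_net_address,    -- interface the instance answered on
    c.local_tcp_port,       -- port in use; compare to the documented dedicated port
    c.net_transport,
    c.encrypt_option        -- 'TRUE' when the session is encrypted
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
    ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  -- NOTE: returns NULL (and drops the row) when login_name is a Windows
  -- user granted access only through a group login; review those separately.
  AND IS_SRVROLEMEMBER('sysadmin', s.login_name) = 1
  AND c.net_transport <> 'Shared memory'     -- local-only transport is exempt
  AND c.client_net_address NOT IN ('<local machine>', '127.0.0.1', '::1')
  AND c.encrypt_option = 'FALSE';

-- 2. Dedicated Admin Connection exposure. value_in_use = 0 means the DAC
--    listens on loopback only; 1 means it is reachable from the network and
--    must then be covered by the documented, encrypted, dedicated-port procedure.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'remote admin connections';
```

Network encryption for SQL Server 2005 is enforced per instance (Force Encryption plus a server certificate in SQL Server Configuration Manager), so an encrypt_option of 'FALSE' on a remote sysadmin session indicates the client was allowed to negotiate a cleartext connection.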