Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-2424 | DG0060-SQLServer9 | SV-7382r2_rule | IAGA-1 | Medium |
Description |
---|
Group authentication does not provide individual accountability for actions taken on the DBMS or data. Whenever a single database account is used to connect to the database, a secondary authentication method that provides individual accountability is required. This scenario most frequently occurs when an externally hosted application authenticates individual users to the application and the application uses a single account to retrieve or update database information on behalf of the individual users. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Check Text ( C-24129r2_chk ) |
---|
Review a list of database usernames against those listed in the System Security Plan or authorized user list. From the query prompt: `SELECT name FROM [master].sys.server_principals WHERE type IN ('S', 'U') AND sid <> 0x01 ORDER BY name`. Consult the IAO or DBA to make a final determination on whether accounts listed are shared accounts. If shared accounts are not documented and approved as shared accounts, this is a Finding. |
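As an added example that is not part of the STIG text, the following T-SQL automates the comparison the check describes: it enumerates the same population as the check query (SQL logins, Windows logins, excluding the built-in `sa` login with `sid` 0x01) and annotates each principal against a documented list, so the reviewer sees undocumented accounts first. The temp table `#ApprovedAccounts` and its two rows are constructed stand-ins for the System Security Plan's authorized user list.

```sql
-- Added example, not STIG text. #ApprovedAccounts and its rows are assumptions
-- standing in for the System Security Plan's authorized user list.
CREATE TABLE #ApprovedAccounts (
    name      sysname       NOT NULL PRIMARY KEY,
    is_shared bit           NOT NULL,   -- 1 = documented and approved as a shared account
    owner_poc nvarchar(128) NULL        -- point of contact recorded in the SSP
);

-- Constructed sample rows (SQL Server 2005 has no multi-row VALUES, hence two INSERTs)
INSERT INTO #ApprovedAccounts (name, is_shared, owner_poc) VALUES (N'CORP\jdoe', 0, NULL);
INSERT INTO #ApprovedAccounts (name, is_shared, owner_poc) VALUES (N'app_inventory_svc', 1, N'Inventory app owner');

-- Same population the Check Text enumerates: SQL logins ('S') and Windows logins ('U'),
-- excluding the built-in sa login (sid 0x01). Undocumented accounts sort to the top.
SELECT sp.name,
       sp.type_desc,
       sp.is_disabled,
       CASE
           WHEN aa.name IS NULL   THEN 'NOT DOCUMENTED - review with IAO/DBA'
           WHEN aa.is_shared = 1  THEN 'Approved shared account'
           ELSE                        'Approved individual account'
       END AS review_status,
       aa.owner_poc
FROM [master].sys.server_principals AS sp
LEFT JOIN #ApprovedAccounts AS aa
       ON aa.name COLLATE DATABASE_DEFAULT = sp.name   -- tempdb and master collations may differ
WHERE sp.type IN ('S', 'U')
  AND sp.sid <> 0x01
ORDER BY review_status, sp.name;

DROP TABLE #ApprovedAccounts;
```

The query only flags what is not on the list; whether a listed account is genuinely individual still needs the IAO or DBA determination the check calls for. Disabled logins are included on purpose so that a dormant shared account is not overlooked.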
Fix Text (F-20400r1_fix) |
---|
Use accounts assigned to individual users where feasible. Design applications to provide individual accountability (audit logs) for actions performed under a single database account. Implement other DBMS automated procedures that provide individual accountability. Where appropriate, implement manual procedures to use manual logs and monitor entries against account usage to ensure procedures are followed. |
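The fix text's "design applications to provide individual accountability (audit logs) for actions performed under a single database account" can be met on SQL Server 2005 with the per-session `CONTEXT_INFO` value (the newer `SESSION_CONTEXT` does not exist in that version). The following is an added example, not STIG or vendor code: the application stamps each session with the end user it authenticated, and a trigger records that identity next to the shared DBMS login for every change. The `dbo.Orders` and `dbo.Orders_Audit` tables, the trigger name and the user name `jdoe` are assumptions.

```sql
-- Added example, not STIG text. Table, trigger, column and user names are assumptions.
CREATE TABLE dbo.Orders (
    order_id int IDENTITY(1,1) PRIMARY KEY,
    amount   money NOT NULL
);

CREATE TABLE dbo.Orders_Audit (
    audit_id    int IDENTITY(1,1) PRIMARY KEY,
    order_id    int           NOT NULL,
    action      char(1)       NOT NULL,                  -- I = insert, U = update, D = delete
    db_login    sysname       NOT NULL,                  -- the single shared DBMS login
    app_user    nvarchar(64)  NULL,                      -- end user as reported by the application
    client_host nvarchar(128) NULL,
    occurred_at datetime      NOT NULL DEFAULT GETDATE()
);
GO

CREATE TRIGGER dbo.trg_Orders_Audit ON dbo.Orders
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;

    -- CONTEXT_INFO is a 128-byte per-session value. The application stores the user
    -- name space-padded to nchar(64) (exactly 128 bytes), so casting back and trimming
    -- recovers it; NULL means the application never set it for this session.
    DECLARE @app_user nvarchar(64);
    SET @app_user = NULLIF(RTRIM(CAST(CONTEXT_INFO() AS nchar(64))), N'');

    INSERT INTO dbo.Orders_Audit (order_id, action, db_login, app_user, client_host)
    SELECT COALESCE(i.order_id, d.order_id),
           CASE WHEN i.order_id IS NULL THEN 'D'
                WHEN d.order_id IS NULL THEN 'I'
                ELSE 'U' END,
           ORIGINAL_LOGIN(),   -- the login that connected, even under EXECUTE AS impersonation
           @app_user,
           HOST_NAME()
    FROM inserted AS i
    FULL OUTER JOIN deleted AS d ON d.order_id = i.order_id;
END;
GO

-- Application side, run at the start of each request after connecting with the
-- shared login: tag the session with the authenticated end user, then do the work.
DECLARE @ctx varbinary(128);
SET @ctx = CAST(CAST(N'jdoe' AS nchar(64)) AS varbinary(128));   -- constructed user name
SET CONTEXT_INFO @ctx;

INSERT INTO dbo.Orders (amount) VALUES (42.00);
-- SCOPE_IDENTITY() ignores the identity generated inside the trigger's own scope
UPDATE dbo.Orders SET amount = 43.00 WHERE order_id = SCOPE_IDENTITY();

-- Each audit row names both the shared login and the individual behind the change.
SELECT audit_id, order_id, action, db_login, app_user, client_host, occurred_at
FROM dbo.Orders_Audit
ORDER BY audit_id;
GO
```

The identity in `app_user` is asserted by the application, so the audit trail is only as trustworthy as the application's code path that sets it; the trigger therefore always records the DBMS login via `ORIGINAL_LOGIN()` independently, and an audit row with a NULL `app_user` is itself a reviewable gap in the manual log procedures the fix text describes.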