Unauthorized user accounts should not exist.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-2508 | DG0070-SQLServer9 | SV-24088r2_rule | IAAC-1 | Medium |
| Description |
|---|
| Unauthorized user accounts provide unauthorized access to the database and may allow access to database objects. Only authorized users should be granted database accounts. |
| STIG | Date |
|---|---|
| Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Details
| Check Text ( C-24132r2_chk ) |
|---|
| Review procedures for ensuring authorization of new or re-assigned DBMS user accounts. Requests for user account access to the DBMS should include documented approval by an authorized requestor. Procedures should also include notification for a change in status, particularly cause for revocation of account access, to any DBMS accounts. Review the user accounts listed either in the script report or manually against the authorized user list. From the query prompt: SELECT name FROM sys.server_principals WHERE type IN ('S', 'U') AND principal_id <> 1 ORDER BY name If procedures for DBMS user account authorization are incomplete or not implemented, this is a Finding. If any accounts listed are not clearly authorized, this is a Finding. |
| Fix Text (F-20403r1_fix) |
|---|
| Develop, document and implement procedures for authorizing creation and changes to user accounts. Monitor user accounts to verify that they remain authorized. Drop user accounts that are no longer authorized. |