UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Unauthorized user accounts should not exist.


Overview

Finding ID Version Rule ID IA Controls Severity
V-2508 DG0070-SQLServer9 SV-24088r2_rule IAAC-1 Medium
Description
Unauthorized user accounts provide unauthorized access to the database and may allow access to database objects. Only authorized users should be granted database accounts.
STIG Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide 2015-06-16

Details

Check Text ( C-24132r2_chk )
Review procedures for ensuring authorization of new or re-assigned DBMS user accounts. Requests for user account access to the DBMS should include documented approval by an authorized requestor. Procedures should also include notification for a change in status, particularly cause for revocation of account access, to any DBMS accounts.

Review the user accounts listed either in the script report or manually against the authorized user list.

From the query prompt:

SELECT name
FROM sys.server_principals
WHERE type IN ('S', 'U')
AND principal_id <> 1
ORDER BY name

If procedures for DBMS user account authorization are incomplete or not implemented, this is a Finding.

If any accounts listed are not clearly authorized, this is a Finding.
Fix Text (F-20403r1_fix)
Develop, document and implement procedures for authorizing creation and changes to user accounts. Monitor user accounts to verify that they remain authorized. Drop user accounts that are no longer authorized.