
Production databases should be protected from unauthorized access by developers on shared production/development host systems.


Overview

Finding ID: V-3820
Version: DG0077-SQLServer9
Rule ID: SV-24228r1_rule
IA Controls: ECLP-1
Severity: Medium
Description
Developers granted elevated database and operating system privileges on systems that support both development and production databases can affect the operation and/or security of the production database system. Operating system and database privileges assigned to developers on shared development and production systems should be restricted.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text ( C-28573r1_chk )
Review the list of instances and databases installed on the host system with the DBA.

Ask which databases are production databases and which are for development.

If only development or only production databases exist on this host, this is Not a Finding.

Otherwise, ask the DBA to confirm that policy and procedures are in place for the IAO to review database and operating system privileges on the system.

If none are in place, this is a Finding.

Ask the DBA/SA if developer host accounts have been granted privileges to production database directories, files or resources.

If they have been, this is a Finding.

NOTE: Though shared production/non-production DBMS installations were allowed under previous database STIG guidance, doing so may place the system in violation of OS, Application, Network or Enclave STIG guidance. Ensure that any shared production/non-production DBMS installation meets STIG guidance requirements at all levels, or mitigate any conflicts in STIG guidance with your DAA.
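The check above asks the reviewer to establish, by interview, whether developer accounts hold privileges on production database files, directories or resources. The following PowerShell script is an added example of how a reviewer or DBA can gather that evidence from the host itself; it is not part of the STIG and not a DISA-provided tool. It assumes a hypothetical instance PRODHOST\PROD reachable with Windows authentication, two hypothetical production databases (OrdersDB, BillingDB) and two hypothetical developer principals (the Windows group CORP\SQLDevelopers and the login CORP\jdoe); replace these with the values obtained from the DBA. It uses only SQL Server 2005 catalog views (sys.server_role_members, sys.server_principals, sys.database_files, sys.database_permissions, sys.database_principals, sys.database_role_members) and Get-Acl for the NTFS side.

```powershell
# Added example (not part of the STIG): enumerate privileges that developer
# principals hold on production databases and on the NTFS directories holding
# their data and log files, on a shared production/development host.
# Assumptions (hypothetical values, change them for the real system):
#   - the instance is PRODHOST\PROD and the reviewer connects with Windows auth
#   - production databases are those listed in $ProdDatabases
#   - developer accounts are the group CORP\SQLDevelopers and the login CORP\jdoe
param(
    [string]   $Instance      = 'PRODHOST\PROD',
    [string[]] $ProdDatabases = @('OrdersDB', 'BillingDB'),
    [string[]] $DevPrincipals = @('CORP\SQLDevelopers', 'CORP\jdoe')
)

$findings = New-Object System.Collections.Generic.List[string]

$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Integrated Security=SSPI;")
$conn.Open()

# Run a query against the open connection and return its rows (empty result -> nothing).
function Invoke-Query([string]$Sql) {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $Sql
    $adapter = New-Object System.Data.SqlClient.SqlDataAdapter $cmd
    $table = New-Object System.Data.DataTable
    [void]$adapter.Fill($table)
    return $table.Rows
}

# 1. Fixed server roles (sysadmin, serveradmin, ...) held by developer logins.
$serverRoles = Invoke-Query @"
SELECT r.name AS role_name, m.name AS member_name
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
"@
foreach ($row in $serverRoles) {
    if ($DevPrincipals -contains $row.member_name) {
        $findings.Add("Server role '$($row.role_name)' contains developer login '$($row.member_name)'")
    }
}

# 2. Per production database: where its files live, which database roles and
#    explicit permissions are held by a developer user or group.
$prodDirs = @()
foreach ($db in $ProdDatabases) {
    foreach ($f in (Invoke-Query "SELECT physical_name FROM [$db].sys.database_files")) {
        $prodDirs += Split-Path -Parent $f.physical_name
    }

    $dbRoles = Invoke-Query @"
SELECT r.name AS role_name, m.name AS member_name
FROM [$db].sys.database_role_members rm
JOIN [$db].sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN [$db].sys.database_principals m ON m.principal_id = rm.member_principal_id
"@
    foreach ($row in $dbRoles) {
        if ($DevPrincipals -contains $row.member_name) {
            $findings.Add("[$db] role '$($row.role_name)' contains developer principal '$($row.member_name)'")
        }
    }

    # Explicit GRANT/DENY entries; the LEFT JOIN maps the database user back to its login by SID.
    $perms = Invoke-Query @"
SELECT dp.name AS grantee, sp.name AS login_name, pe.permission_name, pe.state_desc
FROM [$db].sys.database_permissions pe
JOIN [$db].sys.database_principals dp ON dp.principal_id = pe.grantee_principal_id
LEFT JOIN sys.server_principals sp ON sp.sid = dp.sid
"@
    foreach ($p in $perms) {
        if (($DevPrincipals -contains $p.grantee) -or ($DevPrincipals -contains $p.login_name)) {
            $findings.Add("[$db] $($p.state_desc) $($p.permission_name) to '$($p.grantee)'")
        }
    }
}
$conn.Close()

# 3. NTFS ACEs on the production data/log directories that name a developer principal.
foreach ($dir in ($prodDirs | Sort-Object -Unique)) {
    $acl = Get-Acl -Path $dir
    foreach ($ace in $acl.Access) {
        if ($DevPrincipals -contains $ace.IdentityReference.Value) {
            $findings.Add("NTFS: $dir grants $($ace.FileSystemRights) to '$($ace.IdentityReference.Value)'")
        }
    }
}

if ($findings.Count -eq 0) { 'No developer privileges found on production databases or their directories.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Any line of output is evidence for the "If they have been, this is a Finding" step. Two caveats a reviewer should keep in mind: the script matches principal names literally, so a developer who reaches a production database only through membership in a Windows group that is not in $DevPrincipals will not be reported (add every developer group the DBA/SA identifies), and it does not inspect backup locations or other "resources" outside the database file directories, which still have to be reviewed by hand.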
Fix Text (F-24629r1_fix)
Develop, document and implement procedures to review and maintain privileges granted to developers on shared production and development host systems and databases.

Recommend establishing a dedicated DBMS host for production DBMS installations (See Checks DG0109 and DG0110).

A dedicated host system in this case refers to an instance of the operating system at a minimum.

The operating system may reside on a virtual host machine where supported by the DBMS vendor.