
Vendor supported software is evaluated and patched against newly found vulnerabilities.


Overview

Finding ID | Version | Rule ID | IA Controls | Severity
V-5658 | DG0001-SQLServer9 | SV-24113r2_rule | VIVM-1 | High
Description
The version of MS SQL Server must be listed by Microsoft as a supported version. Microsoft discontinues fixes for unsupported versions on reported dates. In order to maintain a secure environment, the installed version must continue to receive fixes for reported vulnerabilities.
STIG | Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16

Details

Check Text ( C-26056r2_chk )
From the SQL Server Enterprise Manager or SQL Server Management Studio GUI:

Right-click on SQL server name, select General tab or page, review Product Version or Version.

OR

From the query prompt:

SELECT CONVERT(CHAR(13), SERVERPROPERTY('ProductVersion'))

Where format is in major.minor.build and we only concern ourselves with the major version:

9 = SQL Server 2005

If the major version listed is not under Mainstream or Extended support from Microsoft as listed in the table below, this is a Finding.

You can verify support for SQL Server at the following website:

http://support.microsoft.com/gp/lifepolicy

Product | Release | Mainstream Support Retired | Extended Support Retired
SQL Server | 9 (2005) | 04/12/2011 | 04/12/2016

The reviewer may want to record the version number for other checks in this review. Service patch level and HOTFIX updates are reviewed in separate checks. IAVM compliance is reviewed in Windows OS checks.
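
The check above expressed as a single query, as an added example that is not part of the STIG: it reads ProductVersion, extracts the major version, and compares it with the support dates from the table above. The column names, the status strings, the "manual review" result for a major version outside the table, and treating the retirement date itself as still supported are assumptions of this example.

```sql
-- Added example (not part of the STIG). Written to run on SQL Server 2005,
-- so variables are declared first and assigned with SET afterwards.
SET NOCOUNT ON;

-- Support dates copied from the table in the check text (MM/DD/YYYY there,
-- written here as unambiguous YYYYMMDD literals).
DECLARE @Support TABLE (
    MajorVersion  int         NOT NULL PRIMARY KEY,
    Product       varchar(40) NOT NULL,
    MainstreamEnd datetime    NOT NULL,
    ExtendedEnd   datetime    NOT NULL
);
INSERT INTO @Support VALUES (9, 'SQL Server 2005', '20110412', '20160412');

DECLARE @Version varchar(32);
DECLARE @Major int;

SET @Version = CONVERT(varchar(32), SERVERPROPERTY('ProductVersion'));
-- Only the major version matters for this check: the text before the first dot.
-- Appending '.' keeps CHARINDEX from returning 0 if no dot is present.
SET @Major = CAST(LEFT(@Version, CHARINDEX('.', @Version + '.') - 1) AS int);

SELECT
    CONVERT(varchar(128), SERVERPROPERTY('ServerName')) AS InstanceName,
    @Version AS ProductVersion,
    @Major   AS MajorVersion,
    s.Product,
    s.MainstreamEnd,
    s.ExtendedEnd,
    CASE
        -- Assumption: a major version absent from the table is not auto-scored.
        WHEN s.MajorVersion IS NULL
            THEN 'Manual review: major version not in the STIG table'
        -- Assumption: the retirement date itself still counts as supported.
        WHEN GETDATE() >= DATEADD(day, 1, s.ExtendedEnd)
            THEN 'Finding: Extended support has ended'
        WHEN GETDATE() >= DATEADD(day, 1, s.MainstreamEnd)
            THEN 'Not a Finding: Extended support only'
        ELSE 'Not a Finding: Mainstream support'
    END AS V5658Status
FROM (SELECT @Major AS MajorVersion) AS v
LEFT JOIN @Support AS s
    ON s.MajorVersion = v.MajorVersion;
```

The ProductVersion column in the result is the value the reviewer can record for the other checks in the review.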
Fix Text (F-16108r1_fix)
Protect the SQL Server installation from published vulnerabilities by upgrading to a supported version and installing all service packs and HOTFIXes as they become available (after testing).