UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Microsoft SQL Server 2012 Database Security Technical Implementation Guide


Overview

Date Finding Count (28)
2018-03-01 CAT I (High): 0 CAT II (Med): 27 CAT III (Low): 1
STIG Description
The Microsoft SQL Server 2012 Database Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-41399 Medium SQL Server job/batch queues must be reviewed regularly to detect unauthorized SQL Server job submissions.
V-41395 Medium SQL Server must be protected from unauthorized access by developers.
V-41394 Medium SQL Server utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.
V-41397 Medium Administrative privileges, built-in server roles and built-in database roles must be assigned to the DBMS login accounts that require them via custom roles, and not directly.
V-41396 Medium SQL Server must be protected from unauthorized access by developers on shared production/development host systems.
V-41391 Medium SQL Server must maintain and support organization-defined security labels on information in process.
V-60781 Medium In a database owned by [sa], or by any other login having administrative privileges at the instance level, the database property TRUSTWORTHY must be OFF.
V-41393 Medium SQL Server must allow authorized users to associate security labels to information in the database.
V-41392 Medium SQL Server must maintain and support organization-defined security labels on data in transmission.
V-41422 Medium SQL Server must protect against or limit the effects of the organization-defined types of Denial of Service (DoS) attacks.
V-41421 Medium SQL Server must prevent unauthorized and unintended information transfer via shared system resources.
V-41420 Medium SQL Server must employ cryptographic mechanisms preventing the unauthorized disclosure of information at rest.
V-41409 Medium Unused database components and database objects must be removed.
V-41424 Medium SQL Server must check the validity of data inputs.
V-41404 Medium SQL Server must be monitored to discover unauthorized changes to triggers.
V-41407 Medium Database objects must be owned by accounts authorized for ownership.
V-41406 Medium SQL Server must be monitored to discover unauthorized changes to stored procedures.
V-40911 Medium SQL Server must protect data at rest and ensure confidentiality and integrity of data.
V-41403 Medium SQL Server must be monitored to discover unauthorized changes to functions.
V-41402 Medium SQL Server must provide audit record generation capability for organization-defined auditable events within the database.
V-60671 Medium In a database owned by a login not having administrative privileges at the instance level, the database property TRUSTWORTHY must be OFF unless required and authorized.
V-41389 Medium SQL Server must maintain and support organization-defined security labels on stored information.
V-41412 Medium SQL Server must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
V-41411 Medium SQL Server must encrypt information stored in the database.
V-41416 Medium Database Master Key passwords must not be stored in credentials within the database.
V-41417 Medium Symmetric keys (other than the database master key) must use a DoD certificate to encrypt the key.
V-41415 Medium The Database Master Key must be encrypted by the Service Master Key where required.
V-70627 Low Appropriate staff must be alerted when the amount of storage space used by the SQL Server transaction log file(s) exceeds an organization-defined value.