| V-41399 | Medium | SQL Server job/batch queues must be reviewed regularly to detect unauthorized SQL Server job submissions. | When dealing with unauthorized SQL Server job submissions, it should be noted any unauthorized job submissions to SQL Server job/batch queues can potentially have significant effects on the... |
| V-41395 | Medium | SQL Server must be protected from unauthorized access by developers. | Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is... |
| V-41394 | Medium | SQL Server utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights. | Discretionary Access Control (DAC) is based on the premise that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in... |
| V-41397 | Medium | Administrative privileges, built-in server roles and built-in database roles must be assigned to the DBMS login accounts that require them via custom roles, and not directly. | SQL Server must employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is... |
| V-41396 | Medium | SQL Server must be protected from unauthorized access by developers on shared production/development host systems. | Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is... |
| V-41391 | Medium | SQL Server must maintain and support organization-defined security labels on information in process. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.
These attributes are... |
| V-60781 | Medium | In a database owned by [sa], or by any other login having administrative privileges at the instance level, the database property TRUSTWORTHY must be OFF. | SQL Server's fixed (built-in) server roles, especially [sysadmin], have powerful capabilities that could cause great harm if misused, so their use must be tightly controlled.
The SQL Server... |
| V-41393 | Medium | SQL Server must allow authorized users to associate security labels to information in the database. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.
These attributes are... |
| V-41392 | Medium | SQL Server must maintain and support organization-defined security labels on data in transmission. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.
These attributes are... |
| V-41422 | Medium | SQL Server must protect against or limit the effects of the organization-defined types of Denial of Service (DoS) attacks. | Application management includes the ability to control the number of users and user sessions utilizing an application. Limiting the number of allowed users, and sessions per user, is helpful in... |
| V-41421 | Medium | SQL Server must prevent unauthorized and unintended information transfer via shared system resources. | The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on... |
| V-41420 | Medium | SQL Server must employ cryptographic mechanisms preventing the unauthorized disclosure of information at rest. | This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. If the data is not encrypted,... |
| V-41409 | Medium | Unused database components and database objects must be removed. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential... |
| V-41424 | Medium | SQL Server must check the validity of data inputs. | Invalid user input occurs when a user inserts data or characters into an application’s data entry fields and the application is unprepared to process that data. This results in unanticipated... |
| V-41404 | Medium | SQL Server must be monitored to discover unauthorized changes to triggers. | When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of SQL Server and/or application can potentially have significant... |
| V-41407 | Medium | Database objects must be owned by accounts authorized for ownership. | SQL Server database ownership is a higher level privilege that grants full rights to everything in that database, including the right to grant privileges to others. SQL Server requires that the... |
| V-41406 | Medium | SQL Server must be monitored to discover unauthorized changes to stored procedures. | When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of SQL Server and/or application can potentially have significant... |
| V-40911 | Medium | SQL Server must protect data at rest and ensure confidentiality and integrity of data. | This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers... |
| V-41403 | Medium | SQL Server must be monitored to discover unauthorized changes to functions. | When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of SQL Server and/or application can potentially have significant... |
| V-41402 | Medium | SQL Server must provide audit record generation capability for organization-defined auditable events within the database. | Audit records can be generated from various components within the information system (e.g., network interface, hard disk, modem, etc.). From an application perspective, certain specific... |
| V-60671 | Medium | In a database owned by a login not having administrative privileges at the instance level, the database property TRUSTWORTHY must be OFF unless required and authorized. | SQL Server's fixed (built-in) server roles, especially [sysadmin], have powerful capabilities that could cause great harm if misused, so their use must be tightly controlled.
The SQL Server... |
| V-41389 | Medium | SQL Server must maintain and support organization-defined security labels on stored information. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information.
These attributes are... |
| V-41412 | Medium | SQL Server must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data.
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to... |
| V-41411 | Medium | SQL Server must encrypt information stored in the database. | When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss... |
| V-41416 | Medium | Database Master Key passwords must not be stored in credentials within the database. | Storage of the Database Master Key password in a database credential allows decryption of sensitive data by privileged users who may not have a need-to-know requirement to access the
data. |
| V-41417 | Medium | Symmetric keys (other than the database master key) must use a DoD certificate to encrypt the key. | Data within the database is protected by use of encryption. The symmetric keys are critical for this process. If the symmetric keys were to be compromised the data could be disclosed to... |
| V-41415 | Medium | The Database Master Key must be encrypted by the Service Master Key where required. | When not encrypted by the Service Master Key, system administrators or application administrators may access and use the Database Master Key to view sensitive data that they are not authorized to... |
| V-70627 | Low | Appropriate staff must be alerted when the amount of storage space used by the SQL Server transaction log file(s) exceeds an organization-defined value. | It is important for the appropriate personnel to be aware if the system is at risk of failing to record transaction log data. The transaction log is the heart of a SQL Server database. If it... |
