V-41399 | Medium | SQL Server job/batch queues must be reviewed regularly to detect unauthorized SQL Server job submissions. | When dealing with unauthorized SQL Server job submissions, it should be noted any unauthorized job submissions to SQL Server job/batch queues can potentially have significant effects on the... |
V-41398 | Medium | SQL Server default account public must be removed from each database. | SQL Server's user-defined 'public' account(s) may be assigned privileges that could give data access to an attacker. Well-known SQL Server default accounts would likely be targeted by attackers... |
V-41395 | Medium | SQL Server must be protected from unauthorized access by developers. | Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is... |
V-41394 | Medium | SQL Server utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights. | Discretionary Access Control (DAC) is based on the premise that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in... |
V-41397 | Medium | Administrative privileges must be assigned to database accounts via database roles. | SQL Server must employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is... |
V-41396 | Medium | SQL Server must be protected from unauthorized access by developers on shared production/development host systems. | Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is... |
V-41391 | Medium | SQL Server must maintain and support organization-defined security labels on information in process. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are... |
V-41393 | Medium | SQL Server must allow authorized users to associate security labels to information in the database. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are... |
V-41392 | Medium | SQL Server must maintain and support organization-defined security labels on data in transmission. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are... |
V-41422 | Medium | SQL Server must protect against or limit the effects of the organization-defined types of Denial of Service (DoS) attacks. | Application management includes the ability to control the number of users and user sessions utilizing an application. Limiting the number of allowed users, and sessions per user, is helpful in... |
V-41421 | Medium | SQL Server must prevent unauthorized and unintended information transfer via shared system resources. | The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on... |
V-41420 | Medium | SQL Server must employ cryptographic mechanisms preventing the unauthorized disclosure of information at rest, unless the data is otherwise protected by alternative physical measures. | This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. If the data is not encrypted... |
V-41409 | Medium | Unused database components and database objects must be removed. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential... |
V-41424 | Medium | SQL Server must check the validity of data inputs. | Invalid user input occurs when a user inserts data or characters into an application’s data entry fields and the application is unprepared to process that data. This results in unanticipated... |
V-41404 | Medium | SQL Server must be monitored to discover unauthorized changes to triggers. | When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of SQL Server and/or application can potentially have significant... |
V-41407 | Medium | Database objects must be owned by accounts authorized for ownership. | SQL Server database ownership is a higher level privilege that grants full rights to everything in that database, including the right to grant privileges to others. SQL Server requires that the... |
V-41406 | Medium | SQL Server must be monitored to discover unauthorized changes to stored procedures. | When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of SQL Server and/or application can potentially have significant... |
V-41400 | Medium | SQL Server default account guest must be removed from each database. | SQL Server's default 'guest' account and any user-defined 'public' account(s) may be assigned privileges that could give data access to an attacker. Well-known SQL Server default accounts would... |
V-41403 | Medium | SQL Server must be monitored to discover unauthorized changes to functions. | When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of SQL Server and/or application can potentially have significant... |
V-41402 | Medium | SQL Server must provide audit record generation capability for organization-defined auditable events within the database. | Audit records can be generated from various components within the information system (e.g., network interface, hard disk, modem, etc.). From an application perspective, certain specific... |
V-41389 | Medium | SQL Server must maintain and support organization-defined security labels on stored information. | Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are... |
V-41419 | Medium | The Service Master Key must be backed up, stored offline and off-site. | Backup and recovery of the Service Master Key may be critical to the complete recovery of the database. Not having this key can lead to loss of data during recovery. |
V-41412 | Medium | SQL Server must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to... |
V-41413 | Medium | The Database Master Key encryption password must meet DoD password complexity requirements. | Weak passwords may be easily guessed. When passwords are used to encrypt keys used for encryption of sensitive data, then the confidentiality of all data encrypted using that key is at risk. |
V-41411 | Medium | SQL Server must encrypt information stored in the database. | When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss... |
V-41416 | Medium | Database Master Key passwords must not be stored in credentials within the database. | Storage of the Database Master Key password in a database credential allows decryption of sensitive data by privileged users who may not have a need-to-know requirement to access the data. |
V-41417 | Medium | Symmetric keys must use a DoD certificate to encrypt the key. | Data within the database is protected by use of encryption. The symmetric keys are critical for this process. If the symmetric keys were to be compromised the data could be disclosed to... |
V-41415 | Medium | The Database Master Key must be encrypted by the Service Master Key where required. | When not encrypted by the Service Master Key, system administrators or application administrators may access and use the Database Master Key to view sensitive data that they are not authorized to... |