Database objects must be owned by accounts authorized for ownership.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-41407	SQL2-00-015600	SV-53935r1_rule		Medium

Description
SQL Server database ownership is a higher level privilege that grants full rights to everything in that database, including the right to grant privileges to others. SQL Server requires that the owner of a database object be a user, and only one user can be the assigned owner of a database object. This tends to minimize the risk that multiple users could gain unauthorized access, except the one individual who is the owner. Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Unmanaged or uncontrolled ownership of databases can lead to unauthorized granting of privileges and database alterations.

Description

SQL Server database ownership is a higher level privilege that grants full rights to everything in that database, including the right to grant privileges to others. SQL Server requires that the owner of a database object be a user, and only one user can be the assigned owner of a database object. This tends to minimize the risk that multiple users could gain unauthorized access, except the one individual who is the owner. Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Unmanaged or uncontrolled ownership of databases can lead to unauthorized granting of privileges and database alterations.

STIG	Date
Microsoft SQL Server 2012 Database Security Technical Implementation Guide	2014-06-23

Details

Check Text ( C-47945r2_chk )
Review system documentation to identify SQL Server accounts authorized to own database objects. If the SQL Server database ownership list does not exist or needs to be updated, this is a finding. Run the following SQL query to determine SQL Server ownership of all database objects: SELECT name AS 'Database name' , SUSER_SNAME(owner_sid) AS 'Database Owner' , state_desc AS 'Database state' FROM sys.databases

Check Text ( C-47945r2_chk )

Review system documentation to identify SQL Server accounts authorized to own database objects.

If the SQL Server database ownership list does not exist or needs to be updated, this is a finding.

Run the following SQL query to determine SQL Server ownership of all database objects:
SELECT name AS 'Database name'
, SUSER_SNAME(owner_sid) AS 'Database Owner'
, state_desc AS 'Database state'
FROM sys.databases

Fix Text (F-46835r2_fix)
Add and/or update system documentation to include any accounts authorized for object ownership and remove any account not authorized. Reassign database ownership to authorized database owner account: Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Databases >> right click <'database name'> >> Properties >> Files. Select new database "Owner": Navigate to click on […] >> Select new Database Owner >> Browse… >> click on box to indicate account >> <'OK'> >> <'OK'> >> <'OK'>

Fix Text (F-46835r2_fix)

Add and/or update system documentation to include any accounts authorized for object ownership and remove any account not authorized.

Reassign database ownership to authorized database owner account:
Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Databases >> right click <'database name'> >> Properties >> Files.
Select new database "Owner":
Navigate to click on […] >> Select new Database Owner >> Browse… >> click on box to indicate account >> <'OK'> >> <'OK'> >> <'OK'>