UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Database objects must be owned by accounts authorized for ownership.


Overview

Finding ID Version Rule ID IA Controls Severity
V-41407 SQL2-00-015600 SV-53935r1_rule Medium
Description
SQL Server database ownership is a higher level privilege that grants full rights to everything in that database, including the right to grant privileges to others. SQL Server requires that the owner of a database object be a user, and only one user can be the assigned owner of a database object. This tends to minimize the risk that multiple users could gain unauthorized access, except the one individual who is the owner. Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Unmanaged or uncontrolled ownership of databases can lead to unauthorized granting of privileges and database alterations.
STIG Date
Microsoft SQL Server 2012 Database Security Technical Implementation Guide 2014-06-23

Details

Check Text ( C-47945r2_chk )
Review system documentation to identify SQL Server accounts authorized to own database objects.

If the SQL Server database ownership list does not exist or needs to be updated, this is a finding.

Run the following SQL query to determine SQL Server ownership of all database objects:
SELECT name AS 'Database name'
, SUSER_SNAME(owner_sid) AS 'Database Owner'
, state_desc AS 'Database state'
FROM sys.databases
Fix Text (F-46835r2_fix)
Add and/or update system documentation to include any accounts authorized for object ownership and remove any account not authorized.

Reassign database ownership to authorized database owner account:
Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Databases >> right click <'database name'> >> Properties >> Files.
Select new database "Owner":
Navigate to click on […] >> Select new Database Owner >> Browse… >> click on box to indicate account >> <'OK'> >> <'OK'> >> <'OK'>