UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Microsoft SQL Server 2012 Database Security Technical Implementation Guide


Overview

Date Finding Count (26)
2015-03-26 CAT I (High): 0 CAT II (Med): 26 CAT III (Low): 0
STIG Description
The Microsoft SQL Server 2012 Database Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-41399 Medium SQL Server job/batch queues must be reviewed regularly to detect unauthorized SQL Server job submissions.
V-41395 Medium SQL Server must be protected from unauthorized access by developers.
V-41394 Medium SQL Server utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.
V-41397 Medium Administrative privileges, built-in server roles and built-in database roles must be assigned to the DBMS login accounts that require them via custom roles, and not directly.
V-41396 Medium SQL Server must be protected from unauthorized access by developers on shared production/development host systems.
V-41391 Medium SQL Server must maintain and support organization-defined security labels on information in process.
V-41393 Medium SQL Server must allow authorized users to associate security labels to information in the database.
V-41392 Medium SQL Server must maintain and support organization-defined security labels on data in transmission.
V-41422 Medium SQL Server must protect against or limit the effects of the organization-defined types of Denial of Service (DoS) attacks.
V-41421 Medium SQL Server must prevent unauthorized and unintended information transfer via shared system resources.
V-41420 Medium SQL Server must employ cryptographic mechanisms preventing the unauthorized disclosure of information at rest, unless the data is otherwise protected by alternative physical measures.
V-41409 Medium Unused database components and database objects must be removed.
V-41424 Medium SQL Server must check the validity of data inputs.
V-41404 Medium SQL Server must be monitored to discover unauthorized changes to triggers.
V-41407 Medium Database objects must be owned by accounts authorized for ownership.
V-41406 Medium SQL Server must be monitored to discover unauthorized changes to stored procedures.
V-41403 Medium SQL Server must be monitored to discover unauthorized changes to functions.
V-41402 Medium SQL Server must provide audit record generation capability for organization-defined auditable events within the database.
V-41389 Medium SQL Server must maintain and support organization-defined security labels on stored information.
V-41419 Medium The Service Master Key must be backed up, stored offline and off-site.
V-41412 Medium SQL Server must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
V-41413 Medium The Database Master Key encryption password must meet DoD password complexity requirements.
V-41411 Medium SQL Server must encrypt information stored in the database.
V-41416 Medium Database Master Key passwords must not be stored in credentials within the database.
V-41417 Medium Symmetric keys must use a DoD certificate to encrypt the key.
V-41415 Medium The Database Master Key must be encrypted by the Service Master Key where required.