
Microsoft SQL Server 2012 Database Security Technical Implementation Guide


Overview

Date: 2015-12-21
Finding Count (28): CAT I (High): 0, CAT II (Med): 28, CAT III (Low): 0
STIG Description
The Microsoft SQL Server 2012 Database Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-41399 Medium SQL Server job/batch queues must be reviewed regularly to detect unauthorized SQL Server job submissions.
V-41395 Medium SQL Server must be protected from unauthorized access by developers.
V-41394 Medium SQL Server utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.
V-41397 Medium Administrative privileges, built-in server roles and built-in database roles must be assigned to the DBMS login accounts that require them via custom roles, and not directly.
V-41396 Medium SQL Server must be protected from unauthorized access by developers on shared production/development host systems.
V-41391 Medium SQL Server must maintain and support organization-defined security labels on information in process.
V-60781 Medium In a database owned by [sa], or by any other login having administrative privileges at the instance level, the database property TRUSTWORTHY must be OFF.
V-41393 Medium SQL Server must allow authorized users to associate security labels to information in the database.
V-41392 Medium SQL Server must maintain and support organization-defined security labels on data in transmission.
V-41422 Medium SQL Server must protect against or limit the effects of the organization-defined types of Denial of Service (DoS) attacks.
V-41421 Medium SQL Server must prevent unauthorized and unintended information transfer via shared system resources.
V-41420 Medium SQL Server must employ cryptographic mechanisms preventing the unauthorized disclosure of information at rest, unless the data is otherwise protected by alternative physical measures.
V-41409 Medium Unused database components and database objects must be removed.
V-41424 Medium SQL Server must check the validity of data inputs.
V-41404 Medium SQL Server must be monitored to discover unauthorized changes to triggers.
V-41407 Medium Database objects must be owned by accounts authorized for ownership.
V-41406 Medium SQL Server must be monitored to discover unauthorized changes to stored procedures.
V-41403 Medium SQL Server must be monitored to discover unauthorized changes to functions.
V-41402 Medium SQL Server must provide audit record generation capability for organization-defined auditable events within the database.
V-60671 Medium In a database owned by a login not having administrative privileges at the instance level, the database property TRUSTWORTHY must be OFF unless required and authorized.
V-41389 Medium SQL Server must maintain and support organization-defined security labels on stored information.
V-41419 Medium The Service Master Key must be backed up, stored offline and off-site.
V-41412 Medium SQL Server must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
V-41413 Medium The Database Master Key encryption password must meet DoD password complexity requirements.
V-41411 Medium SQL Server must encrypt information stored in the database.
V-41416 Medium Database Master Key passwords must not be stored in credentials within the database.
V-41417 Medium Symmetric keys must use a DoD certificate to encrypt the key.
V-41415 Medium The Database Master Key must be encrypted by the Service Master Key where required.