UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

SQL Server must restrict access to system tables, other configuration information, and metadata to DBAs and other authorized users.


Overview

Finding ID Version Rule ID IA Controls Severity
V-41044 SQL2-00-009400 SV-53419r1_rule Medium
Description
Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of information systems. Administrative data includes SQL Server metadata and other configuration and management data. Unauthorized access to this data could result in unauthorized changes to database objects, access controls, or SQL Server configuration.
STIG Date
Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide 2014-01-05

Details

Check Text ( C-47661r2_chk )
Obtain from system documentation or use SQL Server to determine privilege assignment of user-defined roles.

Determine which user-defined roles grant privileges to system tables and configuration data stored in SQL Server.

For each user:

Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'user account name'> >> Properties >> User >> Securables.

If any item in the 'Permission' listing, for each highlighted item that exists in the 'Securables' listing, indicates direct permission access, this is a finding.

Navigate from 'Securables' to 'Server Roles'.

If any 'Server roles' are checked from the following listing, indicating direct permission access, this is a finding.
System administrator Server roles: "bulkadmin", "dbcreator", "diskadmin", "processadmin", "securityadmin", "serveradmin", "setupadmin", "sysadmin".

If any user-defined 'Server roles' with system table or configuration data privileges are checked that the user is not authorized to have, this is a finding.

Navigate from 'Server Roles' to 'Users mapped to the login'.

If any checked/highlighted 'Database role membership' shows any "Database role membership for:" indicating direct permission access, this is a finding.
Fix Text (F-46343r2_fix)
Remove all direct access permissions and unauthorized permissions as required using the below instructions:

Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'user account name'> >> Properties >> User >> Securables.

Remove 'Securables' permissions from user account.

Navigate from 'Securables' to 'Server Roles'.

Remove 'Server Roles' permissions from user account.

Navigate from 'Server Roles' to 'Users mapped to the login'.

Remove 'Users mapped to the login' permissions from user account.