UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide


Overview

Date Finding Count (156)
2014-01-17 CAT I (High): 6 CAT II (Med): 142 CAT III (Low): 8
STIG Description
The Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-40907 High SQL Server must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission, unless the transmitted data is otherwise protected by alternative physical measures.
V-40932 High SQL Server must recover to a known state that is verifiable.
V-40917 High SQL Servers data files containing sensitive information must be encrypted.
V-40941 High SQL Server must have the SQL Server Data Tools (SSDT) software component removed from SQL Server if SSDT is unused.
V-40945 High Vendor-supported software and patches must be evaluated and patched against newly found vulnerabilities.
V-40948 High Software, applications, and configuration files that are external to SQL Server must be monitored to discover unauthorized changes.
V-43196 Medium Domain accounts used to manage a SQL Server platform must be different from those used to manage other platforms.
V-40950 Medium SQL Server must support the employment of automated mechanisms supporting the auditing of the enforcement actions.
V-40951 Medium SQL Server must support the organizational requirement to employ automated mechanisms for enforcing access restrictions.
V-41047 Medium SQL Server processes or services must run under custom, dedicated OS accounts.
V-41046 Medium SQL Server must restrict access to sensitive information to authorized user roles.
V-41038 Medium Use of the SQL Server software installation account must be restricted to SQL Server software installation.
V-41039 Medium DBA OS accounts must be granted only those host system privileges necessary for the administration of SQL Server.
V-41035 Medium SQL Server must generate audit records for the DoD-selected list of auditable events.
V-41036 Medium SQL Server must be configured to use Windows Integrated Security.
V-41030 Medium SQL Server must produce audit records containing sufficient information to establish the sources (origins) of the events.
V-41031 Medium SQL Server must produce audit records containing sufficient information to establish where the events occurred.
V-41032 Medium SQL Server must produce audit records containing sufficient information to establish when (date and time) the events occurred.
V-41033 Medium SQL Server must produce audit records containing sufficient information to establish what type of events occurred.
V-41247 Medium SQL Server must not grant users direct access control to the Alter any availability group permission.
V-41246 Medium SQL Server must not grant users direct access control to the Alter any connection permission.
V-41249 Medium SQL Server must enforce access control policies to restrict the Connect SQL permission to only authorized roles.
V-41248 Medium SQL Server must not grant users direct access control to the Alter server state permission.
V-40922 Medium SQL Server must enforce password encryption for storage.
V-41016 Medium SQL Server must protect audit information from any type of unauthorized access.
V-41017 Medium SQL Server must protect the audit records generated as a result of remote access to privileged accounts and by the execution of privileged functions.
V-41018 Medium SQL Server must protect the SQL Server audit tool or any other third-party audit tools from unauthorized deletion.
V-41019 Medium SQL Server must protect the SQL Server audit tool or any other third-party audit tools from unauthorized modification.
V-41311 Medium SQL Server must limit the number of concurrent sessions for each system account to an organization-defined number of sessions.
V-41310 Medium SQL Server must utilize approved cryptography when passing authentication data for remote access sessions.
V-41254 Medium SQL Server must enforce access control policies to restrict the External access assembly permission to only authorized roles.
V-41255 Medium SQL Server must enforce access control policies to restrict the Create trace event notification permission to only authorized roles.
V-41256 Medium SQL Server must enforce access control policies to restrict the Create server role permission to only authorized roles.
V-41257 Medium SQL Server must enforce access control policies to restrict the Create endpoint permission to only authorized roles.
V-41250 Medium SQL Server must not grant users direct access control to the Alter any event notification permission.
V-41251 Medium SQL Server must enforce access control policies to restrict the View any database permission to only authorized roles.
V-41252 Medium SQL Server must not grant users direct access control to the Alter any server audit permission.
V-41253 Medium SQL Server must enforce access control policies to restrict the Shutdown permission to only authorized roles.
V-41258 Medium SQL Server must enforce access control policies to restrict the Create DDL event notification permission to only authorized roles.
V-41259 Medium SQL Server must enforce access control policies to restrict the Create availability group permission to only authorized roles.
V-40934 Medium SQL Server must specifically prohibit or restrict the use of unauthorized functions and services in each instance.
V-41302 Medium SQL Server must enforce access control policies to restrict the Alter any event session permission to only authorized roles.
V-41303 Medium SQL Server must enforce access control policies to restrict Alter server state permissions to only authorized roles.
V-41300 Medium SQL Server must enforce access control policies to restrict the Alter any endpoint permission to only authorized roles.
V-41301 Medium SQL Server must enforce access control policies to restrict the Alter any event notification permission to only authorized roles.
V-41306 Medium SQL Server must automatically audit account modification.
V-41307 Medium SQL Server must ensure that remote sessions that access an organization-defined list of security functions and security-relevant information are audited.
V-41305 Medium SQL Server must notify appropriate individuals when accounts are modified.
V-40906 Medium SQL Server must identify potential security-relevant error conditions.
V-41308 Medium SQL Server, when providing remote access capabilities, must utilize approved cryptography to protect the integrity of remote access sessions.
V-40904 Medium SQL Server must verify there have not been unauthorized changes to SQL Server software and information.
V-41206 Medium SQL Server must enforce access control policies to restrict the Unsafe assembly permission to only authorized roles.
V-41261 Medium SQL Server must enforce access control policies to restrict the View any definition permission to only authorized roles.
V-41260 Medium SQL Server must enforce access control policies to restrict the Alter any server audit permission to only authorized roles.
V-41263 Medium SQL Server must not grant users direct access control to the Administer bulk operations permission.
V-41262 Medium SQL Server must not grant users direct access control to the Authenticate server permission.
V-41265 Medium SQL Server must not grant users direct access control to the Create DDL event notification permission.
V-41264 Medium SQL Server must not grant users direct access control to the Create endpoint permission.
V-41267 Medium SQL Server must not grant users direct access control to the Create any database permission.
V-41266 Medium SQL Server must not grant users direct access control to the Create availability group permission.
V-41269 Medium SQL Server must enforce access control policies to restrict the Administer bulk operations permission to only authorized roles.
V-41268 Medium SQL Server must not grant users direct access control to the Control server permission.
V-40935 Medium Access to xp_cmdshell must be disabled.
V-41029 Medium SQL Server must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.
V-40918 Medium SQL Server must employ NSA-approved cryptography to protect classified information.
V-40919 Medium SQL Server must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-40914 Medium SQL Server must protect the integrity of publicly available information and SQL Servers configuration from unauthorized User Mapping access.
V-40915 Medium SQL Server must protect the integrity of publicly available information and applications.
V-40916 Medium SQL Server must protect the integrity of publicly available information and SQL Servers configuration from unauthorized Securables access.
V-40910 Medium SQL Server must isolate security functions from nonsecurity functions by means of separate security domains.
V-40911 Medium SQL Server must protect data at rest and ensure confidentiality and integrity of data.
V-40913 Medium SQL Server must protect the integrity of publicly available information and SQL Servers configuration from unauthorized Server Roles access.
V-41278 Medium SQL Server must not grant users direct access control to the External access assembly permission.
V-41279 Medium SQL Server must not grant users direct access control to the Alter any login permission.
V-41276 Medium SQL Server must not grant users direct access control to the Create trace event notification permission.
V-41277 Medium SQL Server must not grant users direct access control to the Alter resources permission.
V-41274 Medium SQL Server must not grant users direct access control to the Alter trace permission.
V-41275 Medium SQL Server must not grant users direct access control to the Alter Settings permission.
V-41272 Medium SQL Server must not grant users direct access control to the Connect SQL permission.
V-41273 Medium SQL Server must not grant users direct access control to the Alter any event session permission.
V-41270 Medium SQL Server must enforce access control policies to restrict the Alter resources permission to only authorized roles.
V-41271 Medium SQL Server must not grant users direct access control to the Alter any linked server permission.
V-41283 Medium SQL Server must enforce access control policies to restrict the Alter any linked server permission to only authorized roles.
V-41281 Medium SQL Server must enforce access control policies to restrict the Alter any login permission to only authorized roles.
V-41280 Medium SQL Server must enforce access control policies to restrict the Alter any availability group permission to only authorized roles.
V-41287 Medium SQL Server must not grant users direct access control to the Unsafe assembly permission.
V-41286 Medium SQL Server must enforce access control policies to restrict the Alter trace permission to only authorized roles.
V-41285 Medium SQL Server must enforce access control policies to restrict the View server state permission to only authorized roles.
V-41284 Medium SQL Server must not grant users direct access control to the Shutdown permission.
V-41045 Medium A single SQL Server database connection configuration file (or a single set of credentials) must not be used to configure all database clients.
V-41044 Medium SQL Server must restrict access to system tables, other configuration information, and metadata to DBAs and other authorized users.
V-41289 Medium SQL Server must not grant users direct access control to the Create server role permission.
V-41288 Medium SQL Server must enforce access control policies to restrict the Control server permission to only authorized roles.
V-41041 Medium SQL Server DBA roles must not be assigned excessive or unauthorized privileges.
V-41040 Medium OS accounts utilized to run external procedures called by SQL Server must have limited privileges.
V-41043 Medium Administrators must utilize a separate, distinct administrative account when performing administrative activities, accessing database security functions, or accessing security-relevant information within SQL Server.
V-41042 Medium Non-privileged accounts must be utilized when accessing non-administrative functions.
V-40929 Medium SQL Server backup procedures must be defined, documented, and implemented.
V-40928 Medium SQL Server recovery procedures that are documented must be implemented and periodically tested.
V-41304 Medium SQL Server must enforce non-DAC policies over users and resources where the policy rule set for each policy specifies access control information (i.e., position, nationality, age, project, time of day).
V-40937 Medium Unused database components which are integrated in SQL Server and cannot be uninstalled must be disabled.
V-40921 Medium SQL Server must enforce password encryption for transmission.
V-40920 Medium SQL Server default account sa must have its password changed.
V-40923 Medium SQL Server must ensure users are authenticated with an individual authenticator prior to using a group authenticator.
V-40908 Medium SQL Server must ensure, if Database Availability Groups are being used and there is a server failure, that none of the potential failover servers would suffer from resource exhaustion.
V-40925 Medium SQL Server software libraries must be periodically backed up.
V-40924 Medium SQL Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-40927 Medium SQL Server backup and restoration files must be protected from unauthorized access.
V-40926 Medium SQL Server backups of system-level information per organization-defined frequency must be performed that is consistent with recovery time and recovery point objectives.
V-41209 Medium SQL Server must not grant users direct access control to the Alter any credential permission.
V-41208 Medium SQL Server must not grant users direct access control to the Alter any database permission.
V-41203 Medium SQL Server utilizing Discretionary Access Control (DAC) must enforce a policy that includes or excludes access to the granularity of a single user.
V-41202 Medium SQL Server must enforce separation of duties through assigned information access authorizations.
V-41207 Medium SQL Server must not grant users direct access control to the Alter any endpoint permission.
V-40905 Medium SQL Server must support the requirement to activate an alarm and/or automatically shut down the information system if an application component failure is detected. This can include conducting a graceful application shutdown to avoid losing information.
V-41205 Medium SQL Server must enforce DAC policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both; limiting propagation of access rights; and including or excluding access to the granularity of a single user.
V-41204 Medium SQL Server utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.
V-41309 Medium SQL Server, when providing remote access capabilities, must utilize organization-defined cryptography to protect the confidentiality of data passing over remote access sessions.
V-40930 Medium SQL Server user-level information must be backed up based on a defined frequency.
V-40931 Medium SQL Server must have transaction logging enabled.
V-40936 Medium SQL Server default account sa must be disabled.
V-41291 Medium SQL Server must enforce access control policies to restrict the Alter Settings permission to only authorized roles.
V-41292 Medium SQL Server must enforce access control policies to restrict the Authenticate server permission to only authorized roles.
V-41293 Medium SQL Server must enforce access control policies to restrict the Create any database permission to only authorized roles.
V-41294 Medium SQL Server must not grant users direct access control to the View server state permission.
V-41295 Medium SQL Server must not grant users direct access control to the Alter any server role permission.
V-41296 Medium SQL Server must not grant users direct access control to the View any definition permission.
V-41297 Medium SQL Server must enforce access control policies to restrict the Alter any connection permission to only authorized roles.
V-41298 Medium SQL Server must enforce access control policies to restrict the Alter any credential permission to only authorized roles.
V-41299 Medium SQL Server must enforce access control policies to restrict the Alter any database permission to only authorized roles.
V-40938 Medium SQL Server must have the SQL Server Analysis Service (SSAS) software component removed from SQL Server if SSAS is unused.
V-40939 Medium SQL Server must have the SQL Server Integrated Services (SSIS) software component removed from SQL Server if SSIS is unused.
V-40943 Medium SQL Server must have the publicly available NorthWind sample database removed.
V-40942 Medium SQL Server must have the publicly available AdventureWorks sample database removed.
V-40940 Medium SQL Server must have the SQL Server Reporting Service (SSRS) software component removed from SQL Server if SSRS is unused.
V-40947 Medium SQL Server software installation account(s) must be restricted to authorized users.
V-40944 Medium The OS must limit privileges to change SQL Server software resident within software libraries (including privileged programs).
V-40949 Medium SQL Server must monitor for security-relevant configuration settings to discover unauthorized changes.
V-41290 Medium SQL Server must enforce access control policies to restrict the Alter any server role permission to only authorized roles.
V-40933 Medium SQL Server must support the organizational requirements to specifically prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.
V-41028 Medium SQL Server must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.
V-41027 Medium SQL Server must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.
V-41026 Medium SQL Server must have allocated audit record storage capacity to meet the organization-defined requirements for saving audit record information.
V-41025 Medium SQL Server auditing configuration maximum file size must be configured to reduce the likelihood of storage capacity being exceeded, while meeting organization-defined auditing requirements.
V-41024 Medium SQL Server auditing configuration maximum number of files must be configured to reduce the likelihood of storage capacity being exceeded, while meeting organization-defined auditing requirements.
V-41022 Medium SQL Server must shutdown immediately in the event of an audit failure, unless an alternative audit capability exists.
V-41021 Medium SQL Server must audit attempts to bypass access controls.
V-41020 Medium SQL Server must protect the SQL Server audit tool or any other third-party audit tools from unauthorized access.
V-40952 Low SQL Server must protect audit information from unauthorized deletion.
V-40953 Low SQL Server must protect audit information from unauthorized modification.
V-41034 Low SQL Server must protect against an individual using a group account from falsely denying having performed a particular action.
V-41037 Low SQL Server default account sa must have its name changed.
V-40909 Low SQL Server must limit the use of resources by priority and not impede the host from servicing processes designated as a higher priority.
V-40912 Low SQL Server must associate and maintain security labels when exchanging information between systems.
V-40946 Low Database software directories, including SQL Server configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
V-41023 Low SQL Server itself, or the logging or alerting mechanism the application utilizes, must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.