
SQL Server must restrict access to system tables, other configuration information, and metadata to DBAs and other authorized users.


Overview

Finding ID: V-41044
Version: SQL2-00-009400
Rule ID: SV-53419r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of information systems. Administrative data includes SQL Server metadata and other configuration and management data. Unauthorized access to this data could result in unauthorized changes to database objects, access controls, or SQL Server configuration.
STIG: Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide
Date: 2014-01-17

Details

Check Text (C-47661r2_chk)
Obtain from system documentation or use SQL Server to determine privilege assignment of user-defined roles.

Determine which user-defined roles grant privileges to system tables and configuration data stored in SQL Server.

For each user:

Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'user account name'> >> Properties >> User >> Securables.

For each highlighted item in the 'Securables' listing, if any item in the 'Permission' listing indicates direct permission access, this is a finding.

Navigate from 'Securables' to 'Server Roles'.

If any 'Server roles' are checked from the following listing, indicating direct permission access, this is a finding.
System administrator Server roles: "bulkadmin", "dbcreator", "diskadmin", "processadmin", "securityadmin", "serveradmin", "setupadmin", "sysadmin".

If any user-defined 'Server roles' with system table or configuration data privileges are checked that the user is not authorized to have, this is a finding.

Navigate from 'Server Roles' to 'Users mapped to the login'.

If any checked/highlighted 'Database role membership' shows any "Database role membership for:" indicating direct permission access, this is a finding.
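
The three tabs inspected above can also be enumerated for every login at once from the catalog views. The following read-only T-SQL is an added example, not part of the STIG text; the CONNECT SQL filter is an assumption made to reduce noise, and deciding which rows are authorized remains the reviewer's call.

```sql
-- Added example: read-only catalog queries mirroring the SSMS check steps.
-- Run as a principal that can see all server metadata (e.g. a sysadmin).

-- 1. 'Securables': server-level permissions granted directly to a login.
SELECT  p.name             AS login_name,
        p.type_desc        AS login_type,
        sp.class_desc      AS securable_class,
        sp.permission_name,
        sp.state_desc
FROM    sys.server_permissions AS sp
JOIN    sys.server_principals  AS p
        ON p.principal_id = sp.grantee_principal_id
WHERE   p.type IN ('S', 'U', 'G')              -- SQL login, Windows login, Windows group
  AND   sp.state IN ('G', 'W')                 -- GRANT, GRANT WITH GRANT OPTION
  AND   sp.permission_name <> 'CONNECT SQL'    -- assumption: baseline logon right, filtered out
ORDER BY p.name, sp.permission_name;

-- 2. 'Server Roles': membership in the fixed roles named in the check,
--    plus any user-defined server role (is_fixed_role = 0).
SELECT  m.name          AS login_name,
        r.name          AS server_role,
        r.is_fixed_role
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.is_fixed_role = 0
   OR   r.name IN ('bulkadmin', 'dbcreator', 'diskadmin', 'processadmin',
                   'securityadmin', 'serveradmin', 'setupadmin', 'sysadmin')
ORDER BY m.name, r.name;

-- 3. 'Users mapped to the login': database role membership in the CURRENT
--    database. Repeat in each database; users are matched to logins by SID.
SELECT  l.name  AS login_name,
        u.name  AS database_user,
        r.name  AS database_role
FROM    sys.database_role_members AS drm
JOIN    sys.database_principals   AS r ON r.principal_id = drm.role_principal_id
JOIN    sys.database_principals   AS u ON u.principal_id = drm.member_principal_id
LEFT JOIN sys.server_principals   AS l ON l.sid = u.sid
ORDER BY l.name, r.name;
```

A NULL login_name in the third result set marks a database user with no matching server login, which the per-login SSMS walk-through would not surface.
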
Fix Text (F-46343r2_fix)
Remove all direct access permissions and unauthorized permissions as required using the below instructions:

Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'user account name'> >> Properties >> User >> Securables.

Remove 'Securables' permissions from user account.

Navigate from 'Securables' to 'Server Roles'.

Remove 'Server Roles' permissions from user account.

Navigate from 'Server Roles' to 'Users mapped to the login'.

Remove 'Users mapped to the login' permissions from user account.