Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-40923 | SQL2-00-018500 | SV-53277r1_rule | | Medium |
Description |
---|
To ensure individual accountability and prevent unauthorized access, application users (and any processes acting on behalf of users) must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. An example of a group authenticator is the UNIX OS 'root' user account, a Windows 'administrator' account, an 'sa' account, or a 'helpdesk' account. |
STIG | Date |
---|---|
Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide | 2014-06-23 |
Check Text ( C-47578r2_chk ) |
---|
Review SQL Server users to determine whether group accounts exist: `Select uid, name, roles from sys.sysusers where uid > 16000 and name not in ('db_owner', 'db_accessadmin', 'db_securityadmin', 'db_ddladmin', 'db_backupoperator', 'db_datareader', 'db_datawriter', 'db_denydatareader', 'db_denydatawriter')`. If accounts returned are determined to be group accounts, determine if individuals are first individually authenticated. If individuals are not individually authenticated before using the group account (e.g., by the operating system or possibly by an application making calls to the database), this is a finding. |
Fix Text (F-46205r3_fix) |
---|
Configure SQL Server settings to require individual authentication prior to authentication for group account access. Review SQL Server users to determine whether group accounts exist: `Select uid, name, roles from sys.sysusers where uid > 16000 and name not in ('db_owner', 'db_accessadmin', 'db_securityadmin', 'db_ddladmin', 'db_backupoperator', 'db_datareader', 'db_datawriter', 'db_denydatareader', 'db_denydatawriter');`. Remove group accounts and use individual userids. |
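As an added example that is not the STIG's own check or fix query, the following T-SQL lists the users of the current database from the documented catalog views (`sys.database_principals`, `sys.server_principals`) rather than the `sys.sysusers` compatibility view, and separates users whose members are already authenticated individually by Windows from SQL-authenticated users that need the reviewer's decision on whether they are shared group authenticators. It assumes SQL Server 2012 catalog columns and is run once per user database.

```sql
-- Added example, not the STIG's query: enumerate database users that a
-- reviewer must classify for the group-authenticator check.
-- Assumes SQL Server 2012 catalog views; run in each user database.
SELECT
    dp.name                     AS database_user,
    dp.type_desc                AS principal_type,
    sp.name                     AS mapped_login,
    dp.authentication_type_desc AS auth_type,
    CASE
        -- Windows users and Windows groups: every person behind the account
        -- was authenticated individually by the operating system first.
        WHEN dp.type IN ('U', 'G') THEN 'OS-authenticated individuals'
        -- SQL-authenticated users: a shared name and password is a group
        -- authenticator unless an application authenticates each person
        -- before it connects with this account (manual decision).
        WHEN dp.type = 'S' THEN 'REVIEW: shared credential?'
        ELSE 'REVIEW'
    END                         AS reviewer_note
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp
       ON sp.sid = dp.sid                 -- login the user maps to, if any
WHERE dp.principal_id > 4                 -- skip dbo, guest, INFORMATION_SCHEMA, sys
  AND dp.is_fixed_role = 0                -- skip db_owner, db_datareader, ...
  AND dp.type NOT IN ('R', 'A', 'C', 'K') -- roles, app roles, cert/key-mapped users
ORDER BY reviewer_note, dp.name;
```

Rows marked REVIEW are the candidates for the finding; a row is only compliant when the reviewer can show that individuals are authenticated before the shared account is used.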