The OS must limit privileges to change SQL Server software resident within software libraries (including privileged programs).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-40944	SQL2-00-015800	SV-53298r1_rule		Medium

Description
When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. If the application were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement is contingent upon the language in which the application is programmed, as many application architectures in use today incorporate their software libraries into, and make them inseparable from, their compiled distributions, rendering them static and version dependant. However, this requirement does apply to applications with software libraries accessible and configurable, as in the case of interpreted languages. Accordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. The DBMS software libraries contain the executables used by the DBMS to operate. Unauthorized access to the libraries can result in malicious alteration. This may in turn jeopardize data stored in the DBMS and/or operation of the host system.

Description

When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. If the application were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement is contingent upon the language in which the application is programmed, as many application architectures in use today incorporate their software libraries into, and make them inseparable from, their compiled distributions, rendering them static and version dependant. However, this requirement does apply to applications with software libraries accessible and configurable, as in the case of interpreted languages. Accordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. The DBMS software libraries contain the executables used by the DBMS to operate. Unauthorized access to the libraries can result in malicious alteration. This may in turn jeopardize data stored in the DBMS and/or operation of the host system.

STIG	Date
Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide	2014-06-23

Details

Check Text ( C-47599r2_chk )
Obtain the SQL Server software library installation directory location. From a command prompt, type regedit.exe, and press [ENTER]. Each instance will have its own registry tree at the following registry location: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME]. An [INSTANCE NAME] is listed as the data component of a key found in one of the above OLAP, RS, or SQL folders. To find the installation location of a particular instance, navigate to the following location in the Windows Registry: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME] >> Setup. Examine the value of the 'SqlProgramDir' key. The value of the 'SqlProgramDir' key is the SQL Server installation directory for that SQL Server instance. Navigate to that folder location using a command prompt or Windows Explorer. Verify that files and folders that are part of the SQL Server 2012 installation have only the following privileges: Right click each folder under the installation folder, click Properties. On the Security tab, verify only the following permissions are present. ...\MSSQL\backup – SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) ...\MSSQL\binn – SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) ...\MSSQL\data– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) ...\MSSQL\FTData– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) ...\MSSQL\Install– SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) ...\MSSQL\Log– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) ...\MSSQL\Repldata– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) 110\shared– SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) If additional permissions are present, this is a finding.

Check Text ( C-47599r2_chk )

Obtain the SQL Server software library installation directory location.

From a command prompt, type regedit.exe, and press [ENTER]. Each instance will have its own registry tree at the following registry location: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME].

An [INSTANCE NAME] is listed as the data component of a key found in one of the above OLAP, RS, or SQL folders.

To find the installation location of a particular instance, navigate to the following location in the Windows Registry:
HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME] >> Setup. Examine the value of the 'SqlProgramDir' key. The value of the 'SqlProgramDir' key is the SQL Server installation directory for that SQL Server instance.

Navigate to that folder location using a command prompt or Windows Explorer.

Verify that files and folders that are part of the SQL Server 2012 installation have only the following privileges:
Right click each folder under the installation folder, click Properties. On the Security tab, verify only the following permissions are present.

...\MSSQL\backup – SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control)
...\MSSQL\binn – SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control)
...\MSSQL\data– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control)
...\MSSQL\FTData– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control)
...\MSSQL\Install– SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control)
...\MSSQL\Log– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control)
...\MSSQL\Repldata– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control)
110\shared– SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control)

If additional permissions are present, this is a finding.

Fix Text (F-46226r2_fix)
Navigate to the SQL Server software library directory folder location. Right click the file/folder, click Properties On the Security tab, modify the security permissions, verify that files and folders that are part of the SQL Server 2012 installation have only the following privileges: Right click each folder under the installation folder, click Properties. On the Security tab, verify only the following permissions are present. …\MSSQL\backup – SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) …\MSSQL\binn – SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) …\MSSQL\data– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) …\MSSQL\FTData– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) …\MSSQL\Install– SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control) …\MSSQL\Log– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) …\MSSQL\Repldata– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control) 110\shared– SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control)

Fix Text (F-46226r2_fix)

Navigate to the SQL Server software library directory folder location.

Right click the file/folder, click Properties

On the Security tab, modify the security permissions, verify that files and folders that are part of the SQL Server 2012 installation have only the following privileges:
Right click each folder under the installation folder, click Properties. On the Security tab, verify only the following permissions are present.

…\MSSQL\backup – SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control)
…\MSSQL\binn – SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control)
…\MSSQL\data– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control)
…\MSSQL\FTData– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control)
…\MSSQL\Install– SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control)
…\MSSQL\Log– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control)
…\MSSQL\Repldata– SqlServerService Account (Full Control), System (Full control), System Administrators (Full Control)
110\shared– SqlServerService Account (Read, Execute), System (Full control), System Administrators (Full Control)