Software, applications, and configuration files that are external to SQL Server must be monitored to discover unauthorized changes.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-40948	SQL2-00-015350	SV-53302r1_rule		High

Description
When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of SQL Server and/or application can potentially have significant effects on the overall security of the system. Only qualified and authorized individuals shall be allowed to obtain access to SQL Server components for purposes of initiating changes, including upgrades and modifications. Unmanaged changes that occur to the SQL Server software libraries or configuration can lead to unauthorized or compromised installations.

Description

When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of SQL Server and/or application can potentially have significant effects on the overall security of the system. Only qualified and authorized individuals shall be allowed to obtain access to SQL Server components for purposes of initiating changes, including upgrades and modifications. Unmanaged changes that occur to the SQL Server software libraries or configuration can lead to unauthorized or compromised installations.

STIG	Date
Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide	2014-06-23

Details

Check Text ( C-47603r2_chk )
Verify that files and folders that are part of the SQL Server 2012 installation have only the following privileges: Right click the file/folder, click Properties. On the Security tab, verify only the following permissions are applied: Trusted Installer (Full Control) SYSTEM (FULL CONTROL) Administrators (FULL CONTROL) Users (READ & EXECUTE, READ) Creator Owner (Special Permissions - Full control - Subfolders and files only) If any file or folder permissions are not as stated or more restrictive, this is a finding. Note: Some files also require 'ALL APPLICATION PACKAGES (READ, EXECUTE)' permissions for certain functionality to work appropriately (such as SQLCMD), and this is considered acceptable where those permissions are required. All files that require this access reside by default in the ..\Microsoft SQL Server\110\ directory. Verify that files and folders that are part of the SQL Server 2012 installation have auditing enabled: Right click on the file/folder, click Properties. On the Security tab, click Advanced. On the Auditing tab, verify that the following is set up on at least one audit: Type: All Principal: Everyone Access: Modify Applies to: This Folder, subfolder, and files* *where applicable If the required audit settings are not configured, there is a risk that unauthorized changes to the software will go undetected, and this is a finding. If a third-party security and data integrity tool is not used for monitoring and alerting files and folders based on cryptographic hashes, this is a finding. If the tool does not verify files/folder locations as listed in the documentation, this is a finding.

Check Text ( C-47603r2_chk )

Verify that files and folders that are part of the SQL Server 2012 installation have only the following privileges:

Right click the file/folder, click Properties.

On the Security tab, verify only the following permissions are applied:

Trusted Installer (Full Control)
SYSTEM (FULL CONTROL)
Administrators (FULL CONTROL)
Users (READ & EXECUTE, READ)
Creator Owner (Special Permissions - Full control - Subfolders and files only)

If any file or folder permissions are not as stated or more restrictive, this is a finding.

Note: Some files also require 'ALL APPLICATION PACKAGES (READ, EXECUTE)' permissions for certain functionality to work appropriately (such as SQLCMD), and this is considered acceptable where those permissions are required. All files that require this access reside by default in the ..\Microsoft SQL Server\110\ directory.

Verify that files and folders that are part of the SQL Server 2012 installation have auditing enabled:

Right click on the file/folder, click Properties.

On the Security tab, click Advanced.

On the Auditing tab, verify that the following is set up on at least one audit:

Type: All
Principal: Everyone
Access: Modify
Applies to: This Folder, subfolder, and files*

*where applicable

If the required audit settings are not configured, there is a risk that unauthorized changes to the software will go undetected, and this is a finding.

If a third-party security and data integrity tool is not used for monitoring and alerting files and folders based on cryptographic hashes, this is a finding.
If the tool does not verify files/folder locations as listed in the documentation, this is a finding.

Fix Text (F-46230r2_fix)
Include locations of all files, libraries, scripts, and executables that are considered to be part of the SQL Server installation in the documentation. Verify that files and folders that are part of the SQL Server 2012 installation have only the following privileges: Right click the file/folder, click Properties. On the Security tab, verify only the following permissions are applied: Trusted Installer (Full Control) SYSTEM (FULL CONTROL) Administrators (FULL CONTROL) Users (READ & EXECUTE, READ) Creator Owner (Special Permissions - Full control - Subfolders and files only) Note: Some files also require 'ALL APPLICATION PACKAGES (READ, EXECUTE)' permissions for certain functionality to work appropriately (such as SQLCMD), and this is considered acceptable where those permissions are required. All files that require this access reside by default in the ..\Microsoft SQL Server\110\ directory. Restrict use of this to only the minimum necessary files/folders.

Fix Text (F-46230r2_fix)

Include locations of all files, libraries, scripts, and executables that are considered to be part of the SQL Server installation in the documentation.

Verify that files and folders that are part of the SQL Server 2012 installation have only the following privileges:

Right click the file/folder, click Properties.

On the Security tab, verify only the following permissions are applied:

Trusted Installer (Full Control)
SYSTEM (FULL CONTROL)
Administrators (FULL CONTROL)
Users (READ & EXECUTE, READ)
Creator Owner (Special Permissions - Full control - Subfolders and files only)

Note: Some files also require 'ALL APPLICATION PACKAGES (READ, EXECUTE)' permissions for certain functionality to work appropriately (such as SQLCMD), and this is considered acceptable where those permissions are required. All files that require this access reside by default in the ..\Microsoft SQL Server\110\ directory. Restrict use of this to only the minimum necessary files/folders.