
SQL Server must not grant users direct access control to the Alter any credential permission.


Overview

Finding ID: V-41209
Version: SQL2-00-008100
Rule ID: SV-53677r1_rule
IA Controls:
Severity: Medium
Description
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS.

Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control.

Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Privileges granted outside of SQL Server's role-based account assignments are more likely to go unmanaged and without oversight of granted access. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of application user privilege assignments and helps to protect against unauthorized privilege assignment.

SQL Server's 'Alter any credential' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. This administrative privilege must not be assigned directly to administrative user accounts. If administrative user accounts have direct access to administrative roles, this access must be removed.

STIG: Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide
Date: 2014-06-23

Details

Check Text ( C-47800r2_chk )
Obtain the list of accounts that have direct access to the server-level permission 'Alter any credential' by running the following query:

Select * from sys.server_permissions where permission_name = 'Alter any credential'

If any rows are returned, run the following query, substituting the <grantee_principal_id> with those returned in the previous query.

Select * from sys.server_principals where principal_id = <grantee_principal_id>

If any user accounts have direct access to the 'Alter any credential' permission, this is a finding.
Fix Text (F-46602r1_fix)
Remove the 'Alter any credential' permission access from the account that has direct access by running the following script:


USE master

REVOKE ALTER ANY CREDENTIAL TO <'account name'>

GO
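
The two check queries and the fix script above can be combined into a single review query. This is an added example, not part of the STIG text: treating server roles (type 'R') as acceptable grantees and every other principal type as a finding is an assumption drawn from the Description, and the generated REVOKE statements are meant to be reviewed before they are run.

```sql
-- Added example (not from the STIG): list every explicit grant of
-- ALTER ANY CREDENTIAL, resolve the grantee, and flag direct grants.
USE master;
GO

SELECT
    pr.name          AS grantee_name,
    pr.type_desc     AS grantee_type,      -- e.g. SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP, SERVER_ROLE
    pe.state_desc    AS permission_state,  -- GRANT or GRANT_WITH_GRANT_OPTION
    gr.name          AS granted_by,
    CASE
        WHEN pr.type = 'R'
            THEN 'Granted through a server role: review role membership'
        ELSE 'Direct grant to a principal: finding'
    END              AS assessment,
    -- Assumption: only non-role grantees need the fix script.
    -- Same REVOKE form as the Fix Text, with the name safely quoted.
    CASE
        WHEN pr.type <> 'R'
            THEN N'REVOKE ALTER ANY CREDENTIAL TO ' + QUOTENAME(pr.name) + N';'
    END              AS suggested_fix
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS pr
      ON pr.principal_id = pe.grantee_principal_id
JOIN sys.server_principals  AS gr
      ON gr.principal_id = pe.grantor_principal_id
WHERE pe.class_desc = 'SERVER'
  AND pe.permission_name = 'ALTER ANY CREDENTIAL'
  -- DENY rows ('D') do not confer the permission, so they are excluded here.
  AND pe.state IN ('G', 'W')
ORDER BY
    CASE WHEN pr.type = 'R' THEN 1 ELSE 0 END,  -- findings first
    pr.name;
GO

-- Note: members of the sysadmin fixed server role hold this permission
-- implicitly and never appear in sys.server_permissions; this query, like
-- the STIG check, only covers explicit grants.
```

An empty result, or a result containing only SERVER_ROLE rows, corresponds to the "no user accounts have direct access" outcome of the check.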