The OS must limit privileges to change SQL Server software resident within software libraries (including privileged programs).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-40944	SQL2-00-015800	SV-53298r4_rule		Medium

Description
When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system. If any user were allowed to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. The DBMS software libraries contain the executables used by the DBMS to operate. Unauthorized access to the libraries can result in compromised installations. This may in turn jeopardize data stored in the DBMS and/or operation of the host system. Accordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Of particular note in this context is that any software installed for auditing and/or audit file management must be protected and monitored.

Description

When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system. If any user were allowed to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. The DBMS software libraries contain the executables used by the DBMS to operate. Unauthorized access to the libraries can result in compromised installations. This may in turn jeopardize data stored in the DBMS and/or operation of the host system. Accordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Of particular note in this context is that any software installed for auditing and/or audit file management must be protected and monitored.

STIG	Date
Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide	2015-03-26

Details

Check Text ( C-47599r7_chk )
Obtain the SQL Server software directory location: from a command prompt, open the registry editor by typing regedit.exe, and pressing [ENTER]. Navigate to the following registry location: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME] >> Setup >> SQLBinRoot In the registry tree, the [INSTANCE NAME] for a SQL Server 2012 database engine instance is normally shown as "MSSQL11" followed by a period and the name that was specified for the SQL Server service at installation time. If multiple SQL Server instances are installed, each will have its own [INSTANCE NAME] node and subtree in the registry. The value in the Data column for the SQLBinRoot registry entry is the file system path for the SQL Server 2012 binaries. Navigate to that folder location using a command prompt or Windows Explorer. The following instructions assume that Windows Explorer is used. Verify that files and folders that are part of the SQL Server 2012 instance have only authorized privileges. Right-click the binaries (\binn) folder, click Properties. On the Security tab, verify that at most the following permissions are present: CREATOR OWNER (Full Control) System (Full Control) SQL Server Service SID OR Service Account (Read & Execute) [Notes 1, 2] SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Full Control) [Notes 1, 2] System Administrators (Full Control) [Note 3] If any less restrictive permissions are present (and not specifically justified and approved), this is a finding. Right-click each folder under the binaries folder; click Properties. On the Security tab, verify that at most the permissions listed in the preceding paragraph are present. If any less restrictive permissions are present (and not specifically justified and approved), this is a finding. Right-click the \Install folder, which is a peer of \binn, under ...\MSSQL. On the Security tab, verify that at most the permissions listed in the preceding paragraphs are present. If any less restrictive permissions are present (and not specifically justified and approved), this is a finding. Locate the ...\Microsoft SQL Server\110\Shared folder, either by stepping up the tree in Windows Explorer or by finding the file path in the registry at: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> 110 >> SharedCode Right-click on the ...\110\Shared folder; click Properties. On the Security tab, verify that at most the following permissions are present: CREATOR OWNER (Full Control) System (Full Control) SQL Server Service SID OR Service Account (Read & Execute) [Notes 1, 2] System Administrators (Full Control) [Note 3] Local Administrators (Read) SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read, Write) [Notes 1, 2] [MsDtsServer110 (Read & Execute) is also permitted, if SSIS/DTS is in use.] [NT AUTHORITY\NETWORK SERVICE (Read & Execute) may also be required for SQL Server Configuration Manager to operate.] If any less restrictive permissions are present (and not specifically justified and approved), this is a finding. Right-click each folder under the ...\110\Shared folder; click Properties. On the Security tab, verify that at most the permissions listed in the preceding paragraph are present. If any less restrictive permissions are present (and not specifically justified and approved), this is a finding.

Check Text ( C-47599r7_chk )

Obtain the SQL Server software directory location: from a command prompt, open the registry editor by typing regedit.exe, and pressing [ENTER]. Navigate to the following registry location:
HKEY_LOCAL_MACHINE
>> SOFTWARE
>> Microsoft
>> Microsoft SQL Server
>> [INSTANCE NAME]
>> Setup
>> SQLBinRoot

In the registry tree, the [INSTANCE NAME] for a SQL Server 2012 database engine instance is normally shown as "MSSQL11" followed by a period and the name that was specified for the SQL Server service at installation time. If multiple SQL Server instances are installed, each will have its own [INSTANCE NAME] node and subtree in the registry.

The value in the Data column for the SQLBinRoot registry entry is the file system path for the SQL Server 2012 binaries. Navigate to that folder location using a command prompt or Windows Explorer. The following instructions assume that Windows Explorer is used.

Verify that files and folders that are part of the SQL Server 2012 instance have only authorized privileges. Right-click the binaries (\binn) folder, click Properties. On the Security tab, verify that at most the following permissions are present:
CREATOR OWNER (Full Control)
System (Full Control)
SQL Server Service SID OR Service Account (Read & Execute) [Notes 1, 2]
SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Full Control) [Notes 1, 2]
System Administrators (Full Control) [Note 3]
If any less restrictive permissions are present (and not specifically justified and approved), this is a finding.

Right-click each folder under the binaries folder; click Properties. On the Security tab, verify that at most the permissions listed in the preceding paragraph are present.
If any less restrictive permissions are present (and not specifically justified and approved), this is a finding.

Right-click the \Install folder, which is a peer of \binn, under ...\MSSQL. On the Security tab, verify that at most the permissions listed in the preceding paragraphs are present. If any less restrictive permissions are present (and not specifically justified and approved), this is a finding.

Locate the ...\Microsoft SQL Server\110\Shared folder, either by stepping up the tree in Windows Explorer or by finding the file path in the registry at:
HKEY_LOCAL_MACHINE
>> SOFTWARE
>> Microsoft
>> Microsoft SQL Server
>> 110
>> SharedCode

Right-click on the ...\110\Shared folder; click Properties. On the Security tab, verify that at most the following permissions are present:
CREATOR OWNER (Full Control)
System (Full Control)
SQL Server Service SID OR Service Account (Read & Execute) [Notes 1, 2]
System Administrators (Full Control) [Note 3]
Local Administrators (Read)
SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2]
SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read, Write) [Notes 1, 2]
[MsDtsServer110 (Read & Execute) is also permitted, if SSIS/DTS is in use.]
[NT AUTHORITY\NETWORK SERVICE (Read & Execute) may also be required for SQL Server Configuration Manager to operate.]
If any less restrictive permissions are present (and not specifically justified and approved), this is a finding.

Right-click each folder under the ...\110\Shared folder; click Properties. On the Security tab, verify that at most the permissions listed in the preceding paragraph are present. If any less restrictive permissions are present (and not specifically justified and approved), this is a finding.

Fix Text (F-46226r7_fix)
Navigate to the SQL Server software directory (\binn) location. Right-click the folder, click Properties. On the Security tab, modify the security permissions, so that files and folders that are part of the SQL Server 2012 installation have at most the following privileges. Right-click each folder under the installation folder, click Properties. On the Security tab, modify the security permissions, so that at most the following permissions are present. CREATOR OWNER (Full Control) System (Full Control) SQL Server Service SID OR Service Account (Read & Execute) [Notes 1, 2] SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Full Control) [Notes 1, 2] System Administrators (Full Control) [Note 3] Repeat the above for the \Install folder. Navigate to the ...\Microsoft SQL Server\110\Shared folder. On the Security tab, modify the security permissions, so that at most the following permissions are present: CREATOR OWNER (Full Control) System (Full control) SQL Server Service SID OR Service Account (Read & Execute) [Notes 1, 2] System Administrators (Full Control) [Note 3] SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read, Write) [Notes 1, 2] [MsDtsServer110 (Read & Execute) is also permitted, if SSIS/DTS is in use.] [NT AUTHORITY\NETWORK SERVICE (Read & Execute) may also be required for SQL Server Configuration Manager to operate.]

Fix Text (F-46226r7_fix)

Navigate to the SQL Server software directory (\binn) location. Right-click the folder, click Properties. On the Security tab, modify the security permissions, so that files and folders that are part of the SQL Server 2012 installation have at most the following privileges. Right-click each folder under the installation folder, click Properties. On the Security tab, modify the security permissions, so that at most the following permissions are present.
CREATOR OWNER (Full Control)
System (Full Control)
SQL Server Service SID OR Service Account (Read & Execute) [Notes 1, 2]
SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Full Control) [Notes 1, 2]
System Administrators (Full Control) [Note 3]

Repeat the above for the \Install folder.

Navigate to the ...\Microsoft SQL Server\110\Shared folder. On the Security tab, modify the security permissions, so that at most the following permissions are present:
CREATOR OWNER (Full Control)
System (Full control)
SQL Server Service SID OR Service Account (Read & Execute) [Notes 1, 2]
System Administrators (Full Control) [Note 3]
SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2]
SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read, Write) [Notes 1, 2]
[MsDtsServer110 (Read & Execute) is also permitted, if SSIS/DTS is in use.]
[NT AUTHORITY\NETWORK SERVICE (Read & Execute) may also be required for SQL Server Configuration Manager to operate.]