Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide


Overview

Date: 2017-07-13
Finding Count (152): CAT I (High): 5, CAT II (Med): 138, CAT III (Low): 9
STIG Description
The Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-40907 High SQL Server must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission.
V-40932 High SQL Server must recover to a known state that is verifiable.
V-40941 High SQL Server must have the SQL Server Data Tools (SSDT) software component removed from SQL Server if SSDT is unused.
V-40945 High Vendor-supported software and patches must be evaluated and patched against newly found vulnerabilities.
V-40948 High Software, applications, and configuration files that are part of, or related to, the SQL Server 2012 installation must be monitored to discover unauthorized changes.
V-72415 Medium If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password lifetime.
V-43196 Medium Domain accounts used to manage a SQL Server platform must be different from those used to manage other platforms.
V-40950 Medium SQL Server must support the employment of automated mechanisms supporting the auditing of the enforcement actions.
V-40951 Medium SQL Server must support the organizational requirement to employ automated mechanisms for enforcing access restrictions.
V-41044 Medium SQL Server must restrict access to system tables, other configuration information, and metadata to DBAs and other authorized users.
V-41047 Medium SQL Server processes or services must run under custom, dedicated OS or domain accounts.
V-41046 Medium SQL Server must restrict access to sensitive information to authorized user roles.
V-41038 Medium Use of the SQL Server software installation account must be restricted to SQL Server software installation.
V-41039 Medium DBA OS or domain accounts must be granted only those host system privileges necessary for the administration of SQL Server.
V-41035 Medium SQL Server must generate audit records for the DoD-selected list of auditable events.
V-41036 Medium SQL Server must be configured to use Windows Integrated Security.
V-41030 Medium SQL Server must produce audit records containing sufficient information to establish the sources (origins) of the events.
V-41031 Medium SQL Server must produce audit records containing sufficient information to establish where the events occurred.
V-41032 Medium SQL Server must produce audit records containing sufficient information to establish when (date and time) the events occurred.
V-41033 Medium SQL Server must produce audit records containing sufficient information to establish what type of events occurred.
V-55805 Medium SQL Server must not grant users direct access to the View Any Database permission.
V-72413 Medium If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password complexity.
V-41247 Medium SQL Server must not grant users direct access control to the Alter Any Availability Group permission.
V-41246 Medium SQL Server must not grant users direct access to the Alter any connection permission.
V-59915 Medium SQL Server must enforce access control policies to restrict the Alter any event notification permission to only authorized roles.
V-40922 Medium SQL Server must enforce password encryption for storage.
V-41016 Medium SQL Server must protect audit information from any type of unauthorized access.
V-41017 Medium SQL Server must protect the audit records generated as a result of remote access to privileged accounts and by the execution of privileged functions.
V-41311 Medium The number of concurrent SQL Server sessions for each system account must be limited.
V-41254 Medium SQL Server must enforce access control policies to restrict the External access assembly permission to only authorized roles.
V-41255 Medium SQL Server must enforce access control policies to restrict the Create trace event notification permission to only authorized roles.
V-41256 Medium SQL Server must enforce access control policies to restrict the Create server role permission to only authorized roles.
V-41257 Medium SQL Server must enforce access control policies to restrict the Create endpoint permission to only authorized roles.
V-41250 Medium SQL Server must not grant users direct access to the Alter any event notification permission.
V-41251 Medium SQL Server must enforce access control policies to restrict the View any database permission to only authorized roles.
V-41252 Medium SQL Server must not grant users direct access to the Alter any server audit permission.
V-41253 Medium SQL Server must enforce access control policies to restrict the Shutdown permission to only authorized roles.
V-41258 Medium SQL Server must enforce access control policies to restrict the Create DDL event notification permission to only authorized roles.
V-41259 Medium SQL Server must enforce access control policies to restrict the Create availability group permission to only authorized roles.
V-40937 Medium Unused database components that are integrated in SQL Server and cannot be uninstalled must be disabled.
V-40934 Medium SQL Server must specifically prohibit or restrict the use of unauthorized functions and services in each instance.
V-41302 Medium SQL Server must enforce access control policies to restrict the Alter any event session permission to only authorized roles.
V-41303 Medium SQL Server must enforce access control policies to restrict Alter server state permissions to only authorized roles.
V-41300 Medium SQL Server must enforce access control policies to restrict the Alter any endpoint permission to only authorized roles.
V-41419 Medium The Service Master Key must be backed up, stored offline and off-site.
V-41306 Medium SQL Server must automatically audit account modification.
V-41307 Medium SQL Server must ensure that remote sessions that access an organization-defined list of security functions and security-relevant information are audited.
V-40908 Medium SQL Server must ensure, if Database Availability Groups are being used and there is a server failure, that none of the potential failover servers would suffer from resource exhaustion.
V-40906 Medium SQL Server must identify potential security-relevant error conditions.
V-40905 Medium The system must activate an alarm and/or automatically shut SQL Server down if a failure is detected in its software components.
V-54859 Medium The OS must limit privileges to the SQL Server Data Root directory and its subordinate directories and files.
V-41261 Medium SQL Server must enforce access control policies to restrict the View any definition permission to only authorized roles.
V-41260 Medium SQL Server must enforce access control policies to restrict the Alter any server audit permission to only authorized roles.
V-41263 Medium SQL Server must not grant users direct access to the Administer bulk operations permission.
V-41262 Medium SQL Server must not grant users direct access to the Authenticate server permission.
V-41265 Medium SQL Server must not grant users direct access to the Create DDL event notification permission.
V-41264 Medium SQL Server must not grant users direct access to the Create endpoint permission.
V-41267 Medium SQL Server must not grant users direct access to the Create any database permission.
V-41266 Medium SQL Server must not grant users direct access to the Create availability group permission.
V-41269 Medium SQL Server must enforce access control policies to restrict the Administer bulk operations permission to only authorized roles.
V-41268 Medium SQL Server must not grant users direct access to the Control server permission.
V-41248 Medium SQL Server must not grant users direct access to the Alter server state permission.
V-40935 Medium Access to xp_cmdshell must be disabled.
V-41029 Medium SQL Server must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.
V-40918 Medium SQL Server must employ NSA-approved cryptography to protect classified information.
V-40919 Medium SQL Server must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-40914 Medium SQL Server must protect the integrity of publicly available information and SQL Servers configuration from unauthorized User Mapping access.
V-40915 Medium SQL Server must protect the integrity of publicly available information and applications.
V-40916 Medium SQL Server must protect the integrity of publicly available information and SQL Servers configuration from unauthorized Securables access.
V-40910 Medium SQL Server must isolate security functions from nonsecurity functions by means of separate security domains.
V-40913 Medium SQL Server must protect the integrity of publicly available information and SQL Servers configuration from unauthorized Server Roles access.
V-41278 Medium SQL Server must not grant users direct access to the External access assembly permission.
V-41279 Medium SQL Server must not grant users direct access to the Alter any login permission.
V-41276 Medium SQL Server must not grant users direct access to the Create trace event notification permission.
V-41277 Medium SQL Server must not grant users direct access to the Alter resources permission.
V-41274 Medium SQL Server must not grant users direct access to the Alter trace permission.
V-41275 Medium SQL Server must not grant users direct access to the Alter Settings permission.
V-41273 Medium SQL Server must not grant users direct control to the Alter any event session permission.
V-41270 Medium SQL Server must enforce access control policies to restrict the Alter resources permission to only authorized roles.
V-41271 Medium SQL Server must not grant users direct access to the Alter any linked server permission.
V-41283 Medium SQL Server must enforce access control policies to restrict the Alter any linked server permission to only authorized roles.
V-41281 Medium SQL Server must enforce access control policies to restrict the Alter any login permission to only authorized roles.
V-41280 Medium SQL Server must enforce access control policies to restrict the Alter any availability group permission to only authorized roles.
V-41287 Medium SQL Server must not grant users direct access to the Unsafe assembly permission.
V-41286 Medium SQL Server must enforce access control policies to restrict the Alter trace permission to only authorized roles.
V-41285 Medium SQL Server must enforce access control policies to restrict the View server state permission to only authorized roles.
V-41284 Medium SQL Server must not grant users direct access control to the Shutdown permission.
V-41045 Medium A single SQL Server database connection configuration file (or a single set of credentials) must not be used to configure all database clients.
V-69169 Medium Software, applications, and configuration files that are part of, or related to, the SQL Server 2012 installation must be audited.
V-41289 Medium SQL Server must not grant users direct access to the Create server role permission.
V-41288 Medium SQL Server must enforce access control policies to restrict the Control server permission to only authorized roles.
V-41041 Medium SQL Server DBA roles must not be assigned excessive or unauthorized privileges.
V-41040 Medium OS and domain accounts utilized to run external procedures called by SQL Server must have limited privileges.
V-41043 Medium Administrators must utilize a separate, distinct administrative account when performing administrative activities, accessing database security functions, or accessing security-relevant information within SQL Server.
V-41042 Medium All use of privileged accounts must be audited.
V-40929 Medium SQL Server backup procedures must be defined, documented, and implemented.
V-40928 Medium SQL Server recovery procedures that are documented must be implemented and periodically tested.
V-41304 Medium SQL Server must enforce non-DAC policies over users and resources where the policy rule set for each policy specifies access control information (i.e., position, nationality, age, project, time of day).
V-54879 Medium The OS must limit privileges to the SQL Server data directories and their subordinate directories and files.
V-40923 Medium SQL Server must ensure users are authenticated with an individual authenticator prior to using a shared authenticator.
V-41305 Medium SQL Server must notify appropriate individuals when accounts are modified.
V-40925 Medium SQL Server software libraries must be periodically backed up.
V-40924 Medium SQL Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-40927 Medium SQL Server backup and restoration files must be protected from unauthorized access.
V-40926 Medium SQL Server backups of system-level information per organization-defined frequency must be performed that is consistent with recovery time and recovery point objectives.
V-41209 Medium SQL Server must not grant users direct access to the Alter Any Credential permission.
V-41208 Medium SQL Server must not grant users direct access to the Alter any database permission.
V-41202 Medium SQL Server must enforce separation of duties through assigned information access authorizations.
V-41207 Medium SQL Server must not grant users direct access to the Alter any endpoint permission.
V-41206 Medium SQL Server must enforce access control policies to restrict the Unsafe assembly permission to only authorized roles.
V-41205 Medium SQL Server must enforce DAC policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both; limiting propagation of access rights; and including or excluding access to the granularity of a single user.
V-41204 Medium SQL Server utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.
V-54881 Medium The OS must limit privileges to the SQL Server backup directories and files.
V-40930 Medium SQL Server user-level information must be backed up based on a defined frequency.
V-40936 Medium SQL Server default account sa must be disabled.
V-41291 Medium SQL Server must enforce access control policies to restrict the Alter Settings permission to only authorized roles.
V-41292 Medium SQL Server must enforce access control policies to restrict the Authenticate server permission to only authorized roles.
V-41293 Medium SQL Server must enforce access control policies to restrict the Create any database permission to only authorized roles.
V-41294 Medium SQL Server must not grant users direct access to the View server state permission.
V-41295 Medium SQL Server must not grant users direct access to the Alter any server role permission.
V-41296 Medium SQL Server must not grant users direct access to the View any definition permission.
V-41297 Medium SQL Server must enforce access control policies to restrict the Alter any connection permission to only authorized roles.
V-41298 Medium SQL Server must enforce access control policies to restrict the Alter any credential permission to only authorized roles.
V-41299 Medium SQL Server must enforce access control policies to restrict the Alter any database permission to only authorized roles.
V-40938 Medium SQL Server must have the SQL Server Analysis Service (SSAS) software component removed from SQL Server if SSAS is unused.
V-40939 Medium SQL Server must have the SQL Server Integrated Services (SSIS) software component removed from SQL Server if SSIS is unused.
V-59857 Medium Owners of privileged accounts must use non-privileged accounts for non-administrative activities.
V-40943 Medium SQL Server must have the publicly available NorthWind sample database removed.
V-40942 Medium SQL Server must have the publicly available AdventureWorks sample database removed.
V-40940 Medium SQL Server must have the SQL Server Reporting Service (SSRS) software component removed from SQL Server if SSRS is unused.
V-40947 Medium SQL Server software installation account(s) must be restricted to authorized users.
V-40944 Medium The OS must limit privileges to change SQL Server software resident within software libraries (including privileged programs).
V-40949 Medium SQL Server must monitor for security-relevant configuration settings to discover unauthorized changes.
V-41290 Medium SQL Server must enforce access control policies to restrict the Alter any server role permission to only authorized roles.
V-40933 Medium SQL Server must support the organizational requirements to specifically prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.
V-41028 Medium SQL Server must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.
V-41027 Medium SQL Server must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.
V-41026 Medium SQL Server must have allocated audit record storage capacity to meet the organization-defined requirements for saving audit record information.
V-41025 Medium SQL Server auditing configuration maximum file size must be configured to reduce the likelihood of storage capacity being exceeded, while meeting organization-defined auditing requirements.
V-41024 Medium SQL Server auditing configuration maximum number of files must be configured to reduce the likelihood of storage capacity being exceeded, while meeting organization-defined auditing requirements.
V-41022 Medium SQL Server must shutdown immediately in the event of an audit failure, unless an alternative audit capability exists.
V-41021 Medium SQL Server must audit attempts to bypass access controls.
V-53877 Medium SQL Server databases in the unclassified environment, containing sensitive information, must be encrypted using approved cryptography.
V-40952 Low SQL Server must protect audit information from unauthorized deletion.
V-40953 Low SQL Server must protect audit information from unauthorized modification.
V-41034 Low SQL Server must protect against an individual using a shared account from falsely denying having performed a particular action.
V-41037 Low SQL Server default account sa must have its name changed.
V-70625 Low The SQL Server Browser service must be disabled if its use is not necessary.
V-40909 Low SQL Server must limit the use of resources by priority and not impede the host from servicing processes designated as a higher priority.
V-40912 Low SQL Server must associate and maintain security labels when exchanging information between systems.
V-40946 Low Database software directories, including SQL Server configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
V-41023 Low SQL Server itself, or the logging or alerting mechanism the application utilizes, must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.