SQL Server backup and restoration files must be protected from unauthorized access.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-40927	SQL2-00-018100	SV-53281r2_rule		Medium

Description
SQL Server backups are a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. In order to assure availability of this data in the event of a system failure, DoD organizations are required to ensure user generated data is backed up at a defined frequency. This includes data stored on file systems, within databases or within any other storage media. Applications performing backups must be capable of backing up user-level information per the DoD-defined frequency. Lost or compromised SQL Server backup or restoration files may lead to not only the loss of data, but also the unauthorized access to sensitive data. SQL Server can maintain local copies of critical control files to provide transparent or easy recovery from hard disk loss or other interruptions to database operation. Backup files, both local to the SQL Server machine and not local to the machine, need the same protections against unauthorized access when stored on backup media as when online and actively in use by the database system. In addition, the backup media needs to be protected against physical loss.

Description

SQL Server backups are a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. In order to assure availability of this data in the event of a system failure, DoD organizations are required to ensure user generated data is backed up at a defined frequency. This includes data stored on file systems, within databases or within any other storage media. Applications performing backups must be capable of backing up user-level information per the DoD-defined frequency. Lost or compromised SQL Server backup or restoration files may lead to not only the loss of data, but also the unauthorized access to sensitive data. SQL Server can maintain local copies of critical control files to provide transparent or easy recovery from hard disk loss or other interruptions to database operation. Backup files, both local to the SQL Server machine and not local to the machine, need the same protections against unauthorized access when stored on backup media as when online and actively in use by the database system. In addition, the backup media needs to be protected against physical loss.

STIG	Date
Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide	2017-07-13

Details

Check Text ( C-47582r2_chk )
Obtain authorized access list for backup and restoration procedures from system documentation. If documented procedures are insufficient to show or describe authorized personnel, this is a finding. Review file protections assigned to online backup and restoration files. Review access protections and procedures for offline backup and restoration files. If backup or restoration files are subject to unauthorized access, this is a finding. It may be necessary to review backup and restoration procedures to determine ownership and access during all phases of backup and recovery. In addition to physical and host system protections, consider other methods including encryption protection of the files.

Check Text ( C-47582r2_chk )

Obtain authorized access list for backup and restoration procedures from system documentation.

If documented procedures are insufficient to show or describe authorized personnel, this is a finding.

Review file protections assigned to online backup and restoration files.

Review access protections and procedures for offline backup and restoration files.

If backup or restoration files are subject to unauthorized access, this is a finding.

It may be necessary to review backup and restoration procedures to determine ownership and access during all phases of backup and recovery. In addition to physical and host system protections, consider other methods including encryption protection of the files.

Fix Text (F-46209r1_fix)
Develop, document, and implement protection against unauthorized access of backup and restoration files. Document personnel and the level of access authorized for each to the backup and restoration files in the system documentation.