V-40907 | High | SQL Server must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission. | Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during... |
V-40932 | High | SQL Server must recover to a known state that is verifiable. | Application recovery and reconstitution constitutes executing an information system contingency plan comprising activities that restore essential missions and business functions. SQL Server... |
V-40941 | High | SQL Server must have the SQL Server Data Tools (SSDT) software component removed from SQL Server if SSDT is unused. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential... |
V-40945 | High | Vendor-supported software and patches must be evaluated and patched against newly found vulnerabilities. | Security faults with software applications and operating systems are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security... |
V-40948 | High | Software, applications, and configuration files that are part of, or related to, the SQL Server 2012 installation must be monitored to discover unauthorized changes. | When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of applications and tools related to SQL Server can potentially have... |
V-72415 | Medium | If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password lifetime. | Windows domain/enterprise authentication and identification must be used (SQL2-00-023600). Native SQL Server authentication may be used only when circumstances make it unavoidable; and must be... |
V-43196 | Medium | Domain accounts used to manage a SQL Server platform must be different from those used to manage other platforms. | Separate accounts used to manage the SQL Server platform help prevent a lateral move within an environment if SQL were to be compromised. |
V-40950 | Medium | SQL Server must support the employment of automated mechanisms supporting the auditing of the enforcement actions. | Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system.... |
V-40951 | Medium | SQL Server must support the organizational requirement to employ automated mechanisms for enforcing access restrictions. | When dealing with access restrictions pertaining to change control, it should be noted, any changes to the hardware, software, and/or firmware components of the information system and/or... |
V-41044 | Medium | SQL Server must restrict access to system tables, other configuration information, and metadata to DBAs and other authorized users. | The principle of Least Privilege must be applied to the ability of users to access system tables, system management information, other configuration information, and metadata. Unauthorized access... |
V-41047 | Medium | SQL Server processes or services must run under custom, dedicated OS or domain accounts. | Separation of duties is a prevalent Information Technology control that is implemented at different layers of the information system, including the operating system and in applications. It serves... |
V-41046 | Medium | SQL Server must restrict access to sensitive information to authorized user roles. | Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is... |
V-41038 | Medium | Use of the SQL Server software installation account must be restricted to SQL Server software installation. | This requirement is intended to limit exposure due to operating from within a privileged account. SQL Server does support the organizational requirement that users of information system accounts... |
V-41039 | Medium | DBA OS or domain accounts must be granted only those host system privileges necessary for the administration of SQL Server. | SQL Server DBAs, if assigned excessive OS privileges, could perform actions that could endanger the information system or hide evidence of malicious activity. This requirement is intended to... |
V-41035 | Medium | SQL Server must generate audit records for the DoD-selected list of auditable events. | Audit records can be generated from various components within the information system, such as network interfaces, hard disks, modems, etc. From an application perspective, certain specific... |
V-41036 | Medium | SQL Server must be configured to use Windows Integrated Security. | SQL Server Authentication does not provide for many of the authentication requirements of the DoD. In some cases workarounds are present, but the authentication is not as robust and does not... |
V-41030 | Medium | SQL Server must produce audit records containing sufficient information to establish the sources (origins) of the events. | Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not... |
V-41031 | Medium | SQL Server must produce audit records containing sufficient information to establish where the events occurred. | Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not... |
V-41032 | Medium | SQL Server must produce audit records containing sufficient information to establish when (date and time) the events occurred. | Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not... |
V-41033 | Medium | SQL Server must produce audit records containing sufficient information to establish what type of events occurred. | Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not... |
V-55805 | Medium | SQL Server must not grant users direct access to the View Any Database permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-72413 | Medium | If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password complexity. | Windows domain/enterprise authentication and identification must be used (SQL2-00-023600). Native SQL Server authentication may be used only when circumstances make it unavoidable; and must be... |
V-41247 | Medium | SQL Server must not grant users direct access control to the Alter Any Availability Group permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41246 | Medium | SQL Server must not grant users direct access to the Alter any connection permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-59915 | Medium | SQL Server must enforce access control policies to restrict the Alter any event notification permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-40922 | Medium | SQL Server must enforce password encryption for storage. | SQL Server must enforce password encryption when storing passwords. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are... |
V-41016 | Medium | SQL Server must protect audit information from any type of unauthorized access. | If audit data were to become compromised, competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve.... |
V-41017 | Medium | SQL Server must protect the audit records generated as a result of remote access to privileged accounts and by the execution of privileged functions. | Protection of audit records and audit data is of critical importance. Care must be taken to ensure privileged users cannot circumvent audit protections put in place. Auditing might not be... |
V-41311 | Medium | The number of concurrent SQL Server sessions for each system account must be limited. | A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks. For example, boundary protection devices can filter certain types of packets to protect devices on... |
V-41254 | Medium | SQL Server must enforce access control policies to restrict the External access assembly permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41255 | Medium | SQL Server must enforce access control policies to restrict the Create trace event notification permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41256 | Medium | SQL Server must enforce access control policies to restrict the Create server role permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41257 | Medium | SQL Server must enforce access control policies to restrict the Create endpoint permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41250 | Medium | SQL Server must not grant users direct access to the Alter any event notification permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41251 | Medium | SQL Server must enforce access control policies to restrict the View any database permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41252 | Medium | SQL Server must not grant users direct access to the Alter any server audit permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41253 | Medium | SQL Server must enforce access control policies to restrict the Shutdown permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41258 | Medium | SQL Server must enforce access control policies to restrict the Create DDL event notification permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41259 | Medium | SQL Server must enforce access control policies to restrict the Create availability group permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-40937 | Medium | Unused database components that are integrated in SQL Server and cannot be uninstalled must be disabled. | SQL Server is capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational... |
V-40934 | Medium | SQL Server must specifically prohibit or restrict the use of unauthorized functions and services in each instance. | SQL Server is capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational... |
V-41302 | Medium | SQL Server must enforce access control policies to restrict the Alter any event session permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41303 | Medium | SQL Server must enforce access control policies to restrict Alter server state permissions to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41300 | Medium | SQL Server must enforce access control policies to restrict the Alter any endpoint permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41419 | Medium | The Service Master Key must be backed up, stored offline and off-site. | Backup and recovery of the Service Master Key may be critical to the complete recovery of the database. Not having this key can lead to loss of data during recovery. |
V-41306 | Medium | SQL Server must automatically audit account modification. | Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify... |
V-41307 | Medium | SQL Server must ensure that remote sessions that access an organization-defined list of security functions and security-relevant information are audited. | Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the... |
V-40908 | Medium | SQL Server must ensure, if Database Availability Groups are being used and there is a server failure, that none of the potential failover servers would suffer from resource exhaustion. | SQL Server has a feature called 'Availability Group' which provides automatic failover from a primary SQL Server to a secondary server. This concept is not new, but because SQL Server does warn... |
V-40906 | Medium | SQL Server must identify potential security-relevant error conditions. | The structure and content of SQL Server error messages need to be carefully considered by the organization and development team. The extent to which the application is able to identify and handle... |
V-40905 | Medium | The system must activate an alarm and/or automatically shut SQL Server down if a failure is detected in its software components. | Predictable failure prevention requires organizational planning to address system failure issues. If components key to maintaining system security fail to function, then SQL Server could continue... |
V-54859 | Medium | The OS must limit privileges to the SQL Server Data Root directory and its subordinate directories and files. | Default database file locations should be protected from unauthorized access. The system databases, essential to SQL Server operation, are typically located here. |
V-41261 | Medium | SQL Server must enforce access control policies to restrict the View any definition permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41260 | Medium | SQL Server must enforce access control policies to restrict the Alter any server audit permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41263 | Medium | SQL Server must not grant users direct access to the Administer bulk operations permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41262 | Medium | SQL Server must not grant users direct access to the Authenticate server permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41265 | Medium | SQL Server must not grant users direct access to the Create DDL event notification permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41264 | Medium | SQL Server must not grant users direct access to the Create endpoint permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41267 | Medium | SQL Server must not grant users direct access to the Create any database permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41266 | Medium | SQL Server must not grant users direct access to the Create availability group permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41269 | Medium | SQL Server must enforce access control policies to restrict the Administer bulk operations permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41268 | Medium | SQL Server must not grant users direct access to the Control server permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41248 | Medium | SQL Server must not grant users direct access to the Alter server state permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-40935 | Medium | Access to xp_cmdshell must be disabled. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential... |
V-41029 | Medium | SQL Server must produce audit records containing sufficient information to establish the outcome (success or failure) of the events. | Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not... |
V-40918 | Medium | SQL Server must employ NSA-approved cryptography to protect classified information. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to... |
V-40919 | Medium | SQL Server must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). | Non-organizational users include all information system users other than organizational users, which include organizational employees or individuals the organization deems to have equivalent... |
V-40914 | Medium | SQL Server must protect the integrity of publicly available information and SQL Servers configuration from unauthorized User Mapping access. | The purpose of this control is to ensure organizations explicitly address the protection needs for public information and applications, with such protection likely being implemented as part of... |
V-40915 | Medium | SQL Server must protect the integrity of publicly available information and applications. | The purpose of this control is to ensure organizations explicitly address the protection needs for public information and applications, with such protection likely being implemented as part of... |
V-40916 | Medium | SQL Server must protect the integrity of publicly available information and SQL Servers configuration from unauthorized Securables access. | The purpose of this control is to ensure organizations explicitly address the protection needs for public information and applications, with such protection likely being implemented as part of... |
V-40910 | Medium | SQL Server must isolate security functions from nonsecurity functions by means of separate security domains. | Security functions are defined as "the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and... |
V-40913 | Medium | SQL Server must protect the integrity of publicly available information and SQL Servers configuration from unauthorized Server Roles access. | The purpose of this control is to ensure organizations explicitly address the protection needs for public information and applications, with such protection likely being implemented as part of... |
V-41278 | Medium | SQL Server must not grant users direct access to the External access assembly permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41279 | Medium | SQL Server must not grant users direct access to the Alter any login permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41276 | Medium | SQL Server must not grant users direct access to the Create trace event notification permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41277 | Medium | SQL Server must not grant users direct access to the Alter resources permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41274 | Medium | SQL Server must not grant users direct access to the Alter trace permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41275 | Medium | SQL Server must not grant users direct access to the Alter Settings permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41273 | Medium | SQL Server must not grant users direct control to the Alter any event session permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41270 | Medium | SQL Server must enforce access control policies to restrict the Alter resources permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41271 | Medium | SQL Server must not grant users direct access to the Alter any linked server permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41283 | Medium | SQL Server must enforce access control policies to restrict the Alter any linked server permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41281 | Medium | SQL Server must enforce access control policies to restrict the Alter any login permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41280 | Medium | SQL Server must enforce access control policies to restrict the Alter any availability group permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41287 | Medium | SQL Server must not grant users direct access to the Unsafe assembly permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41286 | Medium | SQL Server must enforce access control policies to restrict the Alter trace permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41285 | Medium | SQL Server must enforce access control policies to restrict the View server state permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41284 | Medium | SQL Server must not grant users direct access control to the Shutdown permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41045 | Medium | A single SQL Server database connection configuration file (or a single set of credentials) must not be used to configure all database clients. | Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is... |
V-69169 | Medium | Software, applications, and configuration files that are part of, or related to, the SQL Server 2012 installation must be audited. | When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of applications and tools related to SQL Server can potentially have... |
V-41289 | Medium | SQL Server must not grant users direct access to the Create server role permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41288 | Medium | SQL Server must enforce access control policies to restrict the Control server permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41041 | Medium | SQL Server DBA roles must not be assigned excessive or unauthorized privileges. | This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control... |
V-41040 | Medium | OS and domain accounts utilized to run external procedures called by SQL Server must have limited privileges. | This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control... |
V-41043 | Medium | Administrators must utilize a separate, distinct administrative account when performing administrative activities, accessing database security functions, or accessing security-relevant information within SQL Server. | This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control... |
V-41042 | Medium | All use of privileged accounts must be audited. | This is intended to limit exposure, by making it possible to trace any unauthorized access to other data or functionality by a privileged user account or role that has permissions on security... |
V-40929 | Medium | SQL Server backup procedures must be defined, documented, and implemented. | SQL Server backup is a critical step in maintaining data assurance and availability. User-level information is data generated by the information system and/or application users. In order to... |
V-40928 | Medium | SQL Server recovery procedures that are documented must be implemented and periodically tested. | SQL Server backups are a critical step in maintaining data assurance and availability. User-level information is data generated by the information system and/or application users. In order to... |
V-41304 | Medium | SQL Server must enforce non-DAC policies over users and resources where the policy rule set for each policy specifies access control information (i.e., position, nationality, age, project, time of day). | Non-DAC controls are determined by policy makers and are managed centrally or by a central authority. These controls must not be changed at the discretion of ordinary application users. Data... |
V-54879 | Medium | The OS must limit privileges to the SQL Server data directories and their subordinate directories and files. | Database files must be protected from unauthorized access. Although default data locations are created at installation time, sites can, and will, use other directories for site-created database... |
V-40923 | Medium | SQL Server must ensure users are authenticated with an individual authenticator prior to using a shared authenticator. | To ensure individual accountability and prevent unauthorized access, application users (and any processes acting on behalf of users) must be individually identified and authenticated. A shared... |
V-41305 | Medium | SQL Server must notify appropriate individuals when accounts are modified. | Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to modify an... |
V-40925 | Medium | SQL Server software libraries must be periodically backed up. | SQL Server backups are a critical step in maintaining data assurance and availability. System-level information includes system-state information, operating system and application software, and... |
V-40924 | Medium | SQL Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | To ensure accountability and prevent unauthorized SQL Server access, organizational users shall be identified and authenticated. Organizational users include organizational employees or... |
V-40927 | Medium | SQL Server backup and restoration files must be protected from unauthorized access. | SQL Server backups are a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. In order to assure... |
V-40926 | Medium | SQL Server backups of system-level information per organization-defined frequency must be performed that is consistent with recovery time and recovery point objectives. | SQL Server backups are a critical step in maintaining data assurance and availability. System-level information includes: system-state information, operating system and application software, and... |
V-41209 | Medium | SQL Server must not grant users direct access to the Alter Any Credential permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41208 | Medium | SQL Server must not grant users direct access to the Alter any database permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41202 | Medium | SQL Server must enforce separation of duties through assigned information access authorizations. | Separation of duties is a prevalent Information Technology control that is implemented at different layers of the information system, including the operating system and in applications. It serves... |
V-41207 | Medium | SQL Server must not grant users direct access to the Alter any endpoint permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41206 | Medium | SQL Server must enforce access control policies to restrict the Unsafe assembly permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41205 | Medium | SQL Server must enforce DAC policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both; limiting propagation of access rights; and including or excluding access to the granularity of a single user. | Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices,... |
V-41204 | Medium | SQL Server utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights. | Discretionary Access Control (DAC) is based on the premise that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in... |
V-54881 | Medium | The OS must limit privileges to the SQL Server backup directories and files. | Backups must be protected from unauthorized deletion and modification. They must also be protected from unauthorized use in database restoration. |
V-40930 | Medium | SQL Server user-level information must be backed up based on a defined frequency. | SQL Server backups are a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. In order to assure... |
V-40936 | Medium | SQL Server default account sa must be disabled. | SQL Server's 'sa' account has special privileges required to administer the database. The 'sa' account is a well-known SQL Server account and is likely to be targeted by attackers and thus more... |
V-41291 | Medium | SQL Server must enforce access control policies to restrict the Alter Settings permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41292 | Medium | SQL Server must enforce access control policies to restrict the Authenticate server permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41293 | Medium | SQL Server must enforce access control policies to restrict the Create any database permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41294 | Medium | SQL Server must not grant users direct access to the View server state permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41295 | Medium | SQL Server must not grant users direct access to the Alter any server role permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41296 | Medium | SQL Server must not grant users direct access to the View any definition permission. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41297 | Medium | SQL Server must enforce access control policies to restrict the Alter any connection permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41298 | Medium | SQL Server must enforce access control policies to restrict the Alter any credential permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-41299 | Medium | SQL Server must enforce access control policies to restrict the Alter any database permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-40938 | Medium | SQL Server must have the SQL Server Analysis Service (SSAS) software component removed from SQL Server if SSAS is unused. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential... |
V-40939 | Medium | SQL Server must have the SQL Server Integrated Services (SSIS) software component removed from SQL Server if SSIS is unused. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential... |
V-59857 | Medium | Owners of privileged accounts must use non-privileged accounts for non-administrative activities. | Use of privileged accounts for non-administrative purposes puts data at risk of unintended or unauthorized loss, modification, or exposure. In particular, DBA accounts, if used for... |
V-40943 | Medium | SQL Server must have the publicly available NorthWind sample database removed. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential... |
V-40942 | Medium | SQL Server must have the publicly available AdventureWorks sample database removed. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential... |
V-40940 | Medium | SQL Server must have the SQL Server Reporting Service (SSRS) software component removed from SQL Server if SSRS is unused. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential... |
V-40947 | Medium | SQL Server software installation account(s) must be restricted to authorized users. | When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have... |
V-40944 | Medium | The OS must limit privileges to change SQL Server software resident within software libraries (including privileged programs). | When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on... |
V-40949 | Medium | SQL Server must monitor for security-relevant configuration settings to discover unauthorized changes. | When dealing with change control issues, it should be noted, any changes to security-relevant configuration settings of SQL Server can potentially have significant effects on the overall security... |
V-41290 | Medium | SQL Server must enforce access control policies to restrict the Alter any server role permission to only authorized roles. | The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational... |
V-40933 | Medium | SQL Server must support the organizational requirements to specifically prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential... |
V-41028 | Medium | SQL Server must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event. | Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps,... |
V-41027 | Medium | SQL Server must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject. | SQL Server auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps, source and... |
V-41026 | Medium | SQL Server must have allocated audit record storage capacity to meet the organization-defined requirements for saving audit record information. | SQL Server does not have the ability to be cognizant of potential audit log storage capacity issues. During the installation and/or configuration process, SQL Server should detect and determine if... |
V-41025 | Medium | SQL Server auditing configuration maximum file size must be configured to reduce the likelihood of storage capacity being exceeded, while meeting organization-defined auditing requirements. | Configure SQL Server during the installation and/or configuration process to determine if adequate storage capacity has been allocated for audit logs. If SQL Server audit logs that are being... |
V-41024 | Medium | SQL Server auditing configuration maximum number of files must be configured to reduce the likelihood of storage capacity being exceeded, while meeting organization-defined auditing requirements. | Configure SQL Server during the installation and/or configuration process to determine if adequate storage capacity has been allocated for audit logs. If SQL Server audit logs that are being... |
V-41022 | Medium | SQL Server must shutdown immediately in the event of an audit failure, unless an alternative audit capability exists. | It is critical that, when SQL Server is at risk of failing to process audit logs as required, it takes action to mitigate the failure. If the system were to continue processing without auditing... |
V-41021 | Medium | SQL Server must audit attempts to bypass access controls. | Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps,... |
V-53877 | Medium | SQL Server databases in the unclassified environment, containing sensitive information, must be encrypted using approved cryptography. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to... |
V-40952 | Low | SQL Server must protect audit information from unauthorized deletion. | If audit data were to become compromised, competent forensic analysis and discovery of the true source of potentially malicious system activity would be impossible to achieve. To ensure the... |
V-40953 | Low | SQL Server must protect audit information from unauthorized modification. | If audit data were to become compromised, competent forensic analysis and discovery of the true source of potentially malicious system activity would be impossible to achieve. To ensure the... |
V-41034 | Low | SQL Server must protect against an individual using a shared account from falsely denying having performed a particular action. | Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message,... |
V-41037 | Low | SQL Server default account sa must have its name changed. | SQL Server's 'sa' account has special privileges required to administer the database. The 'sa' account is a well-known SQL Server account name and is likely to be targeted by attackers, and is... |
V-70625 | Low | The SQL Server Browser service must be disabled if its use is not necessary. | The SQL Server Browser simplifies the administration of SQL Server, particularly when multiple instances of SQL Server coexist on the same computer. It avoids the need to hard-assign port numbers... |
V-40909 | Low | SQL Server must limit the use of resources by priority and not impede the host from servicing processes designated as a higher priority. | Priority protection helps prevent a lower-priority process from delaying or interfering with the information system servicing any higher-priority process. This control does not apply to components... |
V-40912 | Low | SQL Server must associate and maintain security labels when exchanging information between systems. | When data is exchanged between information systems, the security attributes associated with said data need to be maintained. Security attributes are an abstraction representing the basic... |
V-40946 | Low | Database software directories, including SQL Server configuration files, must be stored in dedicated directories, separate from the host OS and other applications. | When dealing with change control issues, it should be noted any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have... |
V-41023 | Low | SQL Server itself, or the logging or alerting mechanism the application utilizes, must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include: software/hardware errors, failures... |