UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

SQL Server must monitor for security-relevant configuration settings to discover unauthorized changes.


Overview

Finding ID Version Rule ID IA Controls Severity
V-40949 SQL2-00-015300 SV-53303r2_rule Medium
Description
When dealing with change control issues, it should be noted, any changes to security-relevant configuration settings of SQL Server can potentially have significant effects on the overall security of the system. If SQL Server were to allow any user to make changes to configuration settings, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement is contingent upon the configuration of SQL Server's hosted application and the security-relevant configuration settings of SQL Server. Accordingly, only qualified and authorized individuals shall be allowed to obtain access to these security-relevant configuration settings for purposes of initiating changes, including upgrades and modifications. Unmanaged changes that occur to SQL Server software libraries or configuration can lead to unauthorized or compromised installations.
STIG Date
Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide 2017-12-01

Details

Check Text ( C-47604r2_chk )
Verify within the system documentation that SQL Server is monitoring for security-relevant configuration settings to discover unauthorized changes.

This can be done by a third-party tool or a SQL script that does baselining and then comparisons.

If the monitoring of security-relevant configuration settings to discover unauthorized changes is not implemented on SQL Server, this is a finding.
Fix Text (F-46231r2_fix)
Document the monitoring of security-relevant configuration settings to discover unauthorized changes within the system documentation.

Document the specific users or types of security personnel that are able to monitor security-relevant configuration settings to discover unauthorized changes.

Deploy and implement a third-party tool or some other SQL Server method of monitoring security-relevant configuration settings to discover unauthorized changes.