UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide


Overview

Date Finding Count (152)
2018-02-27 CAT I (High): 6 CAT II (Med): 137 CAT III (Low): 9
STIG Description
The Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-40907 High SQL Server must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission.
V-40932 High SQL Server must recover to a known state that is verifiable.
V-40917 High SQL Server databases in the classified environment, containing classified or sensitive information, must be encrypted using approved cryptography.
V-40941 High SQL Server must have the SQL Server Data Tools (SSDT) software component removed from SQL Server if SSDT is unused.
V-40945 High Vendor-supported software and patches must be evaluated and patched against newly found vulnerabilities.
V-40948 High Software, applications, and configuration files that are part of, or related to, the SQL Server 2012 installation must be monitored to discover unauthorized changes.
V-72415 Medium If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password lifetime.
V-43196 Medium Domain accounts used to manage a SQL Server platform must be different from those used to manage other platforms.
V-40950 Medium SQL Server must support the employment of automated mechanisms supporting the auditing of the enforcement actions.
V-40951 Medium SQL Server must support the organizational requirement to employ automated mechanisms for enforcing access restrictions.
V-41044 Medium SQL Server must restrict access to system tables, other configuration information, and metadata to DBAs and other authorized users.
V-41047 Medium SQL Server processes or services must run under custom, dedicated OS or domain accounts.
V-41046 Medium SQL Server must restrict access to sensitive information to authorized user roles.
V-41038 Medium Use of the SQL Server software installation account must be restricted to SQL Server software installation.
V-41039 Medium DBA OS or domain accounts must be granted only those host system privileges necessary for the administration of SQL Server.
V-41035 Medium SQL Server must generate audit records for the DoD-selected list of auditable events.
V-41036 Medium SQL Server must be configured to use Windows Integrated Security.
V-41030 Medium SQL Server must produce audit records containing sufficient information to establish the sources (origins) of the events.
V-41031 Medium SQL Server must produce audit records containing sufficient information to establish where the events occurred.
V-41032 Medium SQL Server must produce audit records containing sufficient information to establish when (date and time) the events occurred.
V-41033 Medium SQL Server must produce audit records containing sufficient information to establish what type of events occurred.
V-55805 Medium SQL Server must not grant users direct access to the View Any Database permission.
V-72413 Medium If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password complexity.
V-41247 Medium SQL Server must not grant users direct access control to the Alter Any Availability Group permission.
V-41246 Medium SQL Server must not grant users direct access to the Alter any connection permission.
V-59915 Medium SQL Server must enforce access control policies to restrict the Alter any event notification permission to only authorized roles.
V-40922 Medium SQL Server must enforce password encryption for storage.
V-41016 Medium SQL Server must protect audit information from any type of unauthorized access.
V-41017 Medium SQL Server must protect the audit records generated as a result of remote access to privileged accounts and by the execution of privileged functions.
V-41311 Medium The number of concurrent SQL Server sessions for each system account must be limited.
V-41254 Medium SQL Server must enforce access control policies to restrict the External access assembly permission to only authorized roles.
V-41255 Medium SQL Server must enforce access control policies to restrict the Create trace event notification permission to only authorized roles.
V-41256 Medium SQL Server must enforce access control policies to restrict the Create server role permission to only authorized roles.
V-41257 Medium SQL Server must enforce access control policies to restrict the Create endpoint permission to only authorized roles.
V-41250 Medium SQL Server must not grant users direct access to the Alter any event notification permission.
V-41251 Medium SQL Server must enforce access control policies to restrict the View any database permission to only authorized roles.
V-41252 Medium SQL Server must not grant users direct access to the Alter any server audit permission.
V-41253 Medium SQL Server must enforce access control policies to restrict the Shutdown permission to only authorized roles.
V-41258 Medium SQL Server must enforce access control policies to restrict the Create DDL event notification permission to only authorized roles.
V-41259 Medium SQL Server must enforce access control policies to restrict the Create availability group permission to only authorized roles.
V-40937 Medium Unused database components that are integrated in SQL Server and cannot be uninstalled must be disabled.
V-40934 Medium SQL Server must specifically prohibit or restrict the use of unauthorized functions and services in each instance.
V-41302 Medium SQL Server must enforce access control policies to restrict the Alter any event session permission to only authorized roles.
V-41303 Medium SQL Server must enforce access control policies to restrict Alter server state permissions to only authorized roles.
V-41300 Medium SQL Server must enforce access control policies to restrict the Alter any endpoint permission to only authorized roles.
V-41419 Medium The Service Master Key must be backed up, stored offline and off-site.
V-41306 Medium SQL Server must automatically audit account modification.
V-41307 Medium SQL Server must ensure that remote sessions that access an organization-defined list of security functions and security-relevant information are audited.
V-40908 Medium SQL Server must ensure, if Database Availability Groups are being used and there is a server failure, that none of the potential failover servers would suffer from resource exhaustion.
V-40906 Medium SQL Server must identify potential security-relevant error conditions.
V-40905 Medium The system must activate an alarm and/or automatically shut SQL Server down if a failure is detected in its software components.
V-54859 Medium The OS must limit privileges to the SQL Server Data Root directory and its subordinate directories and files.
V-41261 Medium SQL Server must enforce access control policies to restrict the View any definition permission to only authorized roles.
V-41260 Medium SQL Server must enforce access control policies to restrict the Alter any server audit permission to only authorized roles.
V-41263 Medium SQL Server must not grant users direct access to the Administer bulk operations permission.
V-41262 Medium SQL Server must not grant users direct access to the Authenticate server permission.
V-41265 Medium SQL Server must not grant users direct access to the Create DDL event notification permission.
V-41264 Medium SQL Server must not grant users direct access to the Create endpoint permission.
V-41267 Medium SQL Server must not grant users direct access to the Create any database permission.
V-41266 Medium SQL Server must not grant users direct access to the Create availability group permission.
V-41269 Medium SQL Server must enforce access control policies to restrict the Administer bulk operations permission to only authorized roles.
V-41268 Medium SQL Server must not grant users direct access to the Control server permission.
V-41248 Medium SQL Server must not grant users direct access to the Alter server state permission.
V-40935 Medium Access to xp_cmdshell must be disabled.
V-41029 Medium SQL Server must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.
V-40918 Medium SQL Server must employ NSA-approved cryptography to protect classified information.
V-40919 Medium SQL Server must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-40914 Medium SQL Server must protect the integrity of publicly available information and SQL Servers configuration from unauthorized User Mapping access.
V-40915 Medium SQL Server must protect the integrity of publicly available information and applications.
V-40916 Medium SQL Server must protect the integrity of publicly available information and SQL Servers configuration from unauthorized Securables access.
V-40910 Medium SQL Server must isolate security functions from nonsecurity functions by means of separate security domains.
V-40913 Medium SQL Server must protect the integrity of publicly available information and SQL Servers configuration from unauthorized Server Roles access.
V-41278 Medium SQL Server must not grant users direct access to the External access assembly permission.
V-41279 Medium SQL Server must not grant users direct access to the Alter any login permission.
V-41276 Medium SQL Server must not grant users direct access to the Create trace event notification permission.
V-41277 Medium SQL Server must not grant users direct access to the Alter resources permission.
V-41274 Medium SQL Server must not grant users direct access to the Alter trace permission.
V-41275 Medium SQL Server must not grant users direct access to the Alter Settings permission.
V-41273 Medium SQL Server must not grant users direct control to the Alter any event session permission.
V-41270 Medium SQL Server must enforce access control policies to restrict the Alter resources permission to only authorized roles.
V-41271 Medium SQL Server must not grant users direct access to the Alter any linked server permission.
V-41283 Medium SQL Server must enforce access control policies to restrict the Alter any linked server permission to only authorized roles.
V-41281 Medium SQL Server must enforce access control policies to restrict the Alter any login permission to only authorized roles.
V-41280 Medium SQL Server must enforce access control policies to restrict the Alter any availability group permission to only authorized roles.
V-41287 Medium SQL Server must not grant users direct access to the Unsafe assembly permission.
V-41286 Medium SQL Server must enforce access control policies to restrict the Alter trace permission to only authorized roles.
V-41285 Medium SQL Server must enforce access control policies to restrict the View server state permission to only authorized roles.
V-41284 Medium SQL Server must not grant users direct access control to the Shutdown permission.
V-41045 Medium A single SQL Server database connection configuration file (or a single set of credentials) must not be used to configure all database clients.
V-69169 Medium Software, applications, and configuration files that are part of, or related to, the SQL Server 2012 installation must be audited.
V-41289 Medium SQL Server must not grant users direct access to the Create server role permission.
V-41288 Medium SQL Server must enforce access control policies to restrict the Control server permission to only authorized roles.
V-41041 Medium SQL Server DBA roles must not be assigned excessive or unauthorized privileges.
V-41040 Medium OS and domain accounts utilized to run external procedures called by SQL Server must have limited privileges.
V-41043 Medium Administrators must utilize a separate, distinct administrative account when performing administrative activities, accessing database security functions, or accessing security-relevant information within SQL Server.
V-41042 Medium All use of privileged accounts must be audited.
V-40929 Medium SQL Server backup procedures must be defined, documented, and implemented.
V-40928 Medium SQL Server recovery procedures that are documented must be implemented and periodically tested.
V-41304 Medium SQL Server must enforce non-DAC policies over users and resources where the policy rule set for each policy specifies access control information (i.e., position, nationality, age, project, time of day).
V-54879 Medium The OS must limit privileges to the SQL Server data directories and their subordinate directories and files.
V-40923 Medium SQL Server must ensure users are authenticated with an individual authenticator prior to using a shared authenticator.
V-41305 Medium SQL Server must notify appropriate individuals when accounts are modified.
V-40925 Medium SQL Server software libraries must be periodically backed up.
V-40924 Medium SQL Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-40927 Medium SQL Server backup and restoration files must be protected from unauthorized access.
V-40926 Medium SQL Server backups of system-level information per organization-defined frequency must be performed that is consistent with recovery time and recovery point objectives.
V-41209 Medium SQL Server must not grant users direct access to the Alter Any Credential permission.
V-41208 Medium SQL Server must not grant users direct access to the Alter any database permission.
V-41202 Medium SQL Server must enforce separation of duties through assigned information access authorizations.
V-41207 Medium SQL Server must not grant users direct access to the Alter any endpoint permission.
V-41206 Medium SQL Server must enforce access control policies to restrict the Unsafe assembly permission to only authorized roles.
V-41205 Medium SQL Server must enforce DAC policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both; limiting propagation of access rights; and including or excluding access to the granularity of a single user.
V-41204 Medium SQL Server utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.
V-54881 Medium The OS must limit privileges to the SQL Server backup directories and files.
V-40930 Medium SQL Server user-level information must be backed up based on a defined frequency.
V-40936 Medium SQL Server default account sa must be disabled.
V-41291 Medium SQL Server must enforce access control policies to restrict the Alter Settings permission to only authorized roles.
V-41292 Medium SQL Server must enforce access control policies to restrict the Authenticate server permission to only authorized roles.
V-41293 Medium SQL Server must enforce access control policies to restrict the Create any database permission to only authorized roles.
V-41294 Medium SQL Server must not grant users direct access to the View server state permission.
V-41295 Medium SQL Server must not grant users direct access to the Alter any server role permission.
V-41296 Medium SQL Server must not grant users direct access to the View any definition permission.
V-41297 Medium SQL Server must enforce access control policies to restrict the Alter any connection permission to only authorized roles.
V-41298 Medium SQL Server must enforce access control policies to restrict the Alter any credential permission to only authorized roles.
V-41299 Medium SQL Server must enforce access control policies to restrict the Alter any database permission to only authorized roles.
V-40938 Medium SQL Server must have the SQL Server Analysis Service (SSAS) software component removed from SQL Server if SSAS is unused.
V-40939 Medium SQL Server must have the SQL Server Integrated Services (SSIS) software component removed from SQL Server if SSIS is unused.
V-59857 Medium Owners of privileged accounts must use non-privileged accounts for non-administrative activities.
V-40943 Medium SQL Server must have the publicly available NorthWind sample database removed.
V-40942 Medium SQL Server must have the publicly available AdventureWorks sample database removed.
V-40940 Medium SQL Server must have the SQL Server Reporting Service (SSRS) software component removed from SQL Server if SSRS is unused.
V-40947 Medium SQL Server software installation account(s) must be restricted to authorized users.
V-40944 Medium The OS must limit privileges to change SQL Server software resident within software libraries (including privileged programs).
V-40949 Medium SQL Server must monitor for security-relevant configuration settings to discover unauthorized changes.
V-41290 Medium SQL Server must enforce access control policies to restrict the Alter any server role permission to only authorized roles.
V-40933 Medium SQL Server must support the organizational requirements to specifically prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.
V-41028 Medium SQL Server must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.
V-41027 Medium SQL Server must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.
V-41026 Medium SQL Server must have allocated audit record storage capacity to meet the organization-defined requirements for saving audit record information.
V-41025 Medium SQL Server auditing configuration maximum file size must be configured to reduce the likelihood of storage capacity being exceeded, while meeting organization-defined auditing requirements.
V-41024 Medium SQL Server auditing configuration maximum number of files must be configured to reduce the likelihood of storage capacity being exceeded, while meeting organization-defined auditing requirements.
V-41022 Medium SQL Server must shutdown immediately in the event of an audit failure, unless an alternative audit capability exists.
V-41021 Medium SQL Server must audit attempts to bypass access controls.
V-40952 Low SQL Server must protect audit information from unauthorized deletion.
V-40953 Low SQL Server must protect audit information from unauthorized modification.
V-41034 Low SQL Server must protect against an individual using a shared account from falsely denying having performed a particular action.
V-41037 Low SQL Server default account sa must have its name changed.
V-70625 Low The SQL Server Browser service must be disabled if its use is not necessary.
V-40909 Low SQL Server must limit the use of resources by priority and not impede the host from servicing processes designated as a higher priority.
V-40912 Low SQL Server must associate and maintain security labels when exchanging information between systems.
V-40946 Low Database software directories, including SQL Server configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
V-41023 Low SQL Server itself, or the logging or alerting mechanism the application utilizes, must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.