Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-79107 | SQL6-D0-002900 | SV-93813r1_rule | | Medium |
Description |
---|
In certain situations, to provide required functionality, a DBMS needs to execute internal logic (stored procedures, functions, triggers, etc.) and/or external code modules with elevated privileges. However, if the privileges required for execution are at a higher level than the privileges assigned to the organizational users invoking that functionality (applications/programs), those users are indirectly granted greater privileges than the organization assigned them. Privilege elevation must be used only where necessary and protected from misuse. |
STIG | Date |
---|---|
MS SQL Server 2016 Database Security Technical Implementation Guide | 2018-03-09 |
Check Text (C-78699r1_chk) |
---|
Review the system documentation to obtain a listing of stored procedures and functions that utilize impersonation. Execute the following query: |

```sql
SELECT S.name AS schema_name,
       O.name AS module_name,
       USER_NAME(CASE M.execute_as_principal_id
                     WHEN -2 THEN COALESCE(O.principal_id, S.principal_id)
                     ELSE M.execute_as_principal_id
                 END) AS execute_as
FROM sys.sql_modules M
JOIN sys.objects O ON M.object_id = O.object_id
JOIN sys.schemas S ON O.schema_id = S.schema_id
WHERE execute_as_principal_id IS NOT NULL
ORDER BY schema_name, module_name
```

If any procedures or functions are returned that are not documented, this is a finding.
Fix Text (F-85859r1_fix) |
---|
Alter stored procedures and functions to remove the "EXECUTE AS" statement. |
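The following T-SQL is an added walkthrough of the check and the fix above; it is not part of the STIG. It builds a throwaway database (assumed name `StigDemo`) with constructed objects: a low-privilege user, one procedure using `EXECUTE AS OWNER`, one function using `EXECUTE AS 'dbo'`, and one procedure with the default `EXECUTE AS CALLER` for contrast. It then runs the STIG query, applies the Fix Text by re-creating the modules without the `EXECUTE AS` clause, and shows what the caller can still do afterwards. The `-2` branch in the check query exists because `sys.sql_modules.execute_as_principal_id` stores `-2` for `OWNER`, `NULL` for `CALLER`, and the user's `principal_id` for `EXECUTE AS 'user'`.

```sql
-- Added example (not from the STIG). Assumes a scratch database StigDemo you may create and drop.
USE master;
GO
IF DB_ID(N'StigDemo') IS NOT NULL DROP DATABASE StigDemo;
CREATE DATABASE StigDemo;
GO
USE StigDemo;
GO
-- Constructed: a user with no login, and a table it has no direct rights on.
CREATE USER app_reader WITHOUT LOGIN;
CREATE TABLE dbo.Payroll (EmployeeId int, Salary money);
INSERT INTO dbo.Payroll VALUES (1, 50000);
GO
-- Constructed: impersonates the owner (dbo). Callers run it with dbo's rights. The check returns it.
CREATE PROCEDURE dbo.usp_GetPayroll
WITH EXECUTE AS OWNER
AS
    SELECT EmployeeId, Salary FROM dbo.Payroll;
GO
GRANT EXECUTE ON dbo.usp_GetPayroll TO app_reader;
GO
-- Constructed: impersonates a named user. Also returned by the check.
CREATE FUNCTION dbo.fn_RowCount()
RETURNS int
WITH EXECUTE AS 'dbo'
AS
BEGIN
    RETURN (SELECT COUNT(*) FROM dbo.Payroll);
END;
GO
-- Constructed: default EXECUTE AS CALLER. execute_as_principal_id is NULL, so NOT returned.
CREATE PROCEDURE dbo.usp_Safe AS SELECT 1 AS ok;
GO

-- The STIG check query, unchanged apart from qualifying the WHERE column.
-- Expected here: two rows, dbo.fn_RowCount and dbo.usp_GetPayroll, both with execute_as = dbo.
SELECT S.name AS schema_name,
       O.name AS module_name,
       USER_NAME(CASE M.execute_as_principal_id
                     WHEN -2 THEN COALESCE(O.principal_id, S.principal_id)
                     ELSE M.execute_as_principal_id
                 END) AS execute_as
FROM sys.sql_modules M
JOIN sys.objects O ON M.object_id = O.object_id
JOIN sys.schemas S ON O.schema_id = S.schema_id
WHERE M.execute_as_principal_id IS NOT NULL
ORDER BY schema_name, module_name;

-- Fix Text: re-create the modules without the EXECUTE AS clause.
-- ALTER replaces the whole definition, so omitting WITH EXECUTE AS reverts to CALLER.
ALTER PROCEDURE dbo.usp_GetPayroll
AS
    SELECT EmployeeId, Salary FROM dbo.Payroll;
GO
ALTER FUNCTION dbo.fn_RowCount()
RETURNS int
AS
BEGIN
    RETURN (SELECT COUNT(*) FROM dbo.Payroll);
END;
GO
-- Re-running the check query now returns no rows.

-- Functional check after the fix: app_reader still has EXECUTE on the procedure, and because
-- procedure and table are both owned by dbo, ownership chaining lets the SELECT succeed
-- without any impersonation. Removing EXECUTE AS did not break this caller.
EXECUTE AS USER = 'app_reader';
EXEC dbo.usp_GetPayroll;
REVERT;
GO
USE master;
DROP DATABASE StigDemo;
GO
```

Ownership chaining covers the common case where the module and the objects it touches share an owner in the same database. Where a module needs rights the caller lacks and chaining does not apply (cross-database access, dynamic SQL, server-level operations), removing `EXECUTE AS` will change behaviour; those are the modules to record in the system documentation so the check treats them as documented rather than as a finding.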