Access to database files must be limited to relevant processes and to authorized, administrative users.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-213977	SQL6-D0-010000	SV-213977r754622_rule		Medium

Description
SQL Server must prevent unauthorized and unintended information transfer via shared system resources. Permitting only SQL Server processes and authorized, administrative users to have access to the files where the database resides helps ensure that those files are not shared inappropriately and are not open to backdoor access and manipulation.

STIG	Date
MS SQL Server 2016 Instance Security Technical Implementation Guide	2021-12-10

Details

Check Text ( C-15194r313714_chk )
Review the permissions granted to users by the operating system/file system on the database files, database log files, and database backup files. To obtain the location of SQL Server data, transaction log, and backup files, open and execute the supplemental file "Get SQL Data and Backup Directories.sql". For each of the directories returned by the above script, verify whether the correct permissions have been applied. 1) Launch Windows Explorer. 2) Navigate to the folder. 3) Right-click the folder and click "Properties". 4) Navigate to the "Security" tab. 5) Review the listing of principals and permissions. Account Type Directory Type Permission ----------------------------------------------------------------------------------------------- Database Administrators ALL Full Control SQL Server Service SID Data; Log; Backup; Full Control SQL Server Agent Service SID Backup Full Control SYSTEM ALL Full Control CREATOR OWNER ALL Full Control For information on how to determine a "Service SID", go to: https://aka.ms/sql-service-sids Additional permission requirements, including full directory permissions and operating system rights for SQL Server, are documented at: https://aka.ms/sqlservicepermissions If any additional permissions are granted but not documented as authorized, this is a finding.

Check Text ( C-15194r313714_chk )

Review the permissions granted to users by the operating system/file system on the database files, database log files, and database backup files.

To obtain the location of SQL Server data, transaction log, and backup files, open and execute the supplemental file "Get SQL Data and Backup Directories.sql".

For each of the directories returned by the above script, verify whether the correct permissions have been applied.

1) Launch Windows Explorer.
2) Navigate to the folder.
3) Right-click the folder and click "Properties".
4) Navigate to the "Security" tab.
5) Review the listing of principals and permissions.

Account Type Directory Type Permission
-----------------------------------------------------------------------------------------------
Database Administrators ALL Full Control
SQL Server Service SID Data; Log; Backup; Full Control
SQL Server Agent Service SID Backup Full Control
SYSTEM ALL Full Control
CREATOR OWNER ALL Full Control

For information on how to determine a "Service SID", go to:
https://aka.ms/sql-service-sids

Additional permission requirements, including full directory permissions and operating system rights for SQL Server, are documented at:
https://aka.ms/sqlservicepermissions

If any additional permissions are granted but not documented as authorized, this is a finding.

Fix Text (F-15192r313715_fix)
Remove any unauthorized permission grants from SQL Server data, log, and backup directories. 1) On the "Security" tab, highlight the user entry. 2) Click "Remove".