Microsoft SQL Server 2005 Database Security Technical Implementation Guide


Overview

Date: 2015-06-16
Finding Count (26): CAT I (High): 0, CAT II (Med): 24, CAT III (Low): 2
STIG Description
The Microsoft SQL Server 2005 Database Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Classified)

Finding ID Severity Title
V-15654 Medium DBMS symmetric keys should be protected in accordance with NSA or NIST-approved key management technology or processes.
V-15657 Medium Changes to DBMS security labels should be audited.
V-15177 Medium The Service Master Key should be backed up, stored offline and off site.
V-3817 Medium Database accounts should not specify account lock times less than the site-approved minimum.
V-15172 Medium Object permissions should not be assigned to PUBLIC or GUEST.
V-15159 Medium The Database Master key encryption password should meet DoD password complexity requirements.
V-2498 Medium Permissions using the WITH GRANT OPTION should be granted only to DBA or application administrator accounts.
V-15151 Medium Fixed Database roles should have only authorized users or groups as members.
V-5683 Medium Application object owner accounts should be disabled when not performing installation or maintenance actions.
V-2463 Medium DDL permissions should be granted only to authorized accounts.
V-15642 Medium Access grants to sensitive data should be restricted to authorized user roles.
V-15185 Medium Asymmetric private key encryption should use an authorized encryption type.
V-15629 Medium Application users' privileges should be restricted to assignment using application user roles.
V-15607 Medium Application objects should be owned by accounts authorized for ownership.
V-15164 Medium Asymmetric keys should be derived from DoD PKI certificates.
V-15128 Medium DBMS application user roles should not be assigned unauthorized privileges.
V-15162 Medium Database Master Key passwords should not be stored in credentials within the database.
V-15161 Medium The Database Master Key should be encrypted by the Service Master Key where required.
V-15168 Medium Symmetric keys should use a master key, certificate, or asymmetric key to encrypt the key.
V-15142 Medium Asymmetric keys used by the DBMS for encryption of sensitive data should use DoD PKI Certificates. Private keys used by the DBMS should be protected in accordance with NIST (unclassified data) or NSA (classified data) approved key management and processes.
V-15630 Medium Access to sensitive data should be restricted to authorized users identified by the Information Owner.
V-2458 Medium Permissions on system tables should be restricted to authorized accounts.
V-2457 Medium Object permission assignments should be authorized.
V-2451 Medium The guest user account should be disabled.
V-3727 Low Database applications should be restricted from using static DDL statements to modify the application schema.
V-3823 Low Custom and GOTS application source code stored in the database should be protected with encryption or encoding.