
Database privileged role assignments should be restricted to IAO-authorized DBMS accounts.


Overview

Finding ID: V-15626
Version: DG0116-SQLServer9
Rule ID: SV-24102r1_rule
IA Controls: ECLP-1
Severity: Medium
Description
Roles assigned privileges to perform DDL and/or system configuration actions in the database can lead to compromise of any data in the database as well as operation of the DBMS itself. Restrict assignment of privileged roles to authorized personnel and database accounts to help prevent unauthorized activity.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-04-03

Details

Check Text ( None )
None
Fix Text (F-17955r1_fix)
Document IAO-authorized privileged role assignments in the System Security Plan. Remove assignments where not authorized.

If BUILTIN\Administrators is a member of the SYSADMIN fixed server role, create a custom group for SYSADMIN functions, add authorized users to the custom group, add the group to the SYSADMIN fixed server role, and then remove BUILTIN\Administrators from the role. If other unauthorized users exist, remove them from the role.

To remove BUILTIN\Administrators from the SYSADMIN fixed server role:

1. Create a custom group for SYSADMIN functions
2. Add authorized users to the custom group
3. Add the group to the SYSADMIN fixed server role
4. Remove BUILTIN\Administrators from the role
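
One way to carry out steps 3 and 4 in T-SQL on SQL Server 2005, shown as an added example that is not part of the STIG text. It assumes steps 1 and 2 were already done in Windows or Active Directory, and it uses the hypothetical group name EXAMPLE\SQL-Sysadmins as a placeholder.

```sql
-- Added example (not from the STIG). T-SQL for SQL Server 2005.
-- Assumption: the custom Windows group from steps 1-2 already exists and is
-- named EXAMPLE\SQL-Sysadmins (hypothetical placeholder; substitute your own).

-- Step 3: create a login for the group if it is missing, then add it to sysadmin.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'EXAMPLE\SQL-Sysadmins')
    CREATE LOGIN [EXAMPLE\SQL-Sysadmins] FROM WINDOWS;

EXEC sp_addsrvrolemember @loginame = N'EXAMPLE\SQL-Sysadmins',
                         @rolename = N'sysadmin';

-- Snapshot the current sysadmin membership from the catalog views.
DECLARE @members TABLE (name sysname PRIMARY KEY,
                        type_desc nvarchar(60),
                        is_disabled bit);

INSERT INTO @members (name, type_desc, is_disabled)
SELECT m.name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- Review: compare this list with the IAO-authorized assignments documented
-- in the System Security Plan; any other entry is a candidate for removal.
SELECT name, type_desc, is_disabled FROM @members ORDER BY name;

-- Step 4: drop BUILTIN\Administrators only when the replacement group is
-- confirmed in the role, so the instance is not left without an
-- authorized administrative path.
IF EXISTS (SELECT 1 FROM @members WHERE name = N'EXAMPLE\SQL-Sysadmins')
   AND EXISTS (SELECT 1 FROM @members WHERE name = N'BUILTIN\Administrators')
BEGIN
    EXEC sp_dropsrvrolemember @loginame = N'BUILTIN\Administrators',
                              @rolename = N'sysadmin';
    PRINT 'BUILTIN\Administrators removed from sysadmin.';
END
ELSE
    PRINT 'No change: replacement group missing from sysadmin, or BUILTIN\Administrators already absent.';
```

Run it from a session whose sysadmin rights do not depend solely on BUILTIN\Administrators, and confirm that a member of the custom group can connect before closing that session.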