
Developers should not be assigned excessive privileges on production databases.


Overview

Finding ID: V-15114
Version: DG0089-SQLServer9
Rule ID: SV-24242r1_rule
IA Controls: ECPC-1, ECPC-2
Severity: Low
Description
Developers play a unique role and represent a specific type of threat to the security of the DBMS. Where restricted resources prevent the required separation of production and development DBMS installations, developers granted elevated privileges to create and manage new database objects must also be prevented from actions that can threaten the production operation.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-13761r1_chk)
If the database is not a production database, this check is Not Applicable.

Review privileges assigned to developers:

1. Identify login name of developer DBMS accounts from the System Security Plan and/or DBA.
2. For each developer account, display the login name, its SID, and the databases in which a user is defined for it:

EXEC SP_HELPLOGINS '[login name]'

3. Display all fixed server role membership assignments:

EXEC SP_HELPSRVROLEMEMBER

If developers are assigned privileges that allow change or alteration of database objects in any production databases, this is a Finding.

If developers are assigned membership to any DBMS server roles, this is a Finding.
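The following T-SQL script is an added example, not part of the STIG's check text, that automates steps 2 and 3 above against the SQL Server 2005 catalog views: it lists fixed server role membership for the developer logins and then walks every online database looking for role memberships and permissions that allow objects to be altered. The login names are constructed placeholders to be replaced with the names from the System Security Plan, and the lists of "object-altering" roles and permissions are an assumption of this example, not a list the STIG supplies.

```sql
-- Constructed list of developer logins; take the real names from the System Security Plan / DBA.
CREATE TABLE #developers (login_name sysname NOT NULL);
INSERT INTO #developers (login_name) VALUES (N'DEV_LOGIN_1');   -- placeholder
INSERT INTO #developers (login_name) VALUES (N'DEV_LOGIN_2');   -- placeholder

-- (1) Step 3 of the check: any fixed server role membership held by a developer login is a Finding.
SELECT m.name AS login_name, r.name AS server_role, 'Finding: server role membership' AS result
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS m ON m.principal_id = rm.member_principal_id
JOIN #developers            AS d ON d.login_name   = m.name;

-- (2) Per database: roles and permissions that allow object alteration (assumed list, see lead-in).
CREATE TABLE #results (database_name sysname, login_name sysname, db_user sysname, grant_kind nvarchar(256));
DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = 'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- USE inside EXEC only switches context for this dynamic batch.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
      SELECT DB_NAME(), sp.name, dp.name, N''role: '' + r.name
      FROM sys.database_role_members AS rm
      JOIN sys.database_principals   AS r  ON r.principal_id  = rm.role_principal_id
      JOIN sys.database_principals   AS dp ON dp.principal_id = rm.member_principal_id
      JOIN sys.server_principals     AS sp ON sp.sid = dp.sid      -- map database user back to its login
      JOIN #developers               AS d  ON d.login_name = sp.name
      WHERE r.name IN (N''db_owner'', N''db_ddladmin'', N''db_securityadmin'', N''db_accessadmin'')
      UNION ALL
      SELECT DB_NAME(), sp.name, dp.name, N''permission: '' + pe.permission_name
      FROM sys.database_permissions AS pe
      JOIN sys.database_principals  AS dp ON dp.principal_id = pe.grantee_principal_id
      JOIN sys.server_principals    AS sp ON sp.sid = dp.sid
      JOIN #developers              AS d  ON d.login_name = sp.name
      WHERE pe.state IN (N''G'', N''W'')                            -- GRANT or GRANT WITH GRANT OPTION
        AND pe.permission_name IN (N''CONTROL'', N''ALTER'', N''ALTER ANY SCHEMA'', N''TAKE OWNERSHIP'',
                                   N''CREATE TABLE'', N''CREATE VIEW'', N''CREATE PROCEDURE'', N''CREATE FUNCTION'');';
    INSERT INTO #results (database_name, login_name, db_user, grant_kind) EXEC (@sql);
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

-- Every row is a developer holding object-altering rights in a database; on a production database that is a Finding.
SELECT database_name, login_name, db_user, grant_kind FROM #results ORDER BY database_name, login_name;
DROP TABLE #results;
DROP TABLE #developers;
```

Run it as a login that can read every database's catalog (for example a DBA account); rows for non-production databases should be discarded, since the check is Not Applicable there.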
Fix Text (F-24667r1_fix)
Revoke DBA privileges assigned to developers on production DBMS unless required and authorized.

Revoke database or other production object administrative privileges from developers unless required and authorized.

Restrict developer privileges to production objects to those granted to application users only where such privileges are required and authorized.