
Remote DBMS administration is not authorized and is not disabled.


Overview

Finding ID: V-15651
Version: DG0157-SQLServer9
Rule ID: SV-25387r1_rule
IA Controls: EBRP-1
Severity: Medium
Description
Remote administration may expose configuration and sensitive data to unauthorized viewing during transit across the network or allow unauthorized administrative access to the DBMS to remote users.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-23643r1_chk)
From the query prompt:

SELECT CAST(value AS INT) 'Config_Value'
FROM [master].sys.configurations
WHERE name = 'remote admin connections'

If the value of Config_Value is 0, this is Not a Finding.

If the value of Config_Value is 1, confirm in the System Security Plan that remote admin connection access is required and approved by the IAO. If it is not documented, required and approved, this is a Finding.
Fix Text (F-20157r1_fix)
Where remote admin connection access is part of the designed and approved use of the SQL Server database, document the requirement in the System Security Plan. Where remote admin connection access is not required, disable its use.

From the query prompt:

EXEC sp_configure 'remote admin connections', 0
RECONFIGURE
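
The check and fix above as one script, added here as an example and not part of the STIG text. It also reads the value_in_use column of sys.configurations, since a value set with sp_configure is not the running value until RECONFIGURE has been applied. It assumes a login permitted to change server settings, and step 2 should be run only where remote admin connection access is not approved.

```sql
-- Added example, not STIG text. Written for a query window connected
-- to the instance under review.

-- 1. Report the configured value (what the STIG check reads) next to
--    the value the instance is actually running with.
SELECT name,
       CAST(value AS INT)        AS Config_Value,
       CAST(value_in_use AS INT) AS Running_Value,
       is_dynamic                -- 1 = RECONFIGURE applies it without a restart
FROM [master].sys.configurations
WHERE name = 'remote admin connections';

-- 2. STIG fix: disable the option where it is not documented and approved.
EXEC sp_configure 'remote admin connections', 0;
RECONFIGURE;

-- 3. Verify that both the configured and the running value are now 0.
DECLARE @configured INT, @running INT;

SELECT @configured = CAST(value AS INT),
       @running    = CAST(value_in_use AS INT)
FROM [master].sys.configurations
WHERE name = 'remote admin connections';

IF @configured = 0 AND @running = 0
    PRINT 'remote admin connections: disabled (Not a Finding)';
ELSE IF @configured <> @running
    PRINT 'remote admin connections: configured and running values differ, RECONFIGURE has not taken effect';
ELSE
    PRINT 'remote admin connections: enabled, requires documented IAO approval in the System Security Plan';
```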