| V-276227 | | Database objects must be owned by Azure SQL Managed Instance principals authorized for ownership. | Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to ot... |
| V-276228 | | The role(s)/group(s) used to modify database structure and logic modules inside Azure SQL Server Managed Instance must be restricted to authorized users. | If the Azure SQL Managed Instance were to allow any user to make changes to database structure or logic, then those changes might be implemented witho... |
| V-276229 | | Azure SQL Managed Instance contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy. | Applications, including DBMSs, must prevent unauthorized and unintended information transfer via shared system resources.
Data used for the developme... |
| V-276230 | | Azure SQL Managed Instance and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack. | With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of t... |
| V-276231 | | Azure SQL Managed Instance must associate organization-defined types of security labels having organization-defined security label values with information. | Without the association of security labels to information, there is no basis for Azure SQL Managed Instance to make security-related access-control de... |
| V-276232 | | Azure SQL Managed Instance must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects. | Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should ... |
| V-276233 | | Azure SQL Managed Instance must restrict execution of stored procedures and functions that utilize "execute as" to necessary cases only. | In certain situations, to provide required functionality, a database management system (DBMS) needs to execute internal logic (stored procedures, func... |
| V-276234 | | Azure SQL Managed Instance must prohibit user installation of logic modules without explicit privileged status. | Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be inst... |
| V-276235 | | Azure SQL Managed Instance must enforce access restrictions associated with changes to the configuration of the database(s). | Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the sy... |
| V-276237 | | Azure SQL Managed Instance must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components. | Azure SQL Managed Instance databases handling data requiring data-at-rest protections must employ cryptographic mechanisms to prevent unauthorized dis... |
| V-276238 | | Azure SQL Managed Instance must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components. | Azure SQL Managed Instance handling data requiring data-at-rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure an... |
| V-276239 | | When invalid inputs are received, the Azure SQL Managed Instance must behave in a predictable and documented manner that reflects organizational and system objectives. | A common vulnerability is unplanned behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior c... |
| V-276240 | | Azure SQL Managed Instance must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the database. | Nonrepudiation of actions taken is required to maintain data integrity. Examples of particular actions taken by individuals include creating informati... |
| V-276241 | | Azure SQL Managed Instance must protect against a user falsely repudiating by use of system-versioned tables (Temporal Tables). | Nonrepudiation of actions taken is required to maintain data integrity. Examples of particular actions taken by individuals include creating informati... |
| V-276242 | | The Azure SQL Managed Instance must be able to generate audit records when attempts to retrieve privileges/permissions occur. | Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information; therefore, it must be possible to con... |
| V-276243 | | Azure SQL Managed Instance must initiate session auditing upon startup. | Session auditing is used when a user's activities are under investigation. To ensure capture of all activity during those periods when session auditin... |
| V-276244 | | Azure SQL Managed Instance default demonstration and sample databases, database objects, and applications must be removed. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-276245 | | The Azure SQL Managed Instance audit storage account must be configured to prohibit public access. | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within d... |
| V-276246 | | The Azure SQL Managed Instance must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL) and vulnerability assessments. | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within d... |
| V-276247 | | Azure SQL Managed Instance must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-276248 | | Azure SQL Managed Instance must map the PKI-authenticated identity to an associated user account. | The DOD standard for authentication is DOD-approved PKI certificates. Once a PKI certificate has been validated, it must be mapped to an Azure SQL Man... |
| V-276249 | | Azure SQL Managed Instance must uniquely identify and authenticate nonorganizational users (or processes acting on behalf of nonorganizational users). | Nonorganizational users include all information system users other than organizational users, which include organizational employees or individuals th... |
| V-276250 | | Azure SQL Managed Instance must separate user functionality (including user interface services) from database management functionality. | Information system management functionality includes functions necessary to administer databases, network components, workstations, or servers and typ... |
| V-276252 | | Azure SQL Managed Instance must be able to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. | To ensure sufficient storage capacity for the audit logs, the database management system (DBMS) must be able to allocate audit record storage capacity... |
| V-276253 | | Azure SQL Managed Instance must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75 percent of maximum audit record storage capacity. | Auditing for Azure SQL Managed Instance tracks database events and writes them to an audit log in the Azure storage account, Log Analytics workspace, ... |
| V-276254 | | Azure SQL Managed Instance must generate audit records when security objects are modified. | Changes in the database objects (tables, views, procedures, functions) that record and control permissions, privileges, and roles granted to users and... |
| V-276255 | | Azure SQL Managed Instance must generate audit records when attempts to modify categorized information (e.g., classification levels/security levels) occur. | Changes in categories of information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.
To aid in d... |
| V-276256 | | Azure SQL Managed Instance must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject. | Information system auditing capability is critical for accurate forensic analysis. Reconstruction of harmful events or forensic analysis is not possib... |
| V-276257 | | Azure SQL Managed Instance must generate audit records when attempts to delete security objects occur. | The removal of security objects from the database/database management system (DBMS) would seriously degrade a system's information assurance posture. ... |
| V-276258 | | Azure SQL Managed Instance must generate audit records when attempts to delete categories of information (e.g., classification levels/security levels) occur. | Changes in categorized information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected. To aid in diagn... |
| V-276259 | | Azure SQL Managed Instance must generate audit records when logon or connection attempts occur. | For completeness of forensic analysis, it is necessary to track failed attempts to log on to Azure SQL Managed Instance. While positive identification... |
| V-276260 | | Azure SQL Managed Instance must generate audit records for all privileged activities or other system-level access. | Without tracking privileged activity, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify th... |
| V-276261 | | Azure SQL Managed Instance must generate audit records showing starting and ending time for user access to the database(s). | For completeness of forensic analysis, it is necessary to know how long a user's (or other principal's) connection to the Azure SQL Managed Instance l... |
| V-276262 | | Azure SQL Managed Instance must generate audit records when concurrent logons/connections by the same user from different workstations occur. | For completeness of forensic analysis, it is necessary to track who logs on to Azure SQL Managed Instance. Concurrent connections by the same user fro... |
| V-276263 | | Azure SQL Managed Instance must be able to generate audit records when access to objects occur. | Without tracking all or selected types of access to all or selected objects (tables, views, procedures, functions, etc.), it would be difficult to est... |
| V-276264 | | Azure SQL Managed Instance must generate audit records for all direct access to the database(s). | In this context, direct access is any query, command, or call to Azure SQL Managed Instance that comes from any source other than the application(s) i... |
| V-276265 | | Azure SQL Managed Instance must store audit records in an immutable blob storage container for an organizationally defined period of time. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. When configured and enabled, Azure SQL Managed In... |
| V-276267 | | Azure SQL Managed Instance must implement the capability to centrally review and analyze audit records from multiple components within the system using a service such as Azure Log Analytics. | Automated mechanisms for centralized reviews and analyses include Security Information and Event Management products.... |
| V-276268 | | Azure SQL Server Managed Instance must alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information. | Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and... |
| V-276269 | | Azure SQL Managed Instance must prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate recognized and approved by the organization. | The database management system (DBMS) must prevent the installation of organization-defined software and firmware components without verification tha... |
| V-276276 | | Azure SQL Server Managed Instance must, for password-based authentication, require immediate selection of a new password upon account recovery. | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords ... |
| V-276285 | | Azure SQL Managed Instance must limit privileges to change software modules, to include stored procedures, functions, and triggers. | If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate... |
| V-276286 | | Azure SQL Managed Instance must limit privileges to change software modules, to include schema ownership. | If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate... |
| V-276287 | | The database master key (DMK) encryption password for Azure SQL Server Managed Instance must meet DOD password complexity requirements. | Weak passwords may be easily guessed. When passwords are used to encrypt keys used for encryption of sensitive data, then the confidentiality of all d... |
| V-276288 | | The database master key (DMK) for Azure SQL Server Managed Instance must be encrypted by the service master key (SMK), where a DMK is required and another encryption method has not been specified. | When not encrypted by the SMK, system administrators or application administrators may access and use the DMK to view sensitive data that they are not... |
| V-276289 | | The Certificate used for encryption for Azure SQL Managed Instance must be backed up, stored offline and off-site. | Backup and recovery of the Certificate used for encryption is critical to the complete recovery of the database. Not having this key can lead to loss ... |
| V-276291 | | Azure SQL Managed Instance must check the validity of all data inputs except those specifically identified by the organization. | Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process ... |
| V-276294 | | Azure SQL Managed Instance must protect against a user falsely repudiating by ensuring databases are not in a trust relationship. | Nonrepudiation of actions taken is required to maintain data integrity. Examples of particular actions taken by individuals include creating informati... |
| V-276295 | | Azure SQL Managed Instance must be configured to generate audit records for DOD-defined auditable events within all DBMS/database components. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-276296 | | Azure SQL Managed Instance must allow only documented and approved individuals or roles to select which auditable events are to be audited. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or i... |
| V-276298 | | The audit information produced by Azure SQL Managed Instance must be protected from unauthorized access. | If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity i... |
| V-276299 | | Azure SQL Managed Instance must protect its audit configuration from unauthorized access, modification, and deletion. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data; therefore, protecting audit tools is ne... |
| V-276300 | | Access to xp_cmdshell must be disabled for Azure SQL Server Managed Instance unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-276301 | | Access to CLR code must be disabled for Azure SQL Server Managed Instance, unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-276302 | | Access to linked servers must be disabled or restricted for Azure SQL Server Managed Instance, unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-276304 | | Azure SQL Server Managed Instance contained databases must use Microsoft Entra or native Windows principals. | OS/enterprise authentication and identification must be used (SRG-APP-000023-DB-000001). Native DBMS authentication may be used only when circumstance... |
| V-276306 | | Azure SQL Managed Instance must reveal detailed error messages only to the information system security officer (ISSO), information system security manager (ISSM), system administrator (SA), and database administrator (DBA). | If Azure SQL Managed Instance provides too much information in error logs and administrative messages to the screen, this could lead to compromise. Th... |
| V-276307 | | Azure SQL Managed Instance must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary ... |
| V-276308 | | Azure SQL Managed Instance must enforce access restrictions associated with changes to the configuration of the instance. | Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the sy... |
| V-276309 | | Azure Resource Manager must enforce access restrictions associated with changes to the configuration of Azure SQL Managed Instance. | Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the sy... |
| V-276310 | | Azure SQL Managed Instance must produce audit records of its enforcement of access restrictions associated with changes to the configuration of Azure SQL Managed Instance or database(s). | Without auditing the enforcement of access restrictions against changes to configuration, it would be difficult to identify attempted attacks and an a... |
| V-276311 | | Azure SQL Managed Instance must maintain a separate execution domain for each executing process. | Database management systems can maintain separate execution domains for each executing process by assigning each process a separate address space.
... |
| V-276312 | | Azure SQL Managed Instance must be able to generate audit records when attempts to access security objects occur. | Changes to the security configuration must be tracked.
This requirement applies to situations where security data is retrieved or modified via data ... |
| V-276313 | | Azure SQL Managed Instance must generate audit records when attempts to access categorized information (e.g., classification levels/security levels) occur. | Changes in categorized information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.
For detailed... |
| V-276314 | | Azure SQL Managed Instance must generate audit records when attempts to add privileges/permissions occur. | Changes in the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized elevation or restri... |
| V-276315 | | Azure SQL Managed Instance must generate audit records when attempts to modify privileges/permissions occur. | Changes in the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized elevation or restri... |
| V-276316 | | Azure SQL Managed Instance must generate audit records when attempts to delete privileges/permissions occur. | Changes in the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized elevation or restri... |
| V-276317 | | The Azure SQL Managed Instance default [sa] account must be disabled. | Azure SQL Managed Instance [sa] account has special privileges required to administer the database. The [sa] account is a well-known account and is li... |
| V-276318 | | Azure SQL Managed Instance default [sa] account must have its name changed. | Azure SQL Managed Instance's [sa] account has special privileges required to administer the database. The [sa] account is a well-known account name th... |
| V-276319 | | The Allow Filesystem Enumeration feature must be disabled for Azure SQL Server Managed Instance, unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-276320 | | The CLR Strict Security feature must be enabled for Azure SQL Server Managed Instance, unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-276321 | | The Hadoop Connectivity feature must be disabled for Azure SQL Server Managed Instance, unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-276322 | | Azure SQL Server Managed Instance Replication Xps feature must be disabled, unless specifically required and approved. | Azure SQL Managed Instance is capable of providing a wide range of features and services. Some of the features and services, provided by default, may ... |
| V-276324 | | Applications connecting to Azure SQL Server Managed Instance must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. | To prevent the compromise of authentication information, such as passwords and PINs, during the authentication process, the feedback from the informat... |
| V-276290 | | Azure SQL Managed Instance must isolate security functions from nonsecurity functions. | An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions.
Se... |
| V-276297 | | Azure SQL Managed Instance must have an audit defined to track Microsoft Support Operations. | Azure SQL Managed Instance auditing capability is critical for accurate forensic analysis. Reconstruction of harmful events or forensic analysis is no... |
| V-276225 | | Azure SQL Managed Instances must integrate with Microsoft Entra ID for providing account management and automation for all users, groups, roles, and any other principals. | Enterprise environments make account management for applications and databases challenging and complex. A manual process for account management functi... |
| V-276226 | | Azure SQL Managed Instance must enforce approved authorizations for logical access to database information and system resources in accordance with applicable access control policies. | Authentication with a DOD-approved PKI certificate does not necessarily imply authorization to access Azure SQL Managed Instance. To mitigate the risk... |
| V-276236 | | Azure SQL Managed Instance must use NSA-approved cryptography to protect classified information in accordance with the data owners' requirements. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptogr... |
| V-276251 | | Azure SQL Managed Instance must protect the confidentiality and integrity of all information at rest. | This control is intended to address the confidentiality and integrity of information at rest in nonmobile devices and covers user information and syst... |
| V-276293 | | Azure SQL Managed Instance must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | Authentication with a DOD-approved PKI certificate does not necessarily imply authorization to access Azure SQL Managed Instance. To mitigate the risk... |
| V-276303 | | If DBMS authentication using passwords is employed, Azure SQL Managed Instance must enforce the DOD standards for password complexity and lifetime. | OS/enterprise authentication and identification must be used (SRG-APP-000023-DB-000001). Native DBMS authentication may be used only when circumstance... |
| V-276305 | | If passwords are used for authentication, Azure SQL Server Managed Instance must transmit only encrypted representations of passwords. | The DOD standard for authentication is DOD-approved PKI certificates.
Authentication based on User ID and Password may be used only when it is not ... |
| V-276323 | | When using command-line tools with Azure SQL Server Managed Instance, such as SQLCMD, in a mixed-mode authentication environment, users must use a logon method that does not expose the password. | To prevent the compromise of authentication information, such as passwords and PINs, during the authentication process, the feedback from the informat... |
