Asymmetric keys derived from self-signed certificates or self-generated by other means do not meet the security requirements of DoD that require validation by DoD trusted certificate authorities [...]

Symmetric keys are vulnerable if the encryption that protects the key itself is not protected from disclosure. Symmetric keys are well protected when encrypted by either the database master key or the service master key. Where [...]
Protection of the Database Master Key is necessary to protect the confidentiality of sensitive data. When the Database Master Key is encrypted by the Service Master Key, SYSADMINs may open and use the key to view sensitive data that they are not authorized to view. Where [...]
Severity: CAT 2
Description: Unauthorized access to the database master key could jeopardize the confidentiality of sensitive data stored in the database. Access to the database master key should be strictly assigned to a limited number of individuals authorized to use and maintain the key.
Check:
From the query prompt:
For each database:
use <database name>
select user_name(grantee_principal_id)
[...]
Severity: CAT 2
Description: Weak passwords may be easily guessed. When a weak password is used to encrypt a key that in turn encrypts sensitive data, the confidentiality of all data encrypted with that key is at risk.
Check:
From the query prompt:
For each database:
use <database name>
select count(name) from sys.symmetric_keys s, sys.key_encryptions k
where s.name='##MS_DatabaseMasterKey##'
and s.symmetric_key_id [...]
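The three database master key entries above (SYSADMIN access through the Service Master Key, explicit permissions on the key, and password protection of the key) can be audited in one pass. The script below is an added example, not part of the STIG text: it iterates every online database, records how the database master key is encrypted (crypt_type ESKM = by the service master key, ESKP = by a password) and who holds explicit permissions on it, and then reports the two conditions the checks above treat as findings. The fix statements at the end are commented out and assume the DMK password is known to the DBA.

```sql
-- Added example (not part of the STIG text): for every online database, report how
-- the database master key (DMK) is protected and which principals hold explicit
-- permissions on it. crypt_type ESKM = encrypted by the service master key (SMK),
-- which lets any sysadmin open the DMK without a password; ESKP = encrypted by password.
SET NOCOUNT ON;

DECLARE @db sysname, @sql nvarchar(max);
DECLARE @report TABLE (
    database_name sysname,
    crypt_type    char(4),
    grantee       sysname NULL,
    permission    nvarchar(128) NULL,
    state_desc    nvarchar(60) NULL
);

DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE state_desc = 'ONLINE' AND name <> 'tempdb';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- One row per encryption of the DMK, outer-joined to any explicit permission
    -- (CONTROL, ALTER, VIEW DEFINITION, ...) granted on the key object.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        SELECT DB_NAME(), k.crypt_type,
               USER_NAME(p.grantee_principal_id), p.permission_name, p.state_desc
        FROM sys.symmetric_keys AS s
        JOIN sys.key_encryptions AS k ON k.key_id = s.symmetric_key_id
        LEFT JOIN sys.database_permissions AS p
               ON p.class_desc = ''SYMMETRIC_KEYS''
              AND p.major_id   = s.symmetric_key_id
        WHERE s.name = ''##MS_DatabaseMasterKey##'';';
    INSERT INTO @report EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs; DEALLOCATE dbs;

-- Finding 1: DMK still encrypted by the SMK, so any sysadmin can open it.
SELECT DISTINCT database_name, 'DMK encrypted by service master key' AS finding
FROM @report
WHERE crypt_type = 'ESKM';

-- Finding 2: principals other than dbo holding permissions on the DMK.
SELECT database_name, grantee, permission, state_desc
FROM @report
WHERE grantee IS NOT NULL AND grantee <> 'dbo';

-- Fix (run inside the affected database once the DMK password is confirmed):
--   ALTER MASTER KEY DROP ENCRYPTION BY SERVICE MASTER KEY;
-- After that the DMK must be opened explicitly before dependent keys can be used:
--   OPEN MASTER KEY DECRYPTION BY PASSWORD = '<strong password>';
```

Dropping the SMK encryption is the step that actually keeps SYSADMINs out; until then the password on the DMK is only a second way in, not a barrier.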
Severity: CAT 2
Description: The WITH GRANT option assigned with privileges, allows the grantee of the privilege to re-grant the privilege to other accounts. Unauthorized or unmanaged assignment of privileges may result in a compromise of data confidentiality and database operation. Privilege assignment should be restricted to DBA, application object owner accounts, and application administration [...]
Severity: CAT 3
Description: Application code may contain indications of sensitive data relationships that may aid an unauthorized user in discovering methods to circumvent other access controls. Vulnerabilities may also be discovered during an unauthorized code review that can assist a malicious user in an attack that compromises the DBMS or its data. Application code [...]
Severity: CAT 2
Description: Data Definition Language (DDL) commands include CREATE, ALTER, and DROP object actions. These actions cause changes to the structure, definition, and configuration of the DBMS as well as to the objects themselves that can affect any or all operations of the database. Such privileged actions, when not restricted to authorized persons [...]
Severity: CAT 2
Description: Securely designed applications require that database application user accounts have permissions to access and manipulate only the application data assigned to them in accordance with their job function. Access may be further restricted by granting data access to users only through execution of database procedures. Excess privileges can lead [...]
Severity: CAT 2
Description: Fixed database roles provide a mechanism to grant groups of privileges to users. These privilege groupings are defined by the installation or upgrade of the SQL Server software at the discretion of Microsoft. Memberships in these roles granted to users should be strictly controlled and monitored. Privileges assigned to these roles [...]
Severity: CAT 2
Description: Encryption is only effective if the encryption method is robust and the keys used to provide the encryption are not easily discovered. Without effective encryption, sensitive data is vulnerable to unauthorized access.
Check:
Review the system security plan for identification of sensitive or classified data stored in the database. If there is none, [...]
Severity: CAT 2
Description: Unauthorized access to the data can lead to loss of confidentiality and integrity of the data.
Check:
Compare privileges assigned to custom database application user roles to those defined in the System Security Plan.
For each database:
use <database name>
select r.name, p.permission_name,o.name
from sys.database_principals as r
join sys.database_permissions as p
on p.grantee_principal_id = [...]
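The WITH GRANT OPTION, DDL privilege, fixed database role and custom role entries above all reduce to reading sys.database_permissions and sys.database_role_members in each database. The script below is an added example, not part of the STIG text, that gathers all four into a single result set per instance so it can be compared against the System Security Plan in one review; check names and thresholds (for example treating any CREATE/ALTER/CONTROL grant to a principal other than dbo as reportable) are this example's own choices.

```sql
-- Added example (not part of the STIG text): a per-database privilege audit that
-- collects, for every online database, (1) permissions granted WITH GRANT OPTION,
-- (2) DDL permissions held by principals other than dbo, (3) fixed database role
-- membership and (4) permissions held by custom application roles.
SET NOCOUNT ON;

DECLARE @db sysname, @sql nvarchar(max);
DECLARE @audit TABLE (
    database_name  sysname,
    check_name     varchar(30),
    principal_name sysname,
    principal_type nvarchar(60),
    detail         nvarchar(400)
);

DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = 'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- The whole audit runs inside the target database via USE in dynamic SQL.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
    SELECT DB_NAME(), ''WITH GRANT OPTION'', pr.name, pr.type_desc,
           p.permission_name + '' ON ''
             + CASE p.class WHEN 1 THEN ISNULL(OBJECT_NAME(p.major_id), ''?'') ELSE p.class_desc END
    FROM sys.database_permissions AS p
    JOIN sys.database_principals AS pr ON pr.principal_id = p.grantee_principal_id
    WHERE p.state = ''W''                                   -- W = GRANT_WITH_GRANT_OPTION
    UNION ALL
    SELECT DB_NAME(), ''DDL PERMISSION'', pr.name, pr.type_desc, p.permission_name
    FROM sys.database_permissions AS p
    JOIN sys.database_principals AS pr ON pr.principal_id = p.grantee_principal_id
    WHERE p.state IN (''G'', ''W'') AND pr.name <> ''dbo''
      AND (p.permission_name LIKE ''CREATE%'' OR p.permission_name LIKE ''ALTER%''
           OR p.permission_name = ''CONTROL'')
    UNION ALL
    SELECT DB_NAME(), ''FIXED ROLE MEMBER'', m.name, m.type_desc, r.name
    FROM sys.database_role_members AS rm
    JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
    JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
    WHERE r.is_fixed_role = 1 AND m.name <> ''dbo''
    UNION ALL
    SELECT DB_NAME(), ''CUSTOM ROLE PERMISSION'', r.name, r.type_desc,
           p.state_desc + '' '' + p.permission_name + '' ON ''
             + CASE p.class WHEN 1 THEN ISNULL(OBJECT_NAME(p.major_id), ''?'') ELSE p.class_desc END
    FROM sys.database_principals AS r
    JOIN sys.database_permissions AS p ON p.grantee_principal_id = r.principal_id
    WHERE r.type = ''R'' AND r.is_fixed_role = 0 AND r.name <> ''public'';';
    INSERT INTO @audit EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs; DEALLOCATE dbs;

SELECT database_name, check_name, principal_name, principal_type, detail
FROM @audit
ORDER BY database_name, check_name, principal_name, detail;
```

Anything in the WITH GRANT OPTION set that is not a DBA or application object owner account is a finding outright; the other three sets are compared line by line with the documented role design.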
Unauthorized restoration of database data, objects, or other configuration or features can result in a loss of data integrity, unauthorized configuration, or other DBMS interruption or compromise.
Severity: CAT 2
Description: The guest account is the account used by unauthenticated users of the database. Assignment of privileges to the guest account is an assignment of privileges to an unauthorized account. Any access by unauthenticated and unauthorized users can lead to a compromise of the database operational integrity as well as data integrity [...]
Severity: CAT 2
Description: The guest account is available to users that do not have authorized accounts on the database. The PUBLIC role is granted to all users of the database regardless of assigned job function. Assignment of object privileges to unauthorized users can compromise data integrity and/or confidentiality.
Check:
From the query prompt (repeat for each [...]
Severity: CAT 2
Description: Asymmetric keys stored in the database that also include storage of the private key require protection from any unauthorized user. To prevent unauthorized access to and use of any asymmetric key by DBAs or users with SYSADMIN privileges, a password must be used to encrypt the private key. Use of the Database [...]
Severity: CAT 2
Description: Strong encryption algorithms protect against unauthorized decryption of and access to sensitive data.
Check:
From the query prompt:
For each database:
use <database name>
select name,key_algorithm from sys.symmetric_keys where key_algorithm not in ('D3','A1','A2','A3')
(D3 is TRIPLE_DES; A1, A2 and A3 are AES_128, AES_192 and AES_256.)
If any records are returned, then this is a Finding.
Fix:
Configure symmetric keys to use approved encryption algorithms.
Existing keys are not re-configurable to [...]
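Because an existing key's algorithm cannot be changed in place, remediation means creating a new key and re-encrypting the data. The script below is an added example, not part of the STIG text. Part 1 audits the current database for the asymmetric key condition (private key protected only by the database master key) and the weak symmetric algorithm condition described above; Part 2 rotates one hypothetical column, dbo.Customer.SSN_enc, from an assumed RC4 key named OldKey_RC4 to a new password-protected AES_256 key, refusing to proceed if any row fails to decrypt under the old key. The table, key and password placeholders are assumptions.

```sql
-- Added example (not part of the STIG text).
-- Part 1: audit the current database for weakly protected or weakly encrypted keys.

-- Asymmetric keys whose private key is protected only by the database master key
-- ('MK'); 'PW' = password protected, 'NA' = no private key stored.
SELECT name, pvt_key_encryption_type_desc
FROM sys.asymmetric_keys
WHERE pvt_key_encryption_type = 'MK';
-- Fix: ALTER ASYMMETRIC KEY <key name> WITH PRIVATE KEY (ENCRYPTION BY PASSWORD = '<strong password>');

-- Symmetric keys outside the approved set (D3 = TRIPLE_DES, A1/A2/A3 = AES 128/192/256).
SELECT name, key_algorithm, algorithm_desc, create_date
FROM sys.symmetric_keys
WHERE key_algorithm NOT IN ('D3', 'A1', 'A2', 'A3');

-- Part 2: replace a weak key. Hypothetical table dbo.Customer, varbinary column SSN_enc,
-- currently encrypted with OldKey_RC4. Both keys are password protected so they can be
-- opened without the database master key (and so sysadmins cannot open them silently).
CREATE SYMMETRIC KEY NewKey_AES256
    WITH ALGORITHM = AES_256
    ENCRYPTION BY PASSWORD = '<strong new key password>';

OPEN SYMMETRIC KEY OldKey_RC4     DECRYPTION BY PASSWORD = '<old key password>';
OPEN SYMMETRIC KEY NewKey_AES256  DECRYPTION BY PASSWORD = '<strong new key password>';

BEGIN TRANSACTION;
-- DecryptByKey returns NULL for ciphertext it cannot decrypt. Re-encrypting such a
-- row would silently write NULL, so abort if any row fails under the old key.
IF EXISTS (SELECT 1 FROM dbo.Customer
           WHERE SSN_enc IS NOT NULL AND DecryptByKey(SSN_enc) IS NULL)
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Some rows do not decrypt under OldKey_RC4; re-encryption aborted.', 16, 1);
END
ELSE
BEGIN
    UPDATE dbo.Customer
    SET SSN_enc = EncryptByKey(Key_GUID('NewKey_AES256'), DecryptByKey(SSN_enc))
    WHERE SSN_enc IS NOT NULL;
    COMMIT TRANSACTION;
END

CLOSE SYMMETRIC KEY OldKey_RC4;
CLOSE SYMMETRIC KEY NewKey_AES256;

-- Only after verifying the data decrypts under the new key:
-- DROP SYMMETRIC KEY OldKey_RC4;
```

On a large table the UPDATE should be batched by key range rather than run as one transaction, and the old key should be kept (closed) until a restore test confirms no backup still depends on it.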
Severity: CAT 2
Description: The use of groups to assign permissions promotes and supports the assignment of privileges based on job function. Where permissions are assigned to individual users, the risk of unnecessary and unauthorized privileges is increased. The SQL REFERENCES permission is used to support creation of objects dependent upon data values stored in [...]
Severity: CAT 2
Description: The guest user ID in a database allows access by all Windows login IDs without requiring an individual database account. This allows unauthorized access to the database.
Check:
From the query prompt (repeat for each database except master and tempdb):
use <database name>
select state_desc from sys.database_permissions where permission_name='CONNECT' and grantee_principal_id=2
(principal_id 2 is the guest user)
If the value [...]
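The guest and PUBLIC entries above are the same problem from two angles: a principal every login inherits must not hold object or CONNECT permissions. The script below is an added example, not part of the STIG text. It lists every permission held by guest or public on user objects, schemas and the database itself in each database, and generates the corresponding REVOKE statements without executing them. The check above exempts master and tempdb from the guest CONNECT revocation; this example also exempts msdb because SQL Server Agent relies on guest access there. Permissions on Microsoft-shipped system objects are skipped because public holds those by design.

```sql
-- Added example (not part of the STIG text): list guest/public permissions in every
-- online database and generate (do not run) the REVOKE statements that remove them.
SET NOCOUNT ON;

DECLARE @db sysname, @sql nvarchar(max);
DECLARE @findings TABLE (
    database_name sysname,
    principal     sysname,
    permission    nvarchar(128),
    target        nvarchar(300),
    revoke_stmt   nvarchar(max)
);

DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = 'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
    SELECT DB_NAME(), pr.name, p.permission_name,
           CASE p.class
                WHEN 0 THEN ''DATABASE''
                WHEN 1 THEN QUOTENAME(SCHEMA_NAME(o.schema_id)) + ''.'' + QUOTENAME(o.name)
                WHEN 3 THEN ''SCHEMA::'' + QUOTENAME(SCHEMA_NAME(p.major_id))
                ELSE p.class_desc END,
           ''REVOKE '' + p.permission_name
             + CASE p.class
                    WHEN 0 THEN ''''
                    WHEN 1 THEN '' ON '' + QUOTENAME(SCHEMA_NAME(o.schema_id)) + ''.'' + QUOTENAME(o.name)
                    WHEN 3 THEN '' ON SCHEMA::'' + QUOTENAME(SCHEMA_NAME(p.major_id))
                    ELSE '' ON '' + p.class_desc END
             + '' FROM '' + QUOTENAME(pr.name) + '';''
    FROM sys.database_permissions AS p
    JOIN sys.database_principals AS pr ON pr.principal_id = p.grantee_principal_id
    LEFT JOIN sys.objects AS o ON p.class = 1 AND o.object_id = p.major_id
    WHERE pr.name IN (''guest'', ''public'')
      AND p.state IN (''G'', ''W'')
      -- sys.objects excludes system objects, so a class-1 row with no match is one
      AND NOT (p.class = 1 AND (o.object_id IS NULL OR o.is_ms_shipped = 1))
      -- guest CONNECT is required in the system databases that depend on it
      AND NOT (pr.name = ''guest'' AND p.permission_name = ''CONNECT''
               AND DB_NAME() IN (''master'', ''tempdb'', ''msdb''));';
    INSERT INTO @findings EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs; DEALLOCATE dbs;

-- Review before executing anything generated here: an application that depends on
-- public access to one of its tables needs an explicit role grant put in place first.
SELECT database_name, principal, permission, target, revoke_stmt
FROM @findings
ORDER BY database_name, principal, permission, target;
```

Rows with permission CONNECT for guest outside the three exempt databases are findings under the guest CONNECT check above; every other row is a finding under the guest/PUBLIC object privilege check.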
Severity: CAT 2
Description: Object ownership provides all database object permissions to the owned object. Access to the application object owner accounts requires special protection to prevent unauthorized access and use of the object ownership privileges. In addition to the high privileges to application objects assigned to this account, it is also an account that, [...]
Severity: CAT 2
Description: The Agent XPs are extended stored procedures used by the SQL Server Agent that provide privileged actions that run externally to the DBMS under the security context of the SQL Server Agent service account. If these procedures are available from a database session, an exploit to the SQL Server instance could [...]
Severity: CAT 2
Description: The TRUSTWORTHY database setting restricts access to database resources by databases that contain assemblies with the EXTERNAL_ACCESS or UNSAFE permission settings and modules that use impersonation of accounts assigned elevated privileges. Unless all assemblies and code for the database have been reviewed, especially in the case where databases have been detached [...]
Severity: CAT 2
Description: SQL Server subsystems define a set of functionality available for assignment to a SQL Server Agent proxy. These act as privileges to perform certain job tasks. Excess privilege assignment or subsystem assignment can lead to unauthorized access to the SQL Server instance or host operating system.
Check:
From the query prompt:
use msdb
exec [...]
Severity: CAT 2
Description: Service Broker endpoints expose the database to SQL Server messaging communication access. Where not carefully designed and implemented, messaging communication can unnecessarily expose the database to additional exploit that compromises data confidentiality and integrity. Removing messaging communication endpoints helps to protect the database from unauthorized messaging communication access.
Check:
From the query prompt:
select [...]
Severity: CAT 2
Description: XML Web Service endpoints expose the database and its data to web service access. Where not carefully designed and implemented, web services can unnecessarily expose the database to additional exploit that compromises data confidentiality and integrity. Removing web service endpoints helps to protect the database from unauthorized web service access.
Check:
From the query [...]
Severity: CAT 2
Description: The Database Mail extended stored procedures (XPs) are used by database applications to send email messages to and from the database. This capability may easily be abused to send malicious messages to remote users or systems. Disabling the XPs where they are not required helps to protect the database from generating or receiving malicious email notifications.
Check:
From [...]
Severity: CAT 3
Description: The clr enabled parameter configures SQL Server to allow or disallow use of Common Language Runtime (CLR) objects. CLR objects are managed code that integrates with the .NET Framework. This is a more secure method than extended stored procedures, although it still carries some risk. Where there is no requirement to execute code outside the database engine, [...]
Severity: CAT 2
Description: Role privileges required by replication include full privileges to the databases with replicated objects. Restrict replication database db_owner role memberships and the system distribution database replmonitor database role membership to authorized replication agent accounts that require access to the database. Unauthorized access can provide unintentional or malicious users greater opportunity to [...]
Severity: CAT 2
Description: Database accounts granted access to SQL Server Agent proxies are granted permissions to create and submit specific function job steps to be executed by SQL Server Agent. Unauthorized users may use access to proxies to execute unauthorized functions against the SQL Server instance or host operating system.
Check:
NOTE: Access to ActiveScripting and [...]
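The SQL Server Agent subsystem and proxy entries above both come down to the msdb proxy tables: which Windows credential a proxy runs as, which subsystems it is allowed to use, who may submit steps under it, and which jobs actually do. The script below is an added example, not part of the STIG text, that answers all four questions; the flagging of CmdExec, ActiveScripting and (on 2008 and later) PowerShell as host-OS subsystems is this example's own choice.

```sql
-- Added example (not part of the STIG text): enumerate every SQL Server Agent
-- proxy with the credential it runs as, the subsystems it may use, the principals
-- permitted to use it, and the job steps that run under it.
USE msdb;

-- 1. Proxy -> Windows credential -> subsystem
SELECT pr.name AS proxy_name,
       pr.enabled,
       c.credential_identity AS runs_as_windows_account,
       ss.subsystem,
       CASE WHEN ss.subsystem IN ('CmdExec', 'ActiveScripting', 'PowerShell')
            THEN 'host OS access - verify' ELSE '' END AS note
FROM dbo.sysproxies AS pr
JOIN sys.credentials AS c         ON c.credential_id = pr.credential_id
JOIN dbo.sysproxysubsystem AS pss ON pss.proxy_id = pr.proxy_id
JOIN dbo.syssubsystems AS ss      ON ss.subsystem_id = pss.subsystem_id
ORDER BY pr.name, ss.subsystem;

-- 2. Principals allowed to use each proxy. In the result set, flags gives the
--    principal type: 0 = SQL Server login, 1 = fixed server role, 2 = msdb database role.
--    sysadmin members need no grant; they may use any proxy.
EXEC dbo.sp_enum_login_for_proxy;

-- 3. Job steps that execute under a proxy, with the owning login. A job owner who
--    is not a sysadmin must hold proxy access for every non-T-SQL step in the job.
SELECT j.name AS job_name, SUSER_SNAME(j.owner_sid) AS job_owner, j.enabled,
       js.step_id, js.step_name, js.subsystem, pr.name AS proxy_name
FROM dbo.sysjobsteps AS js
JOIN dbo.sysjobs AS j     ON j.job_id = js.job_id
JOIN dbo.sysproxies AS pr ON pr.proxy_id = js.proxy_id
ORDER BY j.name, js.step_id;

-- Fix patterns: remove a principal from a proxy, or remove a subsystem from a proxy.
-- EXEC dbo.sp_revoke_login_from_proxy    @proxy_name = N'<proxy>', @name = N'<login or role>';
-- EXEC dbo.sp_revoke_proxy_from_subsystem @proxy_name = N'<proxy>', @subsystem_name = N'CmdExec';
```

A proxy whose credential is a domain administrator, or that is granted to public or to an msdb role with broad membership, turns the Agent into an escalation path from any database login to the host.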
Severity: CAT 2
Description: If auditing is not enabled, unauthorized or malicious activity can occur without detection and without accountability.
Check:
From the query prompt:
select * from ::fn_trace_getinfo(0)
where property=5
(property 5 is the trace status; a value of 1 means the trace is running)
If result from above for trace id with audit events set (see check DM5432) is not enabled or no data is returned, then this is a Finding.
Fix:
From the [...]
Severity: CAT 2
Description: The majority of Microsoft SQL Server security auditing is provided by the trace facility. Traces may be created using system stored procedures or with Microsoft SQL Profiler. The trace must be running in order for security event data to be collected for analysis. Traces can specify a maximum size for the [...]
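The two auditing entries above say what must be true (a running trace that captures the security audit event classes) without showing how such a trace is built. The script below is an added example, not part of the STIG text: it creates a server-side SQL Trace with file rollover so that a full file does not silently end auditing, enables the documented security audit event classes with the columns needed to attribute each event, starts the trace, and finishes with the same fn_trace_getinfo status check the preceding entry uses. The output path, file size and file count are assumptions.

```sql
-- Added example (not part of the STIG text): create, start and verify a server-side
-- security audit trace. Event and column IDs are the documented SQL Trace identifiers.
SET NOCOUNT ON;
DECLARE @traceid int, @rc int, @maxsize bigint;
SET @maxsize = 100;                                   -- MB per trace file (assumption)

-- @options = 2 is TRACE_FILE_ROLLOVER: a full file is closed and a new one opened
-- instead of the trace stopping. @filecount caps how many rollover files are kept.
EXEC @rc = sp_trace_create @traceid = @traceid OUTPUT, @options = 2,
                           @tracefile = N'D:\SQLAudit\security_audit',    -- assumed path
                           @maxfilesize = @maxsize, @stoptime = NULL, @filecount = 10;
IF @rc <> 0
BEGIN
    RAISERROR('sp_trace_create failed, return code %d', 16, 1, @rc);
    RETURN;
END

-- Security audit event classes to capture.
DECLARE @events TABLE (event_id int, event_name varchar(60));
INSERT INTO @events
SELECT 14,  'Audit Login'                         UNION ALL SELECT 20,  'Audit Login Failed'
UNION ALL SELECT 102, 'Audit Database Scope GDR'  UNION ALL SELECT 103, 'Audit Schema Object GDR'
UNION ALL SELECT 104, 'Audit Addlogin'            UNION ALL SELECT 105, 'Audit Login GDR'
UNION ALL SELECT 106, 'Audit Login Change Property' UNION ALL SELECT 107, 'Audit Login Change Password'
UNION ALL SELECT 108, 'Audit Add Login to Server Role' UNION ALL SELECT 109, 'Audit Add DB User'
UNION ALL SELECT 110, 'Audit Add Member to DB Role' UNION ALL SELECT 111, 'Audit Add Role'
UNION ALL SELECT 115, 'Audit Backup/Restore'      UNION ALL SELECT 116, 'Audit DBCC'
UNION ALL SELECT 117, 'Audit Change Audit'        UNION ALL SELECT 128, 'Audit Database Management'
UNION ALL SELECT 129, 'Audit Database Object Management' UNION ALL SELECT 130, 'Audit Database Principal Management'
UNION ALL SELECT 131, 'Audit Schema Object Management'   UNION ALL SELECT 132, 'Audit Server Principal Impersonation'
UNION ALL SELECT 133, 'Audit Database Principal Impersonation' UNION ALL SELECT 152, 'Audit Change Database Owner'
UNION ALL SELECT 170, 'Audit Server Scope GDR'    UNION ALL SELECT 171, 'Audit Server Object GDR'
UNION ALL SELECT 172, 'Audit Database Object GDR' UNION ALL SELECT 173, 'Audit Server Operation'
UNION ALL SELECT 175, 'Audit Server Alter Trace'  UNION ALL SELECT 176, 'Audit Server Object Management'
UNION ALL SELECT 177, 'Audit Server Principal Management';

-- Columns recorded for each event: who, from where, what, when, and whether it succeeded.
DECLARE @columns TABLE (column_id int);
INSERT INTO @columns
SELECT 1  UNION ALL SELECT 6  UNION ALL SELECT 7  UNION ALL SELECT 8  UNION ALL SELECT 10  -- TextData, NTUserName, NTDomainName, HostName, ApplicationName
UNION ALL SELECT 11 UNION ALL SELECT 12 UNION ALL SELECT 14 UNION ALL SELECT 21 UNION ALL SELECT 23  -- LoginName, SPID, StartTime, EventSubClass, Success
UNION ALL SELECT 26 UNION ALL SELECT 34 UNION ALL SELECT 35 UNION ALL SELECT 40 UNION ALL SELECT 64; -- ServerName, ObjectName, DatabaseName, DBUserName, SessionLoginName

-- sp_trace_setevent takes one event/column pair per call; non-zero return codes are kept
-- for review (their meanings are listed in the sp_trace_setevent documentation).
DECLARE @e int, @c int;
DECLARE @problems TABLE (event_id int, column_id int, rc int);
DECLARE pairs CURSOR LOCAL FAST_FORWARD FOR
    SELECT e.event_id, c.column_id FROM @events AS e CROSS JOIN @columns AS c;
OPEN pairs;
FETCH NEXT FROM pairs INTO @e, @c;
WHILE @@FETCH_STATUS = 0
BEGIN
    EXEC @rc = sp_trace_setevent @traceid, @e, @c, 1;
    IF @rc <> 0 INSERT INTO @problems VALUES (@e, @c, @rc);
    FETCH NEXT FROM pairs INTO @e, @c;
END
CLOSE pairs; DEALLOCATE pairs;

EXEC sp_trace_setstatus @traceid, 1;                  -- 1 = start the trace

-- Verification, as in the check above: status 1 = running.
SELECT @traceid AS traceid, CAST(value AS int) AS status
FROM sys.fn_trace_getinfo(@traceid)
WHERE property = 5;

SELECT * FROM @problems;                              -- event/column pairs that were rejected, if any
```

A trace defined this way does not survive a service restart; wrapping the script in a stored procedure in master marked with sp_procoption 'startup' is the usual way to meet the requirement that auditing be running whenever the instance is.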
Severity: CAT 2
Description: The SQL Server Agent CmdExec and ActiveScripting subsystems allow execution of code on the host operating system under the security context of the SQL Server Agent service account or of an assigned proxy account. Allow use of these features only to SYSADMINs, and only where absolutely necessary, to limit the risk of a database exploit extending to the host operating system.
NOTE: member of the SYSADMIN group [...]
Severity: CAT 2
Description: SQL Server authentication does not provide a sufficiently robust password complexity and management capability to meet stringent security requirements. SQL Server allows use of Windows authentication, a more robust and secure authentication service, to control access to the database.
Check:
From the query prompt:
exec sys.xp_loginconfig 'login mode'
If Windows Authentication is returned, then this [...]
Severity: CAT 2
Description: Linked server definitions provide the possibility for access to and from remote database systems. This access could allow users defined on remote servers unauthorized access to the local SQL Server instance and data. Removing unauthorized definitions helps prevent access by remote databases.
Check:
From the query prompt:
select name from sys.servers where server_id<>0
Review [...]
Severity: CAT 2
Description: The remote access option determines whether connections to and from other Microsoft SQL Servers are allowed. Remote connections are used to support distributed queries and other data access and command execution across remote database hosts. The list of remote servers determines which servers have been defined for remote connections [...]
Severity: CAT 2
Description: While use of replication features may contribute to improved availability, they also require privileged interfaces to external systems. Where replication is not part of a tested and secure design, the databases involved are exposed to unnecessary risk.
Check:
From the query prompt:
use master
exec sp_get_distributor
If the value of installed is 0, then this [...]
Severity: CAT 2
Description: The SQL Server registry extended stored procedures allow access to the Windows registry from the SQL Server service. The registry contains configuration information for the SQL Server service and may also contain passwords to remote or local systems. Access to this information is appropriate only for SYSADMINs and other administrative functions. [...]
Severity: CAT 2
Description: Extended stored procedures allow SQL Server users to execute functions external to SQL Server. An extended stored procedure is a function within a Windows DLL that can be referenced as a stored procedure. While this feature is a powerful extension of SQL Server, it also increases the risk of SQL Server [...]
Severity: CAT 2
Description: Extended stored procedures allow Microsoft SQL Server users to execute applications outside the security controls of SQL Server and under the security context of the SQL Server service account. Extended stored procedures are applications stored within a Windows DLL that can be referenced as a stored procedure within the SQL Server [...]
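The Agent XPs, Database Mail XPs, clr enabled, remote access, registry and extended stored procedure entries on this page are all surface-area questions: which execution paths out of the engine are switched on, and who can call them. The script below is an added example, not part of the STIG text. It reads the relevant sp_configure options from sys.configurations (the same pattern applies to the Ad Hoc Distributed Queries setting covered later on this page) and then lists every extended stored procedure in master that a principal other than dbo may execute, which is where grants to public on the xp_reg* family show up. The option list and the "enabled" assessment are this example's own.

```sql
-- Added example (not part of the STIG text): review the sp_configure options that
-- open execution paths outside the database engine, then list extended stored
-- procedures in master executable by non-administrative principals.
USE master;

-- 1. value_in_use is the running value; value is the configured value pending RECONFIGURE.
SELECT name, value_in_use, value,
       CASE WHEN value_in_use <> 0 THEN 'ENABLED - requires documented justification'
            ELSE 'disabled' END AS assessment
FROM sys.configurations
WHERE name IN ('Agent XPs', 'Database Mail XPs', 'clr enabled', 'Ad Hoc Distributed Queries',
               'xp_cmdshell', 'Ole Automation Procedures', 'remote access',
               'cross db ownership chaining')
ORDER BY name;

-- 2. Extended stored procedures (type X) with EXECUTE granted to anyone but dbo.
--    The registry procedures (xp_reg*), xp_cmdshell and the xp_servicecontrol family are
--    the ones that reach the host directly.
SELECT o.name AS xp_name,
       pr.name AS grantee,
       pr.type_desc,
       p.state_desc
FROM sys.all_objects AS o
JOIN sys.database_permissions AS p  ON p.class = 1 AND p.major_id = o.object_id
JOIN sys.database_principals  AS pr ON pr.principal_id = p.grantee_principal_id
WHERE o.type = 'X'
  AND p.permission_name = 'EXECUTE'
  AND p.state IN ('G', 'W')
  AND pr.name <> 'dbo'
ORDER BY o.name, pr.name;

-- 3. Fix patterns: disable an option with no documented requirement; revoke a stray grant.
-- EXEC sp_configure 'Ad Hoc Distributed Queries', 0; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
-- REVOKE EXECUTE ON sys.xp_regread FROM [public];
```

Any row from the second query where the grantee is public, guest, or an application role that was not approved in the System Security Plan is a finding under the registry and extended stored procedure entries above; for the first query, "enabled" is only a finding when the feature is not required by the documented design.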
Severity: CAT 2
Description: The DBMS startup process may be vulnerable to introduction of malicious or unauthorized actions. Any use of automated execution of custom procedures provides an opportunity to deploy unauthorized code. For some versions of SQL Server, audit requirements may only be met by audit procedures that are set to start automatically at [...]
Severity: CAT 2
Description: Embedding a version number in the database instance name ties the name to that version and makes it misleading after subsequent upgrades. Changing instance names on a production database causes unnecessary administrative overhead and can compromise existing secure network configurations.
Check:
If the SQL Server is version 7 or earlier, then [...]
Severity: CAT 2
Description: Fixed server roles provide a mechanism to grant groups of privileges to users. These privilege groupings are defined by the installation or upgrade of the SQL Server software at the discretion of Microsoft. Memberships in these roles granted to users should be strictly controlled and monitored. Privileges assigned to these roles [...]
Severity: CAT 2
Description: The SYSADMIN fixed server role grants all database privileges to assigned members. By default, the BUILTIN\Administrators group of the host server is granted the SYSADMIN role. Separation of duties is not enforced by automatically combining assignment of DBA responsibilities to the host administrator role.
Check:
View SYSADMIN role membership:
From the query prompt:
exec sp_helpsrvrolemember [...]
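The authentication mode, fixed server role and BUILTIN\Administrators entries above are one review of the instance-level security surface. The script below is an added example, not part of the STIG text: it reads the login mode through SERVERPROPERTY (the catalog equivalent of xp_loginconfig 'login mode'), lists the SQL-authenticated logins that would have to be migrated before switching to Windows-only authentication, and shows all fixed server role membership with BUILTIN\Administrators called out. The fix statements are commented and assume a named DBA group is already a sysadmin member.

```sql
-- Added example (not part of the STIG text): authentication mode, SQL logins, and
-- fixed server role membership with the host Administrators group flagged.

-- 1. Login mode. IsIntegratedSecurityOnly = 1 means Windows Authentication only.
SELECT CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
            WHEN 1 THEN 'Windows Authentication'
            ELSE 'Mixed Mode (SQL Server and Windows)' END AS login_mode;

-- 2. SQL logins (type S). These only authenticate in mixed mode; the policy and
--    expiration flags show whether Windows password policy is enforced on them.
SELECT sp.name,
       sp.is_disabled,
       sl.is_policy_checked,
       sl.is_expiration_checked,
       LOGINPROPERTY(sp.name, 'IsMustChange') AS must_change_at_next_login
FROM sys.server_principals AS sp
JOIN sys.sql_logins AS sl ON sl.principal_id = sp.principal_id
WHERE sp.type = 'S'
  AND sp.name NOT LIKE '##%'                  -- exclude certificate-mapped internal logins
ORDER BY sp.name;

-- 3. Fixed server role membership, with the separation-of-duties failure flagged.
SELECT r.name AS server_role,
       m.name AS member,
       m.type_desc,
       CASE WHEN m.name = 'BUILTIN\Administrators' THEN 'host admins inherit DBA rights - FINDING'
            WHEN r.name = 'sysadmin'               THEN 'verify against SSP'
            ELSE '' END AS note
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.type = 'R'
ORDER BY r.name, m.name;

-- Fixes (run only after confirming a named DBA login or group is already in sysadmin,
-- otherwise nobody can administer the instance):
-- EXEC sp_dropsrvrolemember 'BUILTIN\Administrators', 'sysadmin';
-- DROP LOGIN [BUILTIN\Administrators];
-- Windows-only authentication is set in Server Properties > Security and takes
-- effect after the service is restarted.
```

Disabling the sa login and the SQL logins listed by the second query is what makes the mode switch safe; leaving them enabled in Windows-only mode simply hides them until someone flips the mode back.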
Severity: CAT 2
Description: Credentials defined for access to remote databases or applications may provide unauthorized access to additional databases and applications to unauthorized or malicious users.
Check:
Review the list of defined linked servers:
select name from sys.servers where server_id<>0
If no linked servers are listed, then this check is NF.
If any linked servers are listed, verify their [...]
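The linked server definition, remote access and linked server credential entries above hinge on one join: sys.servers to sys.linked_logins. The script below is an added example, not part of the STIG text, that lists each linked server with its login mappings and marks the two configurations that most often turn a linked server into an unauthorized path: a catch-all mapping (local_principal_id 0) that gives every local login a fixed remote credential, and blanket self-mapping that forwards every caller's own identity to the remote host. The assessment wording is this example's own.

```sql
-- Added example (not part of the STIG text): linked servers, their login mappings,
-- and the server-wide remote access option.
SELECT s.name AS linked_server,
       s.product,
       s.provider,
       s.data_source,
       s.is_remote_login_enabled,            -- 'rpc': the remote server may call into this one
       s.is_rpc_out_enabled,                 -- 'rpc out': this server may run procedures remotely
       s.is_data_access_enabled,
       CASE ll.local_principal_id
            WHEN 0 THEN '<all local logins>'
            ELSE SUSER_NAME(ll.local_principal_id) END AS local_login,
       ll.uses_self_credential,
       ll.remote_name,
       CASE WHEN ll.local_principal_id = 0 AND ll.remote_name IS NOT NULL
                 THEN 'catch-all remote credential - FINDING'
            WHEN ll.local_principal_id = 0 AND ll.uses_self_credential = 1
                 THEN 'all logins self-mapped - verify remote host trusts this'
            WHEN ll.local_principal_id = 0
                 THEN 'no default mapping (unmapped logins are refused)'
            WHEN ll.server_id IS NULL
                 THEN 'no login mappings at all'
            ELSE 'explicit mapping - verify against SSP' END AS assessment
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.server_id <> 0                       -- server_id 0 is the local instance itself
ORDER BY s.name, local_login;

-- Server-wide switch for connections from other SQL Servers (the remote access entry above).
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'remote access';

-- Fix patterns:
-- Remove the catch-all mapping while keeping explicit per-login mappings:
--   EXEC sp_droplinkedsrvlogin @rmtsrvname = N'<linked server>', @locallogin = NULL;
-- Remove an unauthorized linked server together with all of its login mappings:
--   EXEC sp_dropserver @server = N'<linked server>', @droplogins = 'droplogins';
```

The catch-all credential case is the one to fix first: with it in place, every login on this instance, including guest-level application accounts, reaches the remote system as the stored remote login.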
Severity: CAT 2
Description: Access to objects stored and/or executed outside of the DBMS security context may provide an avenue of attack to host system resources not controlled by the DBMS. Any access to external resources from the DBMS can lead to a compromise of the host system or its resources.
Check:
From the query prompt:
For each [...]
Severity: CAT 2
Description: DBMS recovery can be adversely affected by hardware storage failure. Impediments to DBMS recovery can have a significant impact on operations.
Check:
If the instance employs Failover Clustering, then this check is NF.
Failover clustering requires configuration of Microsoft Cluster Services (MSCS) to be running on the host. View Services on the host to [...]
Severity: CAT 2
Description: Unauthorized user accounts provide unauthorized access to the database and may allow access to database objects. Only authorized users should be granted database accounts.
Check:
Review procedures for ensuring authorization of new or re-assigned DBMS user accounts. Requests for user account access to the DBMS should include documented approval by an authorized requestor. [...]
Severity: CAT 2
Description: Group authentication does not provide individual accountability for actions taken on the DBMS or data. Whenever a single database account is used to connect to the database, a secondary authentication method that provides individual accountability is required. This scenario most frequently occurs when an externally hosted application authenticates individual users [...]
Severity: CAT 2
Description: Unauthorized users may bypass security mechanisms by submitting jobs to job queues managed by the database to be run under a more privileged security context of the database or host system. These queues should be monitored regularly to detect any such unauthorized job submissions.
Check:
Review jobs scheduled to start automatically at system [...]
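The startup procedure entry earlier on this page and the job queue entry above describe the same exposure: code that runs without an interactive session and so escapes routine review. The script below is an added example, not part of the STIG text. It lists stored procedures marked to run at service startup (sp_procoption), summarises every Agent job with its owner and whether any schedule fires when the Agent starts (freq_type 64), and pulls the command text of steps that reach the host operating system. The treatment of non-sysadmin owners as needing verification is this example's own.

```sql
-- Added example (not part of the STIG text): code that runs automatically at startup,
-- and Agent jobs with their owners and host-OS steps.
USE master;

-- 1. Startup procedures live in master and carry the ExecIsStartup object property.
SELECT SCHEMA_NAME(p.schema_id) + '.' + p.name AS startup_procedure,
       p.create_date,
       p.modify_date,
       OBJECT_DEFINITION(p.object_id) AS definition      -- review the code itself
FROM sys.procedures AS p
WHERE OBJECTPROPERTY(p.object_id, 'ExecIsStartup') = 1;

-- 2. One row per job: owner, whether the owner is a sysadmin, whether any schedule
--    fires at Agent start, and how many steps execute on the host OS. T-SQL steps run
--    in the owner's security context when the owner is not a sysadmin.
SELECT j.name AS job_name,
       SUSER_SNAME(j.owner_sid) AS owner,
       j.enabled,
       CASE WHEN IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(j.owner_sid)) = 1
            THEN 'sysadmin' ELSE 'non-sysadmin - verify' END AS owner_rights,
       MAX(CASE WHEN s.freq_type = 64 THEN 1 ELSE 0 END) AS runs_at_agent_start,
       COUNT(DISTINCT js.step_id) AS steps,
       COUNT(DISTINCT CASE WHEN js.subsystem IN ('CmdExec', 'ActiveScripting', 'PowerShell')
                           THEN js.step_id END) AS host_os_steps
FROM msdb.dbo.sysjobs AS j
LEFT JOIN msdb.dbo.sysjobschedules AS jsch ON jsch.job_id = j.job_id
LEFT JOIN msdb.dbo.sysschedules    AS s    ON s.schedule_id = jsch.schedule_id
LEFT JOIN msdb.dbo.sysjobsteps     AS js   ON js.job_id = j.job_id
GROUP BY j.name, j.owner_sid, j.enabled
ORDER BY runs_at_agent_start DESC, j.name;

-- 3. The actual commands of steps that execute on the host, for line-by-line review.
SELECT j.name AS job_name, js.step_id, js.step_name, js.subsystem, js.command
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS js ON js.job_id = j.job_id
WHERE js.subsystem IN ('CmdExec', 'ActiveScripting', 'PowerShell')
ORDER BY j.name, js.step_id;

-- Fix patterns:
--   EXEC sp_procoption @ProcName = N'dbo.<procedure>', @OptionName = 'startup', @OptionValue = 'off';
--   EXEC msdb.dbo.sp_update_job @job_name = N'<job>', @enabled = 0;
```

A startup procedure that starts the audit trace is expected and should be on the approved list; any other startup procedure, and any job whose owner or host-OS step is not documented, is what this check is meant to surface.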
Severity: CAT 2
Description: Access control applied to data sources controls user access to remotely defined systems using the authentication and authorizations defined for the data source. Unauthorized access to the data source in turn provides unauthorized access to remote systems.
Check:
From SQL Server Management Studio:
Connect to the Analysis Services instance.
For each Analysis Services database:
Expand the [...]
Severity: CAT 2
Description: Data directories require different access controls than software file directories. Locating data directories in separate directories on a dedicated disk partition allows assignment of access controls to only those users that require access and helps protect the data from unauthorized access.
Check:
Review the default data and log directory specifications:
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.<#>\MSSQLServer\DefaultData
HKLM\SOFTWARE\Microsoft\Microsoft SQL [...]
Severity: CAT 2
Description: Use of default ports helps management of enterprise network device security controls. Use of non-default ports makes vulnerabilities published against services and protocols more difficult to track and block.
Check:
If Analysis Services is not in use, then this check is NA.
From a text editor, open the Analysis Services [...]
Severity: CAT 2
Description: Ad hoc access allows undefined access to remote systems. Access to remote systems should be controlled to prevent untrusted data from being executed on or uploaded to the local server.
Check:
From the registry editor, view the value for DisallowAdhocAccess for each provider:
HKLM\Software\Microsoft\Microsoft SQL Server\MSSQL.<#>\Providers\<Provider>
Replace <#> with each defined instance number.
Replace <provider> with [...]
Severity: CAT 2
Description: Use of Windows integrated security for report data sources may allow access via Reporting Services that bypasses security controls assessed at the database level. This may be restricted by requiring that all report data source connections use specific credentials to access report data sources.
Check:
If Reporting Services is not installed, then this check is NA.
From Surface Area [...]
Severity: CAT 3
Description: Where not required, scheduled events and report delivery unnecessarily expose the report server to attack via Reporting Services event handling and report delivery.
Check:
If Reporting Services is not installed, then this check is NA.
From Surface Area Configuration for Features:
Connect to the Report Services instance.
Expand the instance.
Expand Report Services.
Select Scheduled events and report [...]
Severity: CAT 3
Description: Where not required, SOAP and URL access to the web service unnecessarily exposes the report server to attack via the SOAP and HTTP protocols.
Check:
If Reporting Services is not installed, then this check is NA.
From Surface Area Configuration for Features:
Connect to the Report Services instance.
Expand the instance.
Expand Report Services.
Select Web Service Requests [...]
Severity: CAT 2
Description: Unauthorized group membership assignment grants unauthorized privileges to database accounts. Unauthorized privileges may lead to a compromise of data confidentiality or integrity.
Check:
If Analysis Services is not deployed on the local host, then this check is NA.
(to detect deployment, view Windows Services. If SQL Server Analysis Services (<instance name>) is not listed, then [...]
Severity: CAT 2
Description: The Analysis Services server role grants server-wide security privileges to the assigned user. An unauthorized user could compromise database and analysis server data and operational integrity or availability.
Check:
If Analysis Services is not deployed on the local host, then this check is NA.
(to detect deployment, view Windows Services. If SQL Server Analysis [...]
Severity: CAT 1
Description: Administrative data that may contain sensitive configuration, operational, or other sensitive data is vulnerable to unauthorized access when traversing untrusted network segments. Encryption of the data in transit helps protect the confidentiality of the data.
Check:
If Analysis Services is not deployed on the local host, then this check is NA.
(to detect deployment, [...]
Severity: CAT 1
Description: Administrative data that may contain sensitive configuration, operational, or other sensitive data is vulnerable to unauthorized access when traversing untrusted network segments. Encryption of the data in transit helps protect the confidentiality of the data.
Check:
If Analysis Services is not deployed on the local host, then this check is NA.
(to detect deployment, [...]
Severity: CAT 2
Description: Analysis Services Security Packages are security applications provided outside of the default Analysis Services installation. The packages may be provided by custom development or commercial third-party products used for client authentication. Use of untested or unverified security applications may introduce unknown vulnerabilities to the instance. Restrict use of non-default security packages [...]
Severity: CAT 1
Description: Sensitive data crossing untrusted network segments is vulnerable to unauthorized access. Encryption helps protect sensitive data in transit from unauthorized access.
Check:
If Analysis Services is not deployed on the local host, then this check is NA.
(to detect deployment, view Windows Services. If SQL Server Analysis Services (<instance name>) is not listed, then [...]
Severity: CAT 1
Description: Sensitive data is vulnerable to unauthorized access when traversing untrusted network segments. Encryption of the data in transit helps protect the confidentiality of the data.
Check:
If Analysis Services is not deployed on the local host, then this check is NA.
(to detect deployment, view Windows Services. If SQL Server Analysis Services (<instance name>) [...]
Severity: CAT 2
Description: Allowing user-defined COM functions can allow unauthorized code access to the Analysis Services instance. Where not required as part of the operational design, allowing user-defined COM functions can expose the instance to unnecessary risk.
Check:
If Analysis Services is not deployed on the local host, then this check is NA.
(to detect deployment, view [...]
Severity: CAT 2
Description: Analysis Services allows other server instances to link to local analysis services objects. Where not required, enabling of this allowance can unnecessarily expose the database objects to unauthorized access or compromise.
Check:
If Analysis Services is not deployed on the local host, then this check is NA.
(to detect deployment, view Windows Services. If [...]
Severity: CAT 2
Description: Analysis Services may make connections to external SQL Server instances. In some cases this may be required for the intended operation, however, where not required, this may introduce unnecessary risk where unauthorized external links may be made.
Check:
If Analysis Services is not deployed on the local host, then this check is NA.
(to [...]
Severity: CAT 2
Description: Anonymous access allows unauthenticated access to the database. Although the database may not store sensitive application data, operational and data compromise may occur without accountability where unauthenticated access is allowed.
Check:
If Analysis Services is not deployed on the local host, then this check is NA.
(to detect deployment, view Windows Services. If SQL Server [...]
Severity: CAT 2
Description: SQL Server Ad Hoc Distributed Queries allow specific functions (OPENROWSET and OPENDATASOURCE) to connect to remote systems without those remote systems being defined within the database. Access to unauthorized systems could lead to unauthorized activity in remote systems that could compromise the local database.
Check:
If Analysis Services is not deployed on the [...]
Severity: CAT 2
Description: Replication snapshot folders contain database data to which only authorized replication accounts require access. Unauthorized access to these folders could compromise data confidentiality and integrity, and could compromise database availability.
Check:
View the list of databases participating in replication:
exec sp_helpreplicationdboption
For each replication database:
exec sp_helppublication
If snapshot_in_defaultfolder is 1, then the snapshot folder name is:
<install [...]
Severity: CAT 2
Description: If SQL Server is configured to forward events to an Alerts Management Server that is not available, then no alerts are issued for the server.
Check:
From Regedit:
View values for:
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.<#>\SQLServerAgent\AlertForwardingServer
If the value is empty or NULL, then this is Not a Finding.
If the value is not NULL, verify that the use [...]
Severity: CAT 2
Description: The named pipes network protocol requires more ports to be opened on firewalls than TCP/IP. Managing and administering multiple network protocols may unnecessarily complicate network controls.
Check:
From SQL Server Configuration Manager, expand SQL Server 2005 Network Configuration.
Repeat for each instance:
Select Protocols for <instance name>.
View in the right pane, the status for Named [...]
Severity: CAT 2
Description: The SQL Server error log is used to store system event and system error information. In addition to assisting in correcting system failures or issues that could affect system availability and operation, log information may also be useful in discovering evidence of malicious intent. Management of the error logs requires consideration [...]
Severity: CAT 2
Description: Unauthorized and unnecessary permissions assigned to SQL Server directories and files can lead to a compromise of database integrity and data confidentiality protection.
Check:
Check file permissions
SQL Server program files are installed in two places: a subdirectory of the Program Files directory named Microsoft SQL Server (specified here as <PFdir>) and the directory created [...]
Severity: CAT 2
Description: Excess privileges can unnecessarily increase the vulnerabilities to a successful attack. If the SQL Server Agent service is compromised, the attack can lead to use of the privileges assigned to the service account. Administrative and other unnecessary privileges assigned to the service account can be used for an attack on the [...]
Severity: CAT 2
Description: Excess privileges can unnecessarily increase the vulnerabilities to a successful attack. If the Integration Service is compromised, the attack can lead to use of the privileges assigned to the service account. Administrative and other unnecessary privileges assigned to the service account can be used for an attack on the host system [...]
Severity: CAT 2
Description: Excessive or unneeded privileges allow for unauthorized actions. When application vulnerabilities are exploited, excessive privileges assigned to the application can lead to unnecessary risk to the host system and other services.
Check:
Check User Rights (may be assigned using group privileges):
From Windows Desktop:
Start \ Control Panel \ Administrative Tools \ Local Security Policy [...]
Severity: CAT 2
Description: Registry keys contain configuration data for the SQL Server services and applications. Unrestricted access or access unnecessary for operation can lead to a compromise of the application or disclosure of information that may lead to a successful attack or compromise of data.
Check:
Use regedit.exe (Windows 2003) or regedt32 (Windows XP, Windows 2000) [...]
Severity: CAT 2
Description: Excess privileges can unnecessarily increase the vulnerabilities to a successful attack. If the SQL Server process is compromised, the attack can lead to use of the privileges assigned to the process account. Administrative and other unnecessary privileges assigned to the service account can be used for an attack on the host [...]
Severity: CAT 2
Description: The Windows built-in Administrators group and LocalSystem account are assigned full privileges to the Windows operating system. These privileges are not required by the SQL Server service accounts for operation and, if assigned, could allow a successful attack of the SQL Server service to lead to a full compromise of the [...]
Severity: CAT 2
Description: The host DBA group is assigned permissions to the DBMS system libraries and may also be used to assign DBA privileges within the database. Unauthorized DBA privilege assignment leaves the DBMS data and operations vulnerable to complete compromise.
Check:
Review the list of accounts assigned to the OS DBA group.
Review the list of [...]
Severity: CAT 2
Description: The DBA job function differs from the host system administrator job function. Without a separate host OS group to assign necessary privileges on the operating system, separation of duties is not achieved and excess privileges for the job function are assigned.
Check:
For Windows 2000: Right click on My Computer, Select Manage, Expand [...]
Severity: CAT 2
Description: Exploits to SQL Server services may provide access to the host system resources within the security context of the service. Excess privileges assigned to the SQL Services can increase the threat to the host system.
Check:
View the Windows group membership assigned to the SQL Server service accounts:
List of services:
1 SQL Server Database
2 [...]
Severity: CAT 2
Description: Developer roles do not and should not be assigned DBMS administrative privileges to production DBMS application and data directories. The separation of production DBA and developer roles helps protect the production system from unauthorized, malicious, or unintentional interruption due to development activities.
Check:
If the DBMS host does not support both production operations [...]
Severity: CAT 2
Description: The DBMS application depends upon the availability and integrity of its software libraries. Without backups, compromise or loss of the software libraries can prevent a successful recovery of DBMS operations.
Check:
Review evidence of SQL Server and dependent application files and directories.
The SQL Server software directory is specified in the registry value HKLM\SOFTWARE\Microsoft\Microsoft [...]
Severity: CAT 2
Description: DBMS audit logs are essential to the investigation and prosecution of unauthorized access to the DBMS data. Unless audit logs are available for review, the extent of data compromise may not be determined and the vulnerability exploited may not be discovered. Undiscovered vulnerabilities could lead to additional or prolonged compromise of [...]
Severity: CAT 1
Description: Sensitive data served by the DBMS and transmitted across the network in clear text is vulnerable to unauthorized capture and review.
Check:
Review the system security plan to determine whether encryption of sensitive data is required for network transmission of DBMS data.
If no requirement is listed, then this check is NA.
If [...]
Severity: CAT 2
Description: Non-standard network port, protocol, or service configuration or usage could allow network perimeter security controls and protections to be bypassed.
Check:
From SQL Server Configuration Manager, expand SQL Server 2005 Network Configuration, select Protocols for <instance name>, right-click on TCP/IP, select Properties, and select the IP Addresses tab.
View all TCP Dynamic Ports and TCP Port [...]
Severity: CAT 2
Description: Protection of DBMS data, transaction, and audit data files stored by the host operating system is dependent on OS controls. When different applications share the same database process, resource contention and differing security controls may be required to isolate and protect one application’s data and audit logs from another. DBMS software [...]
Severity: CAT 2
Description: In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit to one application can lead to an exploit of other applications sharing the same security context. For example, an exploit to [...]
Severity: CAT 2
Description: Access to sensitive data may not always be sufficiently protected by authorizations and requires encryption. In some cases, the required encryption may be provided by the application accessing the database. In others, the DBMS may be configured to provide the data encryption. When the DBMS provides the encryption, the requirement must [...]
Severity: CAT 2
Description: Shared accounts neither provide separation of duties nor allow least privilege to be assigned to the database processes and services that use them. Without separation and least privilege, the exploit of one service or process is more likely to compromise another, or all other, services.
Check:
Using the SQL Server Configuration [...]
Severity: CAT 2
Description: Where access controls do not provide complete protection of sensitive data, encryption can help to close the gap. Encryption of sensitive data helps protect disclosure to privileged users who do not have a need-to-know requirement to view the data that is stored in files outside of the database. Data encryption also [...]
Severity: CAT 2
Description: Sensitive data stored in unencrypted format within the database is vulnerable to unauthorized viewing.
Check:
Use select statements in the database to review sensitive data stored in tables as identified in the System Security Plan.
If any sensitive data is human readable, then this is a Finding.
Fix:
Use third-party tools or native DBMS features to [...]
Severity: CAT 3
Description: Developers play a unique role and represent a specific type of threat to the security of the DBMS. Where restricted resources prevent the required separation of production and development DBMS installations, developers granted elevated privileges to create and manage new database objects must also be prevented from actions that can threaten [...]
Severity: CAT 2
Description: Developers granted elevated database and operating system privileges on systems that support both development and production databases can affect the operation and/or security of the production database system. Operating system and database privileges assigned to developers on shared development and production systems should be restricted.
Check:
Review the list of instances and databases [...]
Severity: CAT 2
Description: Data exported from production databases may include sensitive data. Application developers do not have a need to know for sensitive data. Any access they may have to production data would be considered unauthorized access and would subject the sensitive data to unlawful or unauthorized disclosure.
Check:
If the database being reviewed is not a [...]
Audit data is frequently targeted by malicious users as it can provide a means to detect their activity. The protection of the audit trail data …..
Severity: CAT 3
Description: File and directory ownership imparts full privileges to the owner. These privileges should be restricted to a single, dedicated account to preserve proper chains of ownership and privilege assignment management.
Check:
Review the ownership of all DBMS and dependent application software and configuration files. If the owner is other than the software installation [...]
Severity: CAT 2
Description: On shared production and development DBMS systems, access identifiers that do not clearly indicate whether the DBMS or DBMS object being accessed is a production or development object can lead to unintentional modification of production objects.
Check:
If this system is not a shared development/production system, then this check is N/A.
Review [...]
Severity: CAT 3
Description: Application users by definition and job function require only the permissions to manipulate data within database objects and execute procedures within the database. The statements used to define objects in the database are referred to as Data Definition Language (DDL) statements and include the CREATE, DROP, and ALTER object statements. (DDL [...]