STIGQter: STIG Summary: MS SQL Server 2016 Database Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

SQL Server must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

DISA Rule

SV-213917r508025_rule

Vulnerability Number

V-213917

Group Title

SRG-APP-000266-DB-000162

Rule Version

SQL6-D0-002400

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Adjust database code to remove any information not required for explaining the error to an end user.

Consider enabling trace flag 3625 to mask certain system-level error information returned to non-administrative users.

Launch SQL Server Configuration Manager >> Click SQL Services >> Open the instance properties >> Click the Service Parameters tab >> Enter "-T3625" >> Click Add >> Click OK >> Restart SQL instance.

Check Contents

Review application behavior and custom database code (stored procedures, triggers) to determine whether error messages contain information beyond what is needed for explaining the issue to general users.

If database error messages contain PII data, sensitive business data, or information useful for identifying the host system or database structure, this is a finding.
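The following T-SQL is an added example and not part of the STIG or of STIGQter. It covers both the check above and the fix recommendation: it queries whether trace flag 3625 is active, and it shows a stored procedure whose CATCH block forwards the engine's error text verbatim beside a hardened version that keeps the full detail in a server-side log and returns only an actionable, generic message to the caller. The table names (dbo.Account, dbo.AppErrorLog), the procedure names and the error numbers are hypothetical; CREATE OR ALTER requires SQL Server 2016 SP1 or later.

```sql
-- Added example (not STIG or STIGQter code). Object names are hypothetical.

-- 1. Check: is trace flag 3625 enabled globally on this instance?
--    Status = 1 means it is active; the persistent setting is the "-T3625"
--    startup parameter described in the fix recommendation.
DBCC TRACESTATUS (3625, -1);
GO

-- 2. Leaky pattern: the system error (object names, constraint names,
--    line numbers and possibly data values) is re-thrown to the caller as-is.
CREATE OR ALTER PROCEDURE dbo.usp_UpdateBalance_Leaky
    @AccountId INT, @Delta DECIMAL(18,2)
AS
BEGIN
    SET NOCOUNT ON;
    BEGIN TRY
        UPDATE dbo.Account SET Balance = Balance + @Delta
        WHERE AccountId = @AccountId;
    END TRY
    BEGIN CATCH
        THROW;   -- forwards the engine message verbatim to a non-privileged user
    END CATCH
END;
GO

-- 3. Hardened pattern: full detail is logged for administrators; the caller
--    receives only a generic message and a correlation id to quote to support.
IF OBJECT_ID(N'dbo.AppErrorLog', N'U') IS NULL
    CREATE TABLE dbo.AppErrorLog (
        ErrorId        UNIQUEIDENTIFIER NOT NULL PRIMARY KEY,
        LoggedAt       DATETIME2        NOT NULL DEFAULT SYSUTCDATETIME(),
        ErrorNumber    INT              NOT NULL,
        ErrorProcedure NVARCHAR(128)    NULL,
        ErrorLine      INT              NULL,
        ErrorMessage   NVARCHAR(4000)   NOT NULL,
        LoginName      SYSNAME          NOT NULL DEFAULT SUSER_SNAME()
    );
GO

CREATE OR ALTER PROCEDURE dbo.usp_UpdateBalance
    @AccountId INT, @Delta DECIMAL(18,2)
AS
BEGIN
    SET NOCOUNT ON;
    BEGIN TRY
        UPDATE dbo.Account SET Balance = Balance + @Delta
        WHERE AccountId = @AccountId;

        -- Expected business condition: a user-written message (>= 50000)
        -- that tells the end user what to do without exposing internals.
        IF @@ROWCOUNT = 0
            THROW 50001, N'The account could not be updated. Check the account identifier and try again.', 1;
    END TRY
    BEGIN CATCH
        DECLARE @ErrorId UNIQUEIDENTIFIER = NEWID();

        -- Keep the complete engine detail server-side only.
        INSERT INTO dbo.AppErrorLog (ErrorId, ErrorNumber, ErrorProcedure, ErrorLine, ErrorMessage)
        VALUES (@ErrorId, ERROR_NUMBER(), ERROR_PROCEDURE(), ERROR_LINE(), ERROR_MESSAGE());

        -- Messages this procedure raised itself are already end-user safe.
        IF ERROR_NUMBER() >= 50000
            THROW;

        -- Any system error is replaced by a generic, actionable message.
        DECLARE @msg NVARCHAR(200) =
            N'The request could not be completed. Contact support and quote reference '
            + CONVERT(NVARCHAR(36), @ErrorId) + N'.';
        THROW 50000, @msg, 1;
    END CATCH
END;
GO
```

Run the DBCC TRACESTATUS check as a sysadmin; the fix's startup parameter is what makes the flag survive a restart, and the flag only masks certain system-level detail, so the review of custom code in the check above is still required. When reviewing stored procedures and triggers, the first pattern (a bare THROW or RAISERROR(ERROR_MESSAGE(), ...) in a CATCH block reachable by general users) is the kind of code that produces a finding; the second keeps the diagnostic value for administrators in dbo.AppErrorLog while giving the user only what is needed for corrective action.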

Vulnerability Number

V-213917

Documentable

False

Rule Version

SQL6-D0-002400

Severity Override Guidance

Review application behavior and custom database code (stored procedures, triggers) to determine whether error messages contain information beyond what is needed for explaining the issue to general users.

If database error messages contain PII data, sensitive business data, or information useful for identifying the host system or database structure, this is a finding.

Check Content Reference

M

Target Key

3992

Comments