STIGQter: STIG Summary: MS SQL Server 2016 Instance Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021

SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the instance.

DISA Rule

SV-213935r617437_rule

Vulnerability Number

V-213935

Group Title

SRG-APP-000080-DB-000063

Rule Version

SQL6-D0-004200

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Remove each login that the check content identified as a computer account (a Windows login or group whose name ends in "$" and for which the Active Directory lookup returned a Computer object).

Check Contents

Execute the following query:

SELECT name
FROM sys.server_principals
WHERE type in ('U','G')
AND name LIKE '%$'

If no logins are returned, this is not a finding.

If logins are returned, determine whether each login is a computer account.

Launch PowerShell.

Execute the following code:

Note: <name> represents the username portion of the login. For example, if the login is "CONTOSO\user1$", the username is "user1".

([ADSISearcher]"(&(ObjectCategory=Computer)(Name=<name>))").FindAll()

If no account information is returned, this is not a finding.

If account information is returned, this is a finding.
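The two-step check above, run end to end as an added PowerShell example (this is not DISA check content and not STIGQter code). It assumes Windows PowerShell 5.1 on a domain-joined host, a connection to the instance with Integrated Security and enough rights to read sys.server_principals (VIEW ANY DEFINITION or sysadmin), and that the logins belong to the domain the host is joined to; the instance name is a placeholder.

```powershell
# Added example for SQL6-D0-004200 (not DISA/STIGQter content).
# Assumptions: Windows PowerShell 5.1, domain-joined host, Integrated Security
# login to the instance, rights to read sys.server_principals.
param(
    [string]$Instance = 'localhost'   # placeholder: replace with SERVER\INSTANCE
)

# Step 1: the STIG query. type 'U' = Windows login, 'G' = Windows group.
# '$' is not a wildcard in T-SQL LIKE, so '%$' matches names ending in '$'.
$query = @"
SELECT name
FROM sys.server_principals
WHERE type IN ('U','G')
  AND name LIKE '%$'
"@

$conn = New-Object System.Data.SqlClient.SqlConnection
# Encrypt=True so the query and results do not cross the network in clear;
# the instance certificate must be trusted by this host.
$conn.ConnectionString = "Server=$Instance;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=False"
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $reader = $cmd.ExecuteReader()
    $logins = @()
    while ($reader.Read()) { $logins += $reader.GetString(0) }
    $reader.Close()
}
finally { $conn.Close() }

if (-not $logins) {
    Write-Output 'No Windows logins or groups ending in $ were returned: not a finding.'
    return
}

# Step 2: for each candidate, strip DOMAIN\ and the trailing '$', then ask AD
# whether an object of category Computer with that name exists.
$findings = @()
foreach ($login in $logins) {
    $samPart = ($login -split '\\')[-1]      # "CONTOSO\user1$" -> "user1$"
    $name    = $samPart.TrimEnd('$')         # "user1$"         -> "user1"
    # Escape LDAP filter metacharacters (RFC 4515) so an unusual login name
    # cannot alter the meaning of the filter. Backslash must be done first.
    $safe = $name -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $hits = ([ADSISearcher]"(&(ObjectCategory=Computer)(Name=$safe))").FindAll()
    if ($hits.Count -gt 0) {
        $findings += $login
        Write-Output "FINDING: $login is a computer account ($($hits[0].Path))"
    } else {
        Write-Output "OK: $login is not a computer account"
    }
}

# Report the fix for review; nothing is dropped automatically.
if ($findings) {
    Write-Output ''
    Write-Output 'Fix (review each line before running it on the instance):'
    foreach ($f in $findings) { Write-Output "  DROP LOGIN [$f];" }
}
```

The script only prints the DROP LOGIN statements rather than executing them, because a login that maps to a service running under a machine account may still be in use and the DISA fix is to remove the login, not to stop the service. [ADSISearcher] searches the domain the running host is joined to; for a login from a trusted domain, set the searcher's SearchRoot to that domain before calling FindAll(), or the lookup will return nothing and the login will be reported as OK.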

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3993

Comments