STIGQter STIGQter: STIG Summary: MS SQL Server 2016 Instance Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

SQL Server must prevent unauthorized and unintended information transfer via shared system resources.

DISA Rule

SV-213975r617437_rule

Vulnerability Number

V-213975

Group Title

SRG-APP-000243-DB-000373

Rule Version

SQL6-D0-009800

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure SQL Server to effectively protect the private resources of one process or user from unauthorized access by another user or process.

sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
sp_configure 'common criteria compliance enabled', 1;
GO
RECONFIGURE
GO

Check Contents

Review system documentation to determine if Common Criteria Compliance is not required due to potential impact on system performance.

SQL Server Residual Information Protection (RIP) requires a memory allocation to be overwritten with a known pattern of bits before memory is reallocated to a new resource. Meeting the RIP standard can contribute to improved security; however, overwriting the memory allocation can slow performance. After the common criteria compliance enabled option is enabled, the overwriting occurs.

Review the Instance configuration:


SELECT value_in_use
FROM sys.configurations
WHERE name = 'common criteria compliance enabled'

If "value_in_use" is set to "1" this is not a finding.
If "value_in_use" is set to "0" this is a finding.

NOTE: Enabling this feature may impact performance on highly active SQL Server instances. If an exception justifying setting SQL Server Residual Information Protection (RIP) to disabled (value_in_use set to "0") has been documented and approved, then this may be downgraded to a CAT III finding.

Vulnerability Number

V-213975

Documentable

False

Rule Version

SQL6-D0-009800

Severity Override Guidance

Review system documentation to determine if Common Criteria Compliance is not required due to potential impact on system performance.

SQL Server Residual Information Protection (RIP) requires a memory allocation to be overwritten with a known pattern of bits before memory is reallocated to a new resource. Meeting the RIP standard can contribute to improved security; however, overwriting the memory allocation can slow performance. After the common criteria compliance enabled option is enabled, the overwriting occurs.

Review the Instance configuration:


SELECT value_in_use
FROM sys.configurations
WHERE name = 'common criteria compliance enabled'

If "value_in_use" is set to "1" this is not a finding.
If "value_in_use" is set to "0" this is a finding.

NOTE: Enabling this feature may impact performance on highly active SQL Server instances. If an exception justifying setting SQL Server Residual Information Protection (RIP) to disabled (value_in_use set to "0") has been documented and approved, then this may be downgraded to a CAT III finding.

Check Content Reference

M

Target Key

3993

Comments