STIGQter: STIG Summary: MS SQL Server 2014 Database Security Technical Implementation Guide Version: 1 Release: 6 Benchmark Date: 26 Jan 2018

The DBMS and associated applications must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

DISA Rule

SV-81887r2_rule

Vulnerability Number

V-67397

Group Title

SRG-APP-000266-DB-000162

Rule Version

SQL4-00-022800

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure DBMS settings, custom database code, and associated application code not to divulge sensitive information or information useful for system identification in error messages that are displayed to general users.
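One way to apply this recommendation in custom database code, shown as an added T-SQL example that is not part of the STIG text: the stored procedure writes the full error detail to an administrator-only table and returns only a generic message with a reference ID to the caller. The object names (`dbo.ErrorLog`, `dbo.CustomerOrder`, `dbo.usp_CancelCustomerOrder`) and error number 50001 are assumptions chosen for illustration.

```sql
-- Added example; all object names are hypothetical.
-- Detail table: grant SELECT only to administrators/auditors, never to general users.
CREATE TABLE dbo.ErrorLog (
    ErrorLogId    UNIQUEIDENTIFIER NOT NULL PRIMARY KEY,
    LoggedAtUtc   DATETIME2(3)     NOT NULL DEFAULT SYSUTCDATETIME(),
    LoginName     SYSNAME          NOT NULL DEFAULT ORIGINAL_LOGIN(),
    ErrorNumber   INT              NULL,
    ErrorSeverity INT              NULL,
    ErrorState    INT              NULL,
    ErrorProc     NVARCHAR(128)    NULL,
    ErrorLine     INT              NULL,
    ErrorMessage  NVARCHAR(4000)   NULL
);
GO

CREATE PROCEDURE dbo.usp_CancelCustomerOrder
    @OrderId INT
AS
BEGIN
    SET NOCOUNT ON;
    BEGIN TRY
        BEGIN TRANSACTION;
        UPDATE dbo.CustomerOrder
           SET OrderStatus = N'Cancelled'
         WHERE OrderId = @OrderId;
        COMMIT TRANSACTION;
    END TRY
    BEGIN CATCH
        -- Roll back first so the log row below is not undone with the failed work.
        IF @@TRANCOUNT > 0 ROLLBACK TRANSACTION;

        DECLARE @ref UNIQUEIDENTIFIER = NEWID();

        -- Full detail (object names, line numbers, engine message text) stays server-side.
        INSERT INTO dbo.ErrorLog
            (ErrorLogId, ErrorNumber, ErrorSeverity, ErrorState, ErrorProc, ErrorLine, ErrorMessage)
        VALUES
            (@ref, ERROR_NUMBER(), ERROR_SEVERITY(), ERROR_STATE(),
             ERROR_PROCEDURE(), ERROR_LINE(), ERROR_MESSAGE());

        -- The caller sees no table, column, constraint, or host names, and no row data.
        DECLARE @msg NVARCHAR(2048) =
            N'The order could not be cancelled. Contact support and quote reference '
            + CONVERT(NVARCHAR(36), @ref) + N'.';
        THROW 50001, @msg, 1;
    END CATCH
END;
GO
```

Re-throwing with a bare `THROW;` or passing `ERROR_MESSAGE()` back to the client would return the engine's original text, including object and constraint names, which is the condition the check below treats as a finding.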

Check Contents

Review application behavior and custom database code (stored procedures, triggers) to determine whether error messages contain information beyond what is needed for explaining the issue to general users.

If database error messages contain PII data, sensitive business data, or information useful for identifying the host system or database structure, this is a finding.

Documentable

False

Severity Override Guidance

Review application behavior and custom database code (stored procedures, triggers) to determine whether error messages contain information beyond what is needed for explaining the issue to general users.

If database error messages contain PII data, sensitive business data, or information useful for identifying the host system or database structure, this is a finding.

Check Content Reference

M

Target Key

2637
