STIGQter: STIG Summary: MS SQL Server 2014 Database Security Technical Implementation Guide, Version: 1, Release: 6, Benchmark Date: 26 Jan 2018

SQL Server must reveal detailed error messages only to the ISSO, ISSM (or their designees), SA and DBA.

DISA Rule

SV-81889r2_rule

Vulnerability Number

V-67399

Group Title

SRG-APP-000267-DB-000163

Rule Version

SQL4-00-022900

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure audit logging, tracing and/or custom code in the database or application to record detailed error messages generated by SQL Server, for review by authorized personnel.
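
One way to implement the "custom code" option, shown as an added T-SQL example that is not part of the STIG text: a stored procedure records the full error detail in a table readable only by an authorized role and returns a generic message with a reference number to the caller. All object names (dbo.ErrorLog, ErrorLogReaders, dbo.Accounts, dbo.usp_UpdateBalance) and the error number 50001 are assumptions chosen for illustration.

```sql
-- Added example; every object name here is hypothetical.
-- Detailed errors go to dbo.ErrorLog; callers see only a generic message.
CREATE TABLE dbo.ErrorLog (
    ErrorLogId     INT IDENTITY(1,1) PRIMARY KEY,
    LoggedAtUtc    DATETIME2(3)   NOT NULL DEFAULT SYSUTCDATETIME(),
    LoginName      SYSNAME        NOT NULL DEFAULT ORIGINAL_LOGIN(),
    ErrorNumber    INT            NULL,
    ErrorSeverity  INT            NULL,
    ErrorState     INT            NULL,
    ErrorProcedure NVARCHAR(128)  NULL,
    ErrorLine      INT            NULL,
    ErrorMessage   NVARCHAR(4000) NULL
);
GO
-- Add only the ISSO, ISSM (or designees), SA and DBA accounts to this role.
CREATE ROLE ErrorLogReaders;
GRANT SELECT ON dbo.ErrorLog TO ErrorLogReaders;
GO
CREATE TABLE dbo.Accounts (
    AccountId INT PRIMARY KEY,
    Balance   DECIMAL(18,2) NOT NULL CHECK (Balance >= 0)
);
GO
CREATE PROCEDURE dbo.usp_UpdateBalance @AccountId INT, @Delta DECIMAL(18,2)
AS
BEGIN
    SET NOCOUNT ON;
    BEGIN TRY
        -- A negative result violates the CHECK constraint; the native error
        -- text names the constraint, database and table.
        UPDATE dbo.Accounts SET Balance = Balance + @Delta
        WHERE AccountId = @AccountId;
    END TRY
    BEGIN CATCH
        -- An open or uncommittable transaction must be rolled back first,
        -- otherwise the log row could not be written or would be undone.
        IF XACT_STATE() <> 0 ROLLBACK TRANSACTION;
        INSERT INTO dbo.ErrorLog (ErrorNumber, ErrorSeverity, ErrorState,
                                  ErrorProcedure, ErrorLine, ErrorMessage)
        VALUES (ERROR_NUMBER(), ERROR_SEVERITY(), ERROR_STATE(),
                ERROR_PROCEDURE(), ERROR_LINE(), ERROR_MESSAGE());
        DECLARE @msg NVARCHAR(200) =
            N'The request could not be completed. Reference: '
            + CAST(SCOPE_IDENTITY() AS NVARCHAR(20));
        -- The caller receives no object names, only the reference number.
        THROW 50001, @msg, 1;
    END CATCH
END;
GO
```

Because the procedure and the log table share the same owner, callers need only EXECUTE on the procedure and no permission on dbo.ErrorLog.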

Check Contents

Review application behavior, custom database code (stored procedures; triggers) and DBMS audit and trace settings, to determine whether detailed error messages are logged or stored for review by authorized personnel.

If detailed error messages are not available to individuals authorized to view them, this is a finding.

Documentable

False

Severity Override Guidance

Review application behavior, custom database code (stored procedures; triggers) and DBMS audit and trace settings, to determine whether detailed error messages are logged or stored for review by authorized personnel.

If detailed error messages are not available to individuals authorized to view them, this is a finding.

Check Content Reference

M

Target Key

2637
