STIGQter: STIG Summary: MS SQL Server 2014 Instance Security Technical Implementation Guide, Version: 1, Release: 10, Benchmark Date: 24 Apr 2020

SQL Server must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.

DISA Rule

SV-82389r1_rule

Vulnerability Number

V-67899

Group Title

SRG-APP-000378-DB-000365

Rule Version

SQL4-00-033800

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Document and obtain approval for any non-administrative users who require the ability to create, alter or replace logic modules.

Implement the approved permissions. Revoke (or Deny) any unapproved permissions, and remove any unauthorized role memberships.

Check Contents

If the SQL Server instance supports only software development, experimentation and/or developer-level testing (that is, excluding production systems, integration testing, stress testing, and user acceptance testing), this is not a finding.

Review the SQL Server instance and database security settings with respect to non-administrative users' ability to create, alter, or replace logic modules, to include but not necessarily only stored procedures, functions, triggers, and views. The database permission functions and views provided in the supplemental file Permissions.sql can help with this.

If any such permissions exist and are not documented and approved, this is a finding.
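One way to start this review in a single database, as an added example that is not part of the STIG or of the supplemental Permissions.sql: the two queries below list explicit grants and fixed-role memberships that allow creating, altering or replacing logic modules. The permission list and the two fixed roles are this example's assumption of what to flag; server-level rights are not covered, and every returned row still has to be compared against the approved documentation.

```sql
-- Added example: run in each user database under review (SQL Server 2014 catalog views).

-- Part 1: explicit grants that allow creating, altering or replacing logic modules.
SELECT
    pr.name          AS principal_name,
    pr.type_desc     AS principal_type,
    pe.state_desc    AS permission_state,
    pe.permission_name,
    pe.class_desc    AS securable_class,
    CASE pe.class_desc
        WHEN 'SCHEMA'           THEN SCHEMA_NAME(pe.major_id)
        WHEN 'OBJECT_OR_COLUMN' THEN OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id)
        ELSE DB_NAME()
    END              AS securable_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION')
  AND pe.permission_name IN (
        'CREATE PROCEDURE', 'CREATE FUNCTION', 'CREATE VIEW', 'CREATE ASSEMBLY',
        'ALTER', 'ALTER ANY SCHEMA', 'ALTER ANY ASSEMBLY',
        'ALTER ANY DATABASE DDL TRIGGER', 'CONTROL')
  AND pr.is_fixed_role = 0          -- fixed roles are covered by Part 2
  AND pr.name <> N'dbo'
  AND (
        pe.class_desc IN ('DATABASE', 'SCHEMA')
        -- For object-level grants, keep only objects that are logic modules:
        -- procedures, functions, triggers and views (T-SQL and CLR).
        OR (pe.class_desc = 'OBJECT_OR_COLUMN'
            AND EXISTS (SELECT 1
                        FROM sys.objects AS o
                        WHERE o.object_id = pe.major_id
                          AND o.type IN ('P','PC','FN','IF','TF','FS','FT','TR','TA','V')))
      )
ORDER BY pr.name, pe.class_desc, pe.permission_name;

-- Part 2: members of fixed database roles that carry DDL rights over modules.
SELECT
    r.name       AS role_name,
    m.name       AS member_name,
    m.type_desc  AS member_type
FROM sys.database_role_members AS drm
JOIN sys.database_principals   AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = drm.member_principal_id
WHERE r.name IN (N'db_owner', N'db_ddladmin')
  AND m.name <> N'dbo'
ORDER BY r.name, m.name;
```

Membership in user-defined roles that appear in Part 1 should be expanded the same way, since their members inherit the listed permissions.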

Documentable

False

Check Content Reference

M

Target Key

2639
