diff --git a/CHANGELOG.md b/CHANGELOG.md index 34866c058..357fe7c10 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## [Unreleased] +* Update PowerSTIG to successfully parse/apply MS SQL Server 2012 Instance Ver. 1 Rel. 20: [#639](https://github.com/microsoft/PowerStig/issues/639) * Update PowerSTIG to successfully parse/apply MS SQL Server 2016 Instance Ver. 1 Rel. 9: [#636](https://github.com/microsoft/PowerStig/issues/636) * Update PowerSTIG to successfully parse/apply Windows Server 2012 DNS STIG - Ver 1, Rel 14: [#633](https://github.com/microsoft/PowerStig/issues/633) * Update PowerSTIG to parse/convert the Vmware Vsphere 6.5 STIG V1R4: [#634](https://github.com/microsoft/PowerStig/issues/634) diff --git a/source/Module/Common/Functions.XccdfXml.ps1 b/source/Module/Common/Functions.XccdfXml.ps1 index 2af584033..2465eddd5 100644 --- a/source/Module/Common/Functions.XccdfXml.ps1 +++ b/source/Module/Common/Functions.XccdfXml.ps1 @@ -375,15 +375,10 @@ function Split-BenchmarkId { {$PSItem -match "SQL_Server"} { - # The metadata does not differentiate between the database and instance STIG so we have to get that from the file name. - $sqlRole = Get-SqlTechnologyRole -Path $FilePath - $returnId = $id -replace ($sqlServerVariations -join '|'), 'SqlServer' - - # SQL 2012 Instance 1.17 has a different format which requires this line, can be removed when this STIG is no longer in archive - $returnId = $returnId -replace "_Database_Instance" + "" - # SQL 2012 Database 1.20 has a different format which requires this line. - $returnId = $returnId -replace "_Database" + "" - $returnId = '{0}_{1}' -f $returnId, $sqlRole + $sqlRole = Get-SqlTechnologyRole -Path $FilePath -Id $id + $id -match "(?\d{4})" + $sqlVersion = $Matches['Version'] + $returnId = 'SqlServer_{0}_{1}' -f $sqlVersion, $sqlRole continue } {$PSItem -match "_Firewall"} 
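Review bot: The added `$id -match "(?<Version>\d{4})"` line in the SQL_Server case of Split-BenchmarkId is a bare expression, so its Boolean result goes to the output stream and is emitted alongside whatever the function returns; the sibling change in Get-SqlTechnologyRole assigns its match to `$null`, and this line should do the same. As rendered here the group name is missing (`(?\d{4})`), which looks like the `<Version>` tag being stripped by the page rather than the committed text, but it is worth confirming the file really reads `(?<Version>\d{4})`, since the pattern as printed would not compile. When `$id` contains no four-digit run, `$Matches['Version']` is null or left over from an earlier match and the result becomes something like `SqlServer__Instance`; guarding it, e.g. `if ($id -notmatch '(?<Version>\d{4})') { throw "Unable to determine SQL Server version from id '$id'" }`, fails loudly instead. The rest of Split-BenchmarkId, including whether `$sqlServerVariations` is still used anywhere now that this case no longer references it, lies outside this hunk.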
@@ -519,6 +514,10 @@ function Get-SqlTechnologyRole [OutputType([string])] param ( + [Parameter(Mandatory = $true)] + [string] + $Id, + [Parameter(Mandatory=$true)] [AllowEmptyString()] [string] @@ -528,6 +527,11 @@ function Get-SqlTechnologyRole $split = $Path -split '_' $stigIndex = $split.IndexOf('STIG') $sqlRole = $split[$stigIndex -1] + if ($sqlRole -match '\w\d{1,}\w\d{1,}') + { + $null = $Id -match "(?Database|Instance)" + $sqlRole = $Matches['Type'] + } return $sqlRole } @@ -555,12 +559,8 @@ function Get-StigVersionNumber ) # Extract the revision number from the xccdf - $revision = ( $StigDetails.Benchmark.'plain-text'.'#text' ` - -split "(Release:)(.*?)(Benchmark)" )[2].trim() - + $revision = ($StigDetails.Benchmark.'plain-text'.'#text' -split "(Release:)(.*?)(Benchmark)")[2].trim() "$($StigDetails.Benchmark.version).$revision" - } #endregion - diff --git a/source/StigData/Archive/SQL Server/U_SQL_Server_2012_Instance_STIG_V1R17_Manual-xccdf.log b/source/StigData/Archive/SQL Server/U_MS_SQL_Server_Instance_2012_V1R20_Manual-xccdf.log similarity index 100% rename from source/StigData/Archive/SQL Server/U_SQL_Server_2012_Instance_STIG_V1R17_Manual-xccdf.log rename to source/StigData/Archive/SQL Server/U_MS_SQL_Server_Instance_2012_V1R20_Manual-xccdf.log diff --git a/source/StigData/Archive/SQL Server/U_SQL_Server_2012_Instance_STIG_V1R17_Manual-xccdf.xml b/source/StigData/Archive/SQL Server/U_MS_SQL_Server_Instance_2012_V1R20_Manual-xccdf.xml similarity index 79% rename from source/StigData/Archive/SQL Server/U_SQL_Server_2012_Instance_STIG_V1R17_Manual-xccdf.xml rename to source/StigData/Archive/SQL Server/U_MS_SQL_Server_Instance_2012_V1R20_Manual-xccdf.xml index 6f5229e57..1cf62ec01 100644 --- a/source/StigData/Archive/SQL Server/U_SQL_Server_2012_Instance_STIG_V1R17_Manual-xccdf.xml +++ b/source/StigData/Archive/SQL Server/U_MS_SQL_Server_Instance_2012_V1R20_Manual-xccdf.xml 
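Review bot: The new `$Id` parameter is `Mandatory`, so any existing caller of Get-SqlTechnologyRole that passes only `-Path` now fails (or prompts interactively) instead of getting the previous file-name-only behaviour; only the Split-BenchmarkId call site is visible on this page, so other callers should be checked. A backward-compatible alternative is to make it optional (`[string] $Id = ''`) and skip the id-based fallback when it is empty. The new attribute is written `[Parameter(Mandatory = $true)]` while the `$Path` parameter directly below keeps `[Parameter(Mandatory=$true)]`; one spacing style should be used for the whole param block.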
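Review bot: The fallback `if ($sqlRole -match '\w\d{1,}\w\d{1,}')` works for the renamed archive file only because `U_MS_SQL_Server_Instance_2012_V1R20_Manual-xccdf.xml` has no `STIG` segment, so `IndexOf('STIG')` returns -1 and `$split[-2]` lands on the `V1R20` token through negative indexing; nothing says so, and a comment such as `# New-style names carry no STIG segment: IndexOf returns -1, so [-2] is the VxRy release token and the role must come from the id` belongs above the `if`. The pattern is also looser than it reads, since `\w` matches digits (a bare year like `2012` satisfies it) and `\d{1,}` is just `\d+`; `'^V\d+R\d+$'` would state the intent, assuming every archive name uses that release form. Inside the branch the result of `$null = $Id -match "(?<Type>Database|Instance)"` is discarded, so when neither word is present `$Matches['Type']` is null or stale and an empty role is returned; test the match and throw a descriptive error instead. As rendered the group name is missing (`(?Database|Instance)`), which looks like the page stripping `<Type>`, so confirm the committed file has it. The function's param block is in the previous hunk.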
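Review bot: The collapsed `$revision = (... -split "(Release:)(.*?)(Benchmark)")[2].trim()` in Get-StigVersionNumber still leaves the `[2]` index unexplained; it is correct only because `-split` with capturing groups includes the captured text in its result, so element 2 is the `(.*?)` capture between `Release:` and `Benchmark`. A comment such as `# -split returns capture groups, so [2] is the text between 'Release:' and 'Benchmark'` saves the next reader from re-deriving that. If the plain-text element lacks the phrase, element 2 is null and `.trim()` fails with a method-on-null error; that predates this change, but a null check that names the STIG would give a clearer failure. The function's param block starts before this hunk.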
@@ -1,16 +1,16 @@ -acceptedMicrosoft SQL Server 2012 Database Instance Security Technical Implementation GuideThe Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 17 Benchmark Date: 27 Apr 20181I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000268-DB-000164<GroupDescription></GroupDescription>SQL2-00-023000The system must activate an alarm and/or automatically shut SQL Server down if a failure is detected in its software components. <VulnDiscussion>Predictable failure prevention requires organizational planning to address system failure issues. If components key to maintaining system security fail to function, then SQL Server could continue operating in an unsecure state. The organization must be prepared, and the system must be configured, to send an alarm for such conditions and/or automatically shut SQL Server down. If appropriate actions are not taken when component failures occur, a denial of service condition may occur. Appropriate actions can include conducting a graceful application shutdown to avoid losing information. 
-For the purposes of this requirement, "component" may be interpreted as meaning any of the Windows services that comprise a SQL Server instance. "The system" encompasses SQL Server itself, the Windows operating system, and any monitoring/management tools used to control the server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-001328Configure the system to activate an alarm and/or trigger a SQL Server shutdown when a component failure is detected.Check the configuration of SQL Server, the operating system and any monitoring/management tools to verify the system activates an alarm and/or triggers a shutdown of SQL Server when a component failure is detected. +For the purposes of this requirement, "component" may be interpreted as meaning any of the Windows services that comprise a SQL Server instance. 
"The system" encompasses SQL Server itself, the Windows operating system, and any monitoring/management tools used to control the server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-001328Configure the system to activate an alarm and/or trigger a SQL Server shutdown when a component failure is detected.Check the configuration of SQL Server, the operating system and any monitoring/management tools to verify the system activates an alarm and/or triggers a shutdown of SQL Server when a component failure is detected. If system does not take either or both actions, this is a finding.SRG-APP-000265-DB-000161<GroupDescription></GroupDescription>SQL2-00-022700SQL Server must identify potential security-relevant error conditions.<VulnDiscussion>The structure and content of SQL Server error messages need to be carefully considered by the organization and development team. The extent to which the application is able to identify and handle error conditions is guided by organizational policy and operational requirements. Database logs can be monitored for specific security-related errors. Any error that can have a negative effect on database security should be quickly identified and forwarded to the appropriate personnel. 
If security-relevant error conditions are not identified by SQL Server they may be overlooked by the personnel responsible for addressing them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000366Monitor SQL Server log files to determine when a security-related error occurs. -Add/Update list of appropriate personnel that are to be alerted when a security related error condition occurs to system documentation. Consider an automated job for both the monitor and the alerting.Security-related errors must be identified and monitored. In most cases, these items would appear in the SQL Server log file. +Add/Update list of appropriate personnel that are to be alerted when a security related error condition occurs to system documentation. Consider an automated job for both the monitor and the alerting.Security-related errors must be identified and monitored. In most cases, these items would appear in the SQL Server log file. -If security-related error conditions are not being monitored to meet this requirement, this is a finding.SRG-APP-000264-DB-000136<GroupDescription></GroupDescription>SQL2-00-022600SQL Server must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission.<VulnDiscussion>Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS), VPN, or IPSEC tunnel. 
+If security-related error conditions are not being monitored to meet this requirement, this is a finding.SRG-APP-000264-DB-000136<GroupDescription></GroupDescription>SQL2-00-022600SQL Server must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission.<VulnDiscussion>Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS), VPN, or IPSEC tunnel. Information in transmission is particularly vulnerable to attack. If the DBMS does not employ cryptographic mechanisms preventing unauthorized disclosure of information during transit, the information may be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-002421Deploy organization-approved encryption to the SQL Server network connections. 
@@ -21,7 +21,7 @@ Where physical network devices are used for encryption, set them up such that: 3. The encryption keys utilized are current and valid keys. 4. The keys utilized meet approved organizationally defined compliant algorithms. -Where SQL Server network encryption is used, open SQL Server Configuration Manager. Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties. On the Flags tab, set Force Encryption to YES, provide a DoD certificate on the Certificate tab. If the DBMS exists in the unclassified environment, and data transmission does not cross the boundary between the NIPRNet and the wider Internet, and the application owner and authorizing official have determined that encryption is not required, this is not a finding. +Where SQL Server network encryption is used, open SQL Server Configuration Manager. Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties. On the Flags tab, set Force Encryption to YES, provide a DoD certificate on the Certificate tab. If the DBMS exists in the unclassified environment, and data transmission does not cross the boundary between the NIPRNet and the wider Internet, and the application owner and authorizing official have determined that encryption is not required, this is not a finding. Check SQL Server and network settings to determine whether cryptographic mechanisms are used to prevent the unauthorized disclosure of information during transmission. If not, this is a finding. 
@@ -46,11 +46,11 @@ If Force Encryption is set to "NO" or a DoD Certificate is not utilized, and phy If the primary SQL Server has a backup/secondary server that is dedicated 100% to the primary server's process, this is not a finding. If, however, the processing of the primary SQL Server is loaded to a secondary server that is already partly resourced to process something other than that of the primary SQL Server responsibility, then there can be load balancing issues. -Load balancing for the purpose of sharing a secondary/backup SQL Server is often done to share and save on resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-002394Allocate replacement server(s) to provide failover support to the Primary SQL Server. +Load balancing for the purpose of sharing a secondary/backup SQL Server is often done to share and save on resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-002394Allocate replacement server(s) to provide failover support to the Primary SQL Server. 
-If a single solution cannot be employed, split the processing of a secondary SQL Server amongst two or more secondary servers.If Database Availability Groups are not being used, this is not applicable (NA). +If a single solution cannot be employed, split the processing of a secondary SQL Server amongst two or more secondary servers.If Database Availability Groups are not being used, this is not applicable (NA). -Check the system documentation and check with the administrator regarding processing resources of the backup/secondary SQL Server. +Check the system documentation and check with the administrator regarding processing resources of the backup/secondary SQL Server. If the primary SQL Server has a backup/secondary server that is dedicated 100% to the primary server's processing, this is not a finding. 
@@ -62,33 +62,33 @@ SQL Server often runs queries for multiple users at the same time. If lower prio Even if SQL Server's utilization is very small and there may seem to be no need to priority protection, often resources grow exponentially and must be implemented as part of an initial deployment.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-002394SQL Server utilizes the "Resource Governor" to determine who is allowed high processing resources. There are several configurations regarding the "Resource Governor" that mostly comes down to users or groups of users having a "MAX_CPU_PERCENT", "MIN_CPU_PERCENT", "MIN_MEMORY_PERCENT", and/or "MAX_MEMORY_PERCENT" settings. -Users are assigned to Workgroups and the Workgroups are configured processing resources via the "Resource Governor".Review system documentation and determine if one type or more of SQL Server users has a business need for priority usage over other types of users. The need for prioritization most frequently occurs when SQL Server resources are shared between two or more applications or systems where the number of users on more than one system is small or non-existent. This needs to be the case, because SQL Server limits resource based on user accounts and not what process is running. +Users are assigned to Workgroups and the Workgroups are configured processing resources via the "Resource Governor".Review system documentation and determine if one type or more of SQL Server users has a business need for priority usage over other types of users. 
The need for prioritization most frequently occurs when SQL Server resources are shared between two or more applications or systems where the number of users on more than one system is small or non-existent. This needs to be the case, because SQL Server limits resource based on user accounts and not what process is running. If SQL Server has users that are determined to run significantly high priority processes than other users and the SQL Server "Resource Governor" is not being implemented, this is a finding.SRG-APP-000233-DB-000124<GroupDescription></GroupDescription>SQL2-00-021500SQL Server must isolate security functions from nonsecurity functions by means of separate security domains.<VulnDiscussion>Security functions are defined as "the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based". Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. -Database Management Systems typically separate security functionality from nonsecurity functionality via separate databases or schemas. Database objects or code implementing security functionality should not be commingled with objects or code implementing application logic. 
When security and nonsecurity functionality is commingled, users who have access to nonsecurity functionality may be able to access security functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-001084Locate security-related database objects and code in a separate database, schema, or other separate security domain from database objects and code implementing application logic.Determine elements of security functionality (lists of permissions, additional authentication information, stored procedures, application specific auditing, etc.) which are being housed inside SQL server. +Database Management Systems typically separate security functionality from nonsecurity functionality via separate databases or schemas. Database objects or code implementing security functionality should not be commingled with objects or code implementing application logic. 
When security and nonsecurity functionality is commingled, users who have access to nonsecurity functionality may be able to access security functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-001084Locate security-related database objects and code in a separate database, schema, or other separate security domain from database objects and code implementing application logic.Determine elements of security functionality (lists of permissions, additional authentication information, stored procedures, application specific auditing, etc.) which are being housed inside SQL server. For any elements found, check SQL Server to determine if these objects or code implementing security functionality are located in a separate security domain, such as a separate database or schema created specifically for security functionality. Run the following queryto list all the user-defined databases: -SELECT Name -FROM sys.databases -WHERE database_id > 4 +SELECT Name +FROM sys.databases +WHERE database_id > 4 ORDER BY 1; -If security-related database objects or code are not kept separate, this is a finding.SRG-APP-000203-DB-000146<GroupDescription></GroupDescription>SQL2-00-020400SQL Server must associate and maintain security labels when exchanging information between systems.<VulnDiscussion>When data is exchanged between information systems, the security attributes associated with said data need to be maintained. 
+If security-related database objects or code are not kept separate, this is a finding.SRG-APP-000203-DB-000146<GroupDescription></GroupDescription>SQL2-00-020400SQL Server must associate and maintain security labels when exchanging information between systems.<VulnDiscussion>When data is exchanged between information systems, the security attributes associated with said data need to be maintained. -Security attributes are an abstraction representing the basic properties or characteristics of an entity with respect to safeguarding information, typically associated with internal data structures (e.g., records, buffers, files) within the information system and used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. +Security attributes are an abstraction representing the basic properties or characteristics of an entity with respect to safeguarding information, typically associated with internal data structures (e.g., records, buffers, files) within the information system and used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. -Security attributes may be explicitly or implicitly associated with the information contained within the information system. +Security attributes may be explicitly or implicitly associated with the information contained within the information system. 
-If database security labels are not maintained as information moves between systems, handling instructions can be lost and data can be accidentally distributed to unauthorized individuals.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-001157Develop SQL code or acquire a third party tool to perform data labeling. SQL Server Label Security Toolkit can be downloaded from http://www.codeplex.com. This tool can satisfy all data labeling and security data labeling requirements.Review system documentation to determine if the labeling of sensitive data is required under organization-defined guidelines. +If database security labels are not maintained as information moves between systems, handling instructions can be lost and data can be accidentally distributed to unauthorized individuals.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-001157Develop SQL code or acquire a third party tool to perform data labeling. SQL Server Label Security Toolkit can be downloaded from http://www.codeplex.com. 
This tool can satisfy all data labeling and security data labeling requirements.Review system documentation to determine if the labeling of sensitive data is required under organization-defined guidelines. If the labeling of sensitive data is not required, this is NA. -Obtain system configuration setting to determine how data labeling is being performed. This can be through triggers or some other SQL developed means or via a third-party tool. Check to ensure that labels are being associated to data when information is being exchanged between systems. +Obtain system configuration setting to determine how data labeling is being performed. This can be through triggers or some other SQL developed means or via a third-party tool. Check to ensure that labels are being associated to data when information is being exchanged between systems. If the labeling is not being associated to data when exchanging data between systems, this is a finding.SRG-APP-000201-DB-000145<GroupDescription></GroupDescription>SQL2-00-020300SQL Server must protect the integrity of publicly available information and SQL Servers configuration from unauthorized Server Roles access.<VulnDiscussion>The purpose of this control is to ensure organizations explicitly address the protection needs for public information and applications, with such protection likely being implemented as part of other security controls. If SQL Server contains publicly available information, though not concerned with confidentiality, SQL Server must maintain the integrity of the data. If data available to the public is not protected from unauthorized modification or deletion, then the data cannot be trusted by those accessing it. 
@@ -96,7 +96,7 @@ The user account associated with public access must not have access to the OS or This requirement is not intended to prevent the establishment of public-facing systems for the purpose of collecting data from the public.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000366Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'user account'> >> Properties >> Server Roles. -Uncheck the 'Server Roles' that are checked and grant more than read-only access to the publicly available information.If SQL Server is not housing or distributing publicly available information, this finding is NA. +Uncheck the 'Server Roles' that are checked and grant more than read-only access to the publicly available information.If SQL Server is not housing or distributing publicly available information, this finding is NA. Obtain from the DBA or system documentation the list of publicly available data within SQL Server and the role names that assign read-only access to that public data. 
@@ -117,7 +117,7 @@ SQL Server access to any of the three system databases (master, model, or msdb) This requirement is not intended to prevent the establishment of public-facing systems for the purpose of collecting data from the public.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000366Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'user account'> >> Properties >> User Mapping >> highlight checked database. -Uncheck the 'Database role membership' that is checked and grants more than read-only access to the publicly available information.If SQL Server is not housing or distributing publicly available information, this finding is NA. +Uncheck the 'Database role membership' that is checked and grants more than read-only access to the publicly available information.If SQL Server is not housing or distributing publicly available information, this finding is NA. Obtain from the DBA or system documentation the list of publicly available data within SQL Server. 
@@ -145,7 +145,7 @@ Right click <'the group to modify' >> Properties >> 'Members:' Remove the publicly available user account from the group by clicking/highlighting the account and then clicking the 'Remove' button. -Revoke any update permissions for a guest being used in the context of a guest account.If SQL Server is not housing or distributing publicly available information, this finding is NA. +Revoke any update permissions for a guest being used in the context of a guest account.If SQL Server is not housing or distributing publicly available information, this finding is NA. If SQL Server supports an application collecting information from the public, this is NA. 
@@ -171,12 +171,12 @@ Likely the only 'Server roles' assignment for the publicly available user accoun This requirement is not intended to prevent the establishment of public-facing systems for the purpose of collecting data from the public.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000366Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'user account'> >> Properties >> Securables >> highlight 'Securable Name'. -Uncheck all 'Grant', 'With Grant', and 'Deny' for the highlighted 'Securable'.If SQL Server is not housing or distributing publicly available information, this finding is NA. +Uncheck all 'Grant', 'With Grant', and 'Deny' for the highlighted 'Securable'.If SQL Server is not housing or distributing publicly available information, this finding is NA. If SQL Server supports an application collecting information from the public, this is NA. Obtain from the DBA or system documentation the list of publicly available data within SQL Server. -Obtain the publicly available user account(s) being used to access SQL Server. +Obtain the publicly available user account(s) being used to access SQL Server. Determine if SQL Server is granting more than read access to the publicly available information through SQL Server 'Securables'. 
@@ -194,7 +194,7 @@ Developed using established NSA business processes and containing NSA approved a NSA-approved cryptography is required to be used for classified information system processing. -See FIPS Publication 140-2 and related documents for guidance on approved encryption techniques and certified encryption modules.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-002450Configure SQL Server to encrypt sensitive or classified data stored in each database. Use only NIST-certified or NSA-approved cryptography to provide encryption.If the system exists in the non-classified environment, this is NA. +See FIPS Publication 140-2 and related documents for guidance on approved encryption techniques and certified encryption modules.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-002450Configure SQL Server to encrypt sensitive or classified data stored in each database. Use only NIST-certified or NSA-approved cryptography to provide encryption.If the system exists in the non-classified environment, this is NA. For each database under the SQL Server instance, review the system documentation to determine whether the database holds classified or sensitive information. 
If it does not, this is not a finding. @@ -244,7 +244,7 @@ CREATE CERTIFICATE <certificate name> Run the following SQL script to create a symmetric key and assign an existing certificate: USE <database name> CREATE SYMMETRIC KEY <'key name'> - WITH ALGORITHM = AES_256 + WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE <certificate name> Assign the application object owner account as the owner of asymmetric and symmetric keys, and certificates. (Ownership is assigned via the AUTHORIZATION clause of the CREATE statement, or the ALTER AUTHORIZATION statement.) @@ -265,7 +265,7 @@ WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE <certificate name>; ALTER DATABASE <database name> SET ENCRYPTION ON; -Review system documentation to determine whether cryptography for classified or sensitive information is required by the information owner. +Review system documentation to determine whether cryptography for classified or sensitive information is required by the information owner. If the system documentation does not specify the type of information hosted on SQL Server: classified, sensitive and/or unclassified, this is a finding. 
@@ -302,17 +302,17 @@ Detailed information on the NIST Cryptographic Module Validation Program (CMVP) Non-organizational users shall be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access, such as accessing a web server. -This may be accomplished by a code embedded within the userid, or via a flag or code columns in a table of users, or by some other means. In any case, the user must be individually identified to, and within, SQL Server via a mapping to an individual account and not mapping to a shared account. +This may be accomplished by a code embedded within the userid, or via a flag or code columns in a table of users, or by some other means. In any case, the user must be individually identified to, and within, SQL Server via a mapping to an individual account and not mapping to a shared account. Accordingly, a risk assessment is used in determining the authentication needs of the organization. -Scalability, practicality, and security are simultaneously considered in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk to organizational operations, organizational assets, individuals, and other organizations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000804Configure SQL Server to uniquely identify and authenticate all non-organizational users who log onto the system. 
This likely would be done via a combination of the operating system with unique accounts and the SQL Server by ensuring mapping to individual accounts.Review documentation, SQL Server settings and authentication system settings to determine if non-organizational users are individually identified and authenticated when logging onto the system. +Scalability, practicality, and security are simultaneously considered in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk to organizational operations, organizational assets, individuals, and other organizations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000804Configure SQL Server to uniquely identify and authenticate all non-organizational users who log onto the system. This likely would be done via a combination of the operating system with unique accounts and the SQL Server by ensuring mapping to individual accounts.Review documentation, SQL Server settings and authentication system settings to determine if non-organizational users are individually identified and authenticated when logging onto the system. If non-organizational users are not uniquely identified and authenticated, this is a finding.SRG-APP-000171-DB-000074<GroupDescription></GroupDescription>SQL2-00-018600SQL Server must enforce password encryption for storage.<VulnDiscussion>SQL Server must enforce password encryption when storing passwords. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. 
If passwords are not encrypted, they can be plainly read and easily compromised. Passwords stored in clear text are vulnerable to unauthorized disclosure. Database passwords should always be encoded or encrypted when stored internally or externally to SQL Server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000196Develop, document, and maintain a list of SQL Server database objects, database configuration files, associated scripts, and applications defined within or external to SQL Server that access the database/user environment files/settings in the System Security Plan. -Record whether they do or do not contain SQL Server passwords. If passwords are present, ensure they are encrypted.Since Windows security is being leveraged, this check applies to database configuration files, associated scripts, and applications external to SQL Server that access the database. +Record whether they do or do not contain SQL Server passwords. If passwords are present, ensure they are encrypted.Since Windows security is being leveraged, this check applies to database configuration files, associated scripts, and applications external to SQL Server that access the database. Ask the DBA and/or IAO to determine if any SQL Server database objects, database configuration files, associated scripts, or applications defined as external to SQL Server that access the database/user environment files/settings contain database passwords. If any do, confirm that SQL Server passwords stored externally to the SQL Server are encoded or encrypted. 
If any passwords are stored in clear text, this is a finding.SRG-APP-000153-DB-000108<GroupDescription></GroupDescription>SQL2-00-018500SQL Server must ensure users are authenticated with an individual authenticator prior to using a shared authenticator.<VulnDiscussion>To ensure individual accountability and prevent unauthorized access, application users (and any processes acting on behalf of users) must be individually identified and authenticated. @@ -324,7 +324,7 @@ Legitimate use of shared accounts includes, for example, connection pooling. Si Build/configure applications to ensure successful individual authentication prior to shared account access. -Ensure each user's identity is received and used in audit data in all relevant circumstances.Review SQL Server users to determine whether shared accounts exist. +Ensure each user's identity is received and used in audit data in all relevant circumstances.Review SQL Server users to determine whether shared accounts exist. If accounts are determined to be shared, determine if individuals are first individually authenticated. If individuals are not individually authenticated before using the shared account (e.g., by the operating system or possibly by an application making calls to the database), this is a finding. 
@@ -336,7 +336,7 @@ Users (and any processes acting on behalf of users) are uniquely identified and Build/configure applications to ensure successful individual authentication prior to shared account access. -Ensure each user's identity is received and used in audit data in all relevant circumstances.Review SQL Server users to determine whether shared accounts exist. (This does not include when SQL Server has a guest or public account that is providing access to publicly available information.) +Ensure each user's identity is received and used in audit data in all relevant circumstances.Review SQL Server users to determine whether shared accounts exist. (This does not include when SQL Server has a guest or public account that is providing access to publicly available information.) If accounts are determined to be shared, determine if individuals are first individually authenticated. If individuals are not individually authenticated before using the shared account (e.g., by the operating system or possibly by an application making calls to the database), this is a finding. 
@@ -348,7 +348,7 @@ Backups shall be consistent with organization-defined recovery time and recovery SQL Server depends upon the availability and integrity of its software libraries. Without backups, compromise or loss of the software libraries can prevent a successful recovery of SQL Server operations. -A mixture of full and incremental server-level backups by a third-party tool that backs up those software library directories would satisfy this requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000537Ensure inclusion of all SQL Server software libraries into the backup process.Review evidence of inclusion of SQL Server software libraries in current backup records. +A mixture of full and incremental server-level backups by a third-party tool that backs up those software library directories would satisfy this requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000537Ensure inclusion of all SQL Server software libraries into the backup process.Review evidence of inclusion of SQL Server software libraries in current backup records. 
If the backup tool does not include SQL Server, this is a finding.SRG-APP-000146-DB-000099<GroupDescription></GroupDescription>SQL2-00-018200SQL Server backups of system-level information per organization-defined frequency must be performed that is consistent with recovery time and recovery point objectives.<VulnDiscussion>SQL Server backups are a critical step in maintaining data assurance and availability. System-level information includes: system-state information, operating system and application software, and licenses. 
@@ -357,7 +357,7 @@ Backups shall be consistent with organizationally defined recovery time and reco SQL Server depends upon the availability and integrity of its system-level information. Without backups, compromise or loss of system-level information can prevent a successful recovery of SQL Server operations. If SQL Server system-level information is not backed up regularly this risks the loss of SQL Server data in the event of a system failure. -A mixture of full and incrementally server level backups that backup the system-level information would satisfy this requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000537Deploy a backup solution to perform backups as per organizationally defined Backup Policy.Windows Server Backup, or a 3rd Party Backup Tool, can be utilized to perform this function. Determine how SQL Server is being backed up. If there is no scheduled backup or if organizationally defined backup policy and procedures does not exist, this is finding. 
+A mixture of full and incrementally server level backups that backup the system-level information would satisfy this requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000537Deploy a backup solution to perform backups as per organizationally defined Backup Policy.Windows Server Backup, or a 3rd Party Backup Tool, can be utilized to perform this function. Determine how SQL Server is being backed up. If there is no scheduled backup or if organizationally defined backup policy and procedures does not exist, this is finding. Check evidence of inclusion of system-level information into current backup records, if the organizationally defined backup policy, procedures, and backup configurations is not including system-level information backups, this is a finding.SRG-APP-000145-DB-000098<GroupDescription></GroupDescription>SQL2-00-018100SQL Server backup and restoration files must be protected from unauthorized access.<VulnDiscussion>SQL Server backups are a critical step in maintaining data assurance and availability. 
@@ -371,7 +371,7 @@ SQL Server can maintain local copies of critical control files to provide transp Backup files, both local to the SQL Server machine and not local to the machine, need the same protections against unauthorized access when stored on backup media as when online and actively in use by the database system. In addition, the backup media needs to be protected against physical loss.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000535Develop, document, and implement protection against unauthorized access of backup and restoration files. -Document personnel and the level of access authorized for each to the backup and restoration files in the system documentation.Obtain authorized access list for backup and restoration procedures from system documentation. +Document personnel and the level of access authorized for each to the backup and restoration files in the system documentation.Obtain authorized access list for backup and restoration procedures from system documentation. If documented procedures are insufficient to show or describe authorized personnel, this is a finding. 
@@ -391,7 +391,7 @@ Problems with backup procedures or backup media may not be discovered until afte Part of an overall backup and recovery methodology includes regular recovery testing. This is very important and helps to expose any issue in the recovery process (e.g., hardware, procedures, etc.).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000535Develop or update recovery procedures and add the new recovery procedures to the system documentation. -Plan for and test system recovery procedures and document the test.Review SQL Server's documented testing and recovery procedures that exist in the system documentation. +Plan for and test system recovery procedures and document the test.Review SQL Server's documented testing and recovery procedures that exist in the system documentation. If the testing or recovery procedures are not documented in the system documentation, this is a finding. 
@@ -405,7 +405,7 @@ User-level information is data generated by the information system and/or applic Applications performing backups must be configured to back up user-level information per the DoD-defined frequency. -SQL Server Database backups provide the required means to restore databases after compromise or loss. Backups help reduce the vulnerability to unauthorized access or hardware loss.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000535Develop, document, and implement database backup procedures.Review the database backup procedures and implementation evidence. +SQL Server Database backups provide the required means to restore databases after compromise or loss. Backups help reduce the vulnerability to unauthorized access or hardware loss.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000535Develop, document, and implement database backup procedures.Review the database backup procedures and implementation evidence. Evidence of implementation includes records of backup events and physical review of backup media. 
@@ -417,7 +417,7 @@ User-level information is data generated by information system and/or applicatio Applications performing backups must be capable of backing up user-level information per the DoD defined frequency. -Databases that do not backup information regularly risk the loss of that information in the event of a system failure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000535Deploy a backup solution to perform backups as per organizationally defined Backup Policy.Windows Server Backup, or a 3rd Party Backup Tool, can be utilized to perform this function. Determine how SQL Server is being backed up. If there is no scheduled backup or if organizationally defined backup policy and procedures does not exist, this is finding. +Databases that do not backup information regularly risk the loss of that information in the event of a system failure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000535Deploy a backup solution to perform backups as per organizationally defined Backup Policy.Windows Server Backup, or a 3rd Party Backup Tool, can be utilized to perform this function. Determine how SQL Server is being backed up. 
If there is no scheduled backup or if organizationally defined backup policy and procedures does not exist, this is finding. Check evidence of inclusion user-level information into current backup records, if the organizationally defined backup policy, procedures, and backup configurations is not including user-level information backups, this is a finding.SRG-APP-000144-DB-000101<GroupDescription></GroupDescription>SQL2-00-017500SQL Server must recover to a known state that is verifiable.<VulnDiscussion>Application recovery and reconstitution constitutes executing an information system contingency plan comprising activities that restore essential missions and business functions. @@ -443,7 +443,7 @@ To modify Initial Size (MB), click in the "Initial Size (MB)" field for the log To modify Autogrowth, click on the "Autogrowth/Maxsize" button for the log file in question, choose "In Percent" or "In Megabytes", enter value, and then click OK. -To modify Maximum File Size, click on the "Autogrowth/Maxsize" button for the log file in question, choose "Limited to (MB)", enter value, and then click OK. Do not select "Unlimited".Obtain the SQL Server recovery procedures and technical system features to determine if mechanisms exist and are in place to specify use of trusted files during SQL Server recovery. +To modify Maximum File Size, click on the "Autogrowth/Maxsize" button for the log file in question, choose "Limited to (MB)", enter value, and then click OK. Do not select "Unlimited".Obtain the SQL Server recovery procedures and technical system features to determine if mechanisms exist and are in place to specify use of trusted files during SQL Server recovery. If recovery procedures do not exist or are not sufficient to ensure recovery is done in a secure and verifiable manner, this is a finding. 
@@ -463,17 +463,17 @@ SELECT ''?'' AS ''database name'' WHERE type_desc = ''LOG'' AND state = 0; ' -; +; -If any transaction log files are not configured correctly for size, max_size, and growth to log sufficient transaction information, this is a finding.SRG-APP-000142-DB-000094<GroupDescription></GroupDescription>SQL2-00-017400SQL Server must support the organizational requirements to specifically prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). +If any transaction log files are not configured correctly for size, max_size, and growth to log sufficient transaction information, this is a finding.SRG-APP-000142-DB-000094<GroupDescription></GroupDescription>SQL2-00-017400SQL Server must support the organizational requirements to specifically prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). -Additionally, it is sometimes convenient to provide multiple services from a single component of an information system (e.g., email and web services) but doing so increases risk over limiting the services provided by any one component. +Additionally, it is sometimes convenient to provide multiple services from a single component of an information system (e.g., email and web services) but doing so increases risk over limiting the services provided by any one component. 
To support the requirements and principles of least functionality, the application must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. Database Management Systems using ports, protocols, and services deemed unsafe are open to attack through those ports, protocols, and services. This can allow unauthorized access to the database and, through the database, to other components of the information system. -For detailed guidance on Ports, Protocols, and Services Management (PPSM), refer to the PPSM section of the Information Assurance Support Environment (IASE) web site, at http://iase.disa.mil/ppsm/Pages/index.aspx.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000382Disable functions, ports, protocols, and services that are not approved or are not used, but are enabled.Review the SQL Server configuration and settings for functions, ports, protocols, and services that are not approved or are not used, but are available. 
+For detailed guidance on Ports, Protocols, and Services Management (PPSM), refer to the PPSM section of the Information Assurance Support Environment (IASE) web site, at http://iase.disa.mil/ppsm/Pages/index.aspx.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000382Disable functions, ports, protocols, and services that are not approved or are not used, but are enabled.Review the SQL Server configuration and settings for functions, ports, protocols, and services that are not approved or are not used, but are available. To determine the protocol(s) enabled for SQL Server, open SQL Server Configuration Manager. In the left-hand pane, expand SQL Server Network Configuration. Click on the entry for the SQL Server instance under review: "Protocols for <instance name>". The right-hand pane displays the protocols enabled for the instance. 
@@ -489,7 +489,7 @@ DROP FUNCTION <'function name'> To remove a Stored Procedure from SQL Server, run the following SQL Script: DROP PROCEDURE <'stored procedure name'> -If the user-defined Stored Procedures and Functions need to remain available, but access needs to be more restricted, then the user-defined Stored Procedures and Functions should be moved to a separate schema or database that has more restrictive access.Review the list of user-defined Stored Procedures and Functions by running the following SQL query: +If the user-defined Stored Procedures and Functions need to remain available, but access needs to be more restricted, then the user-defined Stored Procedures and Functions should be moved to a separate schema or database that has more restrictive access.Review the list of user-defined Stored Procedures and Functions by running the following SQL query: EXEC sp_MSforeachdb ' DECLARE @nCount integer; 
@@ -507,9 +507,9 @@ SELECT ''?'' AS ''Table Name'', * ' ; -If any user-defined Stored Procedures and Functions are unauthorized and therefore should be prohibited or restricted and are not, this is a finding.SRG-APP-000141-DB-000093<GroupDescription></GroupDescription>SQL2-00-017200Access to xp_cmdshell must be disabled.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). +If any user-defined Stored Procedures and Functions are unauthorized and therefore should be prohibited or restricted and are not, this is a finding.SRG-APP-000141-DB-000093<GroupDescription></GroupDescription>SQL2-00-017200Access to xp_cmdshell must be disabled.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). -It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software, demonstrations, or browser plug-ins not related to requirements; or providing a wide array of functionality not required for every mission, but which cannot be disabled. +It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software, demonstrations, or browser plug-ins not related to requirements; or providing a wide array of functionality not required for every mission, but which cannot be disabled. Applications must adhere to the principles of least functionality by providing only essential capabilities. 
@@ -526,7 +526,7 @@ EXEC sp_configure 'xp_cmdshell', 0 GO RECONFIGURE -GOTo determine if xp_cmdshell is enabled, execute the following commands: +GOTo determine if xp_cmdshell is enabled, execute the following commands: EXEC SP_CONFIGURE 'show advanced option', '1'; RECONFIGURE WITH OVERRIDE;
@@ -542,12 +542,12 @@ Some applications that run on SQL Server require the 'sa' account to be enabled USE master; GO -ALTER LOGIN [sa] DISABLE;Check SQL Server settings to determine if the 'sa' (sysadmin) account has been disabled by executing the following query: +ALTER LOGIN [sa] DISABLE;Check SQL Server settings to determine if the 'sa' (sysadmin) account has been disabled by executing the following query: USE MASTER GO -SELECT name, is_disabled -FROM sys.sql_logins +SELECT name, is_disabled +FROM sys.sql_logins WHERE principal_id = 1; Verify that the "name" column contains the current name of the sa database server account (see note). 
@@ -562,17 +562,17 @@ Applications must adhere to the principles of least functionality by providing o Unused and unnecessary SQL Server components increase the number of available attack vectors to SQL Server by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced. Components of the system that are unused and cannot be uninstalled must be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000381If any components or features of SQL Server are required for operation of applications that will be accessing SQL Server data or configuration, include them in the system documentation. -If any unused components or features of SQL Server are installed and cannot be uninstalled or removed, then disable those components or features.Review the components and features included in SQL Server and capable of being disabled (by configuration settings, permissions and privileges, etc.). Take note of those which are enabled. +If any unused components or features of SQL Server are installed and cannot be uninstalled or removed, then disable those components or features.Review the components and features included in SQL Server and capable of being disabled (by configuration settings, permissions and privileges, etc.). Take note of those which are enabled. Review the system documentation to verify that the enabled components or features are documented and authorized. 
If any enabled components or features are not authorized, this is a finding.SRG-APP-000141-DB-000091<GroupDescription></GroupDescription>SQL2-00-016800SQL Server must have the SQL Server Analysis Service (SSAS) software component removed from SQL Server if SSAS is unused.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). -It is detrimental for applications to provide or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software demonstrations or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission, yet cannot be disabled. +It is detrimental for applications to provide or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software demonstrations or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission, yet cannot be disabled. Applications must adhere to the principles of least functionality by providing only essential capabilities. Unused and unnecessary SQL Server components increase the number of available attack vectors to SQL Server by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced. 
-SQL Server must have the SQL Server Analysis Service (SSAS) software component removed from SQL Server if SSAS is unused.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000381Remove the SQL Server Analysis Service (SSAS) software component.If the SQL Server service "SQL Server Analysis Services (MSSQLSERVER)" is used and the service satisfies functional organizational requirement, this is not a finding. +SQL Server must have the SQL Server Analysis Service (SSAS) software component removed from SQL Server if SSAS is unused.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000381Remove the SQL Server Analysis Service (SSAS) software component.If the SQL Server service "SQL Server Analysis Services (MSSQLSERVER)" is used and the service satisfies functional organizational requirement, this is not a finding. If there is no functional organizational requirement for the "SQL Server Analysis Services (MSSQLSERVER)" service make sure that the service is not installed or is disabled. 
@@ -588,7 +588,7 @@ Applications must adhere to the principles of least functionality by providing o Unused and unnecessary SQL Server components increase the number of available attack vectors to SQL Server by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced. -SQL Server must have the SQL Server Integrated Services (SSIS) software component removed from SQL Server if SSIS is unused.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000381Remove the SQL Server Integrated Services (SSIS) software component.If the SQL Server service "SQL Server Integration Services 11.0" is used and the service satisfies functional organizational requirement, this is not a finding. 
+SQL Server must have the SQL Server Integrated Services (SSIS) software component removed from SQL Server if SSIS is unused.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000381Remove the SQL Server Integrated Services (SSIS) software component.If the SQL Server service "SQL Server Integration Services 11.0" is used and the service satisfies functional organizational requirement, this is not a finding. If there is no functional organizational requirement for the "SQL Server Integration Services 11.0" service make sure that the service is not installed or is disabled. 
@@ -604,7 +604,7 @@ Applications must adhere to the principles of least functionality by providing o Unused and unnecessary SQL Server components increase the number of available attack vectors to SQL Server by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced. -SQL Server must have the SQL Server Reporting Service (SSRS) software component removed from SQL Server if SSRS is unused.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000381Remove the SSRS from SQL Server.If there is no functional organizational requirement for the "SQL Server Reporting Services (MSSQLSERVER)" service, make sure that the service is not installed or that the service is disabled. +SQL Server must have the SQL Server Reporting Service (SSRS) software component removed from SQL Server if SSRS is unused.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000381Remove the SSRS from SQL Server.If there is no functional organizational requirement for the "SQL Server Reporting Services (MSSQLSERVER)" service, make sure that the service is not installed or that the service is disabled. 
If the SQL Server service "SQL Server Reporting Services (MSSQLSERVER)" is used and the service satisfies functional organizational requirement, this is not a finding. 
@@ -613,9 +613,9 @@ From command prompt, using an account with System Administrator Privilege, open If the "SQL Server Reporting Services (MSSQLSERVER)" service does not exist, this is not a finding. -If the "SQL Server Reporting Services (MSSQLSERVER)" status is "Started" or the "Startup Type" is not set to "Disabled", this is a finding.SRG-APP-000141-DB-000091<GroupDescription></GroupDescription>SQL2-00-016500SQL Server must have the SQL Server Data Tools (SSDT) software component removed from SQL Server if SSDT is unused.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). +If the "SQL Server Reporting Services (MSSQLSERVER)" status is "Started" or the "Startup Type" is not set to "Disabled", this is a finding.SRG-APP-000141-DB-000091<GroupDescription></GroupDescription>SQL2-00-016500SQL Server must have the SQL Server Data Tools (SSDT) software component removed from SQL Server if SSDT is unused.<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). -It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software, demonstrations, or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission, yet cannot be disabled. +It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. 
Examples include, but are not limited to, installing advertising software, demonstrations, or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission, yet cannot be disabled. Applications must adhere to the principles of least functionality by providing only essential capabilities.
@@ -629,7 +629,7 @@ If it is not required, using an account with System Administrator privileges, fr Navigate to Programs and Features. Remove the following entries in the 'Uninstall or change a program' window. Microsoft SQL Server Data Tools - Database Projects - Web installer entry point -Prerequisites for SSDTReview the list of components and features installed with the database. Using an account with System Administrator privileges, from Command Prompt, open control.exe. +Prerequisites for SSDTReview the list of components and features installed with the database. Using an account with System Administrator privileges, from Command Prompt, open control.exe. Navigate to Programs and Features. Check for the following entries in the 'Uninstall or change a program' window. 
@@ -644,7 +644,7 @@ Applications must adhere to the principles of least functionality by providing o Demonstration and sample database objects and applications present publicly known attack points for malicious users. These demonstration and sample objects are meant to provide simple examples of coding specific functions and are not developed to prevent vulnerabilities from being introduced to the SQL Server and the OS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000381Remove the publicly available "AdventureWorks" database from SQL Server by running the following query: -DROP DATABASE AdventureWorksCheck SQL Server for the existence of the publicly available "AdventureWorks" database by performing the following query: +DROP DATABASE AdventureWorksCheck SQL Server for the existence of the publicly available "AdventureWorks" database by performing the following query: SELECT name from sysdatabases where name like 'AdventureWorks%'; 
@@ -657,7 +657,7 @@ Applications must adhere to the principles of least functionality by providing o Demonstration and sample database objects and applications present publicly known attack points for malicious users. These demonstration and sample objects are meant to provide simple examples of coding specific functions and are not developed to prevent vulnerabilities from being introduced to the SQL Server and the OS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000381Remove the publicly available "Northwind" database from SQL Server by running the following query: -DROP DATABASE NorthwindCheck SQL Server for the existence of the publicly available "NorthWind" database by performing the following query: +DROP DATABASE NorthwindCheck SQL Server for the existence of the publicly available "NorthWind" database by performing the following query: SELECT name from sysdatabases where name like 'Northwind%'; 
@@ -716,9 +716,9 @@ Note 2: Tips for adding a service SID/virtual account to a folder's permission l 8) Click "OK" 9) Permission like a normal user from here -Note 3: In the interest of separation of responsibilities with least privilege, consider granting Full Control only to SQL Database Administrators (create a custom group for these) and providing the local Administrators group with Read access only. +Note 3: In the interest of separation of responsibilities with least privilege, consider granting Full Control only to SQL Database Administrators (create a custom group for these) and providing the local Administrators group with Read access only. -Note 4: Some files also require 'ALL APPLICATION PACKAGES (READ, EXECUTE)' permissions for certain functionality to work appropriately, and this is considered acceptable where those permissions are required. (All SQL Server files that require this access reside by default in the ..\Microsoft SQL Server\110\ directory.)Obtain the SQL Server software directory location: from a command prompt, open the registry editor by typing regedit.exe and pressing [ENTER]. Navigate to the following registry location: +Note 4: Some files also require 'ALL APPLICATION PACKAGES (READ, EXECUTE)' permissions for certain functionality to work appropriately, and this is considered acceptable where those permissions are required. (All SQL Server files that require this access reside by default in the ..\Microsoft SQL Server\110\ directory.)Obtain the SQL Server software directory location: from a command prompt, open the registry editor by typing regedit.exe and pressing [ENTER]. Navigate to the following registry location: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft 
@@ -799,16 +799,16 @@ Note 2: Tips for adding a service SID/virtual account to a folder's permission l 8) Click "OK" 9) Permission like a normal user from here -Note 3: In the interest of separation of responsibilities with least privilege, consider granting Full Control only to SQL Database Administrators (create a custom group for these) and providing the local Administrators group with Read access only. +Note 3: In the interest of separation of responsibilities with least privilege, consider granting Full Control only to SQL Database Administrators (create a custom group for these) and providing the local Administrators group with Read access only. Note 4: Some files also require 'ALL APPLICATION PACKAGES (READ, EXECUTE)' permissions for certain functionality to work appropriately, and this is considered acceptable where those permissions are required. (All SQL Server files that require this access reside by default in the ..\Microsoft SQL Server\110\ directory.) -SRG-APP-000133-DB-000205<GroupDescription></GroupDescription>SQL2-00-015700Vendor-supported software and patches must be evaluated and patched against newly found vulnerabilities.<VulnDiscussion>Security faults with software applications and operating systems are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. 
+SRG-APP-000133-DB-000205<GroupDescription></GroupDescription>SQL2-00-015700Vendor-supported software and patches must be evaluated and patched against newly found vulnerabilities.<VulnDiscussion>Security faults with software applications and operating systems are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Any time new software code is introduced to a system there is the potential for unintended consequences. There have been documented instances where the application of a patch has caused problems with system integrity or availability. Due to information system integrity and availability concerns, organizations must give careful consideration to the methodology used to carry out automatic updates. If SQL Server were no longer supported, no patches from Microsoft would address newly discovered security vulnerabilities. Unpatched software is vulnerable to attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-001499Upgrade SQL Server to the Microsoft-supported version. -Apply the latest SQL Server patches after evaluation of impact.Check Microsoft's list of supported SQL Server versions. 
To locate the correct web page, perform a web search for "Microsoft SQL Server end of support." +Apply the latest SQL Server patches after evaluation of impact.Check Microsoft's list of supported SQL Server versions. To locate the correct web page, perform a web search for "Microsoft SQL Server end of support." To be considered supported, Microsoft must report that the version is supported by security patches to known vulnerabilities. 
@@ -817,9 +817,13 @@ print @@version If the security patch support for SQL Server cannot be determined or SQL Server version is not shown as supported, this is a finding. -If SQL Server does not contain the latest security patches, this is a finding.SRG-APP-000133-DB-000199<GroupDescription></GroupDescription>SQL2-00-015500Database software directories, including SQL Server configuration files, must be stored in dedicated directories, separate from the host OS and other applications.<VulnDiscussion>When dealing with change control issues, it should be noted any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. +If SQL Server does not contain the latest security patches, this is a finding. + +SQL Server 2012 Service Pack 3 support end date: 10/9/2018 +SQL Server 2012 Enterprise Core mainstream support end date: 7/11/2018 +SQL Server 2012 Enterprise Core extended support end date: 7/12/2022SRG-APP-000133-DB-000199<GroupDescription></GroupDescription>SQL2-00-015500Database software directories, including SQL Server configuration files, must be stored in dedicated directories, separate from the host OS and other applications.<VulnDiscussion>When dealing with change control issues, it should be noted any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. -Multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit of one application can lead to an exploit of other applications sharing the same security context. For example, an exploit of a web server process that leads to unauthorized administrative access to host system directories can most likely lead to a compromise of all applications hosted by the same system. 
Database software not installed using dedicated directories both threatens and is threatened by other hosted applications. Access controls defined for one application may by default provide access to other applications’ database objects or directories. Any method that provides any level of separation of security context assists in the protection between applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-001499Separate database files (software, data) into dedicated directories.Verify the SQL Server installations present on the server. +Multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit of one application can lead to an exploit of other applications sharing the same security context. For example, an exploit of a web server process that leads to unauthorized administrative access to host system directories can most likely lead to a compromise of all applications hosted by the same system. Database software not installed using dedicated directories both threatens and is threatened by other hosted applications. Access controls defined for one application may by default provide access to other applications’ database objects or directories. 
Any method that provides any level of separation of security context assists in the protection between applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-001499Separate database files (software, data) into dedicated directories.Verify the SQL Server installations present on the server. From a Command Prompt, type regedit.exe, and press [ENTER]. 
@@ -829,15 +833,15 @@ Analysis Services Instances are registered in the OLAP subfolder. Reporting Services Instances are registered in the RS subfolder. Standard SQL Server Instances are registered in the SQL subfolder. -Inside each of these folders, a single key is used to reference an Instance's specific Windows Registry tree. Each key will have its own registry tree at the following registry location: +Inside each of these folders, a single key is used to reference an Instance's specific Windows Registry tree. Each key will have its own registry tree at the following registry location: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME]. -An [INSTANCE NAME] is listed as the Data component of a key found in one of the above OLAP, RS, or SQL folders. +An [INSTANCE NAME] is listed as the Data component of a key found in one of the above OLAP, RS, or SQL folders. To find the installation location of a particular instance, navigate to the following location in the Windows Registry: -HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME] >> Setup. +HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME] >> Setup. Examine the value of the 'SqlProgramDir' key. The value of the 'SqlProgramDir' key is the SQL Server installation directory for that SQL Server Instance. 
@@ -856,7 +860,7 @@ DBA and other privileged administrative or application owner accounts are grante Configure SQL Server & OS settings and access controls, to restrict user access to objects and data that the user is authorized to view or interact with. -Develop, document, and implement procedures to restrict use of the DBMS software installation account.Check system documentation for policy and procedures to restrict use of the SQL Server software installation account. +Develop, document, and implement procedures to restrict use of the DBMS software installation account.Check system documentation for policy and procedures to restrict use of the SQL Server software installation account. Check OS settings to determine whether users are restricted from accessing SQL Server objects and data they are not authorized to access by checking the local OS user accounts. 
@@ -875,7 +879,7 @@ Unmanaged changes that occur to the software libraries or configuration can lead Of particular note in this context is that any software installed for auditing and/or audit file management must be protected and monitored. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-001493CCI-001494CCI-001495CCI-002716CCI-002718Include locations of all files, libraries, scripts, and executables that are part of, or related to, the SQL Server 2012 installation in the documentation. -Deploy a security and data integrity tool for monitoring and alerting files and folders based on cryptographic hashes, to verify files/folder locations as listed in the documentation.If a security and data integrity tool is not used for monitoring and alerting files and folders based on cryptographic hashes, this is a finding. +Deploy a security and data integrity tool for monitoring and alerting files and folders based on cryptographic hashes, to verify files/folder locations as listed in the documentation.If a security and data integrity tool is not used for monitoring and alerting files and folders based on cryptographic hashes, this is a finding. 
If the tool does not verify files/folder locations as listed in the documentation, this is a finding.SRG-APP-000133-DB-000179<GroupDescription></GroupDescription>SQL2-00-015300SQL Server must monitor for security-relevant configuration settings to discover unauthorized changes.<VulnDiscussion>When dealing with change control issues, it should be noted, any changes to security-relevant configuration settings of SQL Server can potentially have significant effects on the overall security of the system. 
@@ -887,17 +891,17 @@ Unmanaged changes that occur to SQL Server software libraries or configuration c Document the specific users or types of security personnel that are able to monitor security-relevant configuration settings to discover unauthorized changes. -Deploy and implement a third-party tool or some other SQL Server method of monitoring security-relevant configuration settings to discover unauthorized changes.Verify within the system documentation that SQL Server is monitoring for security-relevant configuration settings to discover unauthorized changes. +Deploy and implement a third-party tool or some other SQL Server method of monitoring security-relevant configuration settings to discover unauthorized changes.Verify within the system documentation that SQL Server is monitoring for security-relevant configuration settings to discover unauthorized changes. -This can be done by a third-party tool or a SQL script that does baselining and then comparisons. +This can be done by a third-party tool or a SQL script that does baselining and then comparisons. -If the monitoring of security-relevant configuration settings to discover unauthorized changes is not implemented on SQL Server, this is a finding.SRG-APP-000130-DB-000088<GroupDescription></GroupDescription>SQL2-00-014700SQL Server must support the employment of automated mechanisms supporting the auditing of the enforcement actions.<VulnDiscussion>Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. 
+If the monitoring of security-relevant configuration settings to discover unauthorized changes is not implemented on SQL Server, this is a finding.SRG-APP-000130-DB-000088<GroupDescription></GroupDescription>SQL2-00-014700SQL Server must support the employment of automated mechanisms supporting the auditing of the enforcement actions.<VulnDiscussion>Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. -Accordingly, only qualified and authorized individuals are allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. +Accordingly, only qualified and authorized individuals are allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. -Access restrictions for change also include software libraries. +Access restrictions for change also include software libraries. -Examples of access restrictions include: physical access controls (such as locks and access cards), logical access controls (such as ACLs), automated auditing (logging) of logical access, workflow automation, media libraries, abstract layers (e.g., changes are implemented into a third-party interface rather than directly into the information system component), and change windows (e.g., changes occur only during specified times, making unauthorized changes outside the window easy to discover). 
+Examples of access restrictions include: physical access controls (such as locks and access cards), logical access controls (such as ACLs), automated auditing (logging) of logical access, workflow automation, media libraries, abstract layers (e.g., changes are implemented into a third-party interface rather than directly into the information system component), and change windows (e.g., changes occur only during specified times, making unauthorized changes outside the window easy to discover). This requirement focuses on the auditing aspect of the protections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-001814Navigate to Advanced Security Settings by selecting Properties > Security > Advanced > Auditing > Continue. @@ -908,7 +912,7 @@ Where "Everyone" is in the "Name" column, select that row and click on the Edit In the Auditing Entry dialog, set "Apply onto" to "This folder, subfolders and files". In the Auditing Entry dialog, select both the Successful and the Failed checkbox for each of the following access types, where not already selected: - Traverse folder/execute file + Traverse folder/execute file List folder/read data Read attributes Read extended attributes 
@@ -919,9 +923,9 @@ In the Auditing Entry dialog, select both the Successful and the Failed checkbox Delete Read permissions -Click OK, OK, OK, OK to save the new settings and exit the dialog boxes.Verify that Files and Folders that are part of the SQL Server 2012 Installation have auditing enabled. +Click OK, OK, OK, OK to save the new settings and exit the dialog boxes.Verify that Files and Folders that are part of the SQL Server 2012 Installation have auditing enabled. -Right click the root folder of the SQL Server installation. Typically, this is at <drive>:\Program Files\Microsoft SQL Server\. Select Properties. +Right click the root folder of the SQL Server installation. Typically, this is at <drive>:\Program Files\Microsoft SQL Server\. Select Properties. Click on the Security tab @@ -936,7 +940,7 @@ If "This folder, subfolders and files" is not listed in the "Apply To" column, t When "Everyone" ... " is listed, select the "Everyone" row and click on the Edit button. If either the Successful or Failed checkbox is not selected for any of the following access types, this is a finding: - Traverse folder/execute file + Traverse folder/execute file List folder/read data Read attributes Read extended attributes @@ -957,7 +961,7 @@ Multiple applications can provide a cumulative negative effect. A vulnerability Relocate any directories or reinstall other application software that currently shares the DBMS software library directory to separate directories. -Recommend dedicating a separate partition for the SQL software libraries.Obtain the SQL Server software library installation directory location. +Recommend dedicating a separate partition for the SQL software libraries.Obtain the SQL Server software library installation directory location. From a command prompt, type regedit.exe, and press [ENTER]. 
@@ -969,7 +973,7 @@ Standard SQL Server Instances are registered in the SQL subfolder. Inside each one of these folders, a single key is used to reference an instance's specific Windows Registry tree. Each key will have its own registry tree at the following registry location: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME]. -An [INSTANCE NAME] is listed as the data component of a key found in one of the above OLAP, RS, or SQL folders. +An [INSTANCE NAME] is listed as the data component of a key found in one of the above OLAP, RS, or SQL folders. To find the installation location of a particular instance, navigate to the following location in the Windows Registry: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME] >> Setup. Examine the value of the 'SqlProgramDir' key. The value of the 'SqlProgramDir' key is the SQL Server installation directory for that SQL Server Instance. 
@@ -989,13 +993,13 @@ Audit information includes all information (e.g., audit records, audit settings, Deletion of database audit data could mask the theft or unauthorized modification of sensitive data stored in the database.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000164Modify audit file permissions to meet the requirement to protect against unauthorized deletion. Navigate to audit folder location(s) using a command prompt or Windows Explorer. Right-click on the file, click Properties. -On the Security tab, modify the security permissions to: +On the Security tab, modify the security permissions to: Administrator(read) Users (none) Audit Administrator(Full Control) Auditors group (Read) -SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] -SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] +SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] +SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] ----- 
@@ -1017,8 +1021,8 @@ Note 2: Tips for adding a service SID/virtual account to a folder's permission 7.b.i) Type "NT SERVICE\SQL" and click "Check Names" 7.b.ii) Select the "SQLAgent$<instance name>" user and click OK 8) Click OK -9) Permission like a normal user from hereObtain the SQL Server audit file location(s) by running the following SQL script: -SELECT DISTINCT +9) Permission like a normal user from hereObtain the SQL Server audit file location(s) by running the following SQL script: +SELECT DISTINCT LEFT(path, (LEN(path) - CHARINDEX('\',REVERSE(path)) + 1)) AS "Audit Path" FROM sys.traces UNION @@ -1034,10 +1038,10 @@ Administrator(read) Users (none) Audit Administrator (Full Control) Auditors group (Read) -SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] +SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] -If any less restrictive permissions are present and not specifically justified and approved in the system security plan, this is a finding. +If any less restrictive permissions are present and not specifically justified and approved in the system security plan, this is a finding. If less restrictive permissions are present and specifically justified and approved in the system security plan, this is not a finding ----- 
@@ -1073,13 +1077,13 @@ Modification of database audit data could mask the theft or unauthorized modific Modify audit file permissions to meet the requirement to protect against unauthorized modification. -Navigate to audit folder location(s) using a command prompt or Windows Explorer. Right-click on the file, click Properties. On the Security tab, modify the security permissions to: +Navigate to audit folder location(s) using a command prompt or Windows Explorer. Right-click on the file, click Properties. On the Security tab, modify the security permissions to: Administrator(read) Users (none) Audit Administrator(Full Control) Auditors group (Read) -SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] -SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] +SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] +SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] ----- @@ -1101,8 +1105,8 @@ Note 2: Tips for adding a service SID/virtual account to a folder's permission 7.b.i) Type "NT SERVICE\SQL" and click "Check Names" 7.b.ii) Select the "SQLAgent$<instance name>" user and click OK 8) Click OK -9) Permission like a normal user from hereObtain the SQL Server audit file location(s) by running the following SQL script: -SELECT DISTINCT +9) Permission like a normal user from hereObtain the SQL Server audit file location(s) by running the following SQL script: +SELECT DISTINCT LEFT(path, (LEN(path) - CHARINDEX('\',REVERSE(path)) + 1)) AS "Audit Path" FROM sys.traces UNION 
@@ -1118,10 +1122,10 @@ Administrator(read) Users (none) Audit Administrator (Full Control) Auditors group (Read) -SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] +SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] -If any less restrictive permissions are present and not specifically justified and approved in the system security plan, this is a finding. +If any less restrictive permissions are present and not specifically justified and approved in the system security plan, this is a finding. If less restrictive permissions are present and specifically justified and approved in the system security plan, this is not a finding. @@ -1138,7 +1142,7 @@ Audit information includes all information (e.g., audit records, audit settings, Modify audit file permissions to meet the requirement to protect against unauthorized access. Navigate to audit folder location(s) using a command prompt or Windows Explorer. Right-click on the file, click Properties. -On the Security tab, modify the security permissions to: +On the Security tab, modify the security permissions to: Administrator(read) Users (none) Audit Administrator(Full Control) @@ -1167,8 +1171,8 @@ Note 2: Tips for adding a service SID/virtual account to a folder's permission 7.b.i) Type "NT SERVICE\SQL" and click "Check Names" 7.b.ii) Select the "SQLAgent$<instance name>" user and click OK 8) Click OK -9) Permission like a normal user from hereObtain the SQL Server audit file location(s) by running the following SQL script: -SELECT DISTINCT +9) Permission like a normal user from hereObtain the SQL Server audit file location(s) by running the following SQL script: +SELECT DISTINCT LEFT(path, (LEN(path) - CHARINDEX('\',REVERSE(path)) + 1)) AS "Audit Path" FROM sys.traces UNION 
@@ -1184,11 +1188,11 @@ Administrator(read) Users (none) Audit Administrator (Full Control) Auditors group (Read) -SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] +SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] -If any less restrictive permissions are present and not specifically justified and approved in the system security plan, this is a finding. +If any less restrictive permissions are present and not specifically justified and approved in the system security plan, this is a finding. If less restrictive permissions are present and specifically justified and approved in the system security plan, this is not a finding. @@ -1222,7 +1226,7 @@ Reducing the risk of audit compromises by privileged users can also be achieved, If an attacker were to gain access to audit tools, they could analyze audit logs for system weaknesses or weaknesses in the auditing itself. An attacker could also manipulate logs to hide evidence of malicious activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000366CCI-001351Modify audit file permissions to meet the requirement to protect against unauthorized access. Navigate to the audit folder location(s) using a command prompt or Windows Explorer. Right-click on the file, click Properties. -On the Security tab, modify the security permissions to: +On the Security tab, modify the security permissions to: Administrator(read) Users (none) Audit Administrator(Full Control) 
@@ -1250,8 +1254,8 @@ Note 2: Tips for adding a service SID/virtual account to a folder's permission 7.b.i) Type "NT SERVICE\SQL" and click "Check Names" 7.b.ii) Select the "SQLAgent$<instance name>" user and click OK 8) Click OK -9) Permission like a normal user from hereObtain the SQL Server audit file location(s) by running the following SQL script: -SELECT DISTINCT +9) Permission like a normal user from hereObtain the SQL Server audit file location(s) by running the following SQL script: +SELECT DISTINCT LEFT(path, (LEN(path) - CHARINDEX('\',REVERSE(path)) + 1)) AS "Audit Path" FROM sys.traces UNION 
@@ -1273,22 +1277,22 @@ If any less restrictive permissions are present (and not specifically justified Detection of suspicious activity, including access attempts and successful access from unexpected places, during unexpected times, or other unusual indicators, can support decisions to apply countermeasures to deter an attack. Without detection, malicious activity may proceed without hindrance. In SQL Server's case, this is a combination of the standard audit trace, as well as the operating system logs. Only the SQL Server logs are validated for this check, as the other part is dependent upon the operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000158Create a trace that meets all auditing requirements. -The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. +The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. -Determine the trace(s) being used for the auditing requirement. +Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. 
From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: - 14, 15, 18, 20, - 102, 103, 104, 105, 106, 107, 108, 109, 110, - 111, 112, 113, 115, 116, 117, 118, - 128, 129, 130, - 131, 132, 133, 134, 135, - 152, 153, + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. 
@@ -1296,9 +1300,9 @@ Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. -4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: - SELECT * FROM sys.trace_events; + SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.SRG-APP-000107-DB-000169<GroupDescription></GroupDescription>SQL2-00-012800SQL Server must shutdown immediately in the event of an audit failure, unless an alternative audit capability exists.<VulnDiscussion>It is critical that, when SQL Server is at risk of failing to process audit logs as required, it takes action to mitigate the failure. 
If the system were to continue processing without auditing enabled, actions could be taken on the system that could not be tracked and recorded for later forensic analysis. @@ -1310,7 +1314,7 @@ Note that trace file rollover does not count as an audit failure, provided that If a trace exists, but is not set to SHUTDOWN_ON_ERROR, modify the SQL Server audit setting to immediately shutdown the database in the event of an audit failure by setting property 1 to a value of 4 or 6 for the audit. -(See the SQL Server Help page for sys.sp_trace_create for implementation details.)From the query prompt: +(See the SQL Server Help page for sys.sp_trace_create for implementation details.)From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); @@ -1319,7 +1323,7 @@ All currently defined traces for the SQL Server instance will be listed. If no t Determine the trace being used for the auditing requirement. Replace # in the following code with a traceid being used for the auditing requirements. From the query prompt, determine whether the trace options include the value 4, which means SHUTDOWN_ON_ERROR: -SELECT CAST(value AS INT) +SELECT CAST(value AS INT) FROM sys.fn_trace_getinfo(#) where property = 1; 
@@ -1329,24 +1333,24 @@ If a value is returned but is not 4 or 6, this is a finding. NOTE: Microsoft has flagged the trace techniques and tools used in this STIG as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use and configured to satisfy this requirement, this is not a finding. The following code can be used to check Extended Events settings. -/********************************** +/********************************** Check to verify shutdown on failure is set. -The following settings are what should be returned: -name = <name of audit> -on_failure = 1 -on_failure_desc = SHUTDOWN SERVER INSTANCE -**********************************/ -SELECT name, on_failure, on_failure_desc -FROM sys.server_audits +The following settings are what should be returned: +name = <name of audit> +on_failure = 1 +on_failure_desc = SHUTDOWN SERVER INSTANCE +**********************************/ +SELECT name, on_failure, on_failure_desc +FROM sys.server_audits SRG-APP-000103-DB-000050<GroupDescription></GroupDescription>SQL2-00-012600SQL Server itself, or the logging or alerting mechanism the application utilizes, must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include: software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. If audit log capacity were to be exceeded, then events subsequently occurring will not be recorded. 
Organizations shall define a maximum allowable percentage of storage capacity serving as an alarming threshold (e.g., application has exceeded 80% of log storage capacity allocated) at which time the application or the logging mechanism the application utilizes will provide a warning to the appropriate personnel. A failure of database auditing will result in either the database continuing to function without auditing, or in a complete halt to database operations. When audit processing fails, appropriate personnel must be alerted immediately to avoid further downtime or unaudited transactions. This can be an alert provided by a log repository or the OS when a designated log directory is nearing capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-001855From File Server Resource Manager: Choose the From Server Selection, Select a server from the server pool, and select the server from the lower menu. Expand the File and Storage Services Role. Then Expand the File and iSCSI Services subtree. Select File Server Resource Manager. Click Add Features. Return to Add Roles and Features Wizard. Click Next. On the Features Tab, Click Next. Click Install to install and enable the FSRM.msc Microsoft Management Console Snap-in tool. -From a Command Prompt, open fsrm.msc. Enable File and Folder Quota Management. +From a Command Prompt, open fsrm.msc. Enable File and Folder Quota Management. Create Quotas for previously identified Audit storage locations based on organizationally defined requirements. 
-Right click the appropriate quota or quotas, and click Edit Quota Properties. From the Notification thresholds pane, create a Notification threshold for this Quota utilizing a generate email alert, or a generated Event Log entry.Since SQL Server does not support the monitoring of the available audit log file space, utilize Windows File Server Resource Manager or a third-party application to perform this activity. +Right click the appropriate quota or quotas, and click Edit Quota Properties. From the Notification thresholds pane, create a Notification threshold for this Quota utilizing a generate email alert, or a generated Event Log entry.Since SQL Server does not support the monitoring of the available audit log file space, utilize Windows File Server Resource Manager or a third-party application to perform this activity. From a Command Prompt, open fsrm.msc. If fsrm.msc is not installed, the File Server Resource Manager is not installed, File and Folder Quota Management is not enabled. If File Server Resource Manager or a third-party tool capable of sending alert notifications based on audit log store requirements is not installed, this is a finding. @@ -1356,7 +1360,7 @@ Expand Quota Management. Select Quotas. If Quotas have not been created for defined Audit Log storage locations that meet organizationally defined requirements, this is a finding. -In the center pane, select each quota to determine its Path, Limit, Type, and Description. +In the center pane, select each quota to determine its Path, Limit, Type, and Description. Right click the appropriate quota or quotas, and click Edit Quota Properties. Examine the Notification thresholds panel. If there are no Notification thresholds applied to this Quota, this is a finding. 
@@ -1368,25 +1372,25 @@ If SQL Server audit logs that are being generated exceed the amount of space res After the initial setup of SQL Server audit log configuration, it is best to check the available space frequently until the maximum number of files has been reached. Checking the available space can help determine the balance of online audit data with space required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-001849Configure the maximum number of audit log files that are to be generated, staying within the number of logs the system was sized to support. -Update the max_files parameter of the audits to ensure the correct number of files is defined.Check the SQL Server audit setting on the maximum number of files of the trace used for the auditing requirement. +Update the max_files parameter of the audits to ensure the correct number of files is defined.Check the SQL Server audit setting on the maximum number of files of the trace used for the auditing requirement. -Select * from sys.traces. Determine the audit being used to fulfill the overall auditing requirement. Examine the max_files and max_size parameters. SQL will overwrite the oldest files when the max_files parameter has been exceeded. Care must be taken to ensure that this does not happen, or data will be lost. +Select * from sys.traces. Determine the audit being used to fulfill the overall auditing requirement. Examine the max_files and max_size parameters. SQL will overwrite the oldest files when the max_files parameter has been exceeded. 
Care must be taken to ensure that this does not happen, or data will be lost. -The amount of space determined for logging by SQL Server is calculated by multiplying the maximum number of files by the maximum file size. +The amount of space determined for logging by SQL Server is calculated by multiplying the maximum number of files by the maximum file size. If auditing will outgrow the space reserved for logging before being overwritten, this is a finding.SRG-APP-000071-DB-000047<GroupDescription></GroupDescription>SQL2-00-010400SQL Server auditing configuration maximum file size must be configured to reduce the likelihood of storage capacity being exceeded, while meeting organization-defined auditing requirements.<VulnDiscussion>Configure SQL Server during the installation and/or configuration process to determine if adequate storage capacity has been allocated for audit logs. If SQL Server audit logs that are being generated exceed the amount of space reserved for those logs, the system may shutdown or take other measures to stop processing in order to protect transactions from continuing unlogged. -After the initial setup of SQL Server audit log configuration, it is best to check the available space until the maximum number of files has been reached. SQL will overwrite the oldest files when the max_files parameter has been exceeded. Care must be taken to ensure that this does not happen, or data will be lost. Therefore, the combination of max_size and max_files must be monitored to ensure that overwriting does not occur. 
This must also coincide with the backup process of off-loading the files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-001849Configure the maximum file size of each audit log file that is to be generated, staying within the file size the system was sized to support. Modify the audit in question to be placed on drives with adequate space or reconfigure to ensure the audit will not fill the space allocated.Check the SQL Server audit setting on the maximum file size of the trace used for the auditing requirement. +After the initial setup of SQL Server audit log configuration, it is best to check the available space until the maximum number of files has been reached. SQL will overwrite the oldest files when the max_files parameter has been exceeded. Care must be taken to ensure that this does not happen, or data will be lost. Therefore, the combination of max_size and max_files must be monitored to ensure that overwriting does not occur. 
This must also coincide with the backup process of off-loading the files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-001849Configure the maximum file size of each audit log file that is to be generated, staying within the file size the system was sized to support. Modify the audit in question to be placed on drives with adequate space or reconfigure to ensure the audit will not fill the space allocated.Check the SQL Server audit setting on the maximum file size of the trace used for the auditing requirement. -Select * from sys.traces. Determine the audit being used to fulfill the overall auditing requirement. Examine the max_files and max_size parameters. SQL will overwrite the oldest files when the max_files parameter has been exceeded. Care must be taken to ensure that this does not happen, or data will be lost. +Select * from sys.traces. Determine the audit being used to fulfill the overall auditing requirement. Examine the max_files and max_size parameters. SQL will overwrite the oldest files when the max_files parameter has been exceeded. Care must be taken to ensure that this does not happen, or data will be lost. -The amount of space determined for logging by SQL Server is calculated by multiplying the maximum number of files by the maximum file size. +The amount of space determined for logging by SQL Server is calculated by multiplying the maximum number of files by the maximum file size. 
If auditing will outgrow the space reserved for logging before being overwritten, this is a finding.SRG-APP-000072-DB-000046<GroupDescription></GroupDescription>SQL2-00-010600SQL Server must have allocated audit record storage capacity to meet the organization-defined requirements for saving audit record information.<VulnDiscussion>SQL Server does not have the ability to be cognizant of potential audit log storage capacity issues. During the installation and/or configuration process, SQL Server should detect and determine if adequate storage capacity has been allocated for audit logs. -During the installation process, a notification may be provided to the installer indicating, based on the auditing configuration chosen and the amount of storage space allocated for audit logs, the amount of storage capacity available is not sufficient to meet storage requirements. SQL Server is not able to send out notice based on adequate storage capacity allocated for the audit logs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-001849Use File Server Resource Manager (FSRM.msc) to enable File and Folder Quota Management and create quotas for identified Audit storage locations.From a Command Prompt, open fsrm.msc. +During the installation process, a notification may be provided to the installer indicating, based on the auditing configuration chosen and the amount of storage space allocated for audit logs, the amount of storage capacity available is not sufficient to meet storage requirements. 
SQL Server is not able to send out notice based on adequate storage capacity allocated for the audit logs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-001849Use File Server Resource Manager (FSRM.msc) to enable File and Folder Quota Management and create quotas for identified Audit storage locations.From a Command Prompt, open fsrm.msc. If fsrm.msc is not installed, the File Server Resource Manager is not installed; File and Folder Quota Management is not enabled. If File Server Resource Manager or a third-party tool capable of sending alert notifications based on audit log store requirements is not installed, this is a finding. If fsrm.msc is installed, expand File Server Resource Manager in the left pane. 
@@ -1398,22 +1402,22 @@ SQL Server does have a means available to add organizationally defined additiona Some organizations may determine that more detailed information is required for specific database event types. If this information is not available, it could negatively impact forensic investigations into user actions or other malicious events.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000135Create a trace that meets all auditing requirements. -The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. +The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. -Determine the trace(s) being used for the auditing requirement. +Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. 
From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: - 14, 15, 18, 20, - 102, 103, 104, 105, 106, 107, 108, 109, 110, - 111, 112, 113, 115, 116, 117, 118, - 128, 129, 130, - 131, 132, 133, 134, 135, - 152, 153, + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. 
@@ -1421,30 +1425,30 @@ Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. -4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: - SELECT * FROM sys.trace_events; + SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. -6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.SRG-APP-000100-DB-000201<GroupDescription></GroupDescription>SQL2-00-012300SQL Server must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.<VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. 
Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. +6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.SRG-APP-000100-DB-000201<GroupDescription></GroupDescription>SQL2-00-012300SQL Server must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.<VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. Database software is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly who performed a given action. 
If user identification information is not recorded and stored with the audit record, the record itself is of very limited use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-001487Create a trace that meets all auditing requirements. -The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. +The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. -Determine the trace(s) being used for the auditing requirement. +Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: - 14, 15, 18, 20, - 102, 103, 104, 105, 106, 107, 108, 109, 110, - 111, 112, 113, 115, 116, 117, 118, - 128, 129, 130, - 131, 132, 133, 134, 135, - 152, 153, + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. 
If any of the audit event IDs required above is not listed, this is a finding. 
@@ -1452,11 +1456,11 @@ Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. -4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: - SELECT * FROM sys.trace_events; + SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. -6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.SRG-APP-000099-DB-000043<GroupDescription></GroupDescription>SQL2-00-012200SQL Server must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.<VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. 
Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. +6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.SRG-APP-000099-DB-000043<GroupDescription></GroupDescription>SQL2-00-012200SQL Server must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.<VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know the outcome of attempted actions. This requires specific information regarding the outcome of the action or event that the audit record is referring to. If outcome status information is not recorded and stored with the audit record, the record itself is of very limited use. 
@@ -1464,22 +1468,22 @@ Success and failure indicators ascertain the outcome of a particular event. As s If auditing is enabled, SQL Server does capture the outcome status-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000134Create a trace that meets all auditing requirements. -The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. +The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. -Determine the trace(s) being used for the auditing requirement. +Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. 
From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: - 14, 15, 18, 20, - 102, 103, 104, 105, 106, 107, 108, 109, 110, - 111, 112, 113, 115, 116, 117, 118, - 128, 129, 130, - 131, 132, 133, 134, 135, - 152, 153, + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. 
@@ -1487,32 +1491,32 @@ Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. -4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: - SELECT * FROM sys.trace_events; + SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. -6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.SRG-APP-000098-DB-000042<GroupDescription></GroupDescription>SQL2-00-012100SQL Server must produce audit records containing sufficient information to establish the sources (origins) of the events.<VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. 
Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. +6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.SRG-APP-000098-DB-000042<GroupDescription></GroupDescription>SQL2-00-012100SQL Server must produce audit records containing sufficient information to establish the sources (origins) of the events.<VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly who performed what actions. This requires specific information regarding the source of the event an audit record is referring to. If the source of the event information is not recorded and stored with the audit record, the record itself is of very limited use. The source of the event can be a user account and sometimes a system account when timed jobs are run. Without information establishing the source of activity, the value of audit records from a forensics perspective is questionable. 
If auditing is enabled, SQL Server does capture the source of the event-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000133Create a trace that meets all auditing requirements. -The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. +The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. -Determine the trace(s) being used for the auditing requirement. +Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: - 14, 15, 18, 20, - 102, 103, 104, 105, 106, 107, 108, 109, 110, - 111, 112, 113, 115, 116, 117, 118, - 128, 129, 130, - 131, 132, 133, 134, 135, - 152, 153, + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. 
If any of the audit event IDs required above is not listed, this is a finding. 
@@ -1520,32 +1524,32 @@ Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. -4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: - SELECT * FROM sys.trace_events; + SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. -6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.SRG-APP-000097-DB-000041<GroupDescription></GroupDescription>SQL2-00-012000SQL Server must produce audit records containing sufficient information to establish where the events occurred.<VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. 
Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. +6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.SRG-APP-000097-DB-000041<GroupDescription></GroupDescription>SQL2-00-012000SQL Server must produce audit records containing sufficient information to establish where the events occurred.<VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly where actions were performed. This requires specific information regarding the event location an audit record is referring to. If event location information is not recorded and stored with the audit record, the record itself is of very limited use. An event location can be a database instance, table, column, row, etc. Without sufficient information establishing where the audit events occurred, investigation into the cause of events is severely hindered. 
If auditing is enabled, SQL Server does capture the event location-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000132Create a trace that meets all auditing requirements. -The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. +The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. -Determine the trace(s) being used for the auditing requirement. +Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: - 14, 15, 18, 20, - 102, 103, 104, 105, 106, 107, 108, 109, 110, - 111, 112, 113, 115, 116, 117, 118, - 128, 129, 130, - 131, 132, 133, 134, 135, - 152, 153, + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. 
If any of the audit event IDs required above is not listed, this is a finding. 
@@ -1553,32 +1557,32 @@ Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. -4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: - SELECT * FROM sys.trace_events; + SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. -6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.SRG-APP-000096-DB-000040<GroupDescription></GroupDescription>SQL2-00-011900SQL Server must produce audit records containing sufficient information to establish when (date and time) the events occurred.<VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. 
Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. +6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.SRG-APP-000096-DB-000040<GroupDescription></GroupDescription>SQL2-00-011900SQL Server must produce audit records containing sufficient information to establish when (date and time) the events occurred.<VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly when actions were performed. This requires specific information regarding the date and time an audit record is referring to. If date and time information is not recorded and stored with the audit record, the record itself is of very limited use. 
If auditing is enabled, SQL Server does capture the date and time-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000131Create a trace that meets all auditing requirements. -The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. +The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. -Determine the trace(s) being used for the auditing requirement. +Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: - 14, 15, 18, 20, - 102, 103, 104, 105, 106, 107, 108, 109, 110, - 111, 112, 113, 115, 116, 117, 118, - 128, 129, 130, - 131, 132, 133, 134, 135, - 152, 153, + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. 
If any of the audit event IDs required above is not listed, this is a finding. 
@@ -1586,32 +1590,32 @@ Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. -4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: - SELECT * FROM sys.trace_events; + SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. -6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.SRG-APP-000095-DB-000039<GroupDescription></GroupDescription>SQL2-00-011800SQL Server must produce audit records containing sufficient information to establish what type of events occurred.<VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. 
Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. +6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.SRG-APP-000095-DB-000039<GroupDescription></GroupDescription>SQL2-00-011800SQL Server must produce audit records containing sufficient information to establish what type of events occurred.<VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly what actions were performed. This requires specific information regarding the event type an audit record is referring to. If event type information is not recorded and stored with the audit record, the record itself is of very limited use. 
If auditing is enabled, SQL Server does capture the event type-specific information in all audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000130Create a trace that meets all auditing requirements. -The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. +The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. -Determine the trace(s) being used for the auditing requirement. +Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: - 14, 15, 18, 20, - 102, 103, 104, 105, 106, 107, 108, 109, 110, - 111, 112, 113, 115, 116, 117, 118, - 128, 129, 130, - 131, 132, 133, 134, 135, - 152, 153, + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. 
If any of the audit event IDs required above is not listed, this is a finding. 
@@ -1619,9 +1623,9 @@ Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. -4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: - SELECT * FROM sys.trace_events; + SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.SRG-APP-000080-DB-000063<GroupDescription></GroupDescription>SQL2-00-023700SQL Server must protect against an individual using a shared account from falsely denying having performed a particular action.<VulnDiscussion>Non-repudiation of actions taken is required in order to maintain application integrity. 
Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. 
@@ -1637,11 +1641,11 @@ Build/configure applications to ensure successful individual authentication prio Ensure each user's identity is received and used in audit data in all relevant circumstances. -Design, develop, and implement a method to log use of any account to which more than one person has access. Restrict interactive access to shared accounts to the fewest persons possible.Obtain the list of authorized SQL Server accounts in the system documentation. +Design, develop, and implement a method to log use of any account to which more than one person has access. Restrict interactive access to shared accounts to the fewest persons possible.Obtain the list of authorized SQL Server accounts in the system documentation. -If accounts are determined to be shared, determine if individuals are first individually authenticated. If individuals are not individually authenticated before using the shared account (e.g., by the operating system or possibly by an application making calls to the database), this is a finding. (The key is individual accountability. If this can be traced, this is not a finding.) +If accounts are determined to be shared, determine if individuals are first individually authenticated. If individuals are not individually authenticated before using the shared account (e.g., by the operating system or possibly by an application making calls to the database), this is a finding. (The key is individual accountability. If this can be traced, this is not a finding.) -If accounts are determined to be shared, determine if they are directly accessible to end users. If so, this is a finding. +If accounts are determined to be shared, determine if they are directly accessible to end users. If so, this is a finding. Review contents of audit logs, traces and data tables to confirm that the identity of the individual user performing the action is captured. If shared identifiers are found, and not accompanied by individual identifiers, this is a finding. 
@@ -1653,22 +1657,22 @@ Organizations may define the organizational personnel accountable for determinin Auditing provides accountability for changes made to the SQL Server configuration or its objects and data. It provides a means to discover suspicious activity and unauthorized changes. Without auditing, a compromise may go undetected and without a means to determine accountability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000172Create a trace that meets all auditing requirements. -The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. +The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. -Determine the trace(s) being used for the auditing requirement. +Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. 
From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: - 14, 15, 18, 20, - 102, 103, 104, 105, 106, 107, 108, 109, 110, - 111, 112, 113, 115, 116, 117, 118, - 128, 129, 130, - 131, 132, 133, 134, 135, - 152, 153, + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. 
@@ -1676,15 +1680,15 @@ Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. -4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: - SELECT * FROM sys.trace_events; + SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.SRG-APP-999999-DB-000209<GroupDescription></GroupDescription>SQL2-00-023600SQL Server must be configured to use Windows Integrated Security.<VulnDiscussion>SQL Server Authentication does not provide for many of the authentication requirements of the DoD. 
In some cases workarounds are present, but the authentication is not as robust and does not provide needed functionality. Without that functionality, SQL Server is vulnerable to authentication attacks. Consideration must be given to the placement of SQL server inside a forest to ensure evaluation of risk within the environment is considered. Risk includes introduction of risk to SQL Server from other applications or workstations as well as risk from introduction of SQL server itself into an established environment. There may be situations where SQL Server Authentication must remain enabled, because of constraints imposed by a third-party application. In such a case, document the constraint in the system security plan, and obtain signed approval.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000366From SQL Server Management Studio, right-click the server, and then click Properties. -Select the Security page. Under Server authentication, select Windows Authentication Mode, and then click OK.To determine the Server Authentication Mode, execute the following: +Select the Security page. Under Server authentication, select Windows Authentication Mode, and then click OK.To determine the Server Authentication Mode, execute the following: EXEC XP_LOGINCONFIG 'login mode' 
@@ -1694,7 +1698,7 @@ Since the SQL Server 'sa' is administrative in nature, the compromise of a defau Hit <F2> while the name is highlighted in order to edit the name. -Rename the 'sa' account.Verify the SQL Server default 'sa' account name has been changed. +Rename the 'sa' account.Verify the SQL Server default 'sa' account name has been changed. Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins. 
@@ -1704,14 +1708,14 @@ Use of privileged accounts for non-administrative purposes puts data at risk of The SQL Server installation account requires privileges not required for SQL Server administration or other functions. Use of accounts configured with excess privileges may result in the loss or compromise of data or system settings due to elevated privileges that bypass controls designed to protect them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000366Restrict usage of the SQL Server installation account to SQL Server installation, upgrade, and maintenance actions only. -Disable installation accounts when authorized actions are not being performed.Review system documentation to identify the installation account. Verify whether the account is used for anything beyond SQL Server software installation, upgrade, and maintenance actions. +Disable installation accounts when authorized actions are not being performed.Review system documentation to identify the installation account. Verify whether the account is used for anything beyond SQL Server software installation, upgrade, and maintenance actions. 
If the account is used for anything beyond SQL Server installation, upgrade, and maintenance actions, this is a finding.SRG-APP-000063-DB-000021<GroupDescription></GroupDescription>SQL2-00-010000DBA OS or domain accounts must be granted only those host system privileges necessary for the administration of SQL Server.<VulnDiscussion>SQL Server DBAs, if assigned excessive OS privileges, could perform actions that could endanger the information system or hide evidence of malicious activity. This requirement is intended to limit exposure due to operating from within a privileged account or role. The check and fix are based on the assumption that Role-Based Access Control (RBAC) is in effect, as mandated by other STIG requirements. They further assume that, as mandated elsewhere, the privileged accounts discussed here are distinct from the accounts used by the same people when not performing privileged functions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000366 Remove any unnecessary privileges and any unauthorized members from the Group(s) representing DBAs. -Remove any unnecessary Group memberships from the user accounts representing DBAs.From the system security documentation, obtain the list of SQL Server DBA accounts, the OS/domain Group(s) representing those DBAs' job role(s), and the OS permissions required by that/those role(s). 
+Remove any unnecessary Group memberships from the user accounts representing DBAs.From the system security documentation, obtain the list of SQL Server DBA accounts, the OS/domain Group(s) representing those DBAs' job role(s), and the OS permissions required by that/those role(s). To review local accounts and groups: 
@@ -1741,7 +1745,7 @@ To limit exposure when operating from within a privileged account or role, the a Use of privileged accounts for non-administrative purposes puts data at risk of unintended or unauthorized loss, modification, or exposure. In particular, DBA accounts, if used for non-administration application development or application maintenance, can lead to misassignment of privileges where privileges are inherited by object owners. It may also lead to loss or compromise of application data where the elevated privileges bypass controls designed in, and provided by, applications. -External applications called by SQL Server may be executed under OS or domain accounts with unnecessary privileges. This can lead to unauthorized access to OS resources and compromise of the OS, SQL Server, or any other services provided by the host platform.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000366Limit privileges to SQL Server-related OS and domain accounts to those required privileges needed to perform their SQL Server-specific functionality.Determine which OS or domain accounts are used by SQL Server to run external procedures. Validate that these accounts have only the privileges necessary to perform the required functionality. +External applications called by SQL Server may be executed under OS or domain accounts with unnecessary privileges. 
This can lead to unauthorized access to OS resources and compromise of the OS, SQL Server, or any other services provided by the host platform.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000366Limit privileges to SQL Server-related OS and domain accounts to those required privileges needed to perform their SQL Server-specific functionality.Determine which OS or domain accounts are used by SQL Server to run external procedures. Validate that these accounts have only the privileges necessary to perform the required functionality. If any OS or domain accounts utilized by SQL Server are running external procedures and have privileges beyond those required for running the external procedures, this is a finding.SRG-APP-000063-DB-000019<GroupDescription></GroupDescription>SQL2-00-009800SQL Server DBA roles must not be assigned excessive or unauthorized privileges.<VulnDiscussion>This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control policy, such as Role-Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. 
@@ -1761,7 +1765,7 @@ Remove 'Server Roles' permissions from DBAs and other administrative users that Navigate from 'Server Roles' to 'Users mapped to the login'. -Remove 'Users mapped to the login' permissions from DBAs and other administrative users that are beyond what is required.Obtain the list of all DBAs. +Remove 'Users mapped to the login' permissions from DBAs and other administrative users that are beyond what is required.Obtain the list of all DBAs. Obtain documented role assignments for each DBA. Obtain from system documentation or use SQL Server to determine privilege assignment of user-defined roles. 
@@ -1777,7 +1781,7 @@ Navigate from 'Server Roles' to 'Users mapped to the login'. If any checked 'Database role membership' of each highlighted and checked 'Database' are determined to be excessive privileges, this is a finding.SRG-APP-000063-DB-000018<GroupDescription></GroupDescription>SQL2-00-009700All use of privileged accounts must be audited.<VulnDiscussion>This is intended to limit exposure, by making it possible to trace any unauthorized access to other data or functionality by a privileged user account or role that has permissions on security functions or security-relevant information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000366Create a trace that meets all auditing requirements. -The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. +The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); 
@@ -1823,7 +1827,7 @@ USE master ALTER SERVER ROLE [<'server role name'>] DROP MEMBER <'user name'> GO -Provide administrators with separate accounts for administration and regular accounts for non-administrator activity.Obtain a list of SQL Server DBAs or other administrative accounts. Run the following SQL script to check all users’ permissions: +Provide administrators with separate accounts for administration and regular accounts for non-administrator activity.Obtain a list of SQL Server DBAs or other administrative accounts. Run the following SQL script to check all users’ permissions: SELECT SP1.[name] AS 'Login', 'Role: ' + SP2.[name] COLLATE DATABASE_DEFAULT AS 'ServerPermission' FROM sys.server_principals SP1 
@@ -1844,7 +1848,7 @@ If any DBA or administrator has authorization for non- administrative access to To aid in tracking and administering such permissions, individual logins must not be directly granted permissions or built-in server roles. Instead, user-defined server roles must be created, with the permissions and built-in server roles granted to them; the individual logins must be assigned to the appropriate user-defined server roles. -The built-in server role "sysadmin" is a partial exception. This cannot be granted to a user-defined role, only to a login account. Most (not necessarily all) database administrators will need to be members of sysadmin. Without this, most DBCC commands and the system stored procedures/functions listed below are unavailable. The users who require such access must be documented and approved. +The built-in server role "sysadmin" is a partial exception. This cannot be granted to a user-defined role, only to a login account. Most (not necessarily all) database administrators will need to be members of sysadmin. Without this, most DBCC commands and the system stored procedures/functions listed below are unavailable. The users who require such access must be documented and approved. In addition, if the site uses backup-restore software that connects to SQL Server via the Virtual Device Interface (VDI), the account used by that software must have the sysadmin role. (See Microsoft Knowledge Base article 2926557, http://support.microsoft.com/kb/2926557). If this applies, it must be documented and approved. 
@@ -2036,7 +2040,7 @@ Remove Server Roles permissions from user account. Navigate from Server Roles to Users Mapping. -Remove direct permissions on db_accessadmin, db_backupoperator, db_datareader, db_datawriter, db_ddladmin, db_denydatareader, db_denydatawriter, db_owner, and db_securityadmin from user account.Use SQL Server and system documentation to determine privilege assignment of user-defined roles. +Remove direct permissions on db_accessadmin, db_backupoperator, db_datareader, db_datawriter, db_ddladmin, db_denydatareader, db_denydatawriter, db_owner, and db_securityadmin from user account.Use SQL Server and system documentation to determine privilege assignment of user-defined roles. Determine which user-defined roles grant privileges to system tables and configuration data stored in SQL Server. 
@@ -2072,7 +2076,7 @@ db_denydatawriter db_owner db_securityadminSRG-APP-000062-DB-000012<GroupDescription></GroupDescription>SQL2-00-009100A single SQL Server database connection configuration file (or a single set of credentials) must not be used to configure all database clients.<VulnDiscussion>Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of information systems. -Many sites distribute a single SQL Server connection configuration file to all site database users that contains network access information for all databases on the site. Such a file provides information to access SQL Server databases not required by all users that may assist in unauthorized access attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000366CCI-002220Implement procedures to supply SQL Server database connection information to only those databases authorized for the user.Check procedures for providing SQL Server database connection information to users/applications. 
If procedures do not indicate or implement restrictions to connections required by the particular user/application which indicate process of least privilege and specific authorization was employed, this is a finding.SRG-APP-000062-DB-000011<GroupDescription></GroupDescription>SQL2-00-009000SQL Server must restrict access to sensitive information to authorized user roles.<VulnDiscussion>Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of information systems. +Many sites distribute a single SQL Server connection configuration file to all site database users that contains network access information for all databases on the site. 
Such a file provides information to access SQL Server databases not required by all users that may assist in unauthorized access attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000366CCI-002220Implement procedures to supply SQL Server database connection information to only those databases authorized for the user.Check procedures for providing SQL Server database connection information to users/applications. If procedures do not indicate or implement restrictions to connections required by the particular user/application which indicate process of least privilege and specific authorization was employed, this is a finding.SRG-APP-000062-DB-000011<GroupDescription></GroupDescription>SQL2-00-009000SQL Server must restrict access to sensitive information to authorized user roles.<VulnDiscussion>Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of information systems. 
Unauthorized access to sensitive data may compromise the confidentiality of personnel privacy, threaten national security or compromise a variety of other sensitive operations. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000366CCI-002220Add the user-defined server role to the system documentation. @@ -2088,7 +2092,7 @@ REVOKE <'server role name'> TO [<'server role name'>] Rename the user-defined role by running the following script: USE master -ALTER SERVER ROLE [<'old role name'>] WITH NAME = [<'new role name'>]Obtain the list of available user-defined server roles from system documentation. +ALTER SERVER ROLE [<'old role name'>] WITH NAME = [<'new role name'>]Obtain the list of available user-defined server roles from system documentation. Obtain the list of available user-defined server roles from the SQL Server system by running the following script: /********************************************************************************** 
@@ -2139,24 +2143,24 @@ Navigate to SQL Server Management Studio >> Object Explorer >> <' If any user-defined role contains permissions that are inconsistent with separation sensitive information assignment, this is a finding. -If system access requires more than one level of sensitive information access and the user-defined role names do not clearly differentiate between the different levels of sensitive information, this is a finding.SRG-APP-000062-DB-000010<GroupDescription></GroupDescription>SQL2-00-008900SQL Server processes or services must run under custom, dedicated OS or domain accounts.<VulnDiscussion>Separation of duties is a prevalent Information Technology control that is implemented at different layers of the information system, including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires that the person accountable for approving an action is not the same person who is tasked with implementing or carrying out that action. +If system access requires more than one level of sensitive information access and the user-defined role names do not clearly differentiate between the different levels of sensitive information, this is a finding.SRG-APP-000062-DB-000010<GroupDescription></GroupDescription>SQL2-00-008900SQL Server processes or services must run under custom, dedicated OS or domain accounts.<VulnDiscussion>Separation of duties is a prevalent Information Technology control that is implemented at different layers of the information system, including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires that the person accountable for approving an action is not the same person who is tasked with implementing or carrying out that action. -The concept of separation of duties extends to processes. 
The DBMS must run under a custom, dedicated OS or domain account. When the DBMS is running under a shared account, users with access to that account could inadvertently or maliciously make changes to the DBMS’s settings, files, or permissions. Similarly, related services must run under dedicated accounts where this is possible. The SQL Server Browser and Writer services are exceptions: see http://msdn.microsoft.com/en-us/library/hh510203(v=sql.110).aspx and http://msdn.microsoft.com/en-us/library/ms175536(v=sql.110).aspx.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000366CCI-002220Configure the SQL Server services to use a custom, dedicated OS or domain account.Check OS settings to determine whether SQL Server processes are running under a dedicated OS or domain account. If the SQL Server processes are running under shared accounts, this is a finding. +The concept of separation of duties extends to processes. The DBMS must run under a custom, dedicated OS or domain account. When the DBMS is running under a shared account, users with access to that account could inadvertently or maliciously make changes to the DBMS’s settings, files, or permissions. Similarly, related services must run under dedicated accounts where this is possible. 
The SQL Server Browser and Writer services are exceptions: see http://msdn.microsoft.com/en-us/library/hh510203(v=sql.110).aspx and http://msdn.microsoft.com/en-us/library/ms175536(v=sql.110).aspx.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000366CCI-002220Configure the SQL Server services to use a custom, dedicated OS or domain account.Check OS settings to determine whether SQL Server processes are running under a dedicated OS or domain account. If the SQL Server processes are running under shared accounts, this is a finding. From a Command Prompt, type services.msc, and press [ENTER]. Scroll down to the SQL Server Services. SQL Server Services begin with SQL. 
The following services, when present, should be listed as follows: -Service Name: Log On As: -SQL Full-text Filter Daemon Launcher: NT Service\UNIQUE CUSTOM ACCOUNT -SQL Server [stand-alone]: NT Service\UNIQUE CUSTOM ACCOUNT -SQL Server [cluster]: <domain>\<CustomServiceAccount> -SQL Server Agent: NT Service\UNIQUE CUSTOM ACCOUNT -SQL Server Analysis Services: NT Service\UNIQUE CUSTOM ACCOUNT -SQL Server Browser: Local Service -SQL Server Distributed Replay Client: NT Service\UNIQUE CUSTOM ACCOUNT -SQL Server Distributed Replay Controller: NT Service\UNIQUE CUSTOM ACCOUNT -SQL Server Integration Services 11.0: NT Service\UNIQUE CUSTOM ACCOUNT -SQL Server Reporting Services: NT Service\UNIQUE CUSTOM ACCOUNT -SQL Server VSS Writer: Local System +Service Name: Log On As: +SQL Full-text Filter Daemon Launcher: NT Service\UNIQUE CUSTOM ACCOUNT +SQL Server [stand-alone]: NT Service\UNIQUE CUSTOM ACCOUNT +SQL Server [cluster]: <domain>\<CustomServiceAccount> +SQL Server Agent: NT Service\UNIQUE CUSTOM ACCOUNT +SQL Server Analysis Services: NT Service\UNIQUE CUSTOM ACCOUNT +SQL Server Browser: Local Service +SQL Server Distributed Replay Client: NT Service\UNIQUE CUSTOM ACCOUNT +SQL Server Distributed Replay Controller: NT Service\UNIQUE CUSTOM ACCOUNT +SQL Server Integration Services 11.0: NT Service\UNIQUE CUSTOM ACCOUNT +SQL Server Reporting Services: NT Service\UNIQUE CUSTOM ACCOUNT +SQL Server VSS Writer: Local System UNIQUE CUSTOM ACCOUNT refers to an account with which no other service listed in the services.msc window is assigned. 
If any account requiring a unique custom account uses an account that any other service utilizes (regardless of service status), this is a finding.SRG-APP-000062-DB-000009<GroupDescription></GroupDescription>SQL2-00-008800SQL Server must enforce separation of duties through assigned information access authorizations.<VulnDiscussion>Separation of duties is a prevalent Information Technology control that is implemented at different layers of the information system, including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires that the person accountable for approving an action is not the same person who is tasked with implementing or carrying out that action. @@ -2172,7 +2176,7 @@ REVOKE <'server permission name'> TO <'account name'> CASCADE Remove server role permission from the user-defined server role by running the following script: USE master -REVOKE <'server role name'> TO [<'server role name'>]Check for direct user assignment to server permissions by running the following script: +REVOKE <'server role name'> TO [<'server role name'>]Check for direct user assignment to server permissions by running the following script: /********************************************************************************** LIST ALL DIRECT SERVER PERMISSIONS TO ANY ACCOUNT EXCEPT SYSTEM ADMINISTRATOR accounts. DO NOT LIST ROLES. 
@@ -2273,10 +2277,10 @@ The DBMS must ensure the recipient of server permissions possesses only the acce Correct each unapproved GRANT_WITH_GRANT_OPTION with REVOKE and GRANT statements of the form (replacing "ALTER ANY DATABASE" with the actual server permission at issue): REVOKE ALTER ANY DATABASE FROM SampleLoginOrServerRole CASCADE; -GRANT ALTER ANY DATABASE TO SampleServerRole; -- Note, no WITH GRANT OPTION clause here.Check for rights propagation assignment to DBMS server permissions by running the following query: +GRANT ALTER ANY DATABASE TO SampleServerRole; -- Note, no WITH GRANT OPTION clause here.Check for rights propagation assignment to DBMS server permissions by running the following query: USE master; -SELECT * +SELECT * FROM sys.server_permissions WHERE state_desc = 'GRANT_WITH_GRANT_OPTION'; @@ -2302,7 +2306,7 @@ ALTER SERVER ROLE [<'server role name'>] DROP MEMBER <'user name'> Add the user-defined role access to the user by running the following script: USE master -ALTER SERVER ROLE [<'server role name'>] ADD MEMBER <'user name'>Check for direct user assignment to server permissions by running the following script: +ALTER SERVER ROLE [<'server role name'>] ADD MEMBER <'user name'>Check for direct user assignment to server permissions by running the following script: /********************************************************************************** LIST ALL DIRECT SERVER PERMISSIONS TO ANY ACCOUNT EXCEPT SYSTEM ADMINISTRATOR accounts. DO NOT LIST ROLES. 
@@ -2403,20 +2407,20 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Unsafe assembly' permission access from the role that is not authorized by executing the following query: -REVOKE Unsafe assembly TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Unsafe assembly' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE Unsafe assembly TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Unsafe assembly' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Unsafe assembly' + what.permission_name = 'Unsafe assembly' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name 
@@ -2426,54 +2430,54 @@ GO If any role has 'Grant', 'With Grant' or 'Deny' privileges to the 'Unsafe assembly' permission and the role is not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any 
event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-008300SQL Server must not grant users direct access to the Alter any endpoint permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -2490,20 +2494,20 @@ USE master REVOKE ALTER ANY ENDPOINT TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'Alter any endpoint' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Alter any endpoint' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any endpoint' + what.permission_name = 'Alter any endpoint' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY 
@@ -2514,55 +2518,55 @@ GO If any user accounts have direct access to the 'Alter any endpoint' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-008200SQL Server must not grant users direct access to the Alter any database permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -2579,20 +2583,20 @@ USE master REVOKE ALTER ANY DATABASE TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'Alter any database' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Alter any database' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any database' + what.permission_name = 'Alter any database' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY 
@@ -2603,55 +2607,55 @@ GO If any user accounts have direct access to the 'Alter any database' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-008100SQL Server must not grant users direct access to the Alter Any Credential permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -2668,20 +2672,20 @@ USE master REVOKE ALTER ANY CREDENTIAL TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'Alter any credential' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Alter any credential' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any credential' + what.permission_name = 'Alter any credential' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY 
@@ -2692,55 +2696,55 @@ GO If any user accounts have direct access to the 'Alter any credential' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', 
+ 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-008000SQL Server must not grant users direct access to the Alter any connection permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -2757,20 +2761,20 @@ USE master REVOKE ALTER ANY CONNECTION TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'Alter any connection' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Alter any connection' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any connection' + what.permission_name = 'Alter any connection' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY 
@@ -2781,57 +2785,57 @@ GO If any user accounts have direct access to the 'Alter any connection' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', 
+ 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; -GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-007900SQL Server must not grant users direct access control to the Alter Any Availability Group permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. +GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-007900SQL Server must not grant users direct access control to the Alter Any Availability Group permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. 
@@ -2859,20 +2863,20 @@ GO -- For each user identified in the Check who needs this permission: USE master; ALTER SERVER ROLE <role name> ADD MEMBER <login name>; -GOObtain the list of accounts that have direct access to the server-level permission 'Alter any availability group' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Alter any availability group' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any availability group' + what.permission_name = 'Alter any availability group' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY 
@@ -2883,55 +2887,55 @@ GO If any user accounts have direct access to the 'Alter any availability group' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any 
login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-007800SQL Server must not grant users direct access to the Alter server state permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -2948,16 +2952,16 @@ USE master REVOKE ALTER SERVER STATE TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'Alter server state' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Alter server state' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -2972,55 +2976,55 @@ GO If any user accounts have direct access to the 'Alter server state' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-007600SQL Server must not grant users direct access to the Alter any event notification permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -3037,16 +3041,16 @@ USE master REVOKE ALTER ANY EVENT NOTIFICATION TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'Alter any event notification' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Alter any event notification' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -3061,55 +3065,55 @@ GO If any user accounts have direct access to the 'Alter any event notification' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any 
login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-007500SQL Server must enforce access control policies to restrict the View any database permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -3121,77 +3125,77 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the "View any database" permission access from the role that is not authorized by executing the following query: -REVOKE View any database TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'View any database' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE View any database TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'View any database' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'View any database' + what.permission_name = 'View any database' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 
'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-007400SQL Server must not grant users direct access to the Alter any server audit permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -3208,20 +3212,20 @@ USE master REVOKE ALTER ANY SERVER AUDIT TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'Alter any server audit' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Alter any server audit' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any server audit' + what.permission_name = 'Alter any server audit' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY 
@@ -3232,55 +3236,55 @@ GO If any user accounts have direct access to the 'Alter any server audit' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any 
login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-007300SQL Server must enforce access control policies to restrict the Shutdown permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -3293,16 +3297,16 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the' 'Shutdown' permission access from the role that is not authorized by executing the following query: -REVOKE Shutdown TO <'role name'>Obtain the list of roles that are authorized for the 'Shutdown' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE Shutdown TO <'role name'>Obtain the list of roles that are authorized for the 'Shutdown' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -3311,59 +3315,59 @@ AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 
'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-007200SQL Server must enforce access control policies to restrict the External access assembly permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -3376,77 +3380,77 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'External access assembly' permission access from the role that is not authorized by executing the following query: -REVOKE External access assembly TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'External access assembly' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE External access assembly TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'External access assembly' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'External access assembly' + what.permission_name = 'External access assembly' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate 
server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-007100SQL Server must enforce access control policies to restrict the Create trace event notification permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. 
Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -3459,16 +3463,16 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Create trace event notification' permission access from the role that is not authorized by executing the following query: -REVOKE Create trace event notification TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Create trace event notification' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE Create trace event notification TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Create trace event notification' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -3477,59 +3481,59 @@ AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 
'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-007000SQL Server must enforce access control policies to restrict the Create server role permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -3542,16 +3546,16 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Create server role' permission access from the role that is not authorized by executing the following query: -REVOKE Create server role TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Create server role' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE Create server role TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Create server role' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -3560,59 +3564,59 @@ AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 
'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-006900SQL Server must enforce access control policies to restrict the Create endpoint permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -3625,79 +3629,79 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Create endpoint' permission access from the role that is not authorized by executing the following query: -REVOKE Create endpoint TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Create endpoint' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. +REVOKE Create endpoint TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Create endpoint' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Create endpoint' + what.permission_name = 'Create endpoint' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control 
server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-006800SQL Server must enforce access control policies to restrict the Create DDL event notification permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -3710,77 +3714,77 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Create DDL event notification' permission access from the role that is not authorized by executing the following query: -REVOKE Create DDL event notification TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Create DDL event notification' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE Create DDL event notification TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Create DDL event notification' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Create DDL event notification' + what.permission_name = 'Create DDL event notification' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 
'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-006700SQL Server must enforce access control policies to restrict the Create availability group permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. 
Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -3793,77 +3797,77 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Create availability group' permission access from the role that is not authorized by executing the following query: -REVOKE Create availability group TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Create availability group' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE Create availability group TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Create availability group' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Create availability group' + what.permission_name = 'Create availability group' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate 
server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-006600SQL Server must enforce access control policies to restrict the Alter any server audit permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. 
Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -3876,25 +3880,25 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Alter any server audit' permission access from the role that is not authorized by executing the following query: -REVOKE Alter any server audit TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter any server audit' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE Alter any server audit TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter any server audit' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any server audit' + what.permission_name = 'Alter any server audit' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding.SRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-006500SQL Server must enforce access control policies to restrict the View any definition permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -3907,77 +3911,77 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'View any definition' permission access from the role that is not authorized by executing the following query: -REVOKE View any definition TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'View any definition' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE View any definition TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'View any definition' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'View any definition' + what.permission_name = 'View any definition' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 
'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-006400SQL Server must not grant users direct access to the Authenticate server permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -3991,16 +3995,16 @@ Note that this does not apply to logins with names of the form '##MS...##'. The USE master; REVOKE AUTHENTICATE SERVER FROM <account name>; -GOObtain the list of accounts that have direct access to the server-level permission 'Authenticate Server' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Authenticate Server' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -4015,55 +4019,55 @@ GO If any user accounts have direct access to the 'Authenticate Server' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-006300SQL Server must not grant users direct access to the Administer bulk operations permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -4080,16 +4084,16 @@ USE master REVOKE ADMINISTER BULK OPERATIONS TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'Administer bulk operations' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Administer bulk operations' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -4104,55 +4108,55 @@ GO If any user accounts have direct access to the 'Administer bulk operations' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any 
login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-006200SQL Server must not grant users direct access to the Create endpoint permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -4169,16 +4173,16 @@ USE master REVOKE CREATE ENDPOINT TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'Create endpoint' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Create endpoint' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -4193,55 +4197,55 @@ GO If any user accounts have direct access to the 'Create endpoint' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-006100SQL Server must not grant users direct access to the Create DDL event notification permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. @@ -4258,7 +4262,7 @@ USE master REVOKE CREATE DDL EVENT NOTIFICATION TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'Create DDL Event Notification' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Create DDL Event Notification' by running the following query: SELECT who.name AS [Principal Name], 
@@ -4271,7 +4275,7 @@ sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE -what.permission_name = 'Create DDL Event Notification' +what.permission_name = 'Create DDL Event Notification' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY 
@@ -4282,55 +4286,55 @@ GO If any user accounts have direct access to the 'Create DDL Event Notification' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any 
login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-006000SQL Server must not grant users direct access to the Create availability group permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -4348,16 +4352,16 @@ USE master REVOKE CREATE AVAILABILITY GROUP TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'Create availability group' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Create availability group' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -4372,55 +4376,55 @@ GO If any user accounts have direct access to the 'Create availability group' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any 
login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-005900SQL Server must not grant users direct access to the Create any database permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -4437,16 +4441,16 @@ USE master REVOKE CREATE ANY DATABASE TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'Create any database' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Create any database' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -4461,55 +4465,55 @@ GO If any user accounts have direct access to the 'Create any database' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-005800SQL Server must not grant users direct access to the Control server permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -4526,16 +4530,16 @@ USE master REVOKE CONTROL SERVER TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'Control server' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Control server' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -4550,55 +4554,55 @@ GO If any user accounts have direct access to the 'Control server' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-005700SQL Server must enforce access control policies to restrict the Administer bulk operations permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -4611,18 +4615,18 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Administer bulk operations' permission access from the role that is not authorized by executing the following query: -REVOKE Administer bulk operations TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Administer bulk operations' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. +REVOKE Administer bulk operations TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Administer bulk operations' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -4631,59 +4635,59 @@ AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 
'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-005600SQL Server must enforce access control policies to restrict the Alter resources permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -4696,77 +4700,77 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Alter resources' permission access from the role that is not authorized by executing the following query: -REVOKE Alter resources TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter resources' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE Alter resources TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter resources' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter resources' + what.permission_name = 'Alter resources' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control 
server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-005500SQL Server must not grant users direct access to the Alter any linked server permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -4783,16 +4787,16 @@ USE master REVOKE ALTER ANY LINKED SERVER TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'Alter any linked server' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Alter any linked server' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -4807,55 +4811,55 @@ GO If any user accounts have direct access to the 'Alter any linked server' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any 
login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-005300SQL Server must not grant users direct control to the Alter any event session permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -4872,16 +4876,16 @@ USE master REVOKE ALTER ANY EVENT SESSION TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'Alter any event session' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Alter any event session' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -4896,55 +4900,55 @@ GO If any user accounts have direct access to the 'Alter any event session' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any 
login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-005200SQL Server must not grant users direct access to the Alter trace permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -4961,16 +4965,16 @@ USE master REVOKE ALTER TRACE TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'Alter trace' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Alter trace' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -4985,55 +4989,55 @@ GO If any user accounts have direct access to the 'Alter trace' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter 
any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-005100SQL Server must not grant users direct access to the Alter Settings permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -5050,16 +5054,16 @@ USE master REVOKE ALTER SETTINGS TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'Alter Settings' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Alter Settings' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -5074,55 +5078,55 @@ GO If any user accounts have direct access to the 'Alter Settings' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-005000SQL Server must not grant users direct access to the Create trace event notification permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -5139,20 +5143,20 @@ USE master REVOKE CREATE TRACE EVENT NOTIFICATION TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'Create trace event notification' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Create trace event notification' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Create trace event notification' + what.permission_name = 'Create trace event notification' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY 
@@ -5163,55 +5167,55 @@ GO If any user accounts have direct access to the 'Create trace event notification' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter 
any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-004900SQL Server must not grant users direct access to the Alter resources permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -5228,16 +5232,16 @@ USE master REVOKE ALTER RESOURCES TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'Alter resources' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Alter resources' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -5252,55 +5256,55 @@ GO If any user accounts have direct access to the 'Alter resources' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-004800SQL Server must not grant users direct access to the External access assembly permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -5317,16 +5321,16 @@ USE master REVOKE EXTERNAL ACCESS ASSEMBLY TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'External access assembly' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'External access assembly' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -5341,55 +5345,55 @@ GO If any user accounts have direct access to the 'External access assembly' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any 
login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-004700SQL Server must not grant users direct access to the Alter any login permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -5406,16 +5410,16 @@ USE master REVOKE ALTER ANY LOGIN TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'Alter any login' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Alter any login' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -5430,55 +5434,55 @@ GO If any user accounts have direct access to the 'Alter any login' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-004600SQL Server must enforce access control policies to restrict the Alter any availability group permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -5491,77 +5495,77 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Alter any availability group' permission access from the role that is not authorized by executing the following query: -REVOKE Alter any availability group TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter any availability group' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE Alter any availability group TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter any availability group' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any availability group' + what.permission_name = 'Alter any availability group' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 
'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-004500SQL Server must enforce access control policies to restrict the Alter any login permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. 
Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -5574,77 +5578,77 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Alter any login' permission access from the role that is not authorized by executing the following query: -REVOKE Alter any login TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter any login' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE Alter any login TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter any login' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any login' + what.permission_name = 'Alter any login' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control 
server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-004300SQL Server must enforce access control policies to restrict the Alter any linked server permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -5657,77 +5661,77 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Alter any linked server' permission access from the role that is not authorized by executing the following query: -REVOKE Alter any linked server TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter any linked server' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE Alter any linked server TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter any linked server' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any linked server' + what.permission_name = 'Alter any linked server' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server 
', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-004200SQL Server must not grant users direct access control to the Shutdown permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -5744,20 +5748,20 @@ USE master REVOKE SHUTDOWN TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'Shutdown' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Shutdown' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Shutdown' + what.permission_name = 'Shutdown' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY 
@@ -5768,55 +5772,55 @@ GO If any user accounts have direct access to the 'Shutdown' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any 
server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-004100SQL Server must enforce access control policies to restrict the View server state permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -5829,77 +5833,77 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'View server state' permission access from the role that is not authorized by executing the following query: -REVOKE View server state TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'View server state' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE View server state TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'View server state' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'View server state' + what.permission_name = 'View server state' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 
'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-004000SQL Server must enforce access control policies to restrict the Alter trace permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -5912,77 +5916,77 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Alter trace' permission access from the role that is not authorized by executing the following query: -REVOKE Alter trace TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter trace' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE Alter trace TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter trace' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter trace' + what.permission_name = 'Alter trace' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 
'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-003900SQL Server must not grant users direct access to the Unsafe assembly permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -5999,16 +6003,16 @@ USE master REVOKE UNSAFE ASSEMBLY TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'Unsafe assembly' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Unsafe assembly' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -6023,55 +6027,55 @@ GO If any user accounts have direct access to the 'Unsafe assembly' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-003800SQL Server must enforce access control policies to restrict the Control server permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -6084,77 +6088,77 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Control server' permission access from the role that is not authorized by executing the following query: -REVOKE Control server TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Control server' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE Control server TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Control server' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Control server' + what.permission_name = 'Control server' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control 
server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-003700SQL Server must not grant users direct access to the Create server role permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -6171,16 +6175,16 @@ USE master REVOKE CREATE SERVER ROLE TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'Create server role' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Create server role' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -6195,55 +6199,55 @@ GO If any user accounts have direct access to the 'Create server role' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-003600SQL Server must enforce access control policies to restrict the Alter any server role permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -6256,16 +6260,16 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Alter any server role' permission access from the role that is not authorized by executing the following query: -REVOKE Alter any server role TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter any server role' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE Alter any server role TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter any server role' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -6274,59 +6278,59 @@ AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 
'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-003500SQL Server must enforce access control policies to restrict the Alter Settings permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -6339,77 +6343,77 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Alter Settings' permission access from the role that is not authorized by executing the following query: -REVOKE Alter Settings TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter Settings' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE Alter Settings TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter Settings' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter Settings' + what.permission_name = 'Alter Settings' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control 
server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-003400SQL Server must enforce access control policies to restrict the Authenticate server permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -6422,77 +6426,77 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Authenticate server' permission access from the role that is not authorized by executing the following query: -REVOKE Authenticate server TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Authenticate server' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE Authenticate server TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Authenticate server' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Authenticate server' + what.permission_name = 'Authenticate server' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 
'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-003300SQL Server must enforce access control policies to restrict the Create any database permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -6505,77 +6509,77 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Create any database' permission access from the role that is not authorized by executing the following query: -REVOKE Create any database TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Create any database' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE Create any database TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Create any database' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Create any database' + what.permission_name = 'Create any database' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 
'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-003200SQL Server must not grant users direct access to the View server state permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -6591,16 +6595,16 @@ Remove the 'View server state' permission access from an account that has direct USE master; REVOKE VIEW SERVER STATE TO <'account name'>; -GOObtain the list of accounts that have direct access to the server-level permission 'View server state' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'View server state' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -6615,55 +6619,55 @@ GO If any user account has direct access to the 'View server state' permission, and the need for this has not been documented and approved, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event 
session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-003100SQL Server must not grant users direct access to the Alter any server role permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -6680,16 +6684,16 @@ USE master REVOKE ALTER ANY SERVER ROLE TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'Alter any server role' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'Alter any server role' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -6704,55 +6708,55 @@ GO If any user accounts have direct access to the 'Alter any server role' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', 
+ 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-003000SQL Server must not grant users direct access to the View any definition permission.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -6769,16 +6773,16 @@ USE master REVOKE VIEW ANY DEFINITION TO <'account name'> -GOObtain the list of accounts that have direct access to the server-level permission 'View any definition' by running the following query: +GOObtain the list of accounts that have direct access to the server-level permission 'View any definition' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -6793,55 +6797,55 @@ GO If any user accounts have direct access to the 'View any definition' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GOSRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-002900SQL Server must enforce access control policies to restrict the Alter any connection permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -6854,25 +6858,25 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Alter any connection' permission access from the role that is not authorized by executing the following query: -REVOKE Alter any connection TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter any connection' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE Alter any connection TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter any connection' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any connection' + what.permission_name = 'Alter any connection' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding.SRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-002800SQL Server must enforce access control policies to restrict the Alter any credential permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -6885,25 +6889,25 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Alter any credential' permission access from the role that is not authorized by executing the following query: -REVOKE Alter any credential TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter any credential' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE Alter any credential TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter any credential' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any credential' + what.permission_name = 'Alter any credential' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding.SRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-002700SQL Server must enforce access control policies to restrict the Alter any database permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -6916,25 +6920,25 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Alter any database' permission access from the role that is not authorized by executing the following query: -REVOKE Alter any database TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter any database' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE Alter any database TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter any database' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any database' + what.permission_name = 'Alter any database' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding.SRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-002600SQL Server must enforce access control policies to restrict the Alter any endpoint permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -6947,25 +6951,25 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Alter any endpoint' permission access from the role that is not authorized by executing the following query: -REVOKE Alter any endpoint TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter any endpoint' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE Alter any endpoint TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter any endpoint' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any endpoint' + what.permission_name = 'Alter any endpoint' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding.SRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-002400SQL Server must enforce access control policies to restrict the Alter any event session permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -6978,25 +6982,25 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Alter any event session' permission access from the role that is not authorized by executing the following query: -REVOKE Alter any event session TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter any event session' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE Alter any event session TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter any event session' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any event session' + what.permission_name = 'Alter any event session' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding.SRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-002300SQL Server must enforce access control policies to restrict Alter server state permissions to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. 
@@ -7009,27 +7013,27 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Alter server state' permission access from the role that is not authorized by executing the following query: -REVOKE Alter server state TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter server state' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. +REVOKE Alter server state TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter server state' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter server state' + what.permission_name = 'Alter server state' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding.SRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-002200SQL Server must enforce non-DAC policies over users and resources where the policy rule set for each policy specifies access control information (i.e., position, nationality, age, project, time of day).<VulnDiscussion>Non-DAC controls are determined by policy makers and are managed centrally or by a central authority. These controls must not be changed at the discretion of ordinary application users. Data protection requirements may result in a non-DAC policy being specified as part of the application design. Non-DACs are employed at the application level to restrict and control access to application data, thereby providing increased information security for the organization. 
@@ -7045,7 +7049,7 @@ REVOKE <'server permission name'> TO <'account name'> CASCADE Remove the user from user-defined role access by running the following script: USE master -ALTER SERVER ROLE [<'server role name'>] DROP MEMBER <'user name'>Check for direct user assignment to server permissions by running the following script: +ALTER SERVER ROLE [<'server role name'>] DROP MEMBER <'user name'>Check for direct user assignment to server permissions by running the following script: /********************************************************************************** LIST ALL DIRECT SERVER PERMISSIONS TO ANY ACCOUNT EXCEPT SYSTEM ADMINISTRATOR ACCOUNTS. DO NOT LIST ROLES. 
@@ -7145,22 +7149,22 @@ Notification of account creation is one method and best practice for mitigating To address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-001684Create a trace that meets all auditing requirements. -The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. +The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. -Determine the trace(s) being used for the auditing requirement. +Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. 
From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: - 14, 15, 18, 20, - 102, 103, 104, 105, 106, 107, 108, 109, 110, - 111, 112, 113, 115, 116, 117, 118, - 128, 129, 130, - 131, 132, 133, 134, 135, - 152, 153, + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. 
@@ -7168,34 +7172,34 @@ Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. -4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: - SELECT * FROM sys.trace_events; + SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. -6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.SRG-APP-000027-DB-000186<GroupDescription></GroupDescription>SQL2-00-001900SQL Server must automatically audit account modification.<VulnDiscussion>Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. 
One way to accomplish this is for the attacker to simply modify an existing account. +6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.SRG-APP-000027-DB-000186<GroupDescription></GroupDescription>SQL2-00-001900SQL Server must automatically audit account modification.<VulnDiscussion>Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is one method and best practice for mitigating this risk. A comprehensive application account management process ensures an audit trail automatically documents the modification of application user accounts and, as required, notifies administrators, application owners, and/or appropriate individuals. Applications must provide this capability directly, leverage complimentary technology providing this capability, or a combination thereof. -Automated account-auditing processes greatly reduce the risk that accounts will be surreptitiously modified, and provides logging that can be used for forensic purposes. +Automated account-auditing processes greatly reduce the risk that accounts will be surreptitiously modified, and provides logging that can be used for forensic purposes. To address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms meeting or exceeding access control policy requirements. 
Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-001403Create a trace that meets all auditing requirements. -The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. +The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. -Determine the trace(s) being used for the auditing requirement. +Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: - 14, 15, 18, 20, - 102, 103, 104, 105, 106, 107, 108, 109, 110, - 111, 112, 113, 115, 116, 117, 118, - 128, 129, 130, - 131, 132, 133, 134, 135, - 152, 153, + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. 
If any of the audit event IDs required above is not listed, this is a finding. 
@@ -7203,9 +7207,9 @@ Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. -4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: - SELECT * FROM sys.trace_events; + SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. 
If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.SRG-APP-000019-DB-000197<GroupDescription></GroupDescription>SQL2-00-001600SQL Server must ensure that remote sessions that access an organization-defined list of security functions and security-relevant information are audited.<VulnDiscussion>Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. 
@@ -7214,22 +7218,22 @@ Remote network and system access is accomplished by leveraging common communicat Numerous best practices are employed to protect remote connections, such as utilizing encryption to protect data sessions and firewalls to restrict and control network connectivity. In addition to these protections, auditing must also be utilized in order to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations post security incident. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-002186Create a trace that meets all auditing requirements. -The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. +The script provided in the supplemental file, Trace.sql, can be used to do this; edit it as necessary to capture any additional, locally defined events.Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. -Determine the trace(s) being used for the auditing requirement. +Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. 
From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: - 14, 15, 18, 20, - 102, 103, 104, 105, 106, 107, 108, 109, 110, - 111, 112, 113, 115, 116, 117, 118, - 128, 129, 130, - 131, 132, 133, 134, 135, - 152, 153, + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. 
@@ -7237,9 +7241,9 @@ Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. -4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: - SELECT * FROM sys.trace_events; + SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.SRG-APP-000001-DB-000031<GroupDescription></GroupDescription>SQL2-00-000100The number of concurrent SQL Server sessions for each system account must be limited.<VulnDiscussion>A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks. 
For example, boundary protection devices can filter certain types of packets to protect devices on an organization’s internal network from being directly affected by DoS attacks. 
@@ -7249,24 +7253,24 @@ When determining the appropriate values for this limit, take the characteristics Architectural note: In SQL Server, a count of active sessions by user can be obtained from one of the dynamic management views. For example: - SELECT original_login_name, count(*) - FROM sys.dm_exec_sessions - WHERE is_user_process = 1 - GROUP BY original_login_name; + SELECT original_login_name, count(*) + FROM sys.dm_exec_sessions + WHERE is_user_process = 1 + GROUP BY original_login_name; However, for this to return an accurate count in a logon trigger, the user would have to have the View Server State privilege. (Without this privilege, the trigger sees information only about the current session, so would always return a count of one.) View Server State would give that user access to a wide swath of information about the server, violating SQL2-00-004100. One way to avoid this exposure is to create a summary table, and a view of that table that restricts each user to seeing his/her own count, and establish a frequently-run background job to refresh the table (using the above query or similar). The logon trigger then queries the view to obtain a count that is accurate enough for most purposes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000054Establish the limit(s) appropriate to the type(s) of user account accessing the SQL Server instance, and record them in the system documentation. 
-Implement one or more logon triggers to enforce the limit(s), without exposing the dynamic management views to general users.Review the system documentation to determine whether any limits have been defined. If not, this is a finding. +Implement one or more logon triggers to enforce the limit(s), without exposing the dynamic management views to general users.Review the system documentation to determine whether any limits have been defined. If not, this is a finding. If one limit has been defined but is not applied to all users, including privileged administrative accounts, this is a finding. -If multiple limits have been defined, to accommodate different types of user, verify that together they cover all users. If not, this is a finding. +If multiple limits have been defined, to accommodate different types of user, verify that together they cover all users. If not, this is a finding. If a mechanism other than a logon trigger is used, verify its correct operation by the appropriate means. If it does not work correctly, this is a finding. Otherwise, determine if a logon trigger exists: -EITHER, in SQL Server Management Studio's Object Explorer tree: +EITHER, in SQL Server Management Studio's Object Explorer tree: Expand [SQL Server Instance] >> Security >> Server Objects >> Triggers OR run the query: 
@@ -7274,25 +7278,25 @@ SELECT * FROM master.sys.server_triggers; If no triggers are listed, this is a finding. -If triggers are listed, identify the one(s) limiting the number of concurrent sessions per user. If none are found, this is a finding. If they are present but disabled, this is a finding. +If triggers are listed, identify the one(s) limiting the number of concurrent sessions per user. If none are found, this is a finding. If they are present but disabled, this is a finding. Examine the trigger source code for logical correctness and for compliance with the documented limit(s). If errors or variances exist, this is a finding. Verify that the system does execute the trigger(s) each time a user session is established. If it does not operate correctly for all types of user, this is a finding.SRG-APP-000231-DB-000154<GroupDescription></GroupDescription>SQL2-00-024500The Service Master Key must be backed up, stored offline and off-site.<VulnDiscussion>Backup and recovery of the Service Master Key may be critical to the complete recovery of the database. Not having this key can lead to loss of data during recovery.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-001199Document and implement procedures to safely back up and store the Service Master Key. Include in the procedures methods to establish evidence of backup and storage, and careful, restricted access and restoration of the Service Master Key. Also, include provisions to store the key off-site. 
BACKUP SERVICE MASTER KEY TO FILE = 'path_to_file' -ENCRYPTION BY PASSWORD = 'password'Review procedures for, and evidence of backup of, the SQL Server Service Master Key in the System Security Plan. +ENCRYPTION BY PASSWORD = 'password'Review procedures for, and evidence of backup of, the SQL Server Service Master Key in the System Security Plan. If the procedures or evidence do not exist, this is a finding. If the procedures do not indicate offline and off-site storage of the Service Master Key, this is a finding. -If procedures do not indicate access restrictions to the Service Master Key backup, this is a finding.SRG-APP-999999-DB-000209 <GroupDescription></GroupDescription>SQL2-00-024600Domain accounts used to manage a SQL Server platform must be different from those used to manage other platforms.<VulnDiscussion>Separate accounts used to manage the SQL Server platform help prevent a lateral move within an environment if SQL were to be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000366Set up and use separate domain accounts to manage the SQL Server platform. These accounts must be different from those used to manage other platforms.Determine the accounts being used to manage the SQL Server operating system. Determine whether the same accounts are being used to manage other platforms. If the same account is used to manage more than one platform, this is a finding. 
+If procedures do not indicate access restrictions to the Service Master Key backup, this is a finding.SRG-APP-999999-DB-000209 <GroupDescription></GroupDescription>SQL2-00-024600Domain accounts used to manage a SQL Server platform must be different from those used to manage other platforms.<VulnDiscussion>Separate accounts used to manage the SQL Server platform help prevent a lateral move within an environment if SQL were to be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000366Set up and use separate domain accounts to manage the SQL Server platform. These accounts must be different from those used to manage other platforms.Determine the accounts being used to manage the SQL Server operating system. Determine whether the same accounts are being used to manage other platforms. If the same account is used to manage more than one platform, this is a finding. Note: If, because of the application configuration, there are multiple instances of SQL that would share a given exploit, a single account would be allowed to be used for the group and would not be considered a finding. SRG-APP-000196-DB-000301<GroupDescription></GroupDescription>SQL2-00-019601SQL Server databases in the unclassified environment, containing sensitive information, must be encrypted using approved cryptography.<VulnDiscussion>Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. 
-Data files that are not encrypted are vulnerable to theft. When data files are not encrypted, they can be copied and opened on a separate system. The data can be compromised without the information owner's knowledge that the theft has even taken place.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-002450Configure SQL Server to encrypt sensitive data stored in each database. Use only NIST-certified cryptography to provide encryption.If the system exists in the Classified environment, this is NA. +Data files that are not encrypted are vulnerable to theft. When data files are not encrypted, they can be copied and opened on a separate system. The data can be compromised without the information owner's knowledge that the theft has even taken place.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-002450Configure SQL Server to encrypt sensitive data stored in each database. Use only NIST-certified cryptography to provide encryption.If the system exists in the Classified environment, this is NA. For each database under the SQL Server instance, review the system documentation to determine whether the database holds sensitive information. 
If it does not, this is not a finding. @@ -7328,7 +7332,7 @@ Note 2: Tips for adding a service SID/virtual account to a folder's permission l Note 3: In the interest of separation of responsibilities with least privilege, consider granting Full Control only to SQL Database Administrators (create a custom group for these) and providing the local Administrators group with Read access only. -Note 4: It may also be necessary to grant the SQL Server Agent permission to Delete the \Log directory and its contents.Obtain the SQL Server default data directory location: from a command prompt, open the registry editor by typing regedit.exe, and pressing [ENTER]. Navigate to the following registry location: +Note 4: It may also be necessary to grant the SQL Server Agent permission to Delete the \Log directory and its contents.Obtain the SQL Server default data directory location: from a command prompt, open the registry editor by typing regedit.exe, and pressing [ENTER]. Navigate to the following registry location: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft 
@@ -7384,10 +7388,10 @@ Note 3: In the interest of separation of responsibilities with least privilege, Note 4: It may also be necessary to grant the SQL Server Agent permission to Delete the \Log directory and its contents. This is not a finding.SRG-APP-000133-DB-000207<GroupDescription></GroupDescription>SQL2-00-025200The OS must limit privileges to the SQL Server data directories and their subordinate directories and files.<VulnDiscussion>Database files must be protected from unauthorized access. Although default data locations are created at installation time, sites can, and will, use other directories for site-created database files to comply with best practices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-001499Navigate to the identified folder location(s). Right-click the folder, click Properties. On the Security tab, modify the security permissions so that files and folders have at most the permissions listed below. Right-click each folder under the identified folder(s), click Properties. On the Security tab, modify the security permissions so that at most the following permissions are present. CREATOR OWNER (Full Control) System (Full control) -SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] +SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] SQL Server Analysis Services (SSAS) Service SID or Service Account, if SSAS is in use (Read & Execute) [Notes 1, 2] -SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. 
(Read, Execute, Write) [Notes 1, 2] -SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read, Write) [Notes 1, 2] +SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] +SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read, Write) [Notes 1, 2] System Administrators (Full Control) [Note 3] @@ -7414,13 +7418,13 @@ Note 2: Tips for adding a service SID/virtual account to a folder's permission 9) Permission like a normal user from here -Note 3: In the interest of separation of responsibilities with least privilege, consider granting Full Control only to SQL Database Administrators (create a custom group for these) and providing the local Administrators group with Read access only.Obtain the SQL Server data directory location(s): in a tool such as SQL Server Management Studio, run the statement: -SELECT DISTINCT -LEFT(physical_name, (LEN(physical_name) - CHARINDEX('\',REVERSE(physical_name)) + 1 )) +Note 3: In the interest of separation of responsibilities with least privilege, consider granting Full Control only to SQL Database Administrators (create a custom group for these) and providing the local Administrators group with Read access only.Obtain the SQL Server data directory location(s): in a tool such as SQL Server Management Studio, run the statement: +SELECT DISTINCT +LEFT(physical_name, (LEN(physical_name) - CHARINDEX('\',REVERSE(physical_name)) + 1 )) AS "Database Data File Paths", type_desc FROM sys.master_files -WHERE database_id > 4 +WHERE database_id > 4 AND type = 0 The query result is a list of file systems locations used for databases other than the system databases. Navigate to each of those folder locations using a command prompt or Windows Explorer. The following instructions assume that Windows Explorer is used. 
@@ -7429,17 +7433,17 @@ The query result is a list of file systems locations used for databases other th Verify that the identified folders and their contents have only authorized privileges. Right-click each folder, click Properties. On the Security tab, verify that at most the following permissions are present: CREATOR OWNER (Full Control) System (Full control) -SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] +SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] System Administrators (Full Control) [Note 3] SQL Server Analysis Services (SSAS) Service SID or Service Account, if SSAS is in use (Read & Execute) [Notes 1, 2] -SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] -SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read, Write) [Notes 1, 2] +SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] +SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read, Write) [Notes 1, 2] If any less restrictive permissions are present (and not specifically justified and approved), this is a finding.SRG-APP-000133-DB-000207<GroupDescription></GroupDescription>SQL2-00-025300The OS must limit privileges to the SQL Server backup directories and files.<VulnDiscussion>Backups must be protected from unauthorized deletion and modification. 
They must also be protected from unauthorized use in database restoration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-001499Navigate to the SQL Server backup directory location. Right-click the folder, click Properties. On the Security tab, modify the security permissions, so that files and folders have at most the permissions listed below. Right-click each folder under the SQL Server backup folder, click Properties. On the Security tab, modify the security permissions, so that at most the following permissions are present. CREATOR OWNER (Full Control) System (Full control) -SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] -SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] -SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read, Write) [Notes 1, 2] +SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] +SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] +SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read, Write) [Notes 1, 2] System Administrators (Full Control) [Note 3] SQL Server Analysis Services (SSAS) Service SID or Service Account, if SSAS is in use (Read & Execute) [Notes 1, 2] 
@@ -7465,11 +7469,11 @@ Note 2: Tips for adding a service SID/virtual account to a folder's permission l 8) Click "OK" 9) Permission like a normal user from here -Note 3: In the interest of separation of responsibilities with least privilege, consider granting Full Control only to SQL Database Administrators (create a custom group for these) and providing the local Administrators group with Read access only.Obtain the SQL Server backup directory location: from a command prompt, open the registry editor by typing regedit.exe, and pressing [ENTER]. Navigate to the following registry location: -HKEY_LOCAL_MACHINE ->> SOFTWARE +Note 3: In the interest of separation of responsibilities with least privilege, consider granting Full Control only to SQL Database Administrators (create a custom group for these) and providing the local Administrators group with Read access only.Obtain the SQL Server backup directory location: from a command prompt, open the registry editor by typing regedit.exe, and pressing [ENTER]. Navigate to the following registry location: +HKEY_LOCAL_MACHINE +>> SOFTWARE >> Microsoft ->> Microsoft SQL Server +>> Microsoft SQL Server >> [INSTANCE NAME] >> MSSQLServer >> BackupDirectory 
@@ -7483,9 +7487,9 @@ Navigate to each folder location using a command prompt or Windows Explorer. Th Verify that backup files and folders have only authorized privileges. Right-click the backup folder, click Properties. On the Security tab, verify that at most the following permissions are present: CREATOR OWNER (Full Control) System (Full control) -SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] -SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] -SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read, Write) [Notes 1, 2] +SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] +SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] +SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read, Write) [Notes 1, 2] System Administrators (Full Control) [Note 3] SQL Server Analysis Services (SSAS) Service SID or Service Account, if SSAS is in use (Read & Execute) [Notes 1, 2] If any less restrictive permissions are present (and not specifically justified and approved), this is a finding. @@ -7526,7 +7530,7 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes USE master REVOKE VIEW ANY DATABASE TO <'account name'> -GO Obtain the list of accounts that have direct access to the server-level permission 'View Any Database' by running the following query: +GO Obtain the list of accounts that have direct access to the server-level permission 'View Any Database' by running the following query: SELECT who.name AS [Principal Name], 
@@ -7539,7 +7543,7 @@ sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE -what.permission_name = 'View Any Database' +what.permission_name = 'View Any Database' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY 
@@ -7600,7 +7604,7 @@ ORDER BY what.permission_name, who.name ; -GOSRG-APP-000063-DB-000018<GroupDescription></GroupDescription>SQL2-00-009710Owners of privileged accounts must use non-privileged accounts for non-administrative activities.<VulnDiscussion>Use of privileged accounts for non-administrative purposes puts data at risk of unintended or unauthorized loss, modification, or exposure. In particular, DBA accounts, if used for non-administration application development or application maintenance, can lead to excessive privileges where privileges are inherited by object owners. It may also lead to loss or compromise of application data where the elevated privileges bypass controls designed in and provided by applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000366Require that DBAs and other privileged users use non-privileged accounts for non-administrative activities.Review procedures and practices. If there is not a policy requiring owners of privileged accounts to use non-privileged accounts for non-administrative activities, this is a finding. 
If there is evidence that owners of privileged accounts do not adhere to this policy, this is a finding.SRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-002500SQL Server must enforce access control policies to restrict the Alter any event notification permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. +GOSRG-APP-000063-DB-000018<GroupDescription></GroupDescription>SQL2-00-009710Owners of privileged accounts must use non-privileged accounts for non-administrative activities.<VulnDiscussion>Use of privileged accounts for non-administrative purposes puts data at risk of unintended or unauthorized loss, modification, or exposure. In particular, DBA accounts, if used for non-administration application development or application maintenance, can lead to excessive privileges where privileges are inherited by object owners. 
It may also lead to loss or compromise of application data where the elevated privileges bypass controls designed in and provided by applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000366Require that DBAs and other privileged users use non-privileged accounts for non-administrative activities.Review procedures and practices. If there is not a policy requiring owners of privileged accounts to use non-privileged accounts for non-administrative activities, this is a finding. If there is evidence that owners of privileged accounts do not adhere to this policy, this is a finding.SRG-APP-000035-DB-000007<GroupDescription></GroupDescription>SQL2-00-002500SQL Server must enforce access control policies to restrict the Alter any event notification permission to only authorized roles.<VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations, or lead to a loss of system control. 
Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. @@ -7610,7 +7614,7 @@ Additionally, the permission must not be denied to a role, because that could di The fix for this vulnerability specifies the use of REVOKE. Be aware that revoking a permission that is currently denied to a role or user does not necessarily disable the permission. If the user or role can inherent the permission from another role, revoking the denied permission from the user or the first role can effectively enable the inherited permission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-003014Remove the 'Alter any event notification' permission access from the role that is not authorized by executing the following query: -REVOKE Alter any event notification TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter any event notification' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: +REVOKE Alter any event notification TO <'role name'>Obtain the list of roles that are authorized for the SQL Server 'Alter any event notification' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], 
@@ -7638,7 +7642,7 @@ Ensure that files and folders that are part of, or related to, the SQL Server 20 Type: All Principal: Everyone Access: Modify -Applies to: This Folder, subfolder, and files [where applicable]Obtain the SQL Server software directory location: from a command prompt, open the registry editor by typing regedit.exe and pressing [ENTER]. Navigate to the following registry location: +Applies to: This Folder, subfolder, and files [where applicable]Obtain the SQL Server software directory location: from a command prompt, open the registry editor by typing regedit.exe and pressing [ENTER]. Navigate to the following registry location: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft @@ -7649,7 +7653,7 @@ HKEY_LOCAL_MACHINE Determine the location of separate but related softare, such as audit file management tools. -Verify that files and folders that are part of, or related to, the SQL Server 2012 installation have auditing enabled. Right-click on the file/folder, click Properties. On the Security tab, click Advanced. On the Auditing tab, verify +Verify that files and folders that are part of, or related to, the SQL Server 2012 installation have auditing enabled. Right-click on the file/folder, click Properties. On the Security tab, click Advanced. On the Auditing tab, verify that the following is set up on at least one audit: Type: All Principal: Everyone 
@@ -7662,7 +7666,7 @@ This convenience also presents the possibility of unauthorized individuals gaini This requirement is not intended to prohibit use of the Browser service in any circumstances; rather, it calls for administrators and management to consider whether the benefits of its use outweigh the potential negative consequences.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SQL Server Installation 2012DISADPMS TargetSQL Server Installation 20122561CCI-000366If SQL Server Browser is needed, document the justification and obtain the appropriate approvals. -Where SQL Server Browser is judged unnecessary, in the Services tool, double-click on "SQL Server Browser" to open its "Properties" dialog. Set Startup Type to "Disabled". If Service Status is "Running", click on "Stop". Click on "OK".If the need for the SQL Server Browser service is documented, with appropriate approval, this is not a finding. +Where SQL Server Browser is judged unnecessary, in the Services tool, double-click on "SQL Server Browser" to open its "Properties" dialog. Set Startup Type to "Disabled". If Service Status is "Running", click on "Stop". Click on "OK".If the need for the SQL Server Browser service is documented, with appropriate approval, this is not a finding. Open the Services tool. 
@@ -7688,15 +7692,15 @@ To enforce this in SQL Server, configure each DBMS-managed login to inherit the In SQL Server Management Studio Object Explorer, navigate to <SQL Server instance name> >> Security >> Logins >> <login name>. Right-click, select Properties. Select the check box Enforce Password Policy. Click OK. Alternatively, for each identified Login, run the statement: -ALTER LOGIN <login name> CHECK_POLICY = ON;Run the statement: +ALTER LOGIN <login name> CHECK_POLICY = ON;Run the statement: SELECT name -FROM - sys.sql_logins +FROM + sys.sql_logins WHERE type_desc = 'SQL_LOGIN' AND is_disabled = 0 - AND is_policy_checked = 0 ; + AND is_policy_checked = 0 ; If no account names are listed, this is not a finding. @@ -7715,7 +7719,7 @@ To enforce this in SQL Server, configure each DBMS-managed login to inherit the In SQL Server Management Studio Object Explorer, navigate to <SQL Server instance name> >> Security >> Logins >> <login name>. Right-click, select Properties. Select the check box Enforce Password Expiration. Click OK. Alternatively, for each identified Login, run the statement: -ALTER LOGIN <login name> CHECK_EXPIRATION = ON;Run the statement: +ALTER LOGIN <login name> CHECK_EXPIRATION = ON;Run the statement: SELECT name FROM diff --git a/source/StigData/Processed/SqlServer-2012-Instance-1.17.org.default.xml b/source/StigData/Processed/SqlServer-2012-Instance-1.20.org.default.xml similarity index 95% rename from source/StigData/Processed/SqlServer-2012-Instance-1.17.org.default.xml rename to source/StigData/Processed/SqlServer-2012-Instance-1.20.org.default.xml index 4a7215249..98fa6dc26 100644 --- a/source/StigData/Processed/SqlServer-2012-Instance-1.17.org.default.xml +++ b/source/StigData/Processed/SqlServer-2012-Instance-1.20.org.default.xml @@ -5,7 +5,7 @@ Each setting in this file is linked by STIG ID and the valid range is in an associated comment. --> - + 
diff --git a/source/StigData/Processed/SqlServer-2012-Instance-1.17.xml b/source/StigData/Processed/SqlServer-2012-Instance-1.20.xml similarity index 88% rename from source/StigData/Processed/SqlServer-2012-Instance-1.17.xml rename to source/StigData/Processed/SqlServer-2012-Instance-1.20.xml index 36497cc80..da4faec7f 100644 --- a/source/StigData/Processed/SqlServer-2012-Instance-1.17.xml +++ b/source/StigData/Processed/SqlServer-2012-Instance-1.20.xml @@ -1,7 +1,7 @@ - + - <VulnDiscussion>Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS), VPN, or IPSEC tunnel. + <VulnDiscussion>Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS), VPN, or IPSEC tunnel. Information in transmission is particularly vulnerable to attack. If the DBMS does not employ cryptographic mechanisms preventing unauthorized disclosure of information during transit, the information may be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -43,7 +43,7 @@ Load balancing for the purpose of sharing a secondary/backup SQL Server is often If Database Availability Groups are not being used, this is not applicable (NA). -Check the system documentation and check with the administrator regarding processing resources of the backup/secondary SQL Server. +Check the system documentation and check with the administrator regarding processing resources of the backup/secondary SQL Server. If the primary SQL Server has a backup/secondary server that is dedicated 100% to the primary server's processing, this is not a finding. 
@@ -66,11 +66,11 @@ Even if SQL Server's utilization is very small and there may seem to be no need If SQL Server has users that are determined to run significantly high priority processes than other users and the SQL Server "Resource Governor" is not being implemented, this is a finding. - <VulnDiscussion>When data is exchanged between information systems, the security attributes associated with said data need to be maintained. + <VulnDiscussion>When data is exchanged between information systems, the security attributes associated with said data need to be maintained. -Security attributes are an abstraction representing the basic properties or characteristics of an entity with respect to safeguarding information, typically associated with internal data structures (e.g., records, buffers, files) within the information system and used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. +Security attributes are an abstraction representing the basic properties or characteristics of an entity with respect to safeguarding information, typically associated with internal data structures (e.g., records, buffers, files) within the information system and used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. -Security attributes may be explicitly or implicitly associated with the information contained within the information system. +Security attributes may be explicitly or implicitly associated with the information contained within the information system. 
If database security labels are not maintained as information moves between systems, handling instructions can be lost and data can be accidentally distributed to unauthorized individuals.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -81,7 +81,7 @@ If database security labels are not maintained as information moves between syst If the labeling of sensitive data is not required, this is NA. -Obtain system configuration setting to determine how data labeling is being performed. This can be through triggers or some other SQL developed means or via a third-party tool. Check to ensure that labels are being associated to data when information is being exchanged between systems. +Obtain system configuration setting to determine how data labeling is being performed. This can be through triggers or some other SQL developed means or via a third-party tool. Check to ensure that labels are being associated to data when information is being exchanged between systems. If the labeling is not being associated to data when exchanging data between systems, this is a finding. @@ -156,7 +156,7 @@ This requirement is not intended to prevent the establishment of public-facing s If SQL Server supports an application collecting information from the public, this is NA. Obtain from the DBA or system documentation the list of publicly available data within SQL Server. -Obtain the publicly available user account(s) being used to access SQL Server. +Obtain the publicly available user account(s) being used to access SQL Server. Determine if SQL Server is granting more than read access to the publicly available information through SQL Server 'Securables'. 
@@ -261,7 +261,7 @@ Detailed information on the NIST Cryptographic Module Validation Program (CMVP) Non-organizational users shall be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access, such as accessing a web server. -This may be accomplished by a code embedded within the userid, or via a flag or code columns in a table of users, or by some other means. In any case, the user must be individually identified to, and within, SQL Server via a mapping to an individual account and not mapping to a shared account. +This may be accomplished by a code embedded within the userid, or via a flag or code columns in a table of users, or by some other means. In any case, the user must be individually identified to, and within, SQL Server via a mapping to an individual account and not mapping to a shared account. Accordingly, a risk assessment is used in determining the authentication needs of the organization. 
@@ -363,9 +363,9 @@ Unused and unnecessary SQL Server components increase the number of available at Review the system documentation to verify that the enabled components or features are documented and authorized. If any enabled components or features are not authorized, this is a finding. - <VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + <VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). -It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software, demonstrations, or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission, yet cannot be disabled. +It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software, demonstrations, or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission, yet cannot be disabled. Applications must adhere to the principles of least functionality by providing only essential capabilities. 
@@ -443,7 +443,7 @@ Unmanaged changes that occur to SQL Server software libraries or configuration c Verify within the system documentation that SQL Server is monitoring for security-relevant configuration settings to discover unauthorized changes. -This can be done by a third-party tool or a SQL script that does baselining and then comparisons. +This can be done by a third-party tool or a SQL script that does baselining and then comparisons. If the monitoring of security-relevant configuration settings to discover unauthorized changes is not implemented on SQL Server, this is a finding. 
@@ -463,9 +463,9 @@ When shared accounts are utilized without another means of identifying individua Obtain the list of authorized SQL Server accounts in the system documentation. -If accounts are determined to be shared, determine if individuals are first individually authenticated. If individuals are not individually authenticated before using the shared account (e.g., by the operating system or possibly by an application making calls to the database), this is a finding. (The key is individual accountability. If this can be traced, this is not a finding.) +If accounts are determined to be shared, determine if individuals are first individually authenticated. If individuals are not individually authenticated before using the shared account (e.g., by the operating system or possibly by an application making calls to the database), this is a finding. (The key is individual accountability. If this can be traced, this is not a finding.) -If accounts are determined to be shared, determine if they are directly accessible to end users. If so, this is a finding. +If accounts are determined to be shared, determine if they are directly accessible to end users. If so, this is a finding. Review contents of audit logs, traces and data tables to confirm that the identity of the individual user performing the action is captured. If shared identifiers are found, and not accompanied by individual identifiers, this is a finding. 
@@ -552,7 +552,7 @@ If any checked 'Database role membership' of each highlighted and checked 'Datab To aid in tracking and administering such permissions, individual logins must not be directly granted permissions or built-in server roles. Instead, user-defined server roles must be created, with the permissions and built-in server roles granted to them; the individual logins must be assigned to the appropriate user-defined server roles. -The built-in server role "sysadmin" is a partial exception. This cannot be granted to a user-defined role, only to a login account. Most (not necessarily all) database administrators will need to be members of sysadmin. Without this, most DBCC commands and the system stored procedures/functions listed below are unavailable. The users who require such access must be documented and approved. +The built-in server role "sysadmin" is a partial exception. This cannot be granted to a user-defined role, only to a login account. Most (not necessarily all) database administrators will need to be members of sysadmin. Without this, most DBCC commands and the system stored procedures/functions listed below are unavailable. The users who require such access must be documented and approved. In addition, if the site uses backup-restore software that connects to SQL Server via the Virtual Device Interface (VDI), the account used by that software must have the sysadmin role. (See Microsoft Knowledge Base article 2926557, http://support.microsoft.com/kb/2926557). If this applies, it must be documented and approved. @@ -947,7 +947,7 @@ The DBMS must ensure the recipient of server permissions possesses only the acce Check for rights propagation assignment to DBMS server permissions by running the following query: USE master; -SELECT * +SELECT * FROM sys.server_permissions WHERE state_desc = 'GRANT_WITH_GRANT_OPTION'; 
@@ -1176,10 +1176,10 @@ When determining the appropriate values for this limit, take the characteristics Architectural note: In SQL Server, a count of active sessions by user can be obtained from one of the dynamic management views. For example: - SELECT original_login_name, count(*) - FROM sys.dm_exec_sessions - WHERE is_user_process = 1 - GROUP BY original_login_name; + SELECT original_login_name, count(*) + FROM sys.dm_exec_sessions + WHERE is_user_process = 1 + GROUP BY original_login_name; However, for this to return an accurate count in a logon trigger, the user would have to have the View Server State privilege. (Without this privilege, the trigger sees information only about the current session, so would always return a count of one.) View Server State would give that user access to a wide swath of information about the server, violating SQL2-00-004100. One way to avoid this exposure is to create a summary table, and a view of that table that restricts each user to seeing his/her own count, and establish a frequently-run background job to refresh the table (using the above query or similar). The logon trigger then queries the view to obtain a count that is accurate enough for most purposes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -1190,13 +1190,13 @@ However, for this to return an accurate count in a logon trigger, the user would If one limit has been defined but is not applied to all users, including privileged administrative accounts, this is a finding. -If multiple limits have been defined, to accommodate different types of user, verify that together they cover all users. If not, this is a finding. +If multiple limits have been defined, to accommodate different types of user, verify that together they cover all users. If not, this is a finding. If a mechanism other than a logon trigger is used, verify its correct operation by the appropriate means. If it does not work correctly, this is a finding. Otherwise, determine if a logon trigger exists: -EITHER, in SQL Server Management Studio's Object Explorer tree: +EITHER, in SQL Server Management Studio's Object Explorer tree: Expand [SQL Server Instance] >> Security >> Server Objects >> Triggers OR run the query: @@ -1204,7 +1204,7 @@ SELECT * FROM master.sys.server_triggers; If no triggers are listed, this is a finding. -If triggers are listed, identify the one(s) limiting the number of concurrent sessions per user. If none are found, this is a finding. If they are present but disabled, this is a finding. +If triggers are listed, identify the one(s) limiting the number of concurrent sessions per user. If none are found, this is a finding. If they are present but disabled, this is a finding. Examine the trigger source code for logical correctness and for compliance with the documented limit(s). If errors or variances exist, this is a finding. @@ -1269,12 +1269,12 @@ To enforce this in SQL Server, configure each DBMS-managed login to inherit the Run the statement: SELECT name -FROM - sys.sql_logins +FROM + sys.sql_logins WHERE type_desc = 'SQL_LOGIN' AND is_disabled = 0 - AND is_policy_checked = 0 ; + AND is_policy_checked = 0 ; If no account names are listed, this is not a finding. 
@@ -1335,7 +1335,7 @@ Database logs can be monitored for specific security-related errors. Any error t False False - Security-related errors must be identified and monitored. In most cases, these items would appear in the SQL Server log file. + Security-related errors must be identified and monitored. In most cases, these items would appear in the SQL Server log file. If security-related error conditions are not being monitored to meet this requirement, this is a finding. @@ -1354,9 +1354,9 @@ Database Management Systems typically separate security functionality from nonse For any elements found, check SQL Server to determine if these objects or code implementing security functionality are located in a separate security domain, such as a separate database or schema created specifically for security functionality. Run the following queryto list all the user-defined databases: -SELECT Name -FROM sys.databases -WHERE database_id > 4 +SELECT Name +FROM sys.databases +WHERE database_id > 4 ORDER BY 1; If security-related database objects or code are not kept separate, this is a finding. 
@@ -1399,7 +1399,7 @@ Passwords stored in clear text are vulnerable to unauthorized disclosure. Databa False False - Since Windows security is being leveraged, this check applies to database configuration files, associated scripts, and applications external to SQL Server that access the database. + Since Windows security is being leveraged, this check applies to database configuration files, associated scripts, and applications external to SQL Server that access the database. Ask the DBA and/or IAO to determine if any SQL Server database objects, database configuration files, associated scripts, or applications defined as external to SQL Server that access the database/user environment files/settings contain database passwords. If any do, confirm that SQL Server passwords stored externally to the SQL Server are encoded or encrypted. If any passwords are stored in clear text, this is a finding. 
@@ -1518,14 +1518,14 @@ SELECT ''?'' AS ''database name'' WHERE type_desc = ''LOG'' AND state = 0; ' -; +; If any transaction log files are not configured correctly for size, max_size, and growth to log sufficient transaction information, this is a finding. - <VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + <VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). -Additionally, it is sometimes convenient to provide multiple services from a single component of an information system (e.g., email and web services) but doing so increases risk over limiting the services provided by any one component. +Additionally, it is sometimes convenient to provide multiple services from a single component of an information system (e.g., email and web services) but doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the application must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. 
@@ -1575,9 +1575,9 @@ SELECT ''?'' AS ''Table Name'', * If any user-defined Stored Procedures and Functions are unauthorized and therefore should be prohibited or restricted and are not, this is a finding. - <VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + <VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). -It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software, demonstrations, or browser plug-ins not related to requirements; or providing a wide array of functionality not required for every mission, but which cannot be disabled. +It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software, demonstrations, or browser plug-ins not related to requirements; or providing a wide array of functionality not required for every mission, but which cannot be disabled. Applications must adhere to the principles of least functionality by providing only essential capabilities. 
@@ -1599,7 +1599,7 @@ If the value of config_value is 1, this is a finding. <VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). -It is detrimental for applications to provide or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software demonstrations or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission, yet cannot be disabled. +It is detrimental for applications to provide or install by default, functionality exceeding requirements or mission objectives. Examples include, but are not limited to, installing advertising software demonstrations or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission, yet cannot be disabled. Applications must adhere to the principles of least functionality by providing only essential capabilities. 
@@ -1762,7 +1762,7 @@ Note 2: Tips for adding a service SID/virtual account to a folder's permission l 8) Click "OK" 9) Permission like a normal user from here -Note 3: In the interest of separation of responsibilities with least privilege, consider granting Full Control only to SQL Database Administrators (create a custom group for these) and providing the local Administrators group with Read access only. +Note 3: In the interest of separation of responsibilities with least privilege, consider granting Full Control only to SQL Database Administrators (create a custom group for these) and providing the local Administrators group with Read access only. Note 4: Some files also require 'ALL APPLICATION PACKAGES (READ, EXECUTE)' permissions for certain functionality to work appropriately, and this is considered acceptable where those permissions are required. (All SQL Server files that require this access reside by default in the ..\Microsoft SQL Server\110\ directory.) @@ -1777,7 +1777,7 @@ If SQL Server were no longer supported, no patches from Microsoft would address False False - Check Microsoft's list of supported SQL Server versions. To locate the correct web page, perform a web search for "Microsoft SQL Server end of support." + Check Microsoft's list of supported SQL Server versions. To locate the correct web page, perform a web search for "Microsoft SQL Server end of support." To be considered supported, Microsoft must report that the version is supported by security patches to known vulnerabilities. 
@@ -1786,10 +1786,14 @@ print @@version If the security patch support for SQL Server cannot be determined or SQL Server version is not shown as supported, this is a finding. -If SQL Server does not contain the latest security patches, this is a finding. +If SQL Server does not contain the latest security patches, this is a finding. + +SQL Server 2012 Service Pack 3 support end date: 10/9/2018 +SQL Server 2012 Enterprise Core mainstream support end date: 7/11/2018 +SQL Server 2012 Enterprise Core extended support end date: 7/12/2022 - <VulnDiscussion>When dealing with change control issues, it should be noted any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. + <VulnDiscussion>When dealing with change control issues, it should be noted any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit of one application can lead to an exploit of other applications sharing the same security context. For example, an exploit of a web server process that leads to unauthorized administrative access to host system directories can most likely lead to a compromise of all applications hosted by the same system. Database software not installed using dedicated directories both threatens and is threatened by other hosted applications. Access controls defined for one application may by default provide access to other applications’ database objects or directories. 
Any method that provides any level of separation of security context assists in the protection between applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -1806,15 +1810,15 @@ Analysis Services Instances are registered in the OLAP subfolder. Reporting Services Instances are registered in the RS subfolder. Standard SQL Server Instances are registered in the SQL subfolder. -Inside each of these folders, a single key is used to reference an Instance's specific Windows Registry tree. Each key will have its own registry tree at the following registry location: +Inside each of these folders, a single key is used to reference an Instance's specific Windows Registry tree. Each key will have its own registry tree at the following registry location: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME]. -An [INSTANCE NAME] is listed as the Data component of a key found in one of the above OLAP, RS, or SQL folders. +An [INSTANCE NAME] is listed as the Data component of a key found in one of the above OLAP, RS, or SQL folders. To find the installation location of a particular instance, navigate to the following location in the Windows Registry: -HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME] >> Setup. +HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME] >> Setup. Examine the value of the 'SqlProgramDir' key. The value of the 'SqlProgramDir' key is the SQL Server installation directory for that SQL Server Instance. 
@@ -1848,7 +1852,7 @@ Standard SQL Server Instances are registered in the SQL subfolder. Inside each one of these folders, a single key is used to reference an instance's specific Windows Registry tree. Each key will have its own registry tree at the following registry location: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME]. -An [INSTANCE NAME] is listed as the data component of a key found in one of the above OLAP, RS, or SQL folders. +An [INSTANCE NAME] is listed as the data component of a key found in one of the above OLAP, RS, or SQL folders. To find the installation location of a particular instance, navigate to the following location in the Windows Registry: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME] >> Setup. Examine the value of the 'SqlProgramDir' key. The value of the 'SqlProgramDir' key is the SQL Server installation directory for that SQL Server Instance. @@ -1874,7 +1878,7 @@ Deletion of database audit data could mask the theft or unauthorized modificatio False Obtain the SQL Server audit file location(s) by running the following SQL script: -SELECT DISTINCT +SELECT DISTINCT LEFT(path, (LEN(path) - CHARINDEX('\',REVERSE(path)) + 1)) AS "Audit Path" FROM sys.traces UNION 
@@ -1890,10 +1894,10 @@ Administrator(read) Users (none) Audit Administrator (Full Control) Auditors group (Read) -SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] +SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] -If any less restrictive permissions are present and not specifically justified and approved in the system security plan, this is a finding. +If any less restrictive permissions are present and not specifically justified and approved in the system security plan, this is a finding. If less restrictive permissions are present and specifically justified and approved in the system security plan, this is not a finding ----- @@ -1934,7 +1938,7 @@ Modification of database audit data could mask the theft or unauthorized modific False Obtain the SQL Server audit file location(s) by running the following SQL script: -SELECT DISTINCT +SELECT DISTINCT LEFT(path, (LEN(path) - CHARINDEX('\',REVERSE(path)) + 1)) AS "Audit Path" FROM sys.traces UNION @@ -1950,10 +1954,10 @@ Administrator(read) Users (none) Audit Administrator (Full Control) Auditors group (Read) -SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] +SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] -If any less restrictive permissions are present and not specifically justified and approved in the system security plan, this is a finding. +If any less restrictive permissions are present and not specifically justified and approved in the system security plan, this is a finding. If less restrictive permissions are present and specifically justified and approved in the system security plan, this is not a finding. 
@@ -1974,7 +1978,7 @@ Audit information includes all information (e.g., audit records, audit settings, False Obtain the SQL Server audit file location(s) by running the following SQL script: -SELECT DISTINCT +SELECT DISTINCT LEFT(path, (LEN(path) - CHARINDEX('\',REVERSE(path)) + 1)) AS "Audit Path" FROM sys.traces UNION @@ -1990,11 +1994,11 @@ Administrator(read) Users (none) Audit Administrator (Full Control) Auditors group (Read) -SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] +SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] -If any less restrictive permissions are present and not specifically justified and approved in the system security plan, this is a finding. +If any less restrictive permissions are present and not specifically justified and approved in the system security plan, this is a finding. If less restrictive permissions are present and specifically justified and approved in the system security plan, this is not a finding. @@ -2034,7 +2038,7 @@ If an attacker were to gain access to audit tools, they could analyze audit logs False Obtain the SQL Server audit file location(s) by running the following SQL script: -SELECT DISTINCT +SELECT DISTINCT LEFT(path, (LEN(path) - CHARINDEX('\',REVERSE(path)) + 1)) AS "Audit Path" FROM sys.traces UNION 
@@ -2074,7 +2078,7 @@ Expand Quota Management. Select Quotas. If Quotas have not been created for defined Audit Log storage locations that meet organizationally defined requirements, this is a finding. -In the center pane, select each quota to determine its Path, Limit, Type, and Description. +In the center pane, select each quota to determine its Path, Limit, Type, and Description. Right click the appropriate quota or quotas, and click Edit Quota Properties. Examine the Notification thresholds panel. If there are no Notification thresholds applied to this Quota, this is a finding. @@ -2092,12 +2096,12 @@ After the initial setup of SQL Server audit log configuration, it is best to che False False - Check the SQL Server audit setting on the maximum file size of the trace used for the auditing requirement. + Check the SQL Server audit setting on the maximum file size of the trace used for the auditing requirement. -Select * from sys.traces. Determine the audit being used to fulfill the overall auditing requirement. Examine the max_files and max_size parameters. SQL will overwrite the oldest files when the max_files parameter has been exceeded. Care must be taken to ensure that this does not happen, or data will be lost. +Select * from sys.traces. Determine the audit being used to fulfill the overall auditing requirement. Examine the max_files and max_size parameters. SQL will overwrite the oldest files when the max_files parameter has been exceeded. Care must be taken to ensure that this does not happen, or data will be lost. -The amount of space determined for logging by SQL Server is calculated by multiplying the maximum number of files by the maximum file size. +The amount of space determined for logging by SQL Server is calculated by multiplying the maximum number of files by the maximum file size. If auditing will outgrow the space reserved for logging before being overwritten, this is a finding. 
@@ -2186,7 +2190,7 @@ Many sites distribute a single SQL Server connection configuration file to all s Check procedures for providing SQL Server database connection information to users/applications. If procedures do not indicate or implement restrictions to connections required by the particular user/application which indicate process of least privilege and specific authorization was employed, this is a finding. - <VulnDiscussion>Separation of duties is a prevalent Information Technology control that is implemented at different layers of the information system, including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires that the person accountable for approving an action is not the same person who is tasked with implementing or carrying out that action. + <VulnDiscussion>Separation of duties is a prevalent Information Technology control that is implemented at different layers of the information system, including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires that the person accountable for approving an action is not the same person who is tasked with implementing or carrying out that action. The concept of separation of duties extends to processes. The DBMS must run under a custom, dedicated OS or domain account. When the DBMS is running under a shared account, users with access to that account could inadvertently or maliciously make changes to the DBMS’s settings, files, or permissions. Similarly, related services must run under dedicated accounts where this is possible. 
The SQL Server Browser and Writer services are exceptions: see http://msdn.microsoft.com/en-us/library/hh510203(v=sql.110).aspx and http://msdn.microsoft.com/en-us/library/ms175536(v=sql.110).aspx.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -2197,18 +2201,18 @@ The concept of separation of duties extends to processes. The DBMS must run und From a Command Prompt, type services.msc, and press [ENTER]. Scroll down to the SQL Server Services. SQL Server Services begin with SQL. The following services, when present, should be listed as follows: -Service Name: Log On As: -SQL Full-text Filter Daemon Launcher: NT Service\UNIQUE CUSTOM ACCOUNT -SQL Server [stand-alone]: NT Service\UNIQUE CUSTOM ACCOUNT -SQL Server [cluster]: <domain>\<CustomServiceAccount> -SQL Server Agent: NT Service\UNIQUE CUSTOM ACCOUNT -SQL Server Analysis Services: NT Service\UNIQUE CUSTOM ACCOUNT -SQL Server Browser: Local Service -SQL Server Distributed Replay Client: NT Service\UNIQUE CUSTOM ACCOUNT -SQL Server Distributed Replay Controller: NT Service\UNIQUE CUSTOM ACCOUNT -SQL Server Integration Services 11.0: NT Service\UNIQUE CUSTOM ACCOUNT -SQL Server Reporting Services: NT Service\UNIQUE CUSTOM ACCOUNT -SQL Server VSS Writer: Local System +Service Name: Log On As: +SQL Full-text Filter Daemon Launcher: NT Service\UNIQUE CUSTOM ACCOUNT +SQL Server [stand-alone]: NT Service\UNIQUE CUSTOM ACCOUNT +SQL Server [cluster]: <domain>\<CustomServiceAccount> +SQL Server Agent: NT Service\UNIQUE CUSTOM ACCOUNT +SQL Server Analysis Services: NT Service\UNIQUE CUSTOM ACCOUNT +SQL Server Browser: Local Service +SQL Server Distributed Replay Client: NT Service\UNIQUE CUSTOM ACCOUNT +SQL Server Distributed Replay Controller: NT Service\UNIQUE CUSTOM ACCOUNT +SQL Server Integration Services 11.0: NT Service\UNIQUE CUSTOM ACCOUNT +SQL Server Reporting Services: NT Service\UNIQUE CUSTOM ACCOUNT +SQL Server VSS Writer: Local System UNIQUE CUSTOM ACCOUNT refers to an account with which no other service listed in the services.msc window is assigned. If any account requiring a unique custom account uses an account that any other service utilizes (regardless of service status), this is a finding. 
@@ -2228,18 +2232,18 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'Unsafe assembly' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Unsafe assembly' + what.permission_name = 'Unsafe assembly' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name 
@@ -2249,59 +2253,59 @@ GO If any role has 'Grant', 'With Grant' or 'Deny' privileges to the 'Unsafe assembly' permission and the role is not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any 
event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO - <VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. + <VulnDiscussion>The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Unauthorized access to sensitive data or SQL Server control may compromise the confidentiality of personnel privacy, threaten national security, compromise a variety of other sensitive operations or lead to a loss of system control. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. 
@@ -2318,18 +2322,18 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes Obtain the list of accounts that have direct access to the server-level permission 'Alter any availability group' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any availability group' + what.permission_name = 'Alter any availability group' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY 
@@ -2340,55 +2344,55 @@ GO If any user accounts have direct access to the 'Alter any availability group' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any 
login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO @@ -2408,14 +2412,14 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the 'Shutdown' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -2424,59 +2428,59 @@ AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 
'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO 
@@ -2496,75 +2500,75 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'External access assembly' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'External access assembly' + what.permission_name = 'External access assembly' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server 
state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO @@ -2584,14 +2588,14 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'Create trace event notification' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -2600,59 +2604,59 @@ AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 
'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO @@ -2672,14 +2676,14 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'Create server role' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -2688,59 +2692,59 @@ AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 
'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO 
@@ -2762,75 +2766,75 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Create endpoint' + what.permission_name = 'Create endpoint' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter 
resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO 
@@ -2850,75 +2854,75 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'Create DDL event notification' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Create DDL event notification' + what.permission_name = 'Create DDL event notification' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server 
state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO 
@@ -2938,75 +2942,75 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'Create availability group' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Create availability group' + what.permission_name = 'Create availability group' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server 
state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO @@ -3026,23 +3030,23 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'Alter any server audit' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any server audit' + what.permission_name = 'Alter any server audit' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
@@ -3062,75 +3066,75 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'View any definition' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'View any definition' + what.permission_name = 'View any definition' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server 
state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO @@ -3152,14 +3156,14 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -3168,59 +3172,59 @@ AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 
'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO 
@@ -3240,75 +3244,75 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'Alter resources' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter resources' + what.permission_name = 'Alter resources' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server 
state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO 
@@ -3328,75 +3332,75 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'Alter any availability group' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any availability group' + what.permission_name = 'Alter any availability group' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server 
state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO 
@@ -3416,75 +3420,75 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'Alter any login' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any login' + what.permission_name = 'Alter any login' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server 
state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO 
@@ -3504,75 +3508,75 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'Alter any linked server' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any linked server' + what.permission_name = 'Alter any linked server' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server 
state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO 
@@ -3592,75 +3596,75 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'View server state' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'View server state' + what.permission_name = 'View server state' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server 
state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO 
@@ -3680,75 +3684,75 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'Alter trace' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter trace' + what.permission_name = 'Alter trace' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server 
state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO 
@@ -3768,75 +3772,75 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'Control server' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Control server' + what.permission_name = 'Control server' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server 
state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO @@ -3856,14 +3860,14 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'Alter any server role' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -3872,59 +3876,59 @@ AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 
'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO 
@@ -3944,75 +3948,75 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'Alter Settings' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter Settings' + what.permission_name = 'Alter Settings' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server 
state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO 
@@ -4032,75 +4036,75 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'Authenticate server' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Authenticate server' + what.permission_name = 'Authenticate server' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server 
state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO 
@@ -4120,75 +4124,75 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'Create any database' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Create any database' + what.permission_name = 'Create any database' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server 
state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO @@ -4208,23 +4212,23 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'Alter any connection' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any connection' + what.permission_name = 'Alter any connection' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
@@ -4244,23 +4248,23 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'Alter any credential' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any credential' + what.permission_name = 'Alter any credential' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
@@ -4280,23 +4284,23 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'Alter any database' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any database' + what.permission_name = 'Alter any database' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
@@ -4316,23 +4320,23 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'Alter any endpoint' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any endpoint' + what.permission_name = 'Alter any endpoint' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
@@ -4352,23 +4356,23 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'Alter any event session' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any event session' + what.permission_name = 'Alter any event session' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
@@ -4386,27 +4390,27 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok False False - Obtain the list of roles that are authorized for the SQL Server 'Alter server state' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. + Obtain the list of roles that are authorized for the SQL Server 'Alter server state' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter server state' + what.permission_name = 'Alter server state' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
@@ -4502,12 +4506,12 @@ Note 4: It may also be necessary to grant the SQL Server Agent permission to Del False Obtain the SQL Server data directory location(s): in a tool such as SQL Server Management Studio, run the statement: -SELECT DISTINCT -LEFT(physical_name, (LEN(physical_name) - CHARINDEX('\',REVERSE(physical_name)) + 1 )) +SELECT DISTINCT +LEFT(physical_name, (LEN(physical_name) - CHARINDEX('\',REVERSE(physical_name)) + 1 )) AS "Database Data File Paths", type_desc FROM sys.master_files -WHERE database_id > 4 +WHERE database_id > 4 AND type = 0 The query result is a list of file systems locations used for databases other than the system databases. Navigate to each of those folder locations using a command prompt or Windows Explorer. The following instructions assume that Windows Explorer is used. 
@@ -4516,11 +4520,11 @@ The query result is a list of file systems locations used for databases other th Verify that the identified folders and their contents have only authorized privileges. Right-click each folder, click Properties. On the Security tab, verify that at most the following permissions are present: CREATOR OWNER (Full Control) System (Full control) -SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] +SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] System Administrators (Full Control) [Note 3] SQL Server Analysis Services (SSAS) Service SID or Service Account, if SSAS is in use (Read & Execute) [Notes 1, 2] -SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] -SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read, Write) [Notes 1, 2] +SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] +SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read, Write) [Notes 1, 2] If any less restrictive permissions are present (and not specifically justified and approved), this is a finding. @@ -4529,11 +4533,11 @@ If any less restrictive permissions are present (and not specifically justified False False - Obtain the SQL Server backup directory location: from a command prompt, open the registry editor by typing regedit.exe, and pressing [ENTER]. Navigate to the following registry location: -HKEY_LOCAL_MACHINE ->> SOFTWARE + Obtain the SQL Server backup directory location: from a command prompt, open the registry editor by typing regedit.exe, and pressing [ENTER]. Navigate to the following registry location: +HKEY_LOCAL_MACHINE +>> SOFTWARE >> Microsoft ->> Microsoft SQL Server +>> Microsoft SQL Server >> [INSTANCE NAME] >> MSSQLServer >> BackupDirectory 
@@ -4547,9 +4551,9 @@ Navigate to each folder location using a command prompt or Windows Explorer. Th Verify that backup files and folders have only authorized privileges. Right-click the backup folder, click Properties. On the Security tab, verify that at most the following permissions are present: CREATOR OWNER (Full Control) System (Full control) -SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] -SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] -SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read, Write) [Notes 1, 2] +SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] +SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] +SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read, Write) [Notes 1, 2] System Administrators (Full Control) [Note 3] SQL Server Analysis Services (SSAS) Service SID or Service Account, if SSAS is in use (Read & Execute) [Notes 1, 2] If any less restrictive permissions are present (and not specifically justified and approved), this is a finding. 
@@ -4636,13 +4640,13 @@ GO Traverse,ExecuteFile,ListDirectory,ReadData,ReadAttributes,ReadExtendedAttributes,CreateFiles,WriteData,CreateDirectories,AppendData,WriteAttributes,WriteExtendedAttributes,Delete,ReadPermissions - <VulnDiscussion>Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. + <VulnDiscussion>Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. -Accordingly, only qualified and authorized individuals are allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. +Accordingly, only qualified and authorized individuals are allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. -Access restrictions for change also include software libraries. +Access restrictions for change also include software libraries. -Examples of access restrictions include: physical access controls (such as locks and access cards), logical access controls (such as ACLs), automated auditing (logging) of logical access, workflow automation, media libraries, abstract layers (e.g., changes are implemented into a third-party interface rather than directly into the information system component), and change windows (e.g., changes occur only during specified times, making unauthorized changes outside the window easy to discover). 
+Examples of access restrictions include: physical access controls (such as locks and access cards), logical access controls (such as ACLs), automated auditing (logging) of logical access, workflow automation, media libraries, abstract layers (e.g., changes are implemented into a third-party interface rather than directly into the information system component), and change windows (e.g., changes occur only during specified times, making unauthorized changes outside the window easy to discover). This requirement focuses on the auditing aspect of the protections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>true</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -4654,7 +4658,7 @@ This requirement focuses on the auditing aspect of the protections.</VulnDisc Verify that Files and Folders that are part of the SQL Server 2012 Installation have auditing enabled. -Right click the root folder of the SQL Server installation. Typically, this is at <drive>:\Program Files\Microsoft SQL Server\. Select Properties. +Right click the root folder of the SQL Server installation. Typically, this is at <drive>:\Program Files\Microsoft SQL Server\. Select Properties. Click on the Security tab @@ -4669,7 +4673,7 @@ If "This folder, subfolders and files" is not listed in the "Apply To" column, t When "Everyone" ... " is listed, select the "Everyone" row and click on the Edit button. If either the Successful or Failed checkbox is not selected for any of the following access types, this is a finding: - Traverse folder/execute file + Traverse folder/execute file List folder/read data Read attributes Read extended attributes 
@@ -4715,7 +4719,7 @@ HKEY_LOCAL_MACHINE Determine the location of separate but related softare, such as audit file management tools. -Verify that files and folders that are part of, or related to, the SQL Server 2012 installation have auditing enabled. Right-click on the file/folder, click Properties. On the Security tab, click Advanced. On the Auditing tab, verify +Verify that files and folders that are part of, or related to, the SQL Server 2012 installation have auditing enabled. Right-click on the file/folder, click Properties. On the Security tab, click Advanced. On the Auditing tab, verify that the following is set up on at least one audit: Type: All Principal: Everyone @@ -4743,8 +4747,8 @@ Some applications that run on SQL Server require the 'sa' account to be enabled USE MASTER GO -SELECT name, is_disabled -FROM sys.sql_logins +SELECT name, is_disabled +FROM sys.sql_logins WHERE principal_id = 1; Verify that the "name" column contains the current name of the sa database server account (see note). 
@@ -4817,17 +4821,17 @@ From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. -Determine the trace(s) being used for the auditing requirement. +Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: - 14, 15, 18, 20, - 102, 103, 104, 105, 106, 107, 108, 109, 110, - 111, 112, 113, 115, 116, 117, 118, - 128, 129, 130, - 131, 132, 133, 134, 135, - 152, 153, + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. 
@@ -4835,9 +4839,9 @@ Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. -4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: - SELECT * FROM sys.trace_events; + SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding. 
BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) CREATE TABLE #Trace (TraceId INT) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0)ORDER BY TraceId DESC CREATE TABLE #TraceEvent (TraceId INT, EventId INT) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @currentTraceId INT FETCH NEXT FROM cursorTrace INTO @currentTraceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @currentTraceId, EventId FROM sys.fn_trace_geteventinfo(@currentTraceId) FETCH NEXT FROM cursorTrace INTO @currentTraceId END CLOSE cursorTrace DEALLOCATE cursorTrace DECLARE @missingStigEventCount INT SET @missingStigEventCount = (SELECT COUNT(*) FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL) IF @missingStigEventCount > 0 BEGIN DECLARE @dir nvarchar(4000) DECLARE @tracefile nvarchar(4000) DECLARE @returnCode INT DECLARE @newTraceId INT DECLARE @maxFileSize BIGINT = 5 EXEC master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\Setup', N'SQLPath', @dir OUTPUT, 'no_output' SET @tracefile = @dir + N'\Log\PowerStig' EXEC @returnCode = sp_trace_create @traceid = @newTraceId OUTPUT, @options = 2, @tracefile = @tracefile, @maxfilesize = @maxFileSize, @stoptime = NULL, @filecount = 2; IF @returnCode = 0 BEGIN EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 0 DECLARE cursorMissingStigEvent CURSOR FOR SELECT DISTINCT 
SE.EventId FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL OPEN cursorMissingStigEvent DECLARE @currentStigEventId INT FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId WHILE @@FETCH_STATUS = 0 BEGIN EXEC sp_trace_setevent @traceid = @newTraceId, @eventid = @currentStigEventId, @columnid = NULL, @on = 1 FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId END CLOSE cursorMissingStigEvent DEALLOCATE cursorMissingStigEvent EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 1 END END END @@ -4867,7 +4871,7 @@ All currently defined traces for the SQL Server instance will be listed. If no t Determine the trace being used for the auditing requirement. Replace # in the following code with a traceid being used for the auditing requirements. From the query prompt, determine whether the trace options include the value 4, which means SHUTDOWN_ON_ERROR: -SELECT CAST(value AS INT) +SELECT CAST(value AS INT) FROM sys.fn_trace_getinfo(#) where property = 1; 
@@ -4877,15 +4881,15 @@ If a value is returned but is not 4 or 6, this is a finding. NOTE: Microsoft has flagged the trace techniques and tools used in this STIG as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use and configured to satisfy this requirement, this is not a finding. The following code can be used to check Extended Events settings. -/********************************** +/********************************** Check to verify shutdown on failure is set. -The following settings are what should be returned: -name = <name of audit> -on_failure = 1 -on_failure_desc = SHUTDOWN SERVER INSTANCE -**********************************/ -SELECT name, on_failure, on_failure_desc -FROM sys.server_audits +The following settings are what should be returned: +name = <name of audit> +on_failure = 1 +on_failure_desc = SHUTDOWN SERVER INSTANCE +**********************************/ +SELECT name, on_failure, on_failure_desc +FROM sys.server_audits DECLARE @new_trace_id INT; DECLARE @traceid INT; SET @traceId = (SELECT traceId FROM ::fn_trace_getinfo(NULL) WHERE Value = 6) EXECUTE master.dbo.sp_trace_create @results = @new_trace_id OUTPUT, @options = 6, @traceFilePath = N'$(TraceFilePath)' DECLARE @traceId int SET @traceId = (SELECT traceId FROM ::fn_trace_getinfo(NULL) WHERE Value = 6) IF (@traceId IS NULL) SELECT traceId FROM ::fn_trace_getinfo(NULL) ELSE Print NULL 
@@ -4903,12 +4907,12 @@ After the initial setup of SQL Server audit log configuration, it is best to che False True - Check the SQL Server audit setting on the maximum number of files of the trace used for the auditing requirement. + Check the SQL Server audit setting on the maximum number of files of the trace used for the auditing requirement. -Select * from sys.traces. Determine the audit being used to fulfill the overall auditing requirement. Examine the max_files and max_size parameters. SQL will overwrite the oldest files when the max_files parameter has been exceeded. Care must be taken to ensure that this does not happen, or data will be lost. +Select * from sys.traces. Determine the audit being used to fulfill the overall auditing requirement. Examine the max_files and max_size parameters. SQL will overwrite the oldest files when the max_files parameter has been exceeded. Care must be taken to ensure that this does not happen, or data will be lost. -The amount of space determined for logging by SQL Server is calculated by multiplying the maximum number of files by the maximum file size. +The amount of space determined for logging by SQL Server is calculated by multiplying the maximum number of files by the maximum file size. If auditing will outgrow the space reserved for logging before being overwritten, this is a finding. 
DECLARE @new_trace_id INT; DECLARE @maxsize bigint DECLARE @maxRolloverFiles int DECLARE @traceId int DECLARE @traceFilePath nvarchar(500) SET @traceFilePath = N'$(TraceFilePath)' SET @traceId = (Select Id from sys.traces where path LIKE (@traceFilePath + '%')) SET @maxsize = $(MaxTraceFileSize) SET @maxRolloverFiles = $(MaxRollOverFileCount) EXEC sp_trace_setstatus @traceid, @status = 2 EXECUTE master.dbo.sp_trace_create @new_trace_id OUTPUT, 6, @traceFilePath, @maxsize, NULL, @maxRolloverFiles DECLARE @traceFilePath nvarchar(500) DECLARE @desiredFileSize bigint DECLARE @desiredMaxFiles int DECLARE @currentFileSize bigint DECLARE @currentMaxFiles int SET @traceFilePath = N'$(TraceFilePath)' SET @currentFileSize = (SELECT max_size from sys.traces where path LIKE (@traceFilePath + '%')) SET @currentMaxFiles = (SELECT max_files from sys.traces where path LIKE (@traceFilePath + '%')) IF (@currentFileSize != $(MaxTraceFileSize)) BEGIN PRINT 'file size not in desired state' SELECT max_size from sys.traces where path LIKE (@traceFilePath + '%') END IF (@currentMaxFiles != $(MaxRollOverFileCount)) BEGIN PRINT 'max files not in desired state'SELECT max_files from sys.traces where path LIKE (@traceFilePath + '%') END 
@@ -4931,17 +4935,17 @@ From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. -Determine the trace(s) being used for the auditing requirement. +Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: - 14, 15, 18, 20, - 102, 103, 104, 105, 106, 107, 108, 109, 110, - 111, 112, 113, 115, 116, 117, 118, - 128, 129, 130, - 131, 132, 133, 134, 135, - 152, 153, + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. 
@@ -4949,9 +4953,9 @@ Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. -4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: - SELECT * FROM sys.trace_events; + SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding. 
BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) CREATE TABLE #Trace (TraceId INT) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0)ORDER BY TraceId DESC CREATE TABLE #TraceEvent (TraceId INT, EventId INT) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @currentTraceId INT FETCH NEXT FROM cursorTrace INTO @currentTraceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @currentTraceId, EventId FROM sys.fn_trace_geteventinfo(@currentTraceId) FETCH NEXT FROM cursorTrace INTO @currentTraceId END CLOSE cursorTrace DEALLOCATE cursorTrace DECLARE @missingStigEventCount INT SET @missingStigEventCount = (SELECT COUNT(*) FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL) IF @missingStigEventCount > 0 BEGIN DECLARE @dir nvarchar(4000) DECLARE @tracefile nvarchar(4000) DECLARE @returnCode INT DECLARE @newTraceId INT DECLARE @maxFileSize BIGINT = 5 EXEC master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\Setup', N'SQLPath', @dir OUTPUT, 'no_output' SET @tracefile = @dir + N'\Log\PowerStig' EXEC @returnCode = sp_trace_create @traceid = @newTraceId OUTPUT, @options = 2, @tracefile = @tracefile, @maxfilesize = @maxFileSize, @stoptime = NULL, @filecount = 2; IF @returnCode = 0 BEGIN EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 0 DECLARE cursorMissingStigEvent CURSOR FOR SELECT DISTINCT 
SE.EventId FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL OPEN cursorMissingStigEvent DECLARE @currentStigEventId INT FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId WHILE @@FETCH_STATUS = 0 BEGIN EXEC sp_trace_setevent @traceid = @newTraceId, @eventid = @currentStigEventId, @columnid = NULL, @on = 1 FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId END CLOSE cursorMissingStigEvent DEALLOCATE cursorMissingStigEvent EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 1 END END END 
@@ -4960,7 +4964,7 @@ Use the following query to obtain a list of all event IDs, and their meaning: - <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. Database software is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly who performed a given action. If user identification information is not recorded and stored with the audit record, the record itself is of very limited use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> V-41021 
@@ -4973,17 +4977,17 @@ From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. -Determine the trace(s) being used for the auditing requirement. +Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: - 14, 15, 18, 20, - 102, 103, 104, 105, 106, 107, 108, 109, 110, - 111, 112, 113, 115, 116, 117, 118, - 128, 129, 130, - 131, 132, 133, 134, 135, - 152, 153, + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. 
@@ -4991,9 +4995,9 @@ Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. -4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: - SELECT * FROM sys.trace_events; + SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding. 
BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) CREATE TABLE #Trace (TraceId INT) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0)ORDER BY TraceId DESC CREATE TABLE #TraceEvent (TraceId INT, EventId INT) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @currentTraceId INT FETCH NEXT FROM cursorTrace INTO @currentTraceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @currentTraceId, EventId FROM sys.fn_trace_geteventinfo(@currentTraceId) FETCH NEXT FROM cursorTrace INTO @currentTraceId END CLOSE cursorTrace DEALLOCATE cursorTrace DECLARE @missingStigEventCount INT SET @missingStigEventCount = (SELECT COUNT(*) FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL) IF @missingStigEventCount > 0 BEGIN DECLARE @dir nvarchar(4000) DECLARE @tracefile nvarchar(4000) DECLARE @returnCode INT DECLARE @newTraceId INT DECLARE @maxFileSize BIGINT = 5 EXEC master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\Setup', N'SQLPath', @dir OUTPUT, 'no_output' SET @tracefile = @dir + N'\Log\PowerStig' EXEC @returnCode = sp_trace_create @traceid = @newTraceId OUTPUT, @options = 2, @tracefile = @tracefile, @maxfilesize = @maxFileSize, @stoptime = NULL, @filecount = 2; IF @returnCode = 0 BEGIN EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 0 DECLARE cursorMissingStigEvent CURSOR FOR SELECT DISTINCT 
SE.EventId FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL OPEN cursorMissingStigEvent DECLARE @currentStigEventId INT FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId WHILE @@FETCH_STATUS = 0 BEGIN EXEC sp_trace_setevent @traceid = @newTraceId, @eventid = @currentStigEventId, @columnid = NULL, @on = 1 FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId END CLOSE cursorMissingStigEvent DEALLOCATE cursorMissingStigEvent EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 1 END END END @@ -5002,7 +5006,7 @@ Use the following query to obtain a list of all event IDs, and their meaning: - <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know the outcome of attempted actions. This requires specific information regarding the outcome of the action or event that the audit record is referring to. If outcome status information is not recorded and stored with the audit record, the record itself is of very limited use. 
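Review bot: The fix script's `EXEC sp_trace_setevent @traceid = @newTraceId, @eventid = @currentStigEventId, @columnid = NULL, @on = 1` enables each missing event without any data columns — per the sp_trace_setevent documentation, as I read it, `@columnid = NULL` together with `@on = 1` turns the event on and clears all columns — so the trace it creates would satisfy the event-ID check while recording none of the user, time, outcome or host fields the surrounding rules are about; binding the columns SQL Server lists in `sys.trace_event_bindings` for each event (sketched below) would close that gap. Two smaller points on the same script: it consults only `sys.fn_trace_getinfo`/`sys.fn_trace_geteventinfo`, so it will create a new trace even on an instance where the Extended Events sessions that note 6 accepts already cover the events, and `@options = 2` with `@maxfilesize = 5` and `@filecount = 2` presumably caps retained audit at roughly 10 MB before rollover discards the oldest file, which deserves a comment. Server-side traces are also not recreated after a service restart, so this is point-in-time compliance unless a startup procedure re-runs it. The same script is repeated verbatim in the following hunks, so any correction has to be applied to each copy; the XML element that holds this script begins outside the visible hunk.
```sql
-- … unchanged: sp_trace_create, sp_trace_setstatus 0, cursorMissingStigEvent declare/open/first fetch …
DECLARE @currentColumnId INT
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Bind every column SQL Server supports for this event; @columnid = NULL would turn the event on with no columns captured.
    DECLARE cursorEventColumn CURSOR FOR
        SELECT trace_column_id FROM sys.trace_event_bindings WHERE trace_event_id = @currentStigEventId
    OPEN cursorEventColumn
    FETCH NEXT FROM cursorEventColumn INTO @currentColumnId
    WHILE @@FETCH_STATUS = 0
    BEGIN
        EXEC sp_trace_setevent @traceid = @newTraceId, @eventid = @currentStigEventId, @columnid = @currentColumnId, @on = 1
        FETCH NEXT FROM cursorEventColumn INTO @currentColumnId
    END
    CLOSE cursorEventColumn
    DEALLOCATE cursorEventColumn
    FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId
END
-- … unchanged: close/deallocate cursorMissingStigEvent, sp_trace_setstatus 1 …
```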
@@ -5019,17 +5023,17 @@ From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. -Determine the trace(s) being used for the auditing requirement. +Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: - 14, 15, 18, 20, - 102, 103, 104, 105, 106, 107, 108, 109, 110, - 111, 112, 113, 115, 116, 117, 118, - 128, 129, 130, - 131, 132, 133, 134, 135, - 152, 153, + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. 
@@ -5037,9 +5041,9 @@ Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. -4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: - SELECT * FROM sys.trace_events; + SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding. 
BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) CREATE TABLE #Trace (TraceId INT) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0)ORDER BY TraceId DESC CREATE TABLE #TraceEvent (TraceId INT, EventId INT) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @currentTraceId INT FETCH NEXT FROM cursorTrace INTO @currentTraceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @currentTraceId, EventId FROM sys.fn_trace_geteventinfo(@currentTraceId) FETCH NEXT FROM cursorTrace INTO @currentTraceId END CLOSE cursorTrace DEALLOCATE cursorTrace DECLARE @missingStigEventCount INT SET @missingStigEventCount = (SELECT COUNT(*) FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL) IF @missingStigEventCount > 0 BEGIN DECLARE @dir nvarchar(4000) DECLARE @tracefile nvarchar(4000) DECLARE @returnCode INT DECLARE @newTraceId INT DECLARE @maxFileSize BIGINT = 5 EXEC master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\Setup', N'SQLPath', @dir OUTPUT, 'no_output' SET @tracefile = @dir + N'\Log\PowerStig' EXEC @returnCode = sp_trace_create @traceid = @newTraceId OUTPUT, @options = 2, @tracefile = @tracefile, @maxfilesize = @maxFileSize, @stoptime = NULL, @filecount = 2; IF @returnCode = 0 BEGIN EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 0 DECLARE cursorMissingStigEvent CURSOR FOR SELECT DISTINCT 
SE.EventId FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL OPEN cursorMissingStigEvent DECLARE @currentStigEventId INT FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId WHILE @@FETCH_STATUS = 0 BEGIN EXEC sp_trace_setevent @traceid = @newTraceId, @eventid = @currentStigEventId, @columnid = NULL, @on = 1 FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId END CLOSE cursorMissingStigEvent DEALLOCATE cursorMissingStigEvent EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 1 END END END @@ -5048,7 +5052,7 @@ Use the following query to obtain a list of all event IDs, and their meaning: - <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly who performed what actions. This requires specific information regarding the source of the event an audit record is referring to. If the source of the event information is not recorded and stored with the audit record, the record itself is of very limited use. 
@@ -5063,17 +5067,17 @@ From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. -Determine the trace(s) being used for the auditing requirement. +Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: - 14, 15, 18, 20, - 102, 103, 104, 105, 106, 107, 108, 109, 110, - 111, 112, 113, 115, 116, 117, 118, - 128, 129, 130, - 131, 132, 133, 134, 135, - 152, 153, + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. 
@@ -5081,9 +5085,9 @@ Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. -4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: - SELECT * FROM sys.trace_events; + SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding. 
BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) CREATE TABLE #Trace (TraceId INT) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0)ORDER BY TraceId DESC CREATE TABLE #TraceEvent (TraceId INT, EventId INT) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @currentTraceId INT FETCH NEXT FROM cursorTrace INTO @currentTraceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @currentTraceId, EventId FROM sys.fn_trace_geteventinfo(@currentTraceId) FETCH NEXT FROM cursorTrace INTO @currentTraceId END CLOSE cursorTrace DEALLOCATE cursorTrace DECLARE @missingStigEventCount INT SET @missingStigEventCount = (SELECT COUNT(*) FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL) IF @missingStigEventCount > 0 BEGIN DECLARE @dir nvarchar(4000) DECLARE @tracefile nvarchar(4000) DECLARE @returnCode INT DECLARE @newTraceId INT DECLARE @maxFileSize BIGINT = 5 EXEC master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\Setup', N'SQLPath', @dir OUTPUT, 'no_output' SET @tracefile = @dir + N'\Log\PowerStig' EXEC @returnCode = sp_trace_create @traceid = @newTraceId OUTPUT, @options = 2, @tracefile = @tracefile, @maxfilesize = @maxFileSize, @stoptime = NULL, @filecount = 2; IF @returnCode = 0 BEGIN EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 0 DECLARE cursorMissingStigEvent CURSOR FOR SELECT DISTINCT 
SE.EventId FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL OPEN cursorMissingStigEvent DECLARE @currentStigEventId INT FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId WHILE @@FETCH_STATUS = 0 BEGIN EXEC sp_trace_setevent @traceid = @newTraceId, @eventid = @currentStigEventId, @columnid = NULL, @on = 1 FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId END CLOSE cursorMissingStigEvent DEALLOCATE cursorMissingStigEvent EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 1 END END END @@ -5092,7 +5096,7 @@ Use the following query to obtain a list of all event IDs, and their meaning: - <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly where actions were performed. This requires specific information regarding the event location an audit record is referring to. If event location information is not recorded and stored with the audit record, the record itself is of very limited use. 
@@ -5107,17 +5111,17 @@ From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. -Determine the trace(s) being used for the auditing requirement. +Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: - 14, 15, 18, 20, - 102, 103, 104, 105, 106, 107, 108, 109, 110, - 111, 112, 113, 115, 116, 117, 118, - 128, 129, 130, - 131, 132, 133, 134, 135, - 152, 153, + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. 
@@ -5125,9 +5129,9 @@ Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. -4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: - SELECT * FROM sys.trace_events; + SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding. 
BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) CREATE TABLE #Trace (TraceId INT) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0)ORDER BY TraceId DESC CREATE TABLE #TraceEvent (TraceId INT, EventId INT) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @currentTraceId INT FETCH NEXT FROM cursorTrace INTO @currentTraceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @currentTraceId, EventId FROM sys.fn_trace_geteventinfo(@currentTraceId) FETCH NEXT FROM cursorTrace INTO @currentTraceId END CLOSE cursorTrace DEALLOCATE cursorTrace DECLARE @missingStigEventCount INT SET @missingStigEventCount = (SELECT COUNT(*) FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL) IF @missingStigEventCount > 0 BEGIN DECLARE @dir nvarchar(4000) DECLARE @tracefile nvarchar(4000) DECLARE @returnCode INT DECLARE @newTraceId INT DECLARE @maxFileSize BIGINT = 5 EXEC master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\Setup', N'SQLPath', @dir OUTPUT, 'no_output' SET @tracefile = @dir + N'\Log\PowerStig' EXEC @returnCode = sp_trace_create @traceid = @newTraceId OUTPUT, @options = 2, @tracefile = @tracefile, @maxfilesize = @maxFileSize, @stoptime = NULL, @filecount = 2; IF @returnCode = 0 BEGIN EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 0 DECLARE cursorMissingStigEvent CURSOR FOR SELECT DISTINCT 
SE.EventId FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL OPEN cursorMissingStigEvent DECLARE @currentStigEventId INT FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId WHILE @@FETCH_STATUS = 0 BEGIN EXEC sp_trace_setevent @traceid = @newTraceId, @eventid = @currentStigEventId, @columnid = NULL, @on = 1 FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId END CLOSE cursorMissingStigEvent DEALLOCATE cursorMissingStigEvent EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 1 END END END @@ -5136,7 +5140,7 @@ Use the following query to obtain a list of all event IDs, and their meaning: - <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly when actions were performed. This requires specific information regarding the date and time an audit record is referring to. If date and time information is not recorded and stored with the audit record, the record itself is of very limited use. 
@@ -5151,17 +5155,17 @@ From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. -Determine the trace(s) being used for the auditing requirement. +Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: - 14, 15, 18, 20, - 102, 103, 104, 105, 106, 107, 108, 109, 110, - 111, 112, 113, 115, 116, 117, 118, - 128, 129, 130, - 131, 132, 133, 134, 135, - 152, 153, + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. 
@@ -5169,9 +5173,9 @@ Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. -4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: - SELECT * FROM sys.trace_events; + SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding. 
BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) CREATE TABLE #Trace (TraceId INT) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0)ORDER BY TraceId DESC CREATE TABLE #TraceEvent (TraceId INT, EventId INT) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @currentTraceId INT FETCH NEXT FROM cursorTrace INTO @currentTraceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @currentTraceId, EventId FROM sys.fn_trace_geteventinfo(@currentTraceId) FETCH NEXT FROM cursorTrace INTO @currentTraceId END CLOSE cursorTrace DEALLOCATE cursorTrace DECLARE @missingStigEventCount INT SET @missingStigEventCount = (SELECT COUNT(*) FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL) IF @missingStigEventCount > 0 BEGIN DECLARE @dir nvarchar(4000) DECLARE @tracefile nvarchar(4000) DECLARE @returnCode INT DECLARE @newTraceId INT DECLARE @maxFileSize BIGINT = 5 EXEC master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\Setup', N'SQLPath', @dir OUTPUT, 'no_output' SET @tracefile = @dir + N'\Log\PowerStig' EXEC @returnCode = sp_trace_create @traceid = @newTraceId OUTPUT, @options = 2, @tracefile = @tracefile, @maxfilesize = @maxFileSize, @stoptime = NULL, @filecount = 2; IF @returnCode = 0 BEGIN EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 0 DECLARE cursorMissingStigEvent CURSOR FOR SELECT DISTINCT 
SE.EventId FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL OPEN cursorMissingStigEvent DECLARE @currentStigEventId INT FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId WHILE @@FETCH_STATUS = 0 BEGIN EXEC sp_trace_setevent @traceid = @newTraceId, @eventid = @currentStigEventId, @columnid = NULL, @on = 1 FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId END CLOSE cursorMissingStigEvent DEALLOCATE cursorMissingStigEvent EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 1 END END END @@ -5180,7 +5184,7 @@ Use the following query to obtain a list of all event IDs, and their meaning: - <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. + <VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content which may be necessary to satisfy the requirement of this control includes, but is not limited to: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. SQL Server is capable of a range of actions on data stored within the database. It is important, for accurate forensic analysis, to know exactly what actions were performed. This requires specific information regarding the event type an audit record is referring to. If event type information is not recorded and stored with the audit record, the record itself is of very limited use. 
@@ -5195,17 +5199,17 @@ From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. -Determine the trace(s) being used for the auditing requirement. +Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: - 14, 15, 18, 20, - 102, 103, 104, 105, 106, 107, 108, 109, 110, - 111, 112, 113, 115, 116, 117, 118, - 128, 129, 130, - 131, 132, 133, 134, 135, - 152, 153, + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. 
@@ -5213,9 +5217,9 @@ Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. -4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: - SELECT * FROM sys.trace_events; + SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding. 
BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) CREATE TABLE #Trace (TraceId INT) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0)ORDER BY TraceId DESC CREATE TABLE #TraceEvent (TraceId INT, EventId INT) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @currentTraceId INT FETCH NEXT FROM cursorTrace INTO @currentTraceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @currentTraceId, EventId FROM sys.fn_trace_geteventinfo(@currentTraceId) FETCH NEXT FROM cursorTrace INTO @currentTraceId END CLOSE cursorTrace DEALLOCATE cursorTrace DECLARE @missingStigEventCount INT SET @missingStigEventCount = (SELECT COUNT(*) FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL) IF @missingStigEventCount > 0 BEGIN DECLARE @dir nvarchar(4000) DECLARE @tracefile nvarchar(4000) DECLARE @returnCode INT DECLARE @newTraceId INT DECLARE @maxFileSize BIGINT = 5 EXEC master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\Setup', N'SQLPath', @dir OUTPUT, 'no_output' SET @tracefile = @dir + N'\Log\PowerStig' EXEC @returnCode = sp_trace_create @traceid = @newTraceId OUTPUT, @options = 2, @tracefile = @tracefile, @maxfilesize = @maxFileSize, @stoptime = NULL, @filecount = 2; IF @returnCode = 0 BEGIN EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 0 DECLARE cursorMissingStigEvent CURSOR FOR SELECT DISTINCT 
SE.EventId FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL OPEN cursorMissingStigEvent DECLARE @currentStigEventId INT FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId WHILE @@FETCH_STATUS = 0 BEGIN EXEC sp_trace_setevent @traceid = @newTraceId, @eventid = @currentStigEventId, @columnid = NULL, @on = 1 FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId END CLOSE cursorMissingStigEvent DEALLOCATE cursorMissingStigEvent EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 1 END END END @@ -5241,17 +5245,17 @@ From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. -Determine the trace(s) being used for the auditing requirement. +Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: - 14, 15, 18, 20, - 102, 103, 104, 105, 106, 107, 108, 109, 110, - 111, 112, 113, 115, 116, 117, 118, - 128, 129, 130, - 131, 132, 133, 134, 135, - 152, 153, + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. 
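Review bot: The fix script on this hunk's trailing context line treats a required event ID as covered if it appears in any trace returned by sys.fn_trace_getinfo(0), but it never checks the trace status, so a stopped trace that still defines the events suppresses creation of the PowerStig trace even though the check text two notes above requires covering traces to be "always active". When populating #Trace, keep only running traces, e.g. `SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) WHERE property = 5 AND value = 1` (property 5 is the trace status; verify against the 2012 documentation). Separately, a non-zero return from sp_trace_create is silently swallowed because the `IF @returnCode = 0` block has no ELSE, so the caller cannot tell that no audit trace was created; add `ELSE RAISERROR('sp_trace_create failed with return code %d', 16, 1, @returnCode)`. The script appears to be PowerSTIG-maintained rather than DISA text (the trace file is named `\Log\PowerStig`), so this is fixable here.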
@@ -5259,9 +5263,9 @@ Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. -4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: - SELECT * FROM sys.trace_events; + SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding. 
BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) CREATE TABLE #Trace (TraceId INT) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0)ORDER BY TraceId DESC CREATE TABLE #TraceEvent (TraceId INT, EventId INT) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @currentTraceId INT FETCH NEXT FROM cursorTrace INTO @currentTraceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @currentTraceId, EventId FROM sys.fn_trace_geteventinfo(@currentTraceId) FETCH NEXT FROM cursorTrace INTO @currentTraceId END CLOSE cursorTrace DEALLOCATE cursorTrace DECLARE @missingStigEventCount INT SET @missingStigEventCount = (SELECT COUNT(*) FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL) IF @missingStigEventCount > 0 BEGIN DECLARE @dir nvarchar(4000) DECLARE @tracefile nvarchar(4000) DECLARE @returnCode INT DECLARE @newTraceId INT DECLARE @maxFileSize BIGINT = 5 EXEC master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\Setup', N'SQLPath', @dir OUTPUT, 'no_output' SET @tracefile = @dir + N'\Log\PowerStig' EXEC @returnCode = sp_trace_create @traceid = @newTraceId OUTPUT, @options = 2, @tracefile = @tracefile, @maxfilesize = @maxFileSize, @stoptime = NULL, @filecount = 2; IF @returnCode = 0 BEGIN EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 0 DECLARE cursorMissingStigEvent CURSOR FOR SELECT DISTINCT 
SE.EventId FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL OPEN cursorMissingStigEvent DECLARE @currentStigEventId INT FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId WHILE @@FETCH_STATUS = 0 BEGIN EXEC sp_trace_setevent @traceid = @newTraceId, @eventid = @currentStigEventId, @columnid = NULL, @on = 1 FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId END CLOSE cursorMissingStigEvent DEALLOCATE cursorMissingStigEvent EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 1 END END END @@ -5349,18 +5353,18 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes Obtain the list of accounts that have direct access to the server-level permission 'Alter any endpoint' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any endpoint' + what.permission_name = 'Alter any endpoint' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY 
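Review bot: The trace created by the fix script on this hunk's trailing context line uses `@options = 2` (file rollover) with `@maxfilesize = 5` MB and `@filecount = 2`, which retains at most roughly 10 MB of audit records before the oldest file is overwritten; with 38 event classes enabled on a busy instance that window is minutes, which undermines the forensic purpose stated in the VulnDiscussion unless something external ships the files off first, which nothing visible here does. Consider raising `@maxFileSize`/`@filecount` or surfacing them as rule parameters, and document the retention assumption in the script, e.g. `-- 5 MB x 2 rollover files: ~10 MB of audit history retained; tune for the instance's event volume`. The non-zero sp_trace_create return code is also dropped silently by the `IF @returnCode = 0` guard, so the rule can report success with no trace in place. This is the same script that appears for the other trace rules in this file.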
@@ -5371,55 +5375,55 @@ GO If any user accounts have direct access to the 'Alter any endpoint' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter any endpoint' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
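Review bot: The fix script on this hunk's trailing context line builds the REVOKE batch by string concatenation, `'REVOKE ' + @permission + ' FROM [' + @name + '];'`, so a principal whose name contains `]` (legal for a SQL login) breaks out of the bracket delimiter and either errors or revokes from a different identifier; use `' FROM ' + QUOTENAME(@name) + ';'` instead. `@name` is also declared `varchar(512)` while who.name is sysname (nvarchar), so non-ASCII login names are altered before they are quoted and the REVOKE then targets a nonexistent principal; declare it `@name sysname`. Presumably this batch runs on the target when the rule is applied, so treat it as code rather than guidance.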
@@ -5444,18 +5448,18 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes Obtain the list of accounts that have direct access to the server-level permission 'Alter any database' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any database' + what.permission_name = 'Alter any database' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY 
@@ -5466,55 +5470,55 @@ GO If any user accounts have direct access to the 'Alter any database' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter any database' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
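Review bot: The revoke cursor on this hunk's trailing context line excludes `who.name <> 'sa'`, but the check query earlier in the hunk excludes only `##MS%##` names and server roles, so an explicit 'Alter any database' grant to sa is reported as a finding and never remediated; either drop the exclusion or add a comment explaining why sa is intentionally left for manual review. The dynamic SQL here also concatenates the principal name inside literal brackets, `' FROM [' + @name + '];'`, which breaks for names containing `]`; use `QUOTENAME(@name)`.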
@@ -5539,18 +5543,18 @@ Note that this does not apply to logins with names of the form '##MS...##'. The Obtain the list of accounts that have direct access to the server-level permission 'Alter any credential' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any credential' + what.permission_name = 'Alter any credential' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY 
@@ -5561,55 +5565,55 @@ GO If any user accounts have direct access to the 'Alter any credential' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', 
+ 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter any credential' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
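Review bot: In the fix script on this hunk's trailing context line, `DECLARE @name as varchar(512)` receives who.name, which is sysname (nvarchar(128)); any login name with characters outside the default code page is changed during the implicit conversion, so the generated `REVOKE ... FROM [name]` refers to a principal that does not exist and the permission survives. Declare `@name sysname` and `@permission nvarchar(128)`, and build the identifier with `QUOTENAME(@name)` rather than `'[' + @name + ']'` so a `]` in the name cannot terminate the identifier early.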
@@ -5634,18 +5638,18 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes Obtain the list of accounts that have direct access to the server-level permission 'Alter any connection' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any connection' + what.permission_name = 'Alter any connection' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY 
@@ -5656,55 +5660,55 @@ GO If any user accounts have direct access to the 'Alter any connection' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', 
+ 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter any connection' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
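Review bot: The REVOKE batch assembled on this hunk's trailing context line interpolates the principal name into the statement with `' FROM [' + @name + '];'`, so a name containing `]` escapes the bracket delimiter; this is the same pattern used for the other permission rules in this file and should be `' FROM ' + QUOTENAME(@name) + ';'`. Since the script is executed with `EXEC ( @sqlstring1 )` as one batch, a single malformed statement can also abort the remaining revokes, which is worth a comment in the script if that behavior is intended.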
@@ -5729,14 +5733,14 @@ Note that this does not apply to logins with names of the form '##MS...##'. The Obtain the list of accounts that have direct access to the server-level permission 'Alter server state' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -5751,55 +5755,55 @@ GO If any user accounts have direct access to the 'Alter server state' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter server state' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
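Review bot: The fix script on this hunk's trailing context line concatenates the login name into dynamic SQL, `' FROM [' + @name + '];'`, instead of quoting it with `QUOTENAME(@name)`, so a name containing `]` either fails the batch or revokes from the wrong identifier. `@name` is declared `varchar(512)` although who.name is sysname; declare it `@name sysname` so non-ASCII names are preserved. The check query in this hunk does not exclude sa but the revoke cursor does (`who.name <> 'sa'`), so an explicit 'Alter server state' grant to sa remains a finding after the fix runs.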
@@ -5824,14 +5828,14 @@ Note that this does not apply to logins with names of the form '##MS...##'. The Obtain the list of accounts that have direct access to the server-level permission 'Alter any event notification' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -5846,55 +5850,55 @@ GO If any user accounts have direct access to the 'Alter any event notification' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any 
login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter any event notification' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
@@ -5919,75 +5923,75 @@ The fix for this vulnerability specifies the use of REVOKE. Be aware that revok Obtain the list of roles that are authorized for the SQL Server 'View any database' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'View any database' + what.permission_name = 'View any database' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; -GO +GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) -AND who.type_desc = 'SERVER_ROLE' + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server 
state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO REVOKE External access assembly TO '$(ViewAnyDbUser)' @@ -6012,18 +6016,18 @@ Note that this does not apply to logins with names of the form '##MS...##'. The Obtain the list of accounts that have direct access to the server-level permission 'Alter any server audit' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Alter any server audit' + what.permission_name = 'Alter any server audit' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY 
@@ -6034,55 +6038,55 @@ GO If any user accounts have direct access to the 'Alter any server audit' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any 
login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter any server audit' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
@@ -6107,14 +6111,14 @@ Note that this does not apply to logins with names of the form '##MS...##'. The Obtain the list of accounts that have direct access to the server-level permission 'Authenticate Server' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -6129,55 +6133,55 @@ GO If any user accounts have direct access to the 'Authenticate Server' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'AUTHENTICATE SERVER' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
@@ -6202,14 +6206,14 @@ Note that this does not apply to logins with names of the form '##MS...##'. The Obtain the list of accounts that have direct access to the server-level permission 'Administer bulk operations' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -6224,55 +6228,55 @@ GO If any user accounts have direct access to the 'Administer bulk operations' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any 
login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Administer bulk operations' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
@@ -6297,14 +6301,14 @@ Note that this does not apply to logins with names of the form '##MS...##'. The Obtain the list of accounts that have direct access to the server-level permission 'Create endpoint' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -6319,55 +6323,55 @@ GO If any user accounts have direct access to the 'Create endpoint' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Create endpoint' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); @@ -6403,7 +6407,7 @@ sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE -what.permission_name = 'Create DDL Event Notification' +what.permission_name = 'Create DDL Event Notification' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY 
@@ -6414,55 +6418,55 @@ GO If any user accounts have direct access to the 'Create DDL Event Notification' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any 
login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Create DDL Event Notification' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
@@ -6488,14 +6492,14 @@ Note that this does not apply to logins with names of the form '##MS...##'. The Obtain the list of accounts that have direct access to the server-level permission 'Create availability group' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -6510,55 +6514,55 @@ GO If any user accounts have direct access to the 'Create availability group' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any 
login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Create availability group' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
@@ -6583,14 +6587,14 @@ Note that this does not apply to logins with names of the form '##MS...##'. The Obtain the list of accounts that have direct access to the server-level permission 'Create any database' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -6605,55 +6609,55 @@ GO If any user accounts have direct access to the 'Create any database' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Create any database' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
@@ -6678,14 +6682,14 @@ Note that this does not apply to logins with names of the form '##MS...##'. The Obtain the list of accounts that have direct access to the server-level permission 'Control server' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -6700,55 +6704,55 @@ GO If any user accounts have direct access to the 'Control server' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Control server' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
@@ -6773,14 +6777,14 @@ Note that this does not apply to logins with names of the form '##MS...##'. The Obtain the list of accounts that have direct access to the server-level permission 'Alter any linked server' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -6795,55 +6799,55 @@ GO If any user accounts have direct access to the 'Alter any linked server' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any 
login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter any linked server' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
@@ -6868,14 +6872,14 @@ Note that this does not apply to logins with names of the form '##MS...##'. The Obtain the list of accounts that have direct access to the server-level permission 'Alter any event session' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -6890,55 +6894,55 @@ GO If any user accounts have direct access to the 'Alter any event session' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any 
login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter any event session' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
@@ -6963,14 +6967,14 @@ Note that this does not apply to logins with names of the form '##MS...##'. The Obtain the list of accounts that have direct access to the server-level permission 'Alter trace' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -6985,55 +6989,55 @@ GO If any user accounts have direct access to the 'Alter trace' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter 
any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter trace' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
@@ -7058,14 +7062,14 @@ Note that this does not apply to logins with names of the form '##MS...##'. The Obtain the list of accounts that have direct access to the server-level permission 'Alter Settings' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -7080,55 +7084,55 @@ GO If any user accounts have direct access to the 'Alter Settings' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter Settings' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
@@ -7153,18 +7157,18 @@ Note that this does not apply to logins with names of the form '##MS...##'. The Obtain the list of accounts that have direct access to the server-level permission 'Create trace event notification' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Create trace event notification' + what.permission_name = 'Create trace event notification' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY 
@@ -7175,55 +7179,55 @@ GO If any user accounts have direct access to the 'Create trace event notification' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter 
any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Create trace event notification' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
@@ -7248,14 +7252,14 @@ Note that this does not apply to logins with names of the form '##MS...##'. The Obtain the list of accounts that have direct access to the server-level permission 'Alter resources' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -7270,55 +7274,55 @@ GO If any user accounts have direct access to the 'Alter resources' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter resources' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
@@ -7343,14 +7347,14 @@ Note that this does not apply to logins with names of the form '##MS...##'. The Obtain the list of accounts that have direct access to the server-level permission 'External access assembly' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -7365,55 +7369,55 @@ GO If any user accounts have direct access to the 'External access assembly' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any 
login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'External access assembly' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
@@ -7438,14 +7442,14 @@ Note that this does not apply to logins with names of the form '##MS...##'. The Obtain the list of accounts that have direct access to the server-level permission 'Alter any login' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -7460,55 +7464,55 @@ GO If any user accounts have direct access to the 'Alter any login' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter any login' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
@@ -7533,18 +7537,18 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes Obtain the list of accounts that have direct access to the server-level permission 'Shutdown' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name = 'Shutdown' + what.permission_name = 'Shutdown' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY 
@@ -7555,55 +7559,55 @@ GO If any user accounts have direct access to the 'Shutdown' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any 
server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Shutdown' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
@@ -7628,14 +7632,14 @@ Note that this does not apply to logins with names of the form '##MS...##'. The Obtain the list of accounts that have direct access to the server-level permission 'Unsafe assembly' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -7650,55 +7654,55 @@ GO If any user accounts have direct access to the 'Unsafe assembly' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Unsafe assembly' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
@@ -7723,14 +7727,14 @@ Note that this does not apply to logins with names of the form '##MS...##'. Thes Obtain the list of accounts that have direct access to the server-level permission 'Create server role' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -7745,55 +7749,55 @@ GO If any user accounts have direct access to the 'Create server role' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Create server role' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
@@ -7818,14 +7822,14 @@ Note that this does not apply to logins with names of the form '##MS...##'. The Obtain the list of accounts that have direct access to the server-level permission 'View server state' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -7840,55 +7844,55 @@ GO If any user account has direct access to the 'View server state' permission, and the need for this has not been documented and approved, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event 
session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'View server state' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
@@ -7913,14 +7917,14 @@ Note that this does not apply to logins with names of the form '##MS...##'. The Obtain the list of accounts that have direct access to the server-level permission 'Alter any server role' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -7935,55 +7939,55 @@ GO If any user accounts have direct access to the 'Alter any server role' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', 
+ 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter any server role' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
@@ -8008,14 +8012,14 @@ Note that this does not apply to logins with names of the form '##MS...##'. The Obtain the list of accounts that have direct access to the server-level permission 'View any definition' by running the following query: -SELECT +SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] -FROM - sys.server_permissions what +FROM + sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE 
@@ -8030,55 +8034,55 @@ GO If any user accounts have direct access to the 'View any definition' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: -SELECT - what.permission_name AS [Permission Name], - what.state_desc AS [Permission State], - who.name AS [Principal Name], - who.type_desc AS [Principal Type], - who.is_disabled AS [Principal Is Disabled] -FROM - sys.server_permissions what - INNER JOIN sys.server_principals who - ON who.principal_id = what.grantee_principal_id +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id WHERE - what.permission_name IN - ( - 'Administer bulk operations', - 'Alter any availability group', - 'Alter any connection', - 'Alter any credential', - 'Alter any database', - 'Alter any endpoint ', - 'Alter any event notification ', - 'Alter any event session ', - 'Alter any linked server', - 'Alter any login', - 'Alter any server audit', - 'Alter any server role', - 'Alter resources', - 'Alter server state ', - 'Alter Settings ', - 'Alter trace', - 'Authenticate server ', - 'Control server', - 'Create any database ', - 'Create availability group', - 'Create DDL event notification', - 'Create endpoint', - 'Create server role', - 'Create trace event notification', - 'External access assembly', - 'Shutdown', - 'Unsafe Assembly', - 'View any database', - 'View any definition', - 'View server state' - ) + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 
'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY - what.permission_name, - who.name + what.permission_name, + who.name ; GO DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'View any definition' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 ); 
@@ -8102,17 +8106,17 @@ From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. -Determine the trace(s) being used for the auditing requirement. +Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: - 14, 15, 18, 20, - 102, 103, 104, 105, 106, 107, 108, 109, 110, - 111, 112, 113, 115, 116, 117, 118, - 128, 129, 130, - 131, 132, 133, 134, 135, - 152, 153, + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. 
@@ -8120,9 +8124,9 @@ Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. -4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: - SELECT * FROM sys.trace_events; + SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding. 
BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) CREATE TABLE #Trace (TraceId INT) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0)ORDER BY TraceId DESC CREATE TABLE #TraceEvent (TraceId INT, EventId INT) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @currentTraceId INT FETCH NEXT FROM cursorTrace INTO @currentTraceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @currentTraceId, EventId FROM sys.fn_trace_geteventinfo(@currentTraceId) FETCH NEXT FROM cursorTrace INTO @currentTraceId END CLOSE cursorTrace DEALLOCATE cursorTrace DECLARE @missingStigEventCount INT SET @missingStigEventCount = (SELECT COUNT(*) FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL) IF @missingStigEventCount > 0 BEGIN DECLARE @dir nvarchar(4000) DECLARE @tracefile nvarchar(4000) DECLARE @returnCode INT DECLARE @newTraceId INT DECLARE @maxFileSize BIGINT = 5 EXEC master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\Setup', N'SQLPath', @dir OUTPUT, 'no_output' SET @tracefile = @dir + N'\Log\PowerStig' EXEC @returnCode = sp_trace_create @traceid = @newTraceId OUTPUT, @options = 2, @tracefile = @tracefile, @maxfilesize = @maxFileSize, @stoptime = NULL, @filecount = 2; IF @returnCode = 0 BEGIN EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 0 DECLARE cursorMissingStigEvent CURSOR FOR SELECT DISTINCT 
SE.EventId FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL OPEN cursorMissingStigEvent DECLARE @currentStigEventId INT FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId WHILE @@FETCH_STATUS = 0 BEGIN EXEC sp_trace_setevent @traceid = @newTraceId, @eventid = @currentStigEventId, @columnid = NULL, @on = 1 FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId END CLOSE cursorMissingStigEvent DEALLOCATE cursorMissingStigEvent EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 1 END END END 
@@ -8131,11 +8135,11 @@ Use the following query to obtain a list of all event IDs, and their meaning: - <VulnDiscussion>Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. + <VulnDiscussion>Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is one method and best practice for mitigating this risk. A comprehensive application account management process ensures an audit trail automatically documents the modification of application user accounts and, as required, notifies administrators, application owners, and/or appropriate individuals. Applications must provide this capability directly, leverage complimentary technology providing this capability, or a combination thereof. -Automated account-auditing processes greatly reduce the risk that accounts will be surreptitiously modified, and provides logging that can be used for forensic purposes. +Automated account-auditing processes greatly reduce the risk that accounts will be surreptitiously modified, and provides logging that can be used for forensic purposes. To address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms meeting or exceeding access control policy requirements. 
Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> V-41021 @@ -8148,17 +8152,17 @@ From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. -Determine the trace(s) being used for the auditing requirement. +Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: - 14, 15, 18, 20, - 102, 103, 104, 105, 106, 107, 108, 109, 110, - 111, 112, 113, 115, 116, 117, 118, - 128, 129, 130, - 131, 132, 133, 134, 135, - 152, 153, + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. 
@@ -8166,9 +8170,9 @@ Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. -4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: - SELECT * FROM sys.trace_events; + SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding. 
BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) CREATE TABLE #Trace (TraceId INT) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0)ORDER BY TraceId DESC CREATE TABLE #TraceEvent (TraceId INT, EventId INT) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @currentTraceId INT FETCH NEXT FROM cursorTrace INTO @currentTraceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @currentTraceId, EventId FROM sys.fn_trace_geteventinfo(@currentTraceId) FETCH NEXT FROM cursorTrace INTO @currentTraceId END CLOSE cursorTrace DEALLOCATE cursorTrace DECLARE @missingStigEventCount INT SET @missingStigEventCount = (SELECT COUNT(*) FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL) IF @missingStigEventCount > 0 BEGIN DECLARE @dir nvarchar(4000) DECLARE @tracefile nvarchar(4000) DECLARE @returnCode INT DECLARE @newTraceId INT DECLARE @maxFileSize BIGINT = 5 EXEC master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\Setup', N'SQLPath', @dir OUTPUT, 'no_output' SET @tracefile = @dir + N'\Log\PowerStig' EXEC @returnCode = sp_trace_create @traceid = @newTraceId OUTPUT, @options = 2, @tracefile = @tracefile, @maxfilesize = @maxFileSize, @stoptime = NULL, @filecount = 2; IF @returnCode = 0 BEGIN EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 0 DECLARE cursorMissingStigEvent CURSOR FOR SELECT DISTINCT 
SE.EventId FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL OPEN cursorMissingStigEvent DECLARE @currentStigEventId INT FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId WHILE @@FETCH_STATUS = 0 BEGIN EXEC sp_trace_setevent @traceid = @newTraceId, @eventid = @currentStigEventId, @columnid = NULL, @on = 1 FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId END CLOSE cursorMissingStigEvent DEALLOCATE cursorMissingStigEvent EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 1 END END END @@ -8193,17 +8197,17 @@ From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. -Determine the trace(s) being used for the auditing requirement. +Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: - 14, 15, 18, 20, - 102, 103, 104, 105, 106, 107, 108, 109, 110, - 111, 112, 113, 115, 116, 117, 118, - 128, 129, 130, - 131, 132, 133, 134, 135, - 152, 153, + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. 
@@ -8211,9 +8215,9 @@ Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. -4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: - SELECT * FROM sys.trace_events; + SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding. 
BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) CREATE TABLE #Trace (TraceId INT) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0)ORDER BY TraceId DESC CREATE TABLE #TraceEvent (TraceId INT, EventId INT) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @currentTraceId INT FETCH NEXT FROM cursorTrace INTO @currentTraceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @currentTraceId, EventId FROM sys.fn_trace_geteventinfo(@currentTraceId) FETCH NEXT FROM cursorTrace INTO @currentTraceId END CLOSE cursorTrace DEALLOCATE cursorTrace DECLARE @missingStigEventCount INT SET @missingStigEventCount = (SELECT COUNT(*) FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL) IF @missingStigEventCount > 0 BEGIN DECLARE @dir nvarchar(4000) DECLARE @tracefile nvarchar(4000) DECLARE @returnCode INT DECLARE @newTraceId INT DECLARE @maxFileSize BIGINT = 5 EXEC master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\Setup', N'SQLPath', @dir OUTPUT, 'no_output' SET @tracefile = @dir + N'\Log\PowerStig' EXEC @returnCode = sp_trace_create @traceid = @newTraceId OUTPUT, @options = 2, @tracefile = @tracefile, @maxfilesize = @maxFileSize, @stoptime = NULL, @filecount = 2; IF @returnCode = 0 BEGIN EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 0 DECLARE cursorMissingStigEvent CURSOR FOR SELECT DISTINCT 
SE.EventId FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL OPEN cursorMissingStigEvent DECLARE @currentStigEventId INT FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId WHILE @@FETCH_STATUS = 0 BEGIN EXEC sp_trace_setevent @traceid = @newTraceId, @eventid = @currentStigEventId, @columnid = NULL, @on = 1 FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId END CLOSE cursorMissingStigEvent DEALLOCATE cursorMissingStigEvent EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 1 END END END @@ -8249,7 +8253,7 @@ sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE -what.permission_name = 'View Any Database' +what.permission_name = 'View Any Database' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY