SQL2-00-020100 - SQL Server must protect the integrity of publicly available information and applications.

Information

The purpose of this control is to ensure organizations explicitly address the protection needs for public information and applications, with such protection likely being implemented as part of other security controls. If SQL Server contains publicly available information, confidentiality is not a concern, but the SQL Server host OS must still maintain the integrity of that data. If data available to the public is not protected from unauthorized modification or deletion, then the data cannot be trusted by those accessing it.

The user account associated with public access must not have access to the OS configuration information. Determine what publicly available user account is being used to access SQL Server and validate that the publicly available user account only has read access to the public data and nothing else.

The OS-level 'Guests' group grants connection access to the server without granting any other privileges. SQL Server configuration settings are used to grant access to the publicly available information; this control ensures that, at the OS level, the public account is granted connection access only.

This requirement is not intended to prevent the establishment of public-facing systems for the purpose of collecting data from the public.

Solution

Using an account with System Administrator privileges, from a command prompt, type lusrmgr.msc and press [ENTER].

Navigate to Groups.

Locate the additional group(s) from which the publicly available user account must be removed.

Right-click 'the group to modify' >> Properties >> 'Members:'

Remove the publicly available user account from the group by clicking/highlighting the account and then clicking the 'Remove' button.

If public access is provided in the context of a guest account, revoke any update permissions that have been granted to that guest account.
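The steps above can be checked and remediated without the lusrmgr.msc GUI. The following PowerShell script is an added example and is not part of the STIG or the Tenable audit; it assumes the public-access account is a local Windows account (the $PublicAccount parameter), that the Microsoft.PowerShell.LocalAccounts cmdlets are available (Windows Server 2016 / Windows 10 or later), that 'Guests' is the only group the account should belong to, and, for the optional SQL check, that the SqlServer module's Invoke-Sqlcmd is installed and the caller can read the target database's permission catalog.

```powershell
#Requires -RunAsAdministrator
# Added example (not STIG/Tenable code): audit, and optionally fix, the OS group membership
# of the public-access account, then list write-type permissions held by the SQL 'guest' user.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $PublicAccount,      # e.g. 'PublicReader' (assumed local account)
    [string[]] $AllowedGroups = @('Guests'),             # the only group the account may belong to
    [string]   $SqlInstance,                             # optional, e.g. 'SQLHOST\MSSQLSERVER'
    [string]   $Database,                                # optional, database exposing public data
    [switch]   $Remediate                                # remove extra group memberships when set
)

$findings = 0

# --- 1. Local groups: every group containing the account that is not on the allow list ---
$extraGroups = foreach ($group in Get-LocalGroup) {
    # SilentlyContinue: Get-LocalGroupMember fails on groups holding orphaned SIDs
    $members = Get-LocalGroupMember -Group $group.Name -ErrorAction SilentlyContinue
    $hit = $members | Where-Object { $_.Name -eq $PublicAccount -or $_.Name -like "*\$PublicAccount" }
    if ($hit -and ($group.Name -notin $AllowedGroups)) { $group.Name }
}

if ($extraGroups) {
    $findings++
    Write-Output "FINDING: '$PublicAccount' is also a member of: $($extraGroups -join ', ')"
    if ($Remediate) {
        foreach ($g in $extraGroups) {
            if ($PSCmdlet.ShouldProcess($g, "Remove member '$PublicAccount'")) {
                Remove-LocalGroupMember -Group $g -Member $PublicAccount
                Write-Output "Removed '$PublicAccount' from '$g'"
            }
        }
    }
} else {
    Write-Output "PASS: '$PublicAccount' is only a member of: $($AllowedGroups -join ', ')"
}

# --- 2. SQL Server: write-type permissions granted to the 'guest' database user ---
if ($SqlInstance -and $Database) {
    # Object-level grants (class 1) to guest for permissions that modify data or schema.
    $query = @"
SELECT dp.permission_name,
       OBJECT_SCHEMA_NAME(dp.major_id) AS schema_name,
       OBJECT_NAME(dp.major_id)        AS object_name
FROM sys.database_permissions AS dp
JOIN sys.database_principals  AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE pr.name = 'guest'
  AND dp.class = 1
  AND dp.state IN ('G', 'W')
  AND dp.permission_name IN ('INSERT', 'UPDATE', 'DELETE', 'ALTER');
"@
    $rows = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query $query
    if ($rows) {
        $findings++
        Write-Output "FINDING: 'guest' holds write permissions in [$Database]; revoke with:"
        foreach ($r in $rows) {
            # Emit the REVOKE statements for review rather than running them automatically.
            Write-Output ("REVOKE {0} ON OBJECT::[{1}].[{2}] FROM guest;" -f
                $r.permission_name, $r.schema_name, $r.object_name)
        }
    } else {
        Write-Output "PASS: 'guest' holds no INSERT/UPDATE/DELETE/ALTER object grants in [$Database]"
    }
}

exit $findings
```

Run it first without -Remediate to see the findings (the exit code is non-zero when any finding exists, which suits scheduled compliance checks); rerun with -Remediate -WhatIf to preview the group removals, then with -Remediate to apply them. Database-level grants (dp.class = 0) and column-level grants are outside this query and should be reviewed separately.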

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2012_V1R20_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-53269r3_rule, STIG-ID|SQL2-00-020100, Vuln-ID|V-40915

Plugin: Windows

Control ID: 5b2d50d7832921ef7fcace67657bfcf8b3751deec638c5aca33daa2a1c3f3b68