Detections
Analytics

SQL2-00-020000 - SQL Server must protect the integrity of publicly available information and SQL Servers configuration from unauthorized Securables access.

Information

The purpose of this control is to ensure organizations explicitly address the protection needs for public information and applications, with such protection likely being implemented as part of other security controls.

SQL Server must be configured to contain publicly available information. Though not concerned with confidentiality, SQL Server must maintain the integrity of the data. If data available to the public is not protected from unauthorized modification or deletion, then the data cannot be trusted by those accessing it. A publicly available user account must not have access to the OS or SQL Server configuration information, including read access to schema information. Determine what publicly available user account is being used to access SQL Server and validate that the publicly available user account only has read access to the public data and nothing else. This read-only access does not include SQL Server 'Securables' assignments.

SQL Server 'Securables' assignments grant the assignee privileges that are beyond read access to data. No public user account must have SQL Server 'Securables' privileges. Any assigned 'Securables' privileges to the public user account must be removed.

Likely the only 'Server roles' assignment for the publicly available user account would be 'public'. The only other 'Server roles' that could be authorized as read-only is a user-defined 'Server role'. It is more likely that read-only access is set up at the user database instance in role(s) specifically set up for this purpose. Assignment to the user database instances are made in the 'User Mapping' highlight within a user's properties.

This requirement is not intended to prevent the establishment of public-facing systems for the purpose of collecting data from the public.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'user account'> >> Properties >> Securables >> highlight 'Securable Name'.

Uncheck all 'Grant', 'With Grant', and 'Deny' for the highlighted 'Securable'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2012_V1R20_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-53270r3_rule, STIG-ID|SQL2-00-020000, Vuln-ID|V-40916

Plugin: MS_SQLDB

Control ID: 270b47d9c94692991832a721eb13bbd1812fd88b8303cadcab7aaec8fae5f1bd