SQL2-00-009000 - SQL Server must restrict access to sensitive information to authorized user roles.

Information

Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of information systems.

Unauthorized access to sensitive data may compromise the confidentiality of personnel privacy, threaten national security or compromise a variety of other sensitive operations. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user.

Solution

Add the user-defined server role to the system documentation.

Add the assigned privileges of the user-defined server role to the system documentation.

Remove the user from direct access to server permission by running the following script:
USE master
REVOKE <'server permission name'> TO <'account name'> CASCADE

Remove server role permission from the user-defined server role by running the following script:
USE master
REVOKE <'server role name'> TO [<'server role name'>]

Rename the user-defined role by running the following script:
USE master
ALTER SERVER ROLE [<'old role name'>] WITH NAME = [<'new role name'>]

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2012_V1R20_STIG.zip

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT

References: 800-53|AC-5c., 800-53|CM-6b., CAT|II, CCI|CCI-000366, CCI|CCI-002220, Rule-ID|SV-53421r2_rule, STIG-ID|SQL2-00-009000, Vuln-ID|V-41046

Plugin: MS_SQLDB

Control ID: 63793abf621f140226520dc059beb02af387c84f87b7eddc26d674bb34f50970