SQL6-D0-006600 - SQL Server must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to SQL Server.

Information

If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.

Accordingly, only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Unmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Implement and document a process by which changes made to software libraries are monitored and alerted.

A PowerShell based hashing solution is one such process. The Get-FileHash command (https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.utility/get-filehash) can be used to compute the SHA-2 hash of one or more files.

Using the Export-Clixml command (https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Export-Clixml), a baseline can be established and exported to a file.

Using the Compare-Object command (https://technet.microsoft.com/en-us/library/ee156812.aspx), a comparison of the latest baseline versus the original baseline can be used to expose the differences.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2016_Y24M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-5(6), CAT|II, CCI|CCI-001499, Rule-ID|SV-213951r960960_rule, STIG-ID|SQL6-D0-006600, STIG-Legacy|SV-93871, STIG-Legacy|V-79165, Vuln-ID|V-213951

Plugin: MS_SQLDB

Control ID: d1ba1fbf12c57e7bae16986c7fc0aa6e85deb1a9cc25d68fec2e917a821a8258