Last modified: 2013-02-11
Version: 5.20130214

| CCE ID | CCE Description | CCE Technical Mechanism | CCE Parameters | DISA STIG SQL 2000 DB, Version 8, Release 1.7 (Benchmark Date: 27 August 2010) | DISA STIG SQL 2000 INS, Version 8, Release 1.7 (Benchmark Date: 27 August 2010) |
|---|---|---|---|---|---|
| CCE-20013-9 | Application object owner accounts for a specified database should be enabled or disabled as appropriate. | (1) ALTER LOGIN | (1) login_name (2) enable/disable (3) default_database | Rule ID: V0005683; Rule Title: Application object owner accounts should be disabled when not performing installation or maintenance actions. STIG ID: DG0004; Severity: CAT II; Class: Unclass | |
| CCE-19816-8 | Application object owner accounts for a specified database should be configured appropriately. | (1) From the query prompt: `USE [database name] SELECT DISTINCT u.name FROM sysusers u, sysobjects o WHERE u.uid = o.uid AND u.uid NOT IN ('1', '3', '4')` | (1) set of accounts (2) database name | Rule ID: V0015607; Rule Title: Application objects should be owned by accounts authorized for ownership. STIG ID: DG0008; Severity: CAT II; Class: Unclass | |
| CCE-19517-2 | Database application permissions allowing DDL statements to modify the application schema for a specified database should be configured appropriately. | (1) `USE [database name] SELECT USER_NAME(uid), name, crdate FROM sysobjects WHERE uid NOT IN (1, 3, 4)` | (1) list of permissions (2) set of accounts (3) database name | Rule ID: V0003727; Rule Title: Database applications should be restricted from using static DDL statements to modify the application schema for a specified database. STIG ID: DG0015; Severity: CAT II; Class: Unclass | |
| CCE-19448-0 | Custom and GOTS application source code for a specified database should be encrypted or not encrypted as appropriate. | (1) ALTER PROCEDURE | (1) [procedure name] (2) WITH ENCRYPTION (3) Custom/GOTS procedures (4) database name | Rule ID: V0003823; Rule Title: Custom and GOTS application source code stored in the database should be protected with encryption or encoding. STIG ID: DG0091; Severity: CAT III; Class: Unclass | |
| CCE-19649-3 | Permissions on system tables for a specified database should be configured appropriately. | (1) REVOKE / GRANT | (1) list of permissions (2) [object] (3) [user name] (4) [database name] | Rule ID: V0002458; Rule Title: Permissions on system tables should be restricted to authorized accounts. STIG ID: DM1749; Severity: CAT II; Class: Unclass | |
| CCE-19926-5 | DDL permissions for a specified database and specified account should be configured appropriately. | (1) CREATE (2) ALTER (3) DROP; (1) REVOKE/GRANT CONTROL | (1) set of accounts (2) list of permissions (3) database name | Rule ID: V0002463; Rule Title: DDL permissions should be granted only to authorized accounts. STIG ID: DM1760; Severity: CAT II; Class: Unclass | |
| CCE-19822-6 | Permissions using the WITH GRANT OPTION for a specified database should be configured appropriately. | (1) REVOKE / GRANT | (1) list of permissions (2) [object] (3) [user name] (4) [database name] | Rule ID: V0002498; Rule Title: Permissions using the WITH GRANT OPTION should be granted only to DBA or application administrator accounts. STIG ID: DM5144; Severity: CAT II; Class: Unclass | |
| CCE-19220-3 | Object permissions assigned to PUBLIC or GUEST for a specified database should be configured appropriately. | (1) REVOKE / GRANT | (1) list of permissions (2) [object] (3) [public or guest] (4) database name | Rule ID: V0015172; Rule Title: Object permissions should not be assigned to PUBLIC or GUEST. STIG ID: DM6196 | |
| CCE-19886-1 | Access to DBMS software files and directories should be configured appropriately. | (1) Defined by the object's DACL | (1) set of accounts (2) list of permissions | | Rule ID: V0015608; Rule Title: Access to DBMS software files and directories should not be granted to unauthorized users. STIG ID: DG0009; Severity: CAT II; Class: Unclass |
| CCE-19147-8 | Default demonstration and sample database objects and applications should be available or removed as appropriate. | (1) DROP DATABASE | (1) database_name (2) database_snapshot_name | | Rule ID: V0015609; Rule Title: Default demonstration and sample database objects and applications should be removed. STIG ID: DG0014; Severity: CAT II; Class: Unclass |
| CCE-19909-1 | Required auditing parameters for database auditing should be set appropriately. | (1) EXEC SP_TRACE_SETSTATUS | (1) TraceID | | Rule ID: V0005685; Rule Title: Required auditing parameters for database auditing should be set. STIG ID: DG0029; Severity: CAT II; Class: Unclass |
| CCE-19687-3 | DBMS privileges to restore database data or other DBMS configurations, features or objects in a specified database should be configured appropriately. | (1) Use the SQL command to assign permissions to the appropriate roles | (1) database name | | Rule ID: V0015107; Rule Title: DBMS privileges to restore database data or other DBMS configurations, features or objects should be restricted to authorized DBMS accounts. STIG ID: DG0063; Severity: CAT II; Class: Unclass |
| CCE-19392-0 | DBMS login account password complexity requirements should be configured appropriately. | (1) ALTER LOGIN (2) CHECK_POLICY | (1) login name (2) on/off | | Rule ID: V0015152; Rule Title: DBMS login accounts require passwords to meet complexity requirements. STIG ID: DG0079; Severity: CAT II; Class: Unclass |
| CCE-19857-2 | Passwords for DBMS default accounts should be set appropriately. | (1) ALTER LOGIN | (1) username (2) WITH PASSWORD [ new password ] | | Rule ID: V0015635; Rule Title: DBMS default accounts should be assigned custom passwords. STIG ID: DG0128; Severity: CAT I; Class: Unclass |
| CCE-19749-1 | Remote DBMS administration should be enabled or disabled as appropriate. | (1) EXEC SP_CONFIGURE | (1) remote admin connections (2) enable/disable | | Rule ID: V0015651; Rule Title: Remote DBMS administration should be documented and authorized or disabled. STIG ID: DG0157; Severity: CAT II; Class: Unclass |
| CCE-19781-4 | C2 audit records should be configured appropriately. | (1) EXEC SP_CONFIGURE (2) RECONFIGURE | (1) enable/disable (2) c2 audit mode | | Rule ID: V0002426; Rule Title: C2 Audit mode should be enabled or custom audit traces defined. STIG ID: DG0510; Severity: CAT II; Class: Unclass |
| CCE-19784-8 | The SQL Mail XPs should be enabled or disabled as appropriate. | (1) EXEC SP_CONFIGURE (2) RECONFIGURE | (1) enable/disable | | Rule ID: V0003335; Rule Title: SQL Mail, SQL Mail Extended Stored Procedures (XPs) and Database Mail XPs are required and enabled. STIG ID: DM0900; Severity: CAT II; Class: Unclass |
| CCE-19831-7 | The SQL Server Database Service account should be configured appropriately. | (1) Configure the SQL Server Database Service account via the Computer Management tool. | (1) member/not member | | Rule ID: V0015170; Rule Title: SQL Server services should be assigned least privileges on the SQL Server Windows host. STIG ID: DM0919; Severity: CAT II; Class: Unclass |
| CCE-19935-6 | The SQL Server Agent account should be configured appropriately. | (1) Configure the SQL Server Agent account via the Computer Management tool. | (1) member/not member | | Rule ID: V0015170; Rule Title: SQL Server services should be assigned least privileges on the SQL Server Windows host. STIG ID: DM0919; Severity: CAT II; Class: Unclass |
| CCE-19971-1 | The SQL Server service for a specified instance should be configured appropriately. | (1) `net user <username> <password> /add` | (1) local account | | Rule ID: V0003835; Rule Title: The SQL Server service should use a least-privileged local or domain user account. STIG ID: DM0924; Severity: CAT II; Class: Unclass |
| CCE-19277-3 | SQL Server registry keys and sub-keys permissions should be configured appropriately. | `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer` | (1) granted/revoked | | Rule ID: V0003838; Rule Title: SQL Server registry keys should be properly secured. STIG ID: DM0927; Severity: CAT II; Class: Unclass |
| CCE-19361-5 | Access to the extended stored procedure xp_cmdshell should be configured appropriately. | (1) EXEC SP_CONFIGURE | (1) user (2) xp_cmdshell | | Rule ID: V0002461; Rule Title: Extended stored procedure xp_cmdshell should be restricted to authorized accounts. STIG ID: DM1758; Severity: CAT I; Class: Unclass |
| CCE-19930-7 | xp_cmdshell should be enabled or disabled as appropriate. | (1) EXEC SP_CONFIGURE (2) RECONFIGURE | (1) enabled/disabled (2) xp_cmdshell | | Rule ID: V0002461; Rule Title: Extended stored procedure xp_cmdshell should be restricted to authorized accounts. STIG ID: DM1758; Severity: CAT I; Class: Unclass |
| CCE-19289-8 | OLE Automation extended stored procedures should be configured appropriately. | (1) GRANT or REVOKE command | (1) permission (2) object name (3) user name | | Rule ID: V0002472; Rule Title: OLE Automation extended stored procedures should be restricted to sysadmin access. STIG ID: DM2095; Severity: CAT II; Class: Unclass |
| CCE-19735-0 | Access to registry extended stored procedures should be configured appropriately. | From the SQL Server Management Studio GUI: 1. Connect/expand SQL Server; 2. Expand Databases; 3. Expand System Databases; 4. Expand Master; 5. Expand Programmability; 6. Expand Extended Stored Procedures; 7. Expand System Extended Stored Procedures; 8. Locate and select each of the Registry extended stored procedures listed in the Check section; 9. Right-click on the extended stored procedure; 10. Select Properties; 11. Click on the Permissions page; 12. Select each user or role and select or deselect the Grant (and With Grant, if checked) permissions for all users, database roles and public, except SYSADMINs and authorized roles when permitted; 13. Click OK | (1) user/role | | Rule ID: V0002473; Rule Title: Registry extended stored procedures should be restricted to sysadmin access. STIG ID: DM2119; Severity: CAT II; Class: Unclass |
| CCE-19835-8 | Remote access should be configured appropriately. | (1) EXEC SP_CONFIGURE (2) RECONFIGURE | (1) 'remote access' (2) enabled/disabled | | Rule ID: V0002485; Rule Title: Remote access should be disabled if not authorized. STIG ID: DM2142; Severity: CAT II; Class: Unclass |
| CCE-19989-3 | SQL Server authentication should be configured appropriately. | (1) EXEC XP_LOGINCONFIG | (1) 'login mode' (2) number | | Rule ID: V0002487; Rule Title: SQL Server authentication mode should be set to Windows authentication mode or Mixed mode. STIG ID: DM3566; Severity: CAT II; Class: Unclass |
| CCE-19398-7 | Access to CmdExec and ActiveScripting jobs should be configured appropriately. | (1) `HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSSQLServer\SQLSERVERAGENT` (the SYSAdminOnly value), or from the SQL Server Enterprise Manager GUI: 1. Connect/expand SQL Server; 2. Expand Management; 3. Right-click on SQL Server Agent; 4. Select Properties; 5. Select the Job System tab; 6. Select or clear the checkbox 'Only users with SysAdmin privileges can execute CmdExec and ActiveScripting job steps'; 7. Click OK | (1) enable/disable | | Rule ID: V0002488; Rule Title: SQL Server Agent CmdExec or ActiveScripting jobs should be restricted to sysadmins. STIG ID: DM3763; Severity: CAT II; Class: Unclass |
| CCE-19498-5 | Error log retention should be configured appropriately. | (1) `HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\MSSQL.#\MSSQLServer\NumErrorLogs` (2) `HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\Instance Names\SQL\[instance name]`, or from the SQL Server Management Studio GUI: 1. Connect to and expand the SQL Server instance; 2. Expand Management; 3. Right-click on SQL Server Logs; 4. Select Configure; 5. Under the General page, select or deselect 'Limit the number of error logs before they are recycled'; 6. Enter the number of error log files determined for the SQL Server instance; 7. Click OK | (1) number of error logs | | Rule ID: V0015137; Rule Title: Error log retention should be set to meet log retention policy. STIG ID: DM3930; Severity: CAT II; Class: Unclass |
| CCE-19734-3 | Trace rollover should be configured appropriately. | (1) `EXEC SP_TRACE_CREATE [ @traceid = ] trace_id OUTPUT, [ @options = ] option_value, [ @tracefile = ] 'trace_file' [ , [ @maxfilesize = ] max_file_size ] [ , [ @stoptime = ] 'stop_time' ] [ , [ @filecount = ] 'max_rollover_files' ]` | (1) enable/disable (2) trace_id (3) trace_file (4) max_file_size (5) stop_time (6) max_rollover_files (2) value query (remove) | | Rule ID: V0002500; Rule Title: Trace Rollover should be enabled for audit traces that have a maximum trace file size. STIG ID: DM5267; Severity: CAT II; Class: Unclass |
| CCE-19855-6 | The Named Pipes network protocol should be configured appropriately. | From the SQL Server Network Utility, under Enabled protocols: 1. Select Named Pipes; 2. Click the appropriate option (enable or disable); 3. Click OK (to save); 4. Click OK (to exit) | (1) enable/disable | | Rule ID: V0015124; Rule Title: The Named Pipes network protocol should be documented and approved if enabled. STIG ID: DM6015; Severity: CAT II; Class: Unclass |
| CCE-19788-9 | SQL Server event forwarding should be configured appropriately. | (1) `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.[#]\SQLServerAgent\AlertForwardingServer`, or from the SQL Server Management Studio GUI: 1. Expand the instance; 2. Right-click on SQL Server Agent; 3. Select Properties; 4. Select the Advanced page; 5. Select or clear the 'Forward events to a different server' check box; 6. Click OK to save and close | (1) enable/disable | | Rule ID: V0015176; Rule Title: SQL Server event forwarding, if enabled, should be operational. STIG ID: DM6030; Severity: CAT II; Class: Unclass |