SQL Server must prevent unauthorized and unintended information transfer via shared system resources.

From MS SQL Server 2016 Instance Security Technical Implementation Guide

Part of SRG-APP-000243-DB-000373

Associated with: CCI-001090

SV-93917r1_rule SQL Server must prevent unauthorized and unintended information transfer via shared system resources.

Vulnerability discussion

The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse.

Check content

Review system documentation to determine if Common Criteria Compliance is not required due to potential impact on system performance. SQL Server Residual Information Protection (RIP) requires a memory allocation to be overwritten with a known pattern of bits before memory is reallocated to a new resource. Meeting the RIP standard can contribute to improved security; however, overwriting the memory allocation can slow performance. After the common criteria compliance enabled option is enabled, the overwriting occurs. Review the Instance configuration: SELECT name, value_in_use FROM sys.configurations WHERE name = 'common criteria compliance enabled' and value_in_use = 0 If no records are returned and an exception is not defined in the system documentation, this is a finding. NOTE: Enabling this feature may impact performance on highly active SQL Server instances. If enabling this feature impacts performance, this setting may be disabled and the category reduced to a CAT III finding.

Fix text

Configure SQL Server to effectively protect the private resources of one process or user from unauthorized access by another user or process. sp_configure 'show advanced options', 1; GO RECONFIGURE; GO sp_configure 'common criteria compliance enabled', 1; GO RECONFIGURE GO

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer