Access to database files must be limited to relevant processes and to authorized, administrative users.

From MS SQL Server 2016 Instance Security Technical Implementation Guide

Part of SRG-APP-000243-DB-000374

Associated with: CCI-001090

SV-93921r2_rule Access to database files must be limited to relevant processes and to authorized, administrative users.

Vulnerability discussion

SQL Server must prevent unauthorized and unintended information transfer via shared system resources. Permitting only SQL Server processes and authorized, administrative users to have access to the files where the database resides helps ensure that those files are not shared inappropriately and are not open to backdoor access and manipulation.

Check content

Review the permissions granted to users by the operating system/file system on the database files, database log files, and database backup files. To obtain the location of SQL Server data, transaction log, and backup files, open and execute the supplemental file "Get SQL Data and Backup Directories.sql". For each of the directories returned by the above script, verify whether the correct permissions have been applied. 1) Launch Windows Explorer. 2) Navigate to the folder. 3) Right-click the folder and click "Properties". 4) Navigate to the "Security" tab. 5) Review the listing of principals and permissions. Account Type Directory Type Permission ----------------------------------------------------------------------------------------------- Database Administrators ALL Full Control SQL Server Service SID Data; Log; Backup; Full Control SQL Server Agent Service SID Backup Full Control SYSTEM ALL Full Control CREATOR OWNER ALL Full Control For information on how to determine a "Service SID", go to: https://aka.ms/sql-service-sids Additional permission requirements, including full directory permissions and operating system rights for SQL Server, are documented at: https://aka.ms/sqlservicepermissions If any additional permissions are granted but not documented as authorized, this is a finding.

Fix text

Remove any unauthorized permission grants from SQL Server data, log, and backup directories. 1) On the "Security" tab, highlight the user entry. 2) Click "Remove".

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer