SQL Server must limit the use of resources by priority and not impede the host from servicing processes designated as a higher priority.

From Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide

Part of SRG-APP-000248-DB-000135

Associated with: CCI-001096

SV-53263r2_rule SQL Server must limit the use of resources by priority and not impede the host from servicing processes designated as a higher priority.

Vulnerability discussion

Priority protection helps prevent a lower-priority process from delaying or interfering with the information system servicing any higher-priority process. This control does not apply to components in the information system for which there is only a single user/role. The application must limit the use of resources by priority.

SQL Server often runs queries for multiple users at the same time. If lower-priority processes are utilizing a disproportionately high amount of database resources, this can severely impact higher-priority processes.

Even if SQL Server's utilization is very small and there may seem to be no need for priority protection, resource use often grows exponentially, so priority protection must be implemented as part of the initial deployment.

Check content

Review system documentation and determine if one or more types of SQL Server users have a business need for priority usage over other types of users. The need for prioritization most frequently occurs when SQL Server resources are shared between two or more applications or systems where the number of users on more than one system is small or non-existent. This needs to be the case, because SQL Server limits resources based on user accounts and not on what process is running. If SQL Server has users that are determined to run significantly higher-priority processes than other users and the SQL Server "Resource Governor" is not being implemented, this is a finding.

Fix text

SQL Server utilizes the "Resource Governor" to determine who is allowed high processing resources. There are several configurations regarding the "Resource Governor" that mostly come down to users or groups of users having "MAX_CPU_PERCENT", "MIN_CPU_PERCENT", "MIN_MEMORY_PERCENT", and/or "MAX_MEMORY_PERCENT" settings. Users are assigned to Workgroups, and the Workgroups are allotted processing resources via the "Resource Governor".
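
The following T-SQL is an added example, not part of the STIG text. It shows the check (is the Resource Governor enabled with a classifier) and one way to apply the fix; the pool, group, and login names and all percentage values are hypothetical and must be replaced with values from the system documentation.

```sql
-- Added example: names and percentages below are hypothetical placeholders.
USE master;
GO
-- Check: is Resource Governor enabled, and is a classifier function registered?
-- is_enabled = 0 or classifier_function_id = 0 means no prioritization is in effect.
SELECT is_enabled, classifier_function_id
FROM sys.resource_governor_configuration;
GO
-- Resource pools carry the MIN/MAX CPU and memory limits named in the Fix text.
-- The MIN values summed across all pools must not exceed 100.
-- MAX_CPU_PERCENT is only enforced while there is CPU contention.
CREATE RESOURCE POOL PoolHighPriority WITH (
    MIN_CPU_PERCENT = 50, MAX_CPU_PERCENT = 100,
    MIN_MEMORY_PERCENT = 50, MAX_MEMORY_PERCENT = 100);
CREATE RESOURCE POOL PoolLowPriority WITH (
    MIN_CPU_PERCENT = 0, MAX_CPU_PERCENT = 30,
    MIN_MEMORY_PERCENT = 0, MAX_MEMORY_PERCENT = 30);
GO
-- Workload groups bind sessions to a pool and set relative importance within it.
CREATE WORKLOAD GROUP GroupHighPriority WITH (IMPORTANCE = HIGH) USING PoolHighPriority;
CREATE WORKLOAD GROUP GroupLowPriority WITH (IMPORTANCE = LOW) USING PoolLowPriority;
GO
-- Classifier: runs at login and returns the workload group for the session.
-- It keys on the login name, because limits apply per user account, not per process.
CREATE FUNCTION dbo.fn_rg_classifier() RETURNS sysname
WITH SCHEMABINDING
AS
BEGIN
    RETURN CASE SUSER_SNAME()
               WHEN N'svc_orders'    THEN N'GroupHighPriority'  -- hypothetical login
               WHEN N'svc_reporting' THEN N'GroupLowPriority'   -- hypothetical login
               ELSE N'default'
           END;
END;
GO
-- Register the classifier and apply the pending configuration.
ALTER RESOURCE GOVERNOR WITH (CLASSIFIER_FUNCTION = dbo.fn_rg_classifier);
ALTER RESOURCE GOVERNOR RECONFIGURE;
GO
-- Verify: list each workload group with the limits of the pool it uses.
SELECT g.name AS workload_group, g.importance, p.name AS resource_pool,
       p.min_cpu_percent, p.max_cpu_percent,
       p.min_memory_percent, p.max_memory_percent
FROM sys.resource_governor_workload_groups AS g
JOIN sys.resource_governor_resource_pools AS p ON p.pool_id = g.pool_id;
```

Sessions that were already connected keep their previous group; only logins made after the RECONFIGURE are classified by the new function.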
