SQL Server must recover to a known state that is verifiable.

From Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide

Part of SRG-APP-000144-DB-000101

Associated with: CCI-000553

SV-53286r4_rule SQL Server must recover to a known state that is verifiable.

Vulnerability discussion

Application recovery and reconstitution constitutes executing an information system contingency plan comprising activities that restore essential missions and business functions.SQL Server utilizes transaction-based processing and is a good example of information systems that are transaction-based. Transaction rollback and transaction journaling are examples of mechanisms supporting transaction recovery.SQL Server may be vulnerable to use of compromised data or other critical files during recovery. Use of compromised files could introduce maliciously altered application code, relaxed security settings, or loss of data integrity. SQL Server mechanisms must be configured to protect all files that could compromise the system or its data during a SQL Server recovery.

Check content

Obtain the SQL Server recovery procedures and technical system features to determine if mechanisms exist and are in place to specify use of trusted files during SQL Server recovery. If recovery procedures do not exist or are not sufficient to ensure recovery is done in a secure and verifiable manner, this is a finding. Check the configurations of all transaction log files that are enabled by running the following SQL Server query: EXEC sp_MSforeachdb ' SELECT ''?'' AS ''database name'' , name AS ''log file name'' , physical_name AS ''log file location and name'' , state_desc , size , max_size , growth , is_percent_growth FROM [?].sys.database_files WHERE type_desc = ''LOG'' AND state = 0; ' ; If any transaction log files are not configured correctly for size, max_size, and growth to log sufficient transaction information, this is a finding.

Fix text

Implement SQL Server recovery procedures to ensure the use of trusted files during SQL Server recovery. Modify the parameters for the transaction log file(s) for the system databases: Navigate to SQL Server Management Studio >> Object Explorer >> >> Databases >> System Databases >> right-click on >> Properties >> Files. OR Modify the parameters for the transaction log file(s) for application databases: Navigate to SQL Server Management Studio >> Object Explorer >> >> Databases >> right-click on >> Properties >> Files. THEN Define additional space for the transaction log file, or extra transaction log files, as necessary. To modify Initial Size (MB), click in the "Initial Size (MB)" field for the log file in question, then edit the value. To modify Autogrowth, click on the "Autogrowth/Maxsize" button for the log file in question, choose "In Percent" or "In Megabytes", enter value, and then click OK. To modify Maximum File Size, click on the "Autogrowth/Maxsize" button for the log file in question, choose "Limited to (MB)", enter value, and then click OK. Do not select "Unlimited".

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer