STIGQter: STIG Summary: MS SQL Server 2016 Database Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020

SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the database.

DISA Rule

SV-213902r508025_rule

Vulnerability Number

V-213902

Group Title

SRG-APP-000080-DB-000063

Rule Version

SQL6-D0-000400

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Remove all users that were returned in the check SQL Statement:

SELECT name
FROM sys.database_principals
WHERE type in ('U','G')
AND name LIKE '%$'

To remove users:

Run the following command for each user:

DROP USER [ IF EXISTS ] <user_name>;

Check Contents

Execute the following query:

SELECT name
FROM sys.database_principals
WHERE type in ('U','G')
AND name LIKE '%$'

If no users are returned, this is not a finding.

If users are returned, determine whether each user is a computer account.

Launch PowerShell.

Execute the following code:

Note: <name> represents the username portion of the user. For example, if the user is "CONTOSO\user1$", the username is "user1".

([ADSISearcher]"(&(ObjectCategory=Computer)(Name=<name>))").FindAll()

If no account information is returned, this is not a finding.

If account information is returned, this is a finding.
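The check above is a two-step procedure: a database query for principals whose names end in "$", then an Active Directory lookup for each one to decide whether it is a computer account. The following PowerShell function is an added example that automates exactly that procedure; it is not DISA or STIGQter code. It assumes Windows PowerShell on a domain-joined host with permission to read sys.database_principals (integrated authentication via System.Data.SqlClient) and to query AD; $ServerInstance and $Database are placeholders to set for your environment. It only reports; the DROP USER step from the Fix Recommendation is left to the administrator.

```powershell
# Added example: automates the SQL6-D0-000400 check described above.
# Not DISA/STIGQter code. Assumes Windows PowerShell on a domain-joined host
# with permission to read sys.database_principals and to query AD.
# $ServerInstance and $Database are placeholders for your environment.
function Test-ComputerAccountPrincipals {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ServerInstance,   # e.g. 'SQLHOST\INST01' (placeholder)
        [Parameter(Mandatory)][string]$Database          # e.g. 'AppDB' (placeholder)
    )

    # The STIG check query, verbatim. Single-quoted here-string so the '$'
    # in the LIKE pattern is not treated as a variable reference.
    $query = @'
SELECT name
FROM sys.database_principals
WHERE type IN ('U','G')
AND name LIKE '%$'
'@

    # Step 1: pull the candidate principals from the database (integrated auth).
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$ServerInstance;Database=$Database;Integrated Security=True;")
    $conn.Open()
    $principals = @()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $principals += $reader.GetString(0) }
        $reader.Close()
    } finally {
        $conn.Close()
    }

    if ($principals.Count -eq 0) {
        Write-Verbose 'No principals ending in $ were returned: not a finding.'
        return
    }

    # Step 2: for each principal, take the username portion (CONTOSO\user1$ -> user1)
    # and look for a matching AD computer object, as the check instructs.
    foreach ($p in $principals) {
        $name = ($p -split '\\')[-1].TrimEnd('$')
        # Escape LDAP filter metacharacters (RFC 4515) so an unusual principal
        # name cannot alter the meaning of the search filter.
        $safe = $name -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
        $result = ([ADSISearcher]"(&(ObjectCategory=Computer)(Name=$safe))").FindAll()
        $isComputer = ($result.Count -gt 0)
        $status = 'Not a finding'
        if ($isComputer) { $status = 'Finding' }
        [pscustomobject]@{
            DatabaseUser   = $p
            Username       = $name
            IsComputerAcct = $isComputer
            Status         = $status
        }
    }
}

# Usage (placeholders): list every '$'-suffixed principal and whether it is a finding.
# Test-ComputerAccountPrincipals -ServerInstance 'SQLHOST\INST01' -Database 'AppDB' | Format-Table
```

Run it once per database in scope; each row whose Status is "Finding" corresponds to a principal the Fix Recommendation says to remove. The LDAP escaping is an addition beyond the STIG's one-line search and keeps the lookup correct when a principal name contains filter metacharacters.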

Documentable

False

Severity Override Guidance

Execute the following query:

SELECT name
FROM sys.database_principals
WHERE type in ('U','G')
AND name LIKE '%$'

If no users are returned, this is not a finding.

If users are returned, determine whether each user is a computer account.

Launch PowerShell.

Execute the following code:

Note: <name> represents the username portion of the user. For example, if the user is "CONTOSO\user1$", the username is "user1".

([ADSISearcher]"(&(ObjectCategory=Computer)(Name=<name>))").FindAll()

If no account information is returned, this is not a finding.

If account information is returned, this is a finding.

Check Content Reference

M

Target Key

3992

Comments