STIGQter: STIG Summary: MS SQL Server 2016 Database Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Oct 2020

SQL Server must protect against a user falsely repudiating by ensuring databases are not in a trust relationship.

DISA Rule

SV-213904r508025_rule

Vulnerability Number

V-213904

Group Title

SRG-APP-000080-DB-000063

Rule Version

SQL6-D0-000600

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Disable trustworthy on the database.

ALTER DATABASE [<database name>] SET TRUSTWORTHY OFF

Check Contents

If the database being reviewed is MSDB, trustworthy is required to be enabled, and therefore this is not a finding.

Execute the following query:

SELECT SUSER_SNAME(d.owner_sid) AS DatabaseOwner,
CASE
WHEN d.is_trustworthy_on = 0 THEN 'No'
WHEN d.is_trustworthy_on = 1 THEN 'Yes'
END AS IsTrustworthy,
CASE
WHEN role.name IN ('sysadmin','securityadmin')
OR permission.permission_name = 'CONTROL SERVER'
THEN 'YES'
ELSE 'No'
END AS 'IsOwnerPrivileged'
FROM sys.databases d
LEFT JOIN sys.server_principals login ON d.owner_sid = login.sid
LEFT JOIN sys.server_role_members rm ON login.principal_id = rm.member_principal_id
LEFT JOIN sys.server_principals role ON rm.role_principal_id = role.principal_id
LEFT JOIN sys.server_permissions permission ON login.principal_id = permission.grantee_principal_id
WHERE d.name = DB_NAME()

If trustworthy is not enabled, this is not a finding.

If trustworthy is enabled and the database owner is not a privileged account, this is not a finding.

If trustworthy is enabled and the database owner is a privileged account, review the system documentation to determine if the trustworthy property is required and authorized. If this is not documented, this is a finding.
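As an added example, not part of the STIG text or of STIGQter, the following T-SQL applies the same check and its finding logic to every database on the instance in one pass (run from master), instead of requiring the query above to be run inside each database. It uses only the catalog views already referenced in the check; the one refinement is that it counts CONTROL SERVER only in GRANT states, which the original query does not filter.

```sql
-- Added example, not part of the STIG: evaluate SQL6-D0-000600 for every
-- database in one pass from master, applying the check's finding logic
-- (msdb exempt; TRUSTWORTHY OFF not a finding; TRUSTWORTHY ON a finding
-- only when the owner is sysadmin/securityadmin or holds CONTROL SERVER).
-- EXISTS is used so an owner with several roles or permissions yields one
-- row per database instead of one row per join match.
SELECT  d.name AS DatabaseName,
        SUSER_SNAME(d.owner_sid) AS DatabaseOwner,
        CASE d.is_trustworthy_on WHEN 1 THEN 'Yes' ELSE 'No' END AS IsTrustworthy,
        CASE o.IsPrivileged WHEN 1 THEN 'Yes' ELSE 'No' END AS IsOwnerPrivileged,
        CASE
            WHEN d.name = 'msdb'         THEN 'Not a finding: msdb requires TRUSTWORTHY ON'
            WHEN d.is_trustworthy_on = 0 THEN 'Not a finding'
            WHEN o.IsPrivileged = 0      THEN 'Not a finding: owner is not privileged'
            ELSE 'Finding unless documented and authorized'
        END AS Result,
        -- Remediation from the Fix Recommendation, generated only where it applies.
        CASE
            WHEN d.name <> 'msdb' AND d.is_trustworthy_on = 1 AND o.IsPrivileged = 1
            THEN 'ALTER DATABASE ' + QUOTENAME(d.name) + ' SET TRUSTWORTHY OFF;'
        END AS FixStatement
FROM sys.databases AS d
-- The owner SID may not map to a login (orphaned owner); it is then reported
-- as not privileged and DatabaseOwner shows NULL, which itself warrants review.
LEFT JOIN sys.server_principals AS login ON login.sid = d.owner_sid
CROSS APPLY (
    SELECT CASE
        WHEN EXISTS (SELECT 1
                     FROM sys.server_role_members AS rm
                     JOIN sys.server_principals AS role
                       ON role.principal_id = rm.role_principal_id
                     WHERE rm.member_principal_id = login.principal_id
                       AND role.name IN ('sysadmin', 'securityadmin'))
          OR EXISTS (SELECT 1
                     FROM sys.server_permissions AS p
                     WHERE p.grantee_principal_id = login.principal_id
                       AND p.permission_name = 'CONTROL SERVER'
                       -- Count only GRANT / GRANT WITH GRANT OPTION; the STIG
                       -- query does not filter state, so a DENY row would match there.
                       AND p.state IN ('G', 'W'))
        THEN 1 ELSE 0 END AS IsPrivileged
) AS o
ORDER BY CASE WHEN o.IsPrivileged = 1 AND d.is_trustworthy_on = 1 THEN 0 ELSE 1 END,
         d.name;
```

Rows with a non-NULL FixStatement are the ones to reconcile against the system documentation before running the generated ALTER DATABASE.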

Vulnerability Number

V-213904

Documentable

False

Rule Version

SQL6-D0-000600

Severity Override Guidance


Check Content Reference

M

Target Key

3992

Comments