STIGQter: STIG Summary: MS SQL Server 2016 Instance Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

SQL Server must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to SQL Server.

DISA Rule

SV-213951r617437_rule

Vulnerability Number

V-213951

Group Title

SRG-APP-000133-DB-000179

Rule Version

SQL6-D0-006600

Severity

CAT II

CCI(s)

• CCI-001499 - The organization limits privileges to change software resident within software libraries.

Weight

10

Fix Recommendation

Implement and document a process by which changes made to software libraries are monitored and alerted.

A PowerShell based hashing solution is one such process. The Get-FileHash command (https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.utility/get-filehash) can be used to compute the SHA-2 hash of one or more files.

Using the Export-Clixml command (https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Export-Clixml), a baseline can be established and exported to a file.

Using the Compare-Object command (https://technet.microsoft.com/en-us/library/ee156812.aspx), a comparison of the latest baseline versus the original baseline can be used to expose the differences.

Check Contents

Review server documentation to determine the process by which shared software libraries are monitored for change. Ensure the process alerts for changes in a file's ownership, modification dates, and hash value at a minimum.

If alerts do not at least hash their value, this is a finding.

To determine the location for these instance-specific binaries:

Launch SQL Server Management Studio (SSMS) >> Connect to the instance to be reviewed >> Right-click server name in Object Explorer >> Click Facets >> Select the Server facet >> Record the value for the "RootDirectory" facet property

TIP: Use the Get-FileHash cmdlet shipped with PowerShell 5.0 to get the SHA-2 hash of one or more files.

Vulnerability Number

V-213951

Documentable

False

Rule Version

SQL6-D0-006600

Severity Override Guidance

Review server documentation to determine the process by which shared software libraries are monitored for change. Ensure the process alerts for changes in a file's ownership, modification dates, and hash value at a minimum.

If alerts do not at least hash their value, this is a finding.

To determine the location for these instance-specific binaries:

Launch SQL Server Management Studio (SSMS) >> Connect to the instance to be reviewed >> Right-click server name in Object Explorer >> Click Facets >> Select the Server facet >> Record the value for the "RootDirectory" facet property

TIP: Use the Get-FileHash cmdlet shipped with PowerShell 5.0 to get the SHA-2 hash of one or more files.

Check Content Reference

M

Target Key

3993

Comments