STIGQter: STIG Summary: MS SQL Server 2016 Instance Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: MS SQL Server 2016 Instance Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:SV-213977r617437_rule
V-213977
SRG-APP-000243-DB-000374
SQL6-D0-010000
CAT II
10
Remove any unauthorized permission grants from SQL Server data, log, and backup directories.
1) On the "Security" tab, highlight the user entry.
2) Click "Remove".
Review the permissions granted to users by the operating system/file system on the database files, database log files, and database backup files.
To obtain the location of SQL Server data, transaction log, and backup files, open and execute the supplemental file "Get SQL Data and Backup Directories.sql".
For each of the directories returned by the above script, verify whether the correct permissions have been applied.
1) Launch Windows Explorer.
2) Navigate to the folder.
3) Right-click the folder and click "Properties".
4) Navigate to the "Security" tab.
5) Review the listing of principals and permissions.
Account Type Directory Type Permission
-----------------------------------------------------------------------------------------------
Database Administrators ALL Full Control
SQL Server Service SID Data; Log; Backup; Full Control
SQL Server Agent Service SID Backup Full Control
SYSTEM ALL Full Control
CREATOR OWNER ALL Full Control
For information on how to determine a "Service SID", go to:
https://aka.ms/sql-service-sids
Additional permission requirements, including full directory permissions and operating system rights for SQL Server, are documented at:
https://aka.ms/sqlservicepermissions
If any additional permissions are granted but not documented as authorized, this is a finding.
V-213977
False
SQL6-D0-010000
Review the permissions granted to users by the operating system/file system on the database files, database log files, and database backup files.
To obtain the location of SQL Server data, transaction log, and backup files, open and execute the supplemental file "Get SQL Data and Backup Directories.sql".
For each of the directories returned by the above script, verify whether the correct permissions have been applied.
1) Launch Windows Explorer.
2) Navigate to the folder.
3) Right-click the folder and click "Properties".
4) Navigate to the "Security" tab.
5) Review the listing of principals and permissions.
Account Type Directory Type Permission
-----------------------------------------------------------------------------------------------
Database Administrators ALL Full Control
SQL Server Service SID Data; Log; Backup; Full Control
SQL Server Agent Service SID Backup Full Control
SYSTEM ALL Full Control
CREATOR OWNER ALL Full Control
For information on how to determine a "Service SID", go to:
https://aka.ms/sql-service-sids
Additional permission requirements, including full directory permissions and operating system rights for SQL Server, are documented at:
https://aka.ms/sqlservicepermissions
If any additional permissions are granted but not documented as authorized, this is a finding.
M
3993