STIGQter: STIG Summary: MS SQL Server 2014 Database Security Technical Implementation Guide Version: 1 Release: 6 Benchmark Date: 26 Jan 2018: STIGQter: STIG Summary: MS SQL Server 2014 Database Security Technical Implementation Guide Version: 1 Release: 6 Benchmark Date: 26 Jan 2018:SV-81867r2_rule
V-67377
SRG-APP-000226-DB-000147
SQL4-00-021210
CAT II
10
Modify the system security plan, to include whether the database is static, the correct recovery model to be used, the backup schedule, and the plan for testing database restoration.
In SQL Server Management Studio, Object Explorer, right-click on the name of the database; select Properties. Select the Options page. Set the Recovery Model field, near the top of the page, to the correct value.
In Object Explorer, expand <server name> >> SQL Server Agent >> Jobs. Create, modify and delete jobs to implement the backup schedule. (Alternatively, this may done using T-SQL code.)
Correct any issues that have been causing backups to fail.
Test the restoration of the database at least once a year; correct any issues that cause it to fail. Maintain a record of these tests.
Review the system security plan (SSP) to determine whether the database is static, the recovery model to be used, the backup schedule, and the plan for testing database restoration. If the SSP does not state that the database is static, assume that it is not static. If any of the other information is absent, this is a finding.
If the database is not static, but the documented recovery model is Simple, this is a finding.
If the database is not static, and the documented recovery model is Bulk Logged, but the justification and authorization for this are not documented, this is a finding.
In SQL Server Management Studio, Object Explorer, right-click on the name of the database; select Properties. Select the Options page.
Observe the Recovery Model field, near the top of the page. If this does not match the documented recovery model, this is a finding.
In Object Explorer, expand <server name> >> SQL Server Agent >> Jobs.
Review the jobs set up to implement the backup plan. If they are absent, this is a finding.
Right-click on each backup job; select View History. If the history indicates a pattern of job failures, this is a finding.
Review evidence that database recovery is tested annually or more often, and that the most recent test was successful. If not, this is a finding.
V-67377
False
SQL4-00-021210
Review the system security plan (SSP) to determine whether the database is static, the recovery model to be used, the backup schedule, and the plan for testing database restoration. If the SSP does not state that the database is static, assume that it is not static. If any of the other information is absent, this is a finding.
If the database is not static, but the documented recovery model is Simple, this is a finding.
If the database is not static, and the documented recovery model is Bulk Logged, but the justification and authorization for this are not documented, this is a finding.
In SQL Server Management Studio, Object Explorer, right-click on the name of the database; select Properties. Select the Options page.
Observe the Recovery Model field, near the top of the page. If this does not match the documented recovery model, this is a finding.
In Object Explorer, expand <server name> >> SQL Server Agent >> Jobs.
Review the jobs set up to implement the backup plan. If they are absent, this is a finding.
Right-click on each backup job; select View History. If the history indicates a pattern of job failures, this is a finding.
Review evidence that database recovery is tested annually or more often, and that the most recent test was successful. If not, this is a finding.
M
2637