Check: DG0122-SQLServer9
Database SQL Server 9:
DG0122-SQLServer9
(in version v8 r1.9)
Title
Access to sensitive data should be restricted to authorized users identified by the Information Owner. (Cat II impact)
Discussion
Unauthorized access to sensitive data can lead to unauthorized disclosure, unauthorized modification, or loss of accountability. Access to sensitive data that is not restricted at every level according to job function may be exploited regardless of other attempts at control. An example of this is a web application that serves general users but accesses sensitive data in a backend database using an account with elevated privileges. This gives a web application user a means to exploit the application and gain unauthorized access to data in the database. Where the user never has access to a path with excess privileges, unauthorized access is more difficult to gain.
Check Content
If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is Not a Finding. If no identified sensitive or classified data requires encryption by the Information Owner in the System Security Plan and/or AIS Functional Architecture documentation, this check is Not a Finding. Review privilege assignments to sensitive data stored in the database. Compare assigned privileges to those that are authorized in the System Security Plan. If unauthorized access is granted or sensitive data access requirements are not documented, this is a Finding.
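As an added example that is not part of the STIG text, the following T-SQL gathers the evidence the review above calls for: direct grants on the objects the Information Owner identified as sensitive, the role memberships needed to trace a grant to a role back to individual users, and the effective permissions of an application account (the web-application case from the Discussion). It assumes a hypothetical table dbo.SensitiveObjects holding the Information Owner's list, and the placeholder names 'webapp_user' and 'dbo.Patients'.

```sql
-- Run in the database under review (SQL Server 2005 or later).
-- dbo.SensitiveObjects (schema_name, object_name) is a hypothetical table
-- loaded from the Information Owner's list in the System Security Plan.

-- 1. Direct grants and denies on sensitive objects, at object or column level.
SELECT  s.name          AS schema_name,
        o.name          AS object_name,
        c.name          AS column_name,      -- NULL for object-level entries
        dp.name         AS principal_name,
        dp.type_desc    AS principal_type,   -- SQL_USER, WINDOWS_GROUP, DATABASE_ROLE, ...
        pe.permission_name,
        pe.state_desc                        -- GRANT, GRANT_WITH_GRANT_OPTION, DENY
FROM    sys.database_permissions pe
JOIN    sys.objects o
        ON o.object_id = pe.major_id AND pe.class = 1   -- class 1 = object or column
JOIN    sys.schemas s             ON s.schema_id = o.schema_id
JOIN    sys.database_principals dp ON dp.principal_id = pe.grantee_principal_id
LEFT JOIN sys.columns c
        ON c.object_id = pe.major_id AND c.column_id = pe.minor_id AND pe.minor_id <> 0
JOIN    dbo.SensitiveObjects so
        ON so.schema_name = s.name AND so.object_name = o.name
ORDER BY schema_name, object_name, principal_name, permission_name;

-- 2. Role membership, so a grant to a role can be compared against the users
--    who actually hold it. Members of db_owner, db_datareader and db_datawriter
--    reach the data without any row appearing in step 1, so review them here.
SELECT  r.name AS role_name,
        m.name AS member_name,
        m.type_desc AS member_type
FROM    sys.database_role_members rm
JOIN    sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN    sys.database_principals m ON m.principal_id = rm.member_principal_id
ORDER BY role_name, member_name;

-- 3. Effective permissions of the application account on one sensitive object,
--    combining direct grants, role membership and denies. Requires IMPERSONATE
--    on the user (or db_owner). Compare the result with the job function the
--    System Security Plan authorizes for that account.
EXECUTE AS USER = 'webapp_user';                          -- placeholder account
SELECT entity_name, subentity_name, permission_name
FROM   fn_my_permissions('dbo.Patients', 'OBJECT');       -- placeholder object
REVERT;
```

Logins that are members of the sysadmin server role bypass database permissions entirely and are not visible in these result sets; review them separately with sp_helpsrvrolemember.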
Fix Text
Have the Information Owner identify all sensitive data stored in the database specified in the System Security Plan. Define job functions and the sensitive data access requirements for each job function, and include them in the System Security Plan. Assign only authorized users to job functions.
Additional Identifiers
Rule ID: SV-24307r1_rule
Vulnerability ID: V-15630
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |