Check: DG0008-SQLServer9 (Database SQL Server 9 STIG, version v8 r1.9)
Title
Application objects should be owned by accounts authorized for ownership. (Cat II impact)
Discussion
Database object ownership implies full privileges to the owned object including the privilege to assign access to the owned objects to other subjects. Unmanaged or uncontrolled ownership of objects can lead to unauthorized object grants and alterations.
Check Content
From the query prompt:

    SELECT name AS [Database Name]
    FROM [master].sys.databases
    WHERE state = 0

Repeat for each database. From the query prompt:

    USE [Database Name]
    SELECT DISTINCT s.name AS [Schema Name], u.name AS [Principal], u.type_desc AS [Type]
    FROM sys.schemas s
    JOIN sys.database_principals u ON s.principal_id = u.principal_id
    JOIN sys.all_objects o ON s.schema_id = o.schema_id
    WHERE u.name NOT IN ('dbo', 'INFORMATION_SCHEMA', 'sys')
    ORDER BY s.name, u.name

Review the object ownerships listed. Verify any listed accounts are authorized application installation accounts and documented in the System Security Plan. If any accounts are not authorized, this is a Finding. If any authorized accounts listed are not documented in the System Security Plan, this is a Finding.
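The check above is run by hand once per database. The following T-SQL is an added example, not part of the STIG text: it loops over every online database, collects the same schema-ownership rows into a temp table, and reports only the owners that are absent from an allow-list of documented accounts. The #authorized table and the 'AppDB' / 'app_owner' row are constructed placeholders standing in for the accounts recorded in the System Security Plan.

```sql
-- Added example: DG0008 schema-ownership check across all online databases,
-- compared against a constructed allow-list (#authorized) of documented owners.
SET NOCOUNT ON;

CREATE TABLE #authorized (db_name sysname NOT NULL, principal sysname NOT NULL);
-- constructed placeholder: one documented application ownership account
INSERT INTO #authorized (db_name, principal) VALUES ('AppDB', 'app_owner');

CREATE TABLE #ownership (
    db_name        sysname NOT NULL,
    schema_name    sysname NOT NULL,
    principal      sysname NOT NULL,
    principal_type nvarchar(60) NOT NULL
);

DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM master.sys.databases WHERE state = 0;   -- online databases only
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME keeps an unusual database name from breaking the dynamic SQL;
    -- USE inside the batch scopes the catalog views to that database.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #ownership (db_name, schema_name, principal, principal_type)
        SELECT DISTINCT DB_NAME(), s.name, u.name, u.type_desc
        FROM sys.schemas s
        JOIN sys.database_principals u ON s.principal_id = u.principal_id
        JOIN sys.all_objects o ON s.schema_id = o.schema_id
        WHERE u.name NOT IN (''dbo'', ''INFORMATION_SCHEMA'', ''sys'');';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

-- Every row returned here is a Finding: the schema owner is not a documented account.
SELECT o.db_name, o.schema_name, o.principal, o.principal_type
FROM #ownership o
LEFT JOIN #authorized a
       ON a.db_name = o.db_name AND a.principal = o.principal
WHERE a.principal IS NULL
ORDER BY o.db_name, o.schema_name;

DROP TABLE #ownership;
DROP TABLE #authorized;
```

Populate #authorized from the System Security Plan before running; an owner that is authorized but missing from that list shows up as a Finding, which matches the check's documentation requirement.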
Fix Text
Create database accounts dedicated for application object ownership. To simplify access authorizations, use a single account for each application to avoid cross chaining of ownership, which makes security configuration more complex and degrades system performance. Document all application object ownership in the System Security Plan and authorize with the IAO.
Additional Identifiers
Rule ID: SV-24068r2_rule
Vulnerability ID: V-15607
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |