Check: SQL4-00-035500
MS SQL Server 2014 Instance STIG:
SQL4-00-035500
(in versions v2 r3 through v1 r4)
Title
Software updates to SQL Server must be tested before being applied to production systems. (Cat II impact)
Discussion
While it is important to apply SQL Server updates in a timely manner, it is also incumbent upon the database administrator and/or system administrator to ensure that their deployment will not interfere with the operation of the database and its applications. Other than in emergency situations, SQL Server updates must be applied to appropriately configured non-production systems, and the resulting version of SQL Server assessed for correct operation.
Check Content
Obtain evidence that SQL Server software updates are tested before being applied to production servers, and that any exceptions are approved by the ISSM. If such evidence cannot be obtained, or the evidence that is obtained indicates a pattern of noncompliance, this is a finding.
Fix Text
Institute and adhere to policies and procedures to ensure that SQL Server updates are tested prior to installation on production servers.
Additional Identifiers
Rule ID: SV-213880r855552_rule
Vulnerability ID: V-213880
Group Title: SRG-APP-000456-DB-000390
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002605 |
The organization installs security-relevant software updates within an organization-defined time period of the release of the updates. |
Controls
Number | Title |
---|---|
SI-2 |
Flaw Remediation |