StigData/Processed/SqlServer-2012-Instance-1.16.xml
|
<DISASTIG id="Microsoft_SQL_Server_2012_Database_Instance_Security_Technical_Implementation_Guide" version="1.16" created="8/22/2018"> <DocumentRule dscresourcemodule="None"> <Rule id="V-40907" severity="high" conversionstatus="pass" title="SRG-APP-000264-DB-000136" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the DBMS exists in the unclassified environment, and data transmission does not cross the boundary between the NIPRNet and the wider Internet, and the application owner and authorizing official have determined that encryption is not required, this is not a finding. Check SQL Server and network settings to determine whether cryptographic mechanisms are used to prevent the unauthorized disclosure of information during transmission. If not, this is a finding. Review system documentation to determine whether the system handles classified information. If the system does not handle classified information, the severity of this check should be downgraded to Category II. From Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER]. Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties. On the Flags tab, if Force Encryption is set to "YES", examine the certificate used on the Certificate tab. If Force Encryption is set, a DoD Certificate is not utilized, and a physical encryption measure is utilized, examine the physical encryption devices to determine the following: 1. The plaintext connection to the database server is afforded the highest protections, allowing no access to unauthorized or non-cleared personnel. 2. The encryption device is configured to pass traffic to only the specific IP addresses as identified by the database documentation. 3. The encryption keys utilized are current and valid keys. 4. The keys utilized meet approved organizationally defined compliant algorithms. If any of the preceding requirements is not met, this is a finding. If Force Encryption is set to "NO" or a DoD Certificate is not utilized, and physical encryption measures are not utilized, this is a finding.</RawString> </Rule> <Rule id="V-40908" severity="medium" conversionstatus="pass" title="SRG-APP-000248-DB-000135" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If Database Availability Groups are not being used, this is not applicable (NA). Check the system documentation and check with the administrator regarding processing resources of the backup/secondary SQL Server. If the primary SQL Server has a backup/secondary server that is dedicated 100% to the primary server's processing, this is not a finding. If the secondary/backup SQL Server is already partly resourced to process something other than that of the primary SQL Server processing, then determine what resources would be required for the secondary/backup SQL Server. If the secondary/backup SQL Server is determined to not have enough processing resources to fulfill the function of the primary server's SQL Server process, this is a finding.</RawString> </Rule> <Rule id="V-40909" severity="low" conversionstatus="pass" title="SRG-APP-000248-DB-000135" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review system documentation and determine if one type or more of SQL Server users has a business need for priority usage over other types of users. The need for prioritization most frequently occurs when SQL Server resources are shared between two or more applications or systems where the number of users on more than one system is small or non-existent. This needs to be the case, because SQL Server limits resource based on user accounts and not what process is running. If SQL Server has users that are determined to run significantly high priority processes than other users and the SQL Server "Resource Governor" is not being implemented, this is a finding.</RawString> </Rule> <Rule id="V-40912" severity="low" conversionstatus="pass" title="SRG-APP-000203-DB-000146" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review system documentation to determine if the labeling of sensitive data is required under organization-defined guidelines. If the labeling of sensitive data is not required, this is NA. Obtain system configuration setting to determine how data labeling is being performed. This can be through triggers or some other SQL developed means or via a third-party tool. Check to ensure that labels are being associated to data when information is being exchanged between systems. If the labeling is not being associated to data when exchanging data between systems, this is a finding.</RawString> </Rule> <Rule id="V-40913" severity="medium" conversionstatus="pass" title="SRG-APP-000201-DB-000145" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If SQL Server is not housing or distributing publicly available information, this finding is NA. Obtain from the DBA or system documentation the list of publicly available data within SQL Server and the role names that assign read-only access to that public data. Obtain the publicly available user account name being used to access SQL Server. Navigate to Start >> Administrative Tools >> Server Manager >> Server Manager (<'server name'>) >> Configuration >> Local Users and Groups >> Groups >> right click 'Guests' >> Properties >> 'Members:' The publicly available user account will likely be in the OS 'Guests' group. Determine if SQL Server is granting more than read access to the publicly available information through SQL Server 'Server Roles'. Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'user account'> >> Properties >> Server Roles. If any 'Server Roles' are marked that grant more than read access to the publicly available information, this is a finding.</RawString> </Rule> <Rule id="V-40914" severity="medium" conversionstatus="pass" title="SRG-APP-000201-DB-000145" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If SQL Server is not housing or distributing publicly available information, this finding is NA. Obtain from the DBA or system documentation the list of publicly available data within SQL Server. Obtain the publicly available user account name being used to access SQL Server. Navigate to Start >> Administrative Tools >> Server Manager >> Server Manager (<'server name'>) >> Configuration >> Local Users and Groups >> Groups >> right click 'Guests' >> Properties >> 'Members:' The publicly available user account will likely be in the OS 'Guests' group. Determine if SQL Server is granting more than read access to the publicly available information through SQL Server 'User Mapping'. Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'user account'> >> Properties >> User Mapping. If any of the three system databases are checked (indicating a granted privilege): master, model, or msdb, this is a finding.</RawString> </Rule> <Rule id="V-40916" severity="medium" conversionstatus="pass" title="SRG-APP-000201-DB-000145" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If SQL Server is not housing or distributing publicly available information, this finding is NA. If SQL Server supports an application collecting information from the public, this is NA. Obtain from the DBA or system documentation the list of publicly available data within SQL Server. Obtain the publicly available user account(s) being used to access SQL Server. Determine if SQL Server is granting more than read access to the publicly available information through SQL Server 'Securables'. Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'user account'> >> Properties >> Securables. If any 'Securables' are listed, this is a finding.</RawString> </Rule> <Rule id="V-40917" severity="high" conversionstatus="pass" title="SRG-APP-000196-DB-000141" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the system exists in the non-classified environment, this is NA. For each database under the SQL Server instance, review the system documentation to determine whether the database holds classified or sensitive information. If it does not, this is not a finding. If it does handle classified or sensitive information, review the system documentation and configuration to determine whether the classified information is protected by NSA- and NIST-approved cryptography. If not, this is a finding. If DBMS data encryption is required, ensure the status of encryption by executing: SELECT d.name AS [Database Name], CASE e.encryption_state WHEN 0 THEN 'No database encryption key present, no encryption' WHEN 1 THEN 'Unencrypted' WHEN 2 THEN 'Encryption in progress' WHEN 3 THEN 'Encrypted' WHEN 4 THEN 'Key change in progress' WHEN 5 THEN 'Decryption in progress' WHEN 6 THEN 'Protection change in progress' END AS [Encryption State] FROM sys.dm_database_encryption_keys e RIGHT JOIN sys.databases d ON DB_NAME(e.database_id) = d.name WHERE d.name NOT IN ('master','model','msdb') ORDER BY 1 ; For each user database where encryption is required, verify that encryption is in effect. If not, this is a finding. </RawString> </Rule> <Rule id="V-40918" severity="medium" conversionstatus="pass" title="SRG-APP-000198-DB-000143" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review system documentation to determine whether cryptography for classified or sensitive information is required by the information owner. If the system documentation does not specify the type of information hosted on SQL Server: classified, sensitive and/or unclassified, this is a finding. If neither classified nor sensitive information exists within SQL Server databases or configuration, this requirement is NA. Note: If the SQL Server is compliant, nothing is displayed. If cryptography is being used by SQL Server, examine evidence that an audit record is created whenever the asymmetric key is accessed by other than authorized users. In particular, view evidence that access by a SYSADMIN or other system privileged account results in the generation of an audit record. This is required because system privileges allow access to encryption keys and can be used to access sensitive data where there is not a need-to-know. Note: The list of acceptable algorithms: "AES 128", "AES 192", "AES 256" and "Triple DES". If cryptography is being used by SQL Server, verify that the cryptography is NIST FIPS 140-2 certified by running the following SQL query: EXEC sp_MSforeachdb ' DECLARE @nCount integer; SELECT @nCount = Count(*) FROM [?].sys.symmetric_keys WHERE key_algorithm NOT IN (''D3'',''A1'',''A2'',''A3''); IF @nCount > 0 SELECT ''?'' AS ''database ?'' , name , algorithm_desc FROM [?].sys.symmetric_keys WHERE key_algorithm NOT IN (''D3'',''A1'',''A2'',''A3'') ORDER BY name, algorithm_desc; ' ; If any items list showing an uncertified NIST FIPS 140-2 algorithm type, this is a finding. If an audit record is not generated for unauthorized access to the asymmetric key, this is a finding. Detailed information on the NIST Cryptographic Module Validation Program (CMVP) is available at the following website: http://csrc.nist.gov/groups/STM/cmvp/index.html.</RawString> </Rule> <Rule id="V-40919" severity="medium" conversionstatus="pass" title="SRG-APP-000180-DB-000115" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review documentation, SQL Server settings and authentication system settings to determine if non-organizational users are individually identified and authenticated when logging onto the system. If non-organizational users are not uniquely identified and authenticated, this is a finding.</RawString> </Rule> <Rule id="V-40927" severity="medium" conversionstatus="pass" title="SRG-APP-000145-DB-000098" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain authorized access list for backup and restoration procedures from system documentation. If documented procedures are insufficient to show or describe authorized personnel, this is a finding. Review file protections assigned to online backup and restoration files. Review access protections and procedures for offline backup and restoration files. If backup or restoration files are subject to unauthorized access, this is a finding. It may be necessary to review backup and restoration procedures to determine ownership and access during all phases of backup and recovery. In addition to physical and host system protections, consider other methods including encryption protection of the files.</RawString> </Rule> <Rule id="V-40928" severity="medium" conversionstatus="pass" title="SRG-APP-000145-DB-000097" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review SQL Server's documented testing and recovery procedures that exist in the system documentation. If the testing or recovery procedures are not documented in the system documentation, this is a finding. If the documented testing or recovery procedures are not sufficient to test or recover SQL Server configuration and databases, this is a finding. Review evidence of implementation of testing and verification procedures by reviewing logs from backup and recovery implementation. Logs may be in electronic form or hardcopy, and may include email or other notification. If the system recovery testing has not been implemented and documented, this is a finding.</RawString> </Rule> <Rule id="V-40929" severity="medium" conversionstatus="pass" title="SRG-APP-000145-DB-000096" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review the database backup procedures and implementation evidence. Evidence of implementation includes records of backup events and physical review of backup media. Evidence should match the backup plan as recorded in the system documentation. If backup procedures do not exist or are not implemented in accordance with the procedures, this is a finding.</RawString> </Rule> <Rule id="V-40937" severity="medium" conversionstatus="pass" title="SRG-APP-000141-DB-000092" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review the components and features included in SQL Server and capable of being disabled (by configuration settings, permissions and privileges, etc.). Take note of those which are enabled. Review the system documentation to verify that the enabled components or features are documented and authorized. If any enabled components or features are not authorized, this is a finding.</RawString> </Rule> <Rule id="V-40941" severity="high" conversionstatus="pass" title="SRG-APP-000141-DB-000091" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review the list of components and features installed with the database. Using an account with System Administrator privileges, from Command Prompt, open control.exe. Navigate to Programs and Features. Check for the following entries in the 'Uninstall or change a program' window. Microsoft SQL Server Data Tools - Database Projects - Web installer entry point Prerequisites for SSDT If SQL Server Data Tools is not documented as a server requirement, and these entries exist, this is a finding.</RawString> </Rule> <Rule id="V-40947" severity="medium" conversionstatus="pass" title="SRG-APP-000133-DB-000198" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check system documentation for policy and procedures to restrict use of the SQL Server software installation account. Check OS settings to determine whether users are restricted from accessing SQL Server objects and data they are not authorized to access by checking the local OS user accounts. From a Command Prompt, open lusrmgr.msc. Navigate to Users >> right click individual user >> Properties >> Member Of. If appropriate access controls for all users are not implemented to restrict access to only authorized users and to restrict the access of those users to objects and data they are authorized, this is a finding. Review procedures for controlling and granting access to use of the SQL Server software installation account. If access or use of this account is not restricted to the minimum number of personnel required, or unauthorized access to this account has been granted, this is a finding.</RawString> </Rule> <Rule id="V-40948" severity="high" conversionstatus="pass" title="SRG-APP-000133-DB-000179" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If a security and data integrity tool is not used for monitoring and alerting files and folders based on cryptographic hashes, this is a finding. If the tool does not verify files/folder locations as listed in the documentation, this is a finding.</RawString> </Rule> <Rule id="V-40949" severity="medium" conversionstatus="pass" title="SRG-APP-000133-DB-000179" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify within the system documentation that SQL Server is monitoring for security-relevant configuration settings to discover unauthorized changes. This can be done by a third-party tool or a SQL script that does baselining and then comparisons. If the monitoring of security-relevant configuration settings to discover unauthorized changes is not implemented on SQL Server, this is a finding.</RawString> </Rule> <Rule id="V-41027" severity="medium" conversionstatus="pass" title="SRG-APP-000101-DB-000044 Duplicate" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.</RawString> </Rule> <Rule id="V-41028" severity="medium" conversionstatus="pass" title="SRG-APP-000100-DB-000201 Duplicate" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.</RawString> </Rule> <Rule id="V-41029" severity="medium" conversionstatus="pass" title="SRG-APP-000099-DB-000043 Duplicate" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.</RawString> </Rule> <Rule id="V-41030" severity="medium" conversionstatus="pass" title="SRG-APP-000098-DB-000042 Duplicate" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.</RawString> </Rule> <Rule id="V-41031" severity="medium" conversionstatus="pass" title="SRG-APP-000097-DB-000041 Duplicate" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.</RawString> </Rule> <Rule id="V-41032" severity="medium" conversionstatus="pass" title="SRG-APP-000096-DB-000040 Duplicate" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.</RawString> </Rule> <Rule id="V-41033" severity="medium" conversionstatus="pass" title="SRG-APP-000095-DB-000039 Duplicate" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.</RawString> </Rule> <Rule id="V-41034" severity="low" conversionstatus="pass" title="SRG-APP-000080-DB-000063" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of authorized SQL Server accounts in the system documentation. If accounts are determined to be shared, determine if individuals are first individually authenticated. If individuals are not individually authenticated before using the shared account (e.g., by the operating system or possibly by an application making calls to the database), this is a finding. (The key is individual accountability. If this can be traced, this is not a finding.) If accounts are determined to be shared, determine if they are directly accessible to end users. If so, this is a finding. Review contents of audit logs, traces and data tables to confirm that the identity of the individual user performing the action is captured. If shared identifiers are found, and not accompanied by individual identifiers, this is a finding. Note: Privileged installation accounts may be required to be accessed by the DBA or other administrators for system maintenance. In these cases, each use of the account must be logged in some manner to assign accountability for any actions taken during the use of the account.</RawString> </Rule> <Rule id="V-41035" severity="medium" conversionstatus="pass" title="SRG-APP-000091-DB-000066 Duplicate" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.</RawString> </Rule> <Rule id="V-41038" severity="medium" conversionstatus="pass" title="SRG-APP-000063-DB-000022" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review system documentation to identify the installation account. Verify whether the account is used for anything beyond SQL Server software installation, upgrade, and maintenance actions. If the account is used for anything beyond SQL Server installation, upgrade, and maintenance actions, this is a finding.</RawString> </Rule> <Rule id="V-41039" severity="medium" conversionstatus="pass" title="SRG-APP-000063-DB-000021" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>From the system security documentation, obtain the list of SQL Server DBA accounts, the OS/domain Group(s) representing those DBAs' job role(s), and the OS permissions required by that/those role(s). To review local accounts and groups: Log on to the Windows server hosting SQL Server, using an account with administrator privileges. From a command prompt opened as administrator, type gpedit.msc, and press [ENTER]. In Group Policy Editor, navigate to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Scan the list to determine which privileges are assigned to the Group(s) representing the SQL Server DBA job role(s). If any privileges are assigned that are not required by these roles, this is a finding. From the command prompt, type lusrmgr.msc, and press [ENTER]. In the Local Users and Groups console, navigate to Users. Right-click each DBA user. Click Properties. Click the 'Member of' tab. If any parent groups are listed that are not specific to DBA roles, this is a finding. In the Local Users and Groups console, navigate to Groups. Right-click each DBA Group. Click Properties. Review the list of group members. If any account that does not represent a DBA is listed, this is a finding. To review domain-level accounts and groups: Log on to a domain controller with the necessary privileges. Open Active Directory Users and Computers (available from menus or run dsa.msc) Determine the location of the accounts or groups to be reviewed. The default is the Users container, but they could have been created or moved to an Organizational Unit (OU) that is domain specific. Right-click each DBA user. Click Properties. Click the 'Member of' tab. If any parent groups are listed that are not specific to DBA roles, this is a finding. Right-click each DBA Group. Click Properties. Select the 'Members' tab. Review the list of group members. If any account that does not represent a DBA is listed, this is a finding.</RawString> </Rule> <Rule id="V-41041" severity="medium" conversionstatus="pass" title="SRG-APP-000063-DB-000019" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of all DBAs. Obtain documented role assignments for each DBA. Obtain from system documentation or use SQL Server to determine privilege assignment of user-defined roles. Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'administrator account name'> >> Properties >> User >> Securables. If any item in the 'Permission' listing, for each highlighted item that exists in the 'Securables' listing, has excessive privileges, this is a finding. Navigate from 'Securables' to 'Server Roles'. If any checked 'Server roles' are determined to be excessive privileges, this is a finding. Navigate from 'Server Roles' to 'Users mapped to the login'. If any checked 'Database role membership' of each highlighted and checked 'Database' are determined to be excessive privileges, this is a finding.</RawString> </Rule> <Rule id="V-41042" severity="medium" conversionstatus="pass" title="SRG-APP-000063-DB-000018 Duplicate" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.</RawString> </Rule> <Rule id="V-41044" severity="medium" conversionstatus="pass" title="SRG-APP-000062-DB-000016" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Use SQL Server and system documentation to determine privilege assignment of user-defined roles. Determine which user-defined roles grant privileges to system tables and configuration data stored in SQL Server. For each Login: In SQL Server Management Studio, Object Explorer, expand <SQL Server instance> >> Security >> Logins >> Right-click <login account name> >> Properties >> User >> Securables. If any item in the Explicit Permissions listing, for each highlighted item that exists in the Securables listing, indicates direct permission access, and that permission is anything other than Connect SQL, this is a finding. Navigate from Securables to Server Roles. If any Server Roles are checked from the following list, indicating direct permission access, this is a finding: bulkadmin dbcreator diskadmin processadmin securityadmin serveradmin setupadmin If the sysadmin server role is checked, review system documentation to determine whether this login's need for the sysadmin role is documented and approved. If it is not, this is a finding. If any user-defined server roles with system table or configuration data privileges are checked, review system documentation to determine whether this login's need for the role is documented and approved. If it is not, this is a finding. Navigate from Server Roles to User Mapping. Select in turn each entry where the User column is non-blank. If any Database Roles are checked from the following list, indicating direct permission access, this is a finding: db_accessadmin db_backupoperator db_datareader db_datawriter db_ddladmin db_denydatareader db_denydatawriter db_owner db_securityadmin</RawString> </Rule> <Rule id="V-41046" severity="medium" conversionstatus="pass" title="SRG-APP-000062-DB-000011" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of available user-defined server roles from system documentation. Obtain the list of available user-defined server roles from the SQL Server system by running the following script: /********************************************************************************** LIST ALL INDIRECT (via ROLES) ACCESS TO THE SERVER PERMISSION. ***********************************************************************************/ DECLARE @admin_Account_name sysname SET @admin_Account_name = 'NO admin ACCOUNT found' DECLARE @server_name sysname SET @server_name = 'NO Server found' SELECT @server_name = name FROM sys.servers WHERE server_id = 0 SET @admin_Account_name = @server_name + '\Administrator' SELECT pe.grantee_principal_id , pr.type AS 'Grantee_Type' , pr.name AS 'Grantee_Name' , pe.type , pe.permission_name , pe.state , pe.state_desc FROM sys.server_permissions pe JOIN sys.server_principals pr ON pe.grantee_principal_id = pr.principal_id JOIN sys.server_principals ps ON pe.grantor_principal_id = ps.principal_id LEFT JOIN sys.server_principals us ON us.principal_id = pe.major_id WHERE pr.type IN ('R') AND pe.grantee_principal_id > 10 AND NOT pr.name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt') AND NOT pr.name = @admin_Account_name ORDER BY CASE pe.state WHEN 'D' THEN 1 WHEN 'W' THEN 2 WHEN 'G' THEN 3 ELSE 4 END If any listed user-defined roles are not found in the system documentation, this is a finding. Obtain the list assigned privileges for all user-defined roles in the system documentation. Check all SQL Server user-defined server roles for access rights as it relates to the separation of duties. Repeat steps for each user-defined server role. Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Server Roles >> right click <'user-defined server role name'> >> Properties >> General >> Securables. If any user-defined role is assigned privileges that are not documented in the system documentation, this is a finding. If any user-defined role contains permissions that are inconsistent with separation sensitive information assignment, this is a finding. If system access requires more than one level of sensitive information access and the user-defined role names do not clearly differentiate between the different levels of sensitive information, this is a finding.</RawString> </Rule> <Rule id="V-41202" severity="medium" conversionstatus="pass" title="SRG-APP-000062-DB-000009" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check for direct user assignment to server permissions by running the following script: /********************************************************************************** LIST ALL DIRECT SERVER PERMISSIONS TO ANY ACCOUNT EXCEPT SYSTEM ADMINISTRATOR accounts. DO NOT LIST ROLES. ***********************************************************************************/ DECLARE @admin_Account_name sysname SET @admin_Account_name = 'NO administrator account found' DECLARE @server_name sysname SET @server_name = 'NO Server found' SELECT @server_name = name FROM sys.servers WHERE server_id = 0 SET @admin_Account_name = @server_name + '\Administrator' SELECT pe.grantee_principal_id , pr.type AS 'Grantee_Type' , pr.name AS 'Grantee_Name' , pe.type , pe.permission_name , pe.state , pe.state_desc FROM sys.server_permissions pe JOIN sys.server_principals pr ON pe.grantee_principal_id = pr.principal_id JOIN sys.server_principals ps ON pe.grantor_principal_id = ps.principal_id LEFT JOIN sys.server_principals us ON us.principal_id = pe.major_id WHERE pr.type IN ('K', 'S', 'U') AND pe.grantee_principal_id > 10 AND NOT pr.name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt') AND NOT pr.name = @admin_Account_name AND NOT pe.permission_name = 'connect sql' ORDER BY CASE pr.type WHEN 'K' THEN 1 WHEN 'S' THEN 2 WHEN 'U' THEN 3 ELSE 4 END If any user account list indicates direct access to any server permission, this is a finding. Obtain the list of available user-defined server roles from system documentation. Obtain the list of available user-defined server roles from the SQL Server system by running the following script: /********************************************************************************** LIST ALL INDIRECT (via ROLES) ACCESS TO THE SERVER PERMISSION. ***********************************************************************************/ DECLARE @admin_Account_name sysname SET @admin_Account_name = 'NO admin ACCOUNT found' DECLARE @server_name sysname SET @server_name = 'NO Server found' SELECT @server_name = name FROM sys.servers WHERE server_id = 0 SET @admin_Account_name = @server_name + '\Administrator' SELECT pe.grantee_principal_id , pr.type AS 'Grantee_Type' , pr.name AS 'Grantee_Name' , pe.type , pe.permission_name , pe.state , pe.state_desc FROM sys.server_permissions pe JOIN sys.server_principals pr ON pe.grantee_principal_id = pr.principal_id JOIN sys.server_principals ps ON pe.grantor_principal_id = ps.principal_id LEFT JOIN sys.server_principals us ON us.principal_id = pe.major_id WHERE pr.type IN ('R') AND pe.grantee_principal_id > 10 AND NOT pr.name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt') AND NOT pr.name = @admin_Account_name AND NOT pe.permission_name = 'connect sql' ORDER BY CASE pe.state WHEN 'D' THEN 1 WHEN 'W' THEN 2 WHEN 'G' THEN 3 ELSE 4 END If any listed user-defined roles are not found in the system documentation, this is a finding. Obtain the list of assigned privileges for all user-defined roles in the system documentation. Check all SQL Server user-defined server roles for access rights as it relates to the separation of duties. Repeat steps for each user-defined server role. Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Server Roles >> right click <'user-defined server role name'> >> Properties >> General >> Securables. If any roles are found that do not enforce separation of duties, this is a finding.</RawString> </Rule> <Rule id="V-41204" severity="medium" conversionstatus="pass" title="SRG-APP-000085-DB-000038" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check for rights propagation assignment to DBMS server permissions by running the following query: USE master; SELECT * FROM sys.server_permissions WHERE state_desc = 'GRANT_WITH_GRANT_OPTION'; If any of the permissions listed have not been documented and approved as requiring GRANT_WITH_GRANT_OPTION, this is a finding.</RawString> </Rule> <Rule id="V-41205" severity="medium" conversionstatus="pass" title="SRG-APP-000036-DB-000174" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check for direct user assignment to server permissions by running the following script: /********************************************************************************** LIST ALL DIRECT SERVER PERMISSIONS TO ANY ACCOUNT EXCEPT SYSTEM ADMINISTRATOR accounts. DO NOT LIST ROLES. ***********************************************************************************/ DECLARE @admin_Account_name sysname SET @admin_Account_name = 'NO Administrator account found' DECLARE @server_name sysname SET @server_name = 'NO Server found' SELECT @server_name = name FROM sys.servers WHERE server_id = 0 SET @admin_Account_name = @server_name + '\Administrator' SELECT pe.grantee_principal_id , pr.type AS 'Grantee_Type' , pr.name AS 'Grantee_Name' , pe.type , pe.permission_name , pe.state , pe.state_desc FROM sys.server_permissions pe JOIN sys.server_principals pr ON pe.grantee_principal_id = pr.principal_id JOIN sys.server_principals ps ON pe.grantor_principal_id = ps.principal_id LEFT JOIN sys.server_principals us ON us.principal_id = pe.major_id WHERE pr.type IN ('K', 'S', 'U') AND pe.grantee_principal_id > 10 AND NOT pr.name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt') AND NOT pr.name = @admin_Account_name ORDER BY CASE pr.type WHEN 'K' THEN 1 WHEN 'S' THEN 2 WHEN 'U' THEN 3 ELSE 4 END If any user account list indicates direct access to any server permission, this is a finding. Obtain the list of available user-defined server roles from system documentation. Obtain the list of available user-defined server roles from the SQL Server system by running the following script: /********************************************************************************** LIST ALL INDIRECT (via ROLES) ACCESS TO THE SERVER PERMISSION. ***********************************************************************************/ DECLARE @admin_Account_name sysname SET @admin_Account_name = 'NO admin ACCOUNT found' DECLARE @server_name sysname SET @server_name = 'NO Server found' SELECT @server_name = name FROM sys.servers WHERE server_id = 0 SET @admin_Account_name = @server_name + '\Administrator' SELECT pe.grantee_principal_id , pr.type AS 'Grantee_Type' , pr.name AS 'Grantee_Name' , pe.type , pe.permission_name , pe.state , pe.state_desc FROM sys.server_permissions pe JOIN sys.server_principals pr ON pe.grantee_principal_id = pr.principal_id JOIN sys.server_principals ps ON pe.grantor_principal_id = ps.principal_id LEFT JOIN sys.server_principals us ON us.principal_id = pe.major_id WHERE pr.type IN ('R') AND pe.grantee_principal_id > 10 AND NOT pr.name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt') AND NOT pr.name = @admin_Account_name ORDER BY CASE pe.state WHEN 'D' THEN 1 WHEN 'W' THEN 2 WHEN 'G' THEN 3 ELSE 4 END If any listed user-defined roles are not found in the system documentation, this is a finding. Obtain the list of user role assignments in the system documentation. Check all SQL Server user-defined server roles for authorized and documented permission assignments. Repeat steps for each user-defined server role. Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Server Roles >> right click <'user-defined server role name'> >> Properties >> Members. If any roles are found that are not authorized and documented, this is a finding.</RawString> </Rule> <Rule id="V-41304" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check for direct user assignment to server permissions by running the following script: /********************************************************************************** LIST ALL DIRECT SERVER PERMISSIONS TO ANY ACCOUNT EXCEPT SYSTEM ADMINISTRATOR ACCOUNTS. DO NOT LIST ROLES. ***********************************************************************************/ DECLARE @admin_Account_name sysname SET @admin_Account_name = 'NO administrator account found' DECLARE @server_name sysname SET @server_name = 'NO Server found' SELECT @server_name = name FROM sys.servers WHERE server_id = 0 SET @admin_Account_name = @server_name + '\Administrator' SELECT pe.grantee_principal_id , pr.type AS 'Grantee_Type' , pr.name AS 'Grantee_Name' , pe.type , pe.permission_name , pe.state , pe.state_desc FROM sys.server_permissions pe JOIN sys.server_principals pr ON pe.grantee_principal_id = pr.principal_id JOIN sys.server_principals ps ON pe.grantor_principal_id = ps.principal_id LEFT JOIN sys.server_principals us ON us.principal_id = pe.major_id WHERE pr.type IN ('K', 'S', 'U') AND pe.grantee_principal_id > 10 AND NOT pr.name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt') AND NOT pr.name = @admin_Account_name AND NOT pe.permission_name = 'connect sql' ORDER BY CASE pr.type WHEN 'K' THEN 1 WHEN 'S' THEN 2 WHEN 'U' THEN 3 ELSE 4 END; GO If any user account listed indicates direct access to any server permission, this is a finding. Obtain the list of available user-defined server roles from system documentation. Obtain the list of available user-defined server roles from the SQL Server system by running the following script: /********************************************************************************** LIST ALL INDIRECT (via ROLES) ACCESS TO THE SERVER PERMISSION. ***********************************************************************************/ DECLARE @admin_Account_name sysname SET @admin_Account_name = 'NO admin ACCOUNT found' DECLARE @server_name sysname SET @server_name = 'NO Server found' SELECT @server_name = name FROM sys.servers WHERE server_id = 0 SET @admin_Account_name = @server_name + '\Administrator' SELECT pe.grantee_principal_id , pr.type AS 'Grantee_Type' , pr.name AS 'Grantee_Name' , pe.type , pe.permission_name , pe.state , pe.state_desc FROM sys.server_permissions pe JOIN sys.server_principals pr ON pe.grantee_principal_id = pr.principal_id JOIN sys.server_principals ps ON pe.grantor_principal_id = ps.principal_id LEFT JOIN sys.server_principals us ON us.principal_id = pe.major_id WHERE pr.type IN ('R') AND pe.grantee_principal_id > 10 AND NOT pr.name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt') AND NOT pr.name = @admin_Account_name AND NOT pe.permission_name = 'connect sql' ORDER BY CASE pe.state WHEN 'D' THEN 1 WHEN 'W' THEN 2 WHEN 'G' THEN 3 ELSE 4 END; GO Obtain the list of user role assignments in the system documentation. Check all SQL Server user-defined server roles for authorized and documented permission assignments. Repeat steps for each user-defined server role. Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Server Roles >> right click <'user-defined server role name'> >> Properties >> Members. If both user-defined role(s) and user(s) are listed as "Member of this role", this is a propagation of access rights, and this is a finding.</RawString> </Rule> <Rule id="V-41305" severity="medium" conversionstatus="pass" title="SRG-APP-000292-DB-000138 Duplicate" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.</RawString> </Rule> <Rule id="V-41306" severity="medium" conversionstatus="pass" title="SRG-APP-000027-DB-000186 Duplicate" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.</RawString> </Rule> <Rule id="V-41307" severity="medium" conversionstatus="pass" title="SRG-APP-000019-DB-000197 Duplicate" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.</RawString> </Rule> <Rule id="V-41311" severity="medium" conversionstatus="pass" title="SRG-APP-000001-DB-000031" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review the system documentation to determine whether any limits have been defined. If not, this is a finding. If one limit has been defined but is not applied to all users, including privileged administrative accounts, this is a finding. If multiple limits have been defined, to accommodate different types of user, verify that together they cover all users. If not, this is a finding. If a mechanism other than a logon trigger is used, verify its correct operation by the appropriate means. If it does not work correctly, this is a finding. Otherwise, determine if a logon trigger exists: EITHER, in SQL Server Management Studio's Object Explorer tree: Expand [SQL Server Instance] >> Security >> Server Objects >> Triggers OR run the query: SELECT * FROM master.sys.server_triggers; If no triggers are listed, this is a finding. If triggers are listed, identify the one(s) limiting the number of concurrent sessions per user. If none are found, this is a finding. If they are present but disabled, this is a finding. Examine the trigger source code for logical correctness and for compliance with the documented limit(s). If errors or variances exist, this is a finding. Verify that the system does execute the trigger(s) each time a user session is established. If it does not operate correctly for all types of user, this is a finding.</RawString> </Rule> <Rule id="V-53877" severity="medium" conversionstatus="pass" title="SRG-APP-000196-DB-000301" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the system exists in the Classified environment, this is NA. For each database under the SQL Server instance, review the system documentation to determine whether the database holds sensitive information. If it does not, this is not a finding. If it does handle sensitive information, review the system documentation and configuration to determine whether the sensitive information is protected by NIST-approved cryptography. If not, this is a finding.</RawString> </Rule> <Rule id="V-70625" severity="low" conversionstatus="pass" title="SRG-APP-000516-DB-999900" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the need for the SQL Server Browser service is documented, with appropriate approval, this is not a finding. Open the Services tool. Either navigate, via the Windows Start Menu and/or Control Panel, to "Administrative Tools", and select "Services" or at a command prompt, type "services.msc" and press the "Enter" key. Scroll to "SQL Server Browser". If its Startup Type is not shown as "Disabled", this is a finding.</RawString> </Rule> <Rule id="V-72413" severity="medium" conversionstatus="pass" title="SRG-APP-000164-DB-000401" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Run the statement: SELECT name FROM sys.sql_logins WHERE type_desc = 'SQL_LOGIN' AND is_disabled = 0 AND is_policy_checked = 0 ; If no account names are listed, this is not a finding. For each account name listed, determine whether it is documented as requiring exemption from the standard password complexity rules. If it is not, this is a finding.</RawString> </Rule> <Rule id="V-72415" severity="medium" conversionstatus="pass" title="SRG-APP-000164-DB-000401" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Run the statement: SELECT name FROM sys.sql_logins WHERE type_desc = 'SQL_LOGIN' AND is_disabled = 0 AND is_expiration_checked = 0; If no account names are listed, this is not a finding. For each account name listed, determine whether it is documented as requiring exemption from the standard password lifetime rules, if it is not, this is a finding.</RawString> </Rule> </DocumentRule> <ManualRule dscresourcemodule="None"> <Rule id="V-40905" severity="medium" conversionstatus="pass" title="SRG-APP-000268-DB-000164" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check the configuration of SQL Server, the operating system and any monitoring/management tools to verify the system activates an alarm and/or triggers a shutdown of SQL Server when a component failure is detected. If system does not take either or both actions, this is a finding.</RawString> </Rule> <Rule id="V-40906" severity="medium" conversionstatus="pass" title="SRG-APP-000265-DB-000161" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Security-related errors must be identified and monitored. In most cases, these items would appear in the SQL Server log file. If security-related error conditions are not being monitored to meet this requirement, this is a finding.</RawString> </Rule> <Rule id="V-40910" severity="medium" conversionstatus="pass" title="SRG-APP-000233-DB-000124" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Determine elements of security functionality (lists of permissions, additional authentication information, stored procedures, application specific auditing, etc.) which are being housed inside SQL server. For any elements found, check SQL Server to determine if these objects or code implementing security functionality are located in a separate security domain, such as a separate database or schema created specifically for security functionality. Run the following queryto list all the user-defined databases: SELECT Name FROM sys.databases WHERE database_id > 4 ORDER BY 1; If security-related database objects or code are not kept separate, this is a finding.</RawString> </Rule> <Rule id="V-40915" severity="medium" conversionstatus="pass" title="SRG-APP-000201-DB-000145" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If SQL Server is not housing or distributing publicly available information, this finding is NA. If SQL Server supports an application collecting information from the public, this is NA. Obtain the publicly available user account name being used to access SQL Server. Using an account with System Administrator privileges, from a command prompt, type lusrmgr.msc, and press [ENTER]. Navigate to Groups >> right click 'Guests' >> Properties >> 'Members:' The publicly available user account will be in the OS 'Guests' group, or another explicitly defined group. Determine if the obtained publicly available user account is located in any other groups. In lusrmgr.msc, navigate to Users. Right click publicly available account name. Click Properties, then click the 'Member of' tab. If the publicly available user account is found in any group 'Members' listing other than 'Guests', this is a finding. In SQL, for the account that is used for public access, ensure that read-only access is the only access granted. If any other access is granted, this is a finding.</RawString> </Rule> <Rule id="V-40922" severity="medium" conversionstatus="pass" title="SRG-APP-000171-DB-000074" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Since Windows security is being leveraged, this check applies to database configuration files, associated scripts, and applications external to SQL Server that access the database. Ask the DBA and/or IAO to determine if any SQL Server database objects, database configuration files, associated scripts, or applications defined as external to SQL Server that access the database/user environment files/settings contain database passwords. If any do, confirm that SQL Server passwords stored externally to the SQL Server are encoded or encrypted. If any passwords are stored in clear text, this is a finding.</RawString> </Rule> <Rule id="V-40923" severity="medium" conversionstatus="pass" title="SRG-APP-000153-DB-000108" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review SQL Server users to determine whether shared accounts exist. If accounts are determined to be shared, determine if individuals are first individually authenticated. If individuals are not individually authenticated before using the shared account (e.g., by the operating system or possibly by an application making calls to the database), this is a finding. If accounts are determined to be shared, determine if they are directly accessible to end users. If so, this is a finding.</RawString> </Rule> <Rule id="V-40924" severity="medium" conversionstatus="pass" title="SRG-APP-000148-DB-000103" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review SQL Server users to determine whether shared accounts exist. (This does not include when SQL Server has a guest or public account that is providing access to publicly available information.) If accounts are determined to be shared, determine if individuals are first individually authenticated. If individuals are not individually authenticated before using the shared account (e.g., by the operating system or possibly by an application making calls to the database), this is a finding. If accounts are determined to be shared, determine if they are directly accessible to end users. If so, this is a finding.</RawString> </Rule> <Rule id="V-40925" severity="medium" conversionstatus="pass" title="SRG-APP-000146-DB-000100" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review evidence of inclusion of SQL Server software libraries in current backup records. If the backup tool does not include SQL Server, this is a finding.</RawString> </Rule> <Rule id="V-40926" severity="medium" conversionstatus="pass" title="SRG-APP-000146-DB-000099" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Windows Server Backup, or a 3rd Party Backup Tool, can be utilized to perform this function. Determine how SQL Server is being backed up. If there is no scheduled backup or if organizationally defined backup policy and procedures does not exist, this is finding. Check evidence of inclusion of system-level information into current backup records, if the organizationally defined backup policy, procedures, and backup configurations is not including system-level information backups, this is a finding.</RawString> </Rule> <Rule id="V-40930" severity="medium" conversionstatus="pass" title="SRG-APP-000145-DB-000095" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Windows Server Backup, or a 3rd Party Backup Tool, can be utilized to perform this function. Determine how SQL Server is being backed up. If there is no scheduled backup or if organizationally defined backup policy and procedures does not exist, this is finding. Check evidence of inclusion user-level information into current backup records, if the organizationally defined backup policy, procedures, and backup configurations is not including user-level information backups, this is a finding.</RawString> </Rule> <Rule id="V-40932" severity="high" conversionstatus="pass" title="SRG-APP-000144-DB-000101" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the SQL Server recovery procedures and technical system features to determine if mechanisms exist and are in place to specify use of trusted files during SQL Server recovery. If recovery procedures do not exist or are not sufficient to ensure recovery is done in a secure and verifiable manner, this is a finding. Check the configurations of all transaction log files that are enabled by running the following SQL Server query: EXEC sp_MSforeachdb ' SELECT ''?'' AS ''database name'' , name AS ''log file name'' , physical_name AS ''log file location and name'' , state_desc , size , max_size , growth , is_percent_growth FROM [?].sys.database_files WHERE type_desc = ''LOG'' AND state = 0; ' ; If any transaction log files are not configured correctly for size, max_size, and growth to log sufficient transaction information, this is a finding.</RawString> </Rule> <Rule id="V-40933" severity="medium" conversionstatus="pass" title="SRG-APP-000142-DB-000094" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review the SQL Server configuration and settings for functions, ports, protocols, and services that are not approved or are not used, but are available. To determine the protocol(s) enabled for SQL Server, open SQL Server Configuration Manager. In the left-hand pane, expand SQL Server Network Configuration. Click on the entry for the SQL Server instance under review: "Protocols for <instance name>". The right-hand pane displays the protocols enabled for the instance. To determine whether SQL Server is configured to use a fixed port or dynamic ports, in the right-hand pane double-click on the TCP/IP entry, to open the Properties dialog. (The default fixed port is 1433.) To see which ports are open on the server, run netstat-a from a Windows command prompt. If any ports, protocols, and/or services that are not approved or are not used, are available, this is a finding.</RawString> </Rule> <Rule id="V-40934" severity="medium" conversionstatus="pass" title="SRG-APP-000142-DB-000094" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review the list of user-defined Stored Procedures and Functions by running the following SQL query: EXEC sp_MSforeachdb ' DECLARE @nCount integer; SELECT @nCount = Count(*) FROM [?].sys.objects WHERE type in (''FN'', ''P'') AND is_ms_shipped <> 1; IF @nCount > 0 SELECT ''?'' AS ''Table Name'', * FROM [?].sys.objects WHERE type in (''FN'', ''P'') AND is_ms_shipped <> 1; ' ; If any user-defined Stored Procedures and Functions are unauthorized and therefore should be prohibited or restricted and are not, this is a finding.</RawString> </Rule> <Rule id="V-40935" severity="medium" conversionstatus="pass" title="SRG-APP-000141-DB-000093" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>To determine if xp_cmdshell is enabled, execute the following commands: EXEC SP_CONFIGURE 'show advanced option', '1'; RECONFIGURE WITH OVERRIDE; EXEC SP_CONFIGURE 'xp_cmdshell'; If the value of config_value is 1, this is a finding.</RawString> </Rule> <Rule id="V-40936" severity="medium" conversionstatus="pass" title="SRG-APP-000141-DB-000092" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check SQL Server settings to determine if the 'sa' (sysadmin) account has been disabled by executing the following query: USE MASTER GO SELECT name, is_disabled FROM sys.sql_logins WHERE principal_id = 1; Verify that the "name" column contains the current name of the sa database server account (see note). If the "is_disabled" column is not set to 1, this is a finding. Note: If the 'sa' account name has been changed per SQL2-00-010200, its new name should appear in the query results.</RawString> </Rule> <Rule id="V-40938" severity="medium" conversionstatus="pass" title="SRG-APP-000141-DB-000091" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the SQL Server service "SQL Server Analysis Services (MSSQLSERVER)" is used and the service satisfies functional organizational requirement, this is not a finding. If there is no functional organizational requirement for the "SQL Server Analysis Services (MSSQLSERVER)" service make sure that the service is not installed or is disabled. From command prompt, using an account with System Administrator Privilege, open dcomcnfg. Navigate to Console Root >> Services (Local) >> [sort by name] >> locate: "SQL Server Analysis Services (MSSQLSERVER)". If the "SQL Server Analysis Services (MSSQLSERVER)" service does not exist, this is not a finding. If the "SQL Server Analysis Services (MSSQLSERVER)" status is "Started" or the "Startup Type" is not "Disabled", this is a finding.</RawString> </Rule> <Rule id="V-40939" severity="medium" conversionstatus="pass" title="SRG-APP-000141-DB-000091" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If the SQL Server service "SQL Server Integration Services 11.0" is used and the service satisfies functional organizational requirement, this is not a finding. If there is no functional organizational requirement for the "SQL Server Integration Services 11.0" service make sure that the service is not installed or is disabled. From command prompt, using an account with System Administrator Privilege, open dcomcnfg. Navigate to Console Root >> Services (Local) >> [sort by name] >> locate: "SQL Server Integration Services 11.0". If the "SQL Server Integration Services 11.0" service does not exist, this is not a finding. If the "SQL Server Integration Services 11.0" status is "Started" or the "Startup Type" is not "Disabled", this is a finding.</RawString> </Rule> <Rule id="V-40940" severity="medium" conversionstatus="pass" title="SRG-APP-000141-DB-000091" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>If there is no functional organizational requirement for the "SQL Server Reporting Services (MSSQLSERVER)" service, make sure that the service is not installed or that the service is disabled. If the SQL Server service "SQL Server Reporting Services (MSSQLSERVER)" is used and the service satisfies functional organizational requirement, this is not a finding. From command prompt, using an account with System Administrator Privilege, open dcomcnfg. Navigate to Console Root >> Services (Local) >> [sort by name] >> locate: "SQL Server Reporting Services (MSSQLSERVER)". If the "SQL Server Reporting Services (MSSQLSERVER)" service does not exist, this is not a finding. If the "SQL Server Reporting Services (MSSQLSERVER)" status is "Started" or the "Startup Type" is not set to "Disabled", this is a finding.</RawString> </Rule> <Rule id="V-40944" severity="medium" conversionstatus="pass" title="SRG-APP-000133-DB-000207" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the SQL Server software directory location: from a command prompt, open the registry editor by typing regedit.exe and pressing [ENTER]. Navigate to the following registry location: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME] >> Setup >> SQLBinRoot In the registry tree, the [INSTANCE NAME] for a SQL Server 2012 database engine instance is normally shown as "MSSQL11" followed by a period and the name that was specified for the SQL Server service at installation time. If multiple SQL Server instances are installed, each will have its own [INSTANCE NAME] node and subtree in the registry. The value in the Data column for the SQLBinRoot registry entry is the file system path for the SQL Server 2012 binaries. Navigate to that folder location using a command prompt or Windows Explorer. The following instructions assume that Windows Explorer is used. Verify that files and folders that are part of the SQL Server 2012 instance have only authorized privileges. Right-click the binaries (\binn) folder, click Properties. On the Security tab, verify that at most the following permissions are present: Trusted Installer (Full Control) CREATOR OWNER (Full Control) SYSTEM (Full Control) Administrators (Full Control) [See Note 3] Users (Read, List Folder Contents, Read & Execute) Creator Owner (Special Permissions - Full control - Subfolders and files only) All Application Packages (Read & Execute) [Only as needed - see Note 4] SQL Server Service SID OR Service Account (Read & Execute) [Notes 1, 2] SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Full Control) [Notes 1, 2] SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read & Execute) [Notes 1, 2] System Administrators (Full Control) [Note 3] If any less restrictive permissions are present (and not specifically justified and approved), this is a finding. Right-click each folder under the binaries folder; click Properties. On the Security tab, verify that at most the permissions listed in the preceding paragraph are present. If any less restrictive permissions are present (and not specifically justified and approved), this is a finding. Right-click the \Install folder, which is a peer of \binn, under ...\MSSQL. On the Security tab, verify that at most the permissions listed in the preceding paragraphs are present. If any less restrictive permissions are present (and not specifically justified and approved), this is a finding. Locate the ...\Microsoft SQL Server\110\Shared folder, either by stepping up the tree in Windows Explorer or by finding the file path in the registry at: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> 110 >> SharedCode Right-click on the ...\110\Shared folder; click Properties. On the Security tab, verify that at most the following permissions are present: Trusted Installer (Full Control) CREATOR OWNER (Full Control) System (Full Control) SQL Server Service SID OR Service Account (Read & Execute) [Notes 1, 2] System Administrators (Full Control) [Note 3] Local Administrators (Read) SQL Server Analysis Services (SSAS) Service SID or Service Account, if SSAS is in use (Read & Execute) [Notes 1, 2] SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read, Write) [Notes 1, 2] Users (Read, List Folder Contents, Read & Execute) [MsDtsServer110 (Read & Execute) is also permitted, if SSIS/DTS is in use.] [NT AUTHORITY\NETWORK SERVICE (Read & Execute) may also be required for SQL Server Configuration Manager to operate.] If any less restrictive permissions are present (and not specifically justified and approved), this is a finding. Right-click each folder under the ...\110\Shared folder; click Properties. On the Security tab, verify that at most the permissions listed in the preceding paragraph are present. If any less restrictive permissions are present (and not specifically justified and approved), this is a finding. ----- Note 1: It is highly advisable to use a separate account for each service. When installing SQL Server in single-server mode, you can opt to have these provisioned for you. These automatically generated accounts are referred to as virtual accounts. Each virtual account has an equivalent Service SID, with the same name. The installer also creates an equivalent SQL Server login, also with the same name. Applying folder and file permissions to Service SIDs, rather than to domain accounts or local computer accounts, provides tighter control because these permissions are available only to the specific service when it is running and not in any other context. (However, when using failover clustering, a domain account must be specified at installation, rather than a virtual account.) For more on this topic, see http://msdn.microsoft.com/en-us/library/ms143504(v=sql.110).aspx. Note 2: Tips for adding a service SID/virtual account to a folder's permission list. 1) In Windows Explorer, right-click on the folder and select "Properties." 2) Select the "Security" tab 3) Click "Edit" 4) Click "Add" 5) Click "Locations" 6) Select the computer name 7) Search for the name 7.a) SQL Server Service 7.a.i) Type "NT SERVICE\MSSQL" and click "Check Names". (What you have just typed in is the first 16 characters of the name. At least one character must follow "NT SERVICE\"; you will be presented with a list of all matches. If you have typed in the full, correct name, step 7.a.ii is bypassed.) 7.a.ii) Select the "MSSQL$<instance name>" user and click "OK" 7.b) SQL Agent Service 7.b.i) Type "NT SERVICE\SQL" and click "Check Names" 7.b.ii) Select the "SQLAgent$<instance name>" user and click "OK" 8) Click "OK" 9) Permission like a normal user from here Note 3: In the interest of separation of responsibilities with least privilege, consider granting Full Control only to SQL Database Administrators (create a custom group for these) and providing the local Administrators group with Read access only. Note 4: Some files also require 'ALL APPLICATION PACKAGES (READ, EXECUTE)' permissions for certain functionality to work appropriately, and this is considered acceptable where those permissions are required. (All SQL Server files that require this access reside by default in the ..\Microsoft SQL Server\110\ directory.) </RawString> </Rule> <Rule id="V-40945" severity="high" conversionstatus="pass" title="SRG-APP-000133-DB-000205" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check Microsoft's list of supported SQL Server versions. To locate the correct web page, perform a web search for "Microsoft SQL Server end of support." To be considered supported, Microsoft must report that the version is supported by security patches to known vulnerabilities. Check SQL Server version by running the following command: print @@version If the security patch support for SQL Server cannot be determined or SQL Server version is not shown as supported, this is a finding. If SQL Server does not contain the latest security patches, this is a finding.</RawString> </Rule> <Rule id="V-40946" severity="low" conversionstatus="pass" title="SRG-APP-000133-DB-000199" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the SQL Server installations present on the server. From a Command Prompt, type regedit.exe, and press [ENTER]. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> Instance Names. Each instance installed on the server possesses a key inside a folder under this registry entry. Analysis Services Instances are registered in the OLAP subfolder. Reporting Services Instances are registered in the RS subfolder. Standard SQL Server Instances are registered in the SQL subfolder. Inside each of these folders, a single key is used to reference an Instance's specific Windows Registry tree. Each key will have its own registry tree at the following registry location: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME]. An [INSTANCE NAME] is listed as the Data component of a key found in one of the above OLAP, RS, or SQL folders. To find the installation location of a particular instance, navigate to the following location in the Windows Registry: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME] >> Setup. Examine the value of the 'SqlProgramDir' key. The value of the 'SqlProgramDir' key is the SQL Server installation directory for that SQL Server Instance. Navigate to that folder location using a Command Prompt or Windows Explorer. Only applications that are required for the functioning and administration, not use, of the SQL Server should be located on the same directory node as the SQL Server software libraries. If any files or subfolders that are not part of the SQL Server installation are in the folder, this is a finding.</RawString> </Rule> <Rule id="V-40950" severity="medium" conversionstatus="pass" title="SRG-APP-000130-DB-000088" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify that Files and Folders that are part of the SQL Server 2012 Installation have auditing enabled. Right click the root folder of the SQL Server installation. Typically, this is at <drive>:\Program Files\Microsoft SQL Server\. Select Properties. Click on the Security tab Click on the Advanced button Click on the Auditing tab If "Everyone" is not listed in the "Name" column, this is a finding. If "This folder, subfolders and files" is not listed in the "Apply To" column, this is a finding. When "Everyone" ... " is listed, select the "Everyone" row and click on the Edit button. If either the Successful or Failed checkbox is not selected for any of the following access types, this is a finding: Traverse folder/execute file List folder/read data Read attributes Read extended attributes Create files/write data Create folders/append data Write attributes Write extended attributes Delete Read permissions</RawString> </Rule> <Rule id="V-40951" severity="medium" conversionstatus="pass" title="SRG-APP-000129-DB-000087" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the SQL Server software library installation directory location. From a command prompt, type regedit.exe, and press [ENTER]. Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> Instance Names. Each instance installed on the server possesses a key inside a folder under this registry entry. Analysis Services Instances are registered in the OLAP subfolder. Reporting Services Instances are registered in the RS subfolder. Standard SQL Server Instances are registered in the SQL subfolder. Inside each one of these folders, a single key is used to reference an instance's specific Windows Registry tree. Each key will have its own registry tree at the following registry location: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME]. An [INSTANCE NAME] is listed as the data component of a key found in one of the above OLAP, RS, or SQL folders. To find the installation location of a particular instance, navigate to the following location in the Windows Registry: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME] >> Setup. Examine the value of the 'SqlProgramDir' key. The value of the 'SqlProgramDir' key is the SQL Server installation directory for that SQL Server Instance. Navigate to that folder location using a command prompt or Windows Explorer. Note any custom subdirectories within the SQL Server software library directory. Only applications that are required for the functioning and administration of SQL Server should be located in the same disk directory as the SQL Server software libraries. If any directories or files not installed with the SQL Server software exist within the SQL Server software library directory, this is a finding.</RawString> </Rule> <Rule id="V-40952" severity="low" conversionstatus="pass" title="SRG-APP-000120-DB-000061" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the SQL Server audit file location(s) by running the following SQL script: SELECT DISTINCT LEFT(path, (LEN(path) - CHARINDEX('\',REVERSE(path)) + 1)) AS "Audit Path" FROM sys.traces UNION SELECT log_file_path AS "Audit Path" FROM sys.server_file_audits For each audit, the path column will give the location of the file. Verify that all audit files have the correct permissions by doing the following for each audit file: Navigate to audit folder location(s) using a command prompt or Windows Explorer. Right-click the file/folder, click Properties. On the Security tab, verify that at most the following permissions are applied: Administrator(read) Users (none) Audit Administrator (Full Control) Auditors group (Read) SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] If any less restrictive permissions are present and not specifically justified and approved in the system security plan, this is a finding. If less restrictive permissions are present and specifically justified and approved in the system security plan, this is not a finding ----- Note 1: It is highly advisable to use a separate account for each service. When installing SQL Server in single-server mode, you can opt to have these provisioned for you. These automatically-generated accounts are referred to as virtual accounts. Each virtual account has an equivalent Service SID, with the same name. The installer also creates an equivalent SQL Server login, also with the same name. Applying folder and file permissions to Service SIDs, rather than to domain accounts or local computer accounts, provides tighter control, because these permissions are available only to the specific service when it is running, and not in any other context. (However, when using failover clustering, a domain account must be specified at installation, rather than a virtual account.) For more on this topic, see http://msdn.microsoft.com/en-us/library/ms143504(v=sql.120).aspx. Note 2: Tips for adding a service SID/virtual account to a folder's permission list. 1) In Windows Explorer, right-click on the folder and select "Properties." 2) Select the "Security" tab 3) Click "Edit" 4) Click "Add" 5) Click "Locations" 6) Select the computer name 7) Search for the name 7.a) SQL Server Service 7.a.i) Type "NT SERVICE\MSSQL" and click "Check Names". (What you have just typed in is the first 16 characters of the name. At least one character must follow "NT SERVICE\"; you will be presented with a list of all matches. If you have typed in the full, correct name, step 7.a.ii is bypassed.) 7.a.ii) Select the "MSSQL$<instance name>" user and click OK 7.b) SQL Agent Service 7.b.i) Type "NT SERVICE\SQL" and click "Check Names" 7.b.ii) Select the "SQLAgent$<instance name>" user and click OK 8) Click OK 9) Permission like a normal user from here</RawString> </Rule> <Rule id="V-40953" severity="low" conversionstatus="pass" title="SRG-APP-000119-DB-000060" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the SQL Server audit file location(s) by running the following SQL script: SELECT DISTINCT LEFT(path, (LEN(path) - CHARINDEX('\',REVERSE(path)) + 1)) AS "Audit Path" FROM sys.traces UNION SELECT log_file_path AS "Audit Path" FROM sys.server_file_audits For each audit, the Audit Path column will give the location of the file. Verify that all audit files have the correct permissions by doing the following for each audit file: Navigate to audit folder location(s) using a command prompt or Windows Explorer. The following instructions assume Windows Explorer is used. Right-click the file/folder, click Properties. On the Security tab, verify that at most the following permissions are applied: Administrator(read) Users (none) Audit Administrator (Full Control) Auditors group (Read) SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] If any less restrictive permissions are present and not specifically justified and approved in the system security plan, this is a finding. If less restrictive permissions are present and specifically justified and approved in the system security plan, this is not a finding. If Trace is in use, SQL Server creates each trace file with a standard set of permissions, overriding the folder permissions. It grants full control to OWNER RIGHTS, Administrators and <SQL Server Instance name>. Since this is not configurable, this is not a finding.</RawString> </Rule> <Rule id="V-41016" severity="medium" conversionstatus="pass" title="SRG-APP-000118-DB-000059" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the SQL Server audit file location(s) by running the following SQL script: SELECT DISTINCT LEFT(path, (LEN(path) - CHARINDEX('\',REVERSE(path)) + 1)) AS "Audit Path" FROM sys.traces UNION SELECT log_file_path AS "Audit Path" FROM sys.server_file_audits For each audit, the path column will give the location of the file. Verify that all audit files have the correct permissions by doing the following for each audit file: Navigate to audit folder location(s) using a command prompt or Windows Explorer. Right-click the file/folder, click Properties. On the Security tab, verify that at most the following permissions are applied: Administrator(read) Users (none) Audit Administrator (Full Control) Auditors group (Read) SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] If any less restrictive permissions are present and not specifically justified and approved in the system security plan, this is a finding. If less restrictive permissions are present and specifically justified and approved in the system security plan, this is not a finding. ----- Note 1: It is highly advisable to use a separate account for each service. When installing SQL Server in single-server mode, you can opt to have these provisioned for you. These automatically-generated accounts are referred to as virtual accounts. Each virtual account has an equivalent Service SID, with the same name. The installer also creates an equivalent SQL Server login, also with the same name. Applying folder and file permissions to Service SIDs, rather than to domain accounts or local computer accounts, provides tighter control, because these permissions are available only to the specific service when it is running, and not in any other context. (However, when using failover clustering, a domain account must be specified at installation, rather than a virtual account.) For more on this topic, see http://msdn.microsoft.com/en-us/library/ms143504(v=sql.120).aspx. Note 2: Tips for adding a service SID/virtual account to a folder's permission list. 1) In Windows Explorer, right-click on the folder and select "Properties." 2) Select the "Security" tab 3) Click "Edit" 4) Click "Add" 5) Click "Locations" 6) Select the computer name 7) Search for the name 7.a) SQL Server Service 7.a.i) Type "NT SERVICE\MSSQL" and click "Check Names". (What you have just typed in is the first 16 characters of the name. At least one character must follow "NT SERVICE\"; you will be presented with a list of all matches. If you have typed in the full, correct name, step 7.a.ii is bypassed.) 7.a.ii) Select the "MSSQL$<instance name>" user and click OK 7.b) SQL Agent Service 7.b.i) Type "NT SERVICE\SQL" and click "Check Names" 7.b.ii) Select the "SQLAgent$<instance name>" user and click OK 8) Click OK 9) Permission like a normal user from here</RawString> </Rule> <Rule id="V-41017" severity="medium" conversionstatus="pass" title="SRG-APP-000127-DB-000172" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the SQL Server audit file location(s) by running the following SQL script: SELECT DISTINCT LEFT(path, (LEN(path) - CHARINDEX('\',REVERSE(path)) + 1)) AS "Audit Path" FROM sys.traces UNION SELECT log_file_path AS "Audit Path" FROM sys.server_file_audits For each audit, the path column will give the location of the file. Verify that all audit files have the correct permissions by doing the following for each audit file: Navigate to audit folder location(s) using a command prompt or Windows Explorer. Right-click the file/folder, click Properties. On the Security tab, verify that at most the following permissions are applied: Administrator(read) Users (none) Audit Administrator (Full Control) Auditors group (Read) SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] If any less restrictive permissions are present (and not specifically justified and approved), this is a finding.</RawString> </Rule> <Rule id="V-41022" severity="medium" conversionstatus="pass" title="SRG-APP-000107-DB-000169" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL Server instance will be listed. If no traces are returned, this is a finding. Determine the trace being used for the auditing requirement. Replace # in the following code with a traceid being used for the auditing requirements. From the query prompt, determine whether the trace options include the value 4, which means SHUTDOWN_ON_ERROR: SELECT CAST(value AS INT) FROM sys.fn_trace_getinfo(#) where property = 1; If the query does not return a value, this is a finding. If a value is returned but is not 4 or 6, this is a finding. (6 represents the combination of values 2 and 4. 2 means TRACE_FILE_ROLLOVER.) NOTE: Microsoft has flagged the trace techniques and tools used in this STIG as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use and configured to satisfy this requirement, this is not a finding. The following code can be used to check Extended Events settings. /********************************** Check to verify shutdown on failure is set. The following settings are what should be returned: name = <name of audit> on_failure = 1 on_failure_desc = SHUTDOWN SERVER INSTANCE **********************************/ SELECT name, on_failure, on_failure_desc FROM sys.server_audits </RawString> </Rule> <Rule id="V-41023" severity="low" conversionstatus="pass" title="SRG-APP-000103-DB-000050" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Since SQL Server does not support the monitoring of the available audit log file space, utilize Windows File Server Resource Manager or a third-party application to perform this activity. From a Command Prompt, open fsrm.msc. If fsrm.msc is not installed, the File Server Resource Manager is not installed, File and Folder Quota Management is not enabled. If File Server Resource Manager or a third-party tool capable of sending alert notifications based on audit log store requirements is not installed, this is a finding. If fsrm.msc is installed, expand File Server Resource Manager in the left pane. Expand Quota Management. Select Quotas. If Quotas have not been created for defined Audit Log storage locations that meet organizationally defined requirements, this is a finding. In the center pane, select each quota to determine its Path, Limit, Type, and Description. Right click the appropriate quota or quotas, and click Edit Quota Properties. Examine the Notification thresholds panel. If there are no Notification thresholds applied to this Quota, this is a finding. If a Notification Threshold is applied, and it does not send an email alert, or provide an Event Log entry which is handled by an automated Log Alert reporting application, this is a finding. If a third-party application is utilized to fulfill this requirement, and it is not configured to provide a notification, this is a finding.</RawString> </Rule> <Rule id="V-41024" severity="medium" conversionstatus="pass" title="SRG-APP-000071-DB-000047" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check the SQL Server audit setting on the maximum number of files of the trace used for the auditing requirement. Select * from sys.traces. Determine the audit being used to fulfill the overall auditing requirement. Examine the max_files and max_size parameters. SQL will overwrite the oldest files when the max_files parameter has been exceeded. Care must be taken to ensure that this does not happen, or data will be lost. The amount of space determined for logging by SQL Server is calculated by multiplying the maximum number of files by the maximum file size. If auditing will outgrow the space reserved for logging before being overwritten, this is a finding.</RawString> </Rule> <Rule id="V-41025" severity="medium" conversionstatus="pass" title="SRG-APP-000071-DB-000047" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check the SQL Server audit setting on the maximum file size of the trace used for the auditing requirement. Select * from sys.traces. Determine the audit being used to fulfill the overall auditing requirement. Examine the max_files and max_size parameters. SQL will overwrite the oldest files when the max_files parameter has been exceeded. Care must be taken to ensure that this does not happen, or data will be lost. The amount of space determined for logging by SQL Server is calculated by multiplying the maximum number of files by the maximum file size. If auditing will outgrow the space reserved for logging before being overwritten, this is a finding.</RawString> </Rule> <Rule id="V-41026" severity="medium" conversionstatus="pass" title="SRG-APP-000072-DB-000046" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>From a Command Prompt, open fsrm.msc. If fsrm.msc is not installed, the File Server Resource Manager is not installed; File and Folder Quota Management is not enabled. If File Server Resource Manager or a third-party tool capable of sending alert notifications based on audit log store requirements is not installed, this is a finding. If fsrm.msc is installed, expand File Server Resource Manager in the left pane. Expand Quota Management. Expand Quotas. If Quotas have not been created for defined Audit Log storage locations, this is a finding.</RawString> </Rule> <Rule id="V-41036" severity="medium" conversionstatus="pass" title="SRG-APP-999999-DB-000209" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>To determine the Server Authentication Mode, execute the following: EXEC XP_LOGINCONFIG 'login mode' If the config_value does not equal "Windows NT Authentication", this is a finding.</RawString> </Rule> <Rule id="V-41037" severity="low" conversionstatus="pass" title="SRG-APP-000063-DB-000023" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Verify the SQL Server default 'sa' account name has been changed. Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins. If SQL Server default 'sa' account name is in the 'Logins' list, this is a finding.</RawString> </Rule> <Rule id="V-41040" severity="medium" conversionstatus="pass" title="SRG-APP-000063-DB-000020" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Determine which OS or domain accounts are used by SQL Server to run external procedures. Validate that these accounts have only the privileges necessary to perform the required functionality. If any OS or domain accounts utilized by SQL Server are running external procedures and have privileges beyond those required for running the external procedures, this is a finding.</RawString> </Rule> <Rule id="V-41043" severity="medium" conversionstatus="pass" title="SRG-APP-000063-DB-000017" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain a list of SQL Server DBAs or other administrative accounts. Run the following SQL script to check all users’ permissions: SELECT SP1.[name] AS 'Login', 'Role: ' + SP2.[name] COLLATE DATABASE_DEFAULT AS 'ServerPermission' FROM sys.server_principals SP1 JOIN sys.server_role_members SRM ON SP1.principal_id = SRM.member_principal_id JOIN sys.server_principals SP2 ON SRM.role_principal_id = SP2.principal_id UNION ALL SELECT SP.[name] AS 'Login' , SPerm.state_desc + ' ' + SPerm.permission_name COLLATE DATABASE_DEFAULT AS 'ServerPermission' FROM sys.server_principals SP JOIN sys.server_permissions SPerm ON SP.principal_id = SPerm.grantee_principal_id ORDER BY [Login], [ServerPermission] If any DBA or administrative objects are owned by non-DBA or non-administrative accounts, this is a finding. If any DBA or administrator has authorization for non- administrative access to the system for which they are the administrator and they do not have a non-administrator account, this is a finding.</RawString> </Rule> <Rule id="V-41045" severity="medium" conversionstatus="pass" title="SRG-APP-000062-DB-000012" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check procedures for providing SQL Server database connection information to users/applications. If procedures do not indicate or implement restrictions to connections required by the particular user/application which indicate process of least privilege and specific authorization was employed, this is a finding.</RawString> </Rule> <Rule id="V-41047" severity="medium" conversionstatus="pass" title="SRG-APP-000062-DB-000010" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check OS settings to determine whether SQL Server processes are running under a dedicated OS or domain account. If the SQL Server processes are running under shared accounts, this is a finding. From a Command Prompt, type services.msc, and press [ENTER]. Scroll down to the SQL Server Services. SQL Server Services begin with SQL. The following services, when present, should be listed as follows: Service Name: Log On As: SQL Full-text Filter Daemon Launcher: NT Service\UNIQUE CUSTOM ACCOUNT SQL Server [stand-alone]: NT Service\UNIQUE CUSTOM ACCOUNT SQL Server [cluster]: <domain>\<CustomServiceAccount> SQL Server Agent: NT Service\UNIQUE CUSTOM ACCOUNT SQL Server Analysis Services: NT Service\UNIQUE CUSTOM ACCOUNT SQL Server Browser: Local Service SQL Server Distributed Replay Client: NT Service\UNIQUE CUSTOM ACCOUNT SQL Server Distributed Replay Controller: NT Service\UNIQUE CUSTOM ACCOUNT SQL Server Integration Services 11.0: NT Service\UNIQUE CUSTOM ACCOUNT SQL Server Reporting Services: NT Service\UNIQUE CUSTOM ACCOUNT SQL Server VSS Writer: Local System UNIQUE CUSTOM ACCOUNT refers to an account with which no other service listed in the services.msc window is assigned. If any account requiring a unique custom account uses an account that any other service utilizes (regardless of service status), this is a finding.</RawString> </Rule> <Rule id="V-41206" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Unsafe assembly' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Unsafe assembly' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges to the 'Unsafe assembly' permission and the role is not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.type_desc = 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> </Rule> <Rule id="V-41247" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Alter any availability group' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any availability group' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Alter any availability group' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> </Rule> <Rule id="V-41251" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'View any database' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'View any database' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.type_desc = 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> </Rule> <Rule id="V-41253" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the 'Shutdown' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Shutdown' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.type_desc = 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> </Rule> <Rule id="V-41254" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'External access assembly' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'External access assembly' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.type_desc = 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> </Rule> <Rule id="V-41255" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Create trace event notification' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create trace event notification' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.type_desc = 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> </Rule> <Rule id="V-41256" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Create server role' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create server role' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.type_desc = 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> </Rule> <Rule id="V-41257" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Create endpoint' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create endpoint' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.type_desc = 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> </Rule> <Rule id="V-41258" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Create DDL event notification' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create DDL event notification' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.type_desc = 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> </Rule> <Rule id="V-41259" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Create availability group' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create availability group' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.type_desc = 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> </Rule> <Rule id="V-41260" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Alter any server audit' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any server audit' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding.</RawString> </Rule> <Rule id="V-41261" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'View any definition' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'View any definition' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.type_desc = 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> </Rule> <Rule id="V-41269" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Administer bulk operations' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Administer bulk operations' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.type_desc = 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> </Rule> <Rule id="V-41270" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Alter resources' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter resources' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.type_desc = 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> </Rule> <Rule id="V-41280" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Alter any availability group' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any availability group' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.type_desc = 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> </Rule> <Rule id="V-41281" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Alter any login' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any login' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.type_desc = 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> </Rule> <Rule id="V-41283" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Alter any linked server' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any linked server' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.type_desc = 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> </Rule> <Rule id="V-41285" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'View server state' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'View server state' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.type_desc = 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> </Rule> <Rule id="V-41286" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Alter trace' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter trace' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.type_desc = 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> </Rule> <Rule id="V-41288" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Control server' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Control server' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.type_desc = 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> </Rule> <Rule id="V-41290" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Alter any server role' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any server role' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.type_desc = 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> </Rule> <Rule id="V-41291" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Alter Settings' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter Settings' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.type_desc = 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> </Rule> <Rule id="V-41292" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Authenticate server' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Authenticate server' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.type_desc = 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> </Rule> <Rule id="V-41293" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Create any database' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create any database' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.type_desc = 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> </Rule> <Rule id="V-41297" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Alter any connection' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any connection' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding.</RawString> </Rule> <Rule id="V-41298" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Alter any credential' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any credential' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding.</RawString> </Rule> <Rule id="V-41299" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Alter any database' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any database' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding.</RawString> </Rule> <Rule id="V-41300" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Alter any endpoint' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any endpoint' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding.</RawString> </Rule> <Rule id="V-41302" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Alter any event session' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any event session' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding.</RawString> </Rule> <Rule id="V-41303" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Alter server state' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter server state' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding.</RawString> </Rule> <Rule id="V-41419" severity="medium" conversionstatus="pass" title="SRG-APP-000231-DB-000154" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review procedures for, and evidence of backup of, the SQL Server Service Master Key in the System Security Plan. If the procedures or evidence do not exist, this is a finding. If the procedures do not indicate offline and off-site storage of the Service Master Key, this is a finding. If procedures do not indicate access restrictions to the Service Master Key backup, this is a finding.</RawString> </Rule> <Rule id="V-43196" severity="medium" conversionstatus="pass" title="SRG-APP-999999-DB-000209 " dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Determine the accounts being used to manage the SQL Server operating system. Determine whether the same accounts are being used to manage other platforms. If the same account is used to manage more than one platform, this is a finding. Note: If, because of the application configuration, there are multiple instances of SQL that would share a given exploit, a single account would be allowed to be used for the group and would not be considered a finding. </RawString> </Rule> <Rule id="V-54859" severity="medium" conversionstatus="pass" title="SRG-APP-000133-DB-000207" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the SQL Server default data directory location: from a command prompt, open the registry editor by typing regedit.exe, and pressing [ENTER]. Navigate to the following registry location: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME] >> Setup >> SqlDataRoot In the registry tree, the [INSTANCE NAME] for a SQL Server 2012 database engine instance is normally shown as "MSSQL11" followed by a period and the name that was specified for the SQL Server service at installation time. If multiple SQL Server instances are installed, each will have its own [INSTANCE NAME] node and subtree in the registry. The value in the Data column for the SqlDataRootregistry entry is the default file system path for the SQL Server 2012 data files. Navigate to that folder location using a command prompt or Windows Explorer. The following instructions assume that Windows Explorer is used. Determine whether a DefaultData registry entry also exists. Repeat the above for the path: ...[INSTANCE NAME] >> MSSQLServer >> DefaultData Verify that the identified folder(s) and their contents have only authorized privileges. Right-click the folder, click Properties. On the Security tab, verify that at most the following permissions are present: CREATOR OWNER (Full Control) System (Full control) SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] System Administrators (Full Control) [Note 3] SQL Server Analysis Services (SSAS) Service SID or Service Account, if SSAS is in use (Read & Execute) [Notes 1, 2] SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2, 4] SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read, Execute, Write) [Notes 1, 2] If any less restrictive permissions are present (and not specifically justified and approved), this is a finding. Right-click each folder, if any, under the above folder(s); click Properties. On the Security tab, verify that at most the permissions listed in the preceding paragraph are present. If any less restrictive permissions are present (and not specifically justified and approved), this is a finding. ----- Note 1: It is highly advisable to use a separate account for each service. When installing SQL Server in single-server mode, you can opt to have these provisioned for you. These automatically-generated accounts are referred to as virtual accounts. Each virtual account has an equivalent Service SID, with the same name. The installer also creates an equivalent SQL Server login, also with the same name. Applying folder and file permissions to Service SIDs, rather than to domain accounts or local computer accounts, provides tighter control because these permissions are available only to the specific service when it is running and not in any other context. (However, when using failover clustering, a domain account must be specified at installation, rather than a virtual account.) For more on this topic, see http://msdn.microsoft.com/en-us/library/ms143504(v=sql.110).aspx. Note 2: Tips for adding a service SID/virtual account to a folder's permission list. 1) In Windows Explorer, right-click on the folder and select "Properties." 2) Select the "Security" tab 3) Click "Edit" 4) Click "Add" 5) Click "Locations" 6) Select the computer name 7) Search for the name 7.a) SQL Server Service 7.a.i) Type "NT SERVICE\MSSQL" and click "Check Names". (What you have just typed in is the first 16 characters of the name. At least one character must follow "NT SERVICE\"; you will be presented with a list of all matches. If you have typed in the full, correct name, step 7.a.ii is bypassed.) 7.a.ii) Select the "MSSQL$<instance name>" user and click OK 7.b) SQL Agent Service 7.b.i) Type "NT SERVICE\SQL" and click "Check Names" 7.b.ii) Select the "SQLAgent$<instance name>" user and click OK 8) Click OK 9) Permission like a normal user from here Note 3: In the interest of separation of responsibilities with least privilege, consider granting Full Control only to SQL Database Administrators (create a custom group for these) and providing the local Administrators group with Read access only. Note 4: It may also be necessary to grant the SQL Server Agent permission to Delete the \Log directory and its contents. This is not a finding.</RawString> </Rule> <Rule id="V-54879" severity="medium" conversionstatus="pass" title="SRG-APP-000133-DB-000207" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the SQL Server data directory location(s): in a tool such as SQL Server Management Studio, run the statement: SELECT DISTINCT LEFT(physical_name, (LEN(physical_name) - CHARINDEX('\',REVERSE(physical_name)) + 1 )) AS "Database Data File Paths", type_desc FROM sys.master_files WHERE database_id > 4 AND type = 0 The query result is a list of file systems locations used for databases other than the system databases. Navigate to each of those folder locations using a command prompt or Windows Explorer. The following instructions assume that Windows Explorer is used. Verify that the identified folders and their contents have only authorized privileges. Right-click each folder, click Properties. On the Security tab, verify that at most the following permissions are present: CREATOR OWNER (Full Control) System (Full control) SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] System Administrators (Full Control) [Note 3] SQL Server Analysis Services (SSAS) Service SID or Service Account, if SSAS is in use (Read & Execute) [Notes 1, 2] SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read, Write) [Notes 1, 2] If any less restrictive permissions are present (and not specifically justified and approved), this is a finding.</RawString> </Rule> <Rule id="V-54881" severity="medium" conversionstatus="pass" title="SRG-APP-000133-DB-000207" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the SQL Server backup directory location: from a command prompt, open the registry editor by typing regedit.exe, and pressing [ENTER]. Navigate to the following registry location: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME] >> MSSQLServer >> BackupDirectory In the registry tree, the [INSTANCE NAME] for a SQL Server 2012 database engine instance is normally shown as "MSSQL11" followed by a period and the name that was specified for the SQL Server service at installation time. If multiple SQL Server instances are installed, each will have its own [INSTANCE NAME] node and subtree in the registry. The value in the Data column for the BackupDirectory registry entry is the file system path for the SQL Server 2012 backups. Also, review backup jobs to identify any additional directories used for backups. Navigate to each folder location using a command prompt or Windows Explorer. The following instructions assume that Windows Explorer is used. Verify that backup files and folders have only authorized privileges. Right-click the backup folder, click Properties. On the Security tab, verify that at most the following permissions are present: CREATOR OWNER (Full Control) System (Full control) SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read, Write) [Notes 1, 2] System Administrators (Full Control) [Note 3] SQL Server Analysis Services (SSAS) Service SID or Service Account, if SSAS is in use (Read & Execute) [Notes 1, 2] If any less restrictive permissions are present (and not specifically justified and approved), this is a finding. Right-click each folder, if any, under the backup folder; click Properties. On the Security tab, verify that at most the permissions listed in the preceding paragraph are present. If any less restrictive permissions are present (and not specifically justified and approved), this is a finding. ----- Note 1: It is highly advisable to use a separate account for each service. When installing SQL Server in single-server mode, you can opt to have these provisioned for you. These automatically generated accounts are referred to as virtual accounts. Each virtual account has an equivalent Service SID, with the same name. The installer also creates an equivalent SQL Server login, also with the same name. Applying folder and file permissions to Service SIDs, rather than to domain accounts or local computer accounts, provides tighter control because these permissions are available only to the specific service when it is running and not in any other context. (However, when using failover clustering, a domain account must be specified at installation, rather than a virtual account.) For more on this topic, see http://msdn.microsoft.com/en-us/library/ms143504(v=sql.110).aspx. Note 2: Tips for adding a service SID/virtual account to a folder's permission list. 1) In Windows Explorer, right-click on the folder and select "Properties." 2) Select the "Security" tab 3) Click "Edit" 4) Click "Add" 5) Click "Locations" 6) Select the computer name 7) Search for the name 7.a) SQL Server Service 7.a.i) Type "NT SERVICE\MSSQL" and click "Check Names". (What you have just typed in is the first 16 characters of the name. At least one character must follow "NT SERVICE\"; you will be presented with a list of all matches. If you have typed in the full, correct name, step 7.a.ii is bypassed.) 7.a.ii) Select the "MSSQL$<instance name>" user and click "OK" 7.b) SQL Agent Service 7.b.i) Type "NT SERVICE\SQL" and click "Check Names" 7.b.ii) Select the "SQLAgent$<instance name>" user and click "OK" 8) Click "OK" 9) Permission like a normal user from here Note 3: In the interest of separation of responsibilities with least privilege, consider granting Full Control only to SQL Database Administrators (create a custom group for these) and providing the local Administrators group with Read access only.</RawString> </Rule> <Rule id="V-59857" severity="medium" conversionstatus="pass" title="SRG-APP-000063-DB-000018" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Review procedures and practices. If there is not a policy requiring owners of privileged accounts to use non-privileged accounts for non-administrative activities, this is a finding. If there is evidence that owners of privileged accounts do not adhere to this policy, this is a finding.</RawString> </Rule> <Rule id="V-59915" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of roles that are authorized for the SQL Server 'Alter any event notification' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any event notification' AND who.type_desc = 'SERVER_ROLE' ORDER BY who.name ; GO </RawString> </Rule> <Rule id="V-69169" severity="medium" conversionstatus="pass" title="SRG-APP-000133-DB-000179" dscresource="None"> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the SQL Server software directory location: from a command prompt, open the registry editor by typing regedit.exe and pressing [ENTER]. Navigate to the following registry location: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME] >> Setup >> SQLBinRoot Determine the location of separate but related softare, such as audit file management tools. Verify that files and folders that are part of, or related to, the SQL Server 2012 installation have auditing enabled. Right-click on the file/folder, click Properties. On the Security tab, click Advanced. On the Auditing tab, verify that the following is set up on at least one audit: Type: All Principal: Everyone Access: Modify Applies to: This Folder, subfolder, and files [where applicable] If the required audit settings are not configured, there is a risk that unauthorized changes to the software will go undetected, and this is a finding.</RawString> </Rule> </ManualRule> <SqlScriptQueryRule dscresourcemodule="SqlServerDsc"> <Rule id="V-40942" severity="medium" conversionstatus="pass" title="SRG-APP-000141-DB-000090" dscresource="SqlScriptQuery"> <GetScript>SELECT name from sysdatabases where name like 'AdventureWorks%';</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check SQL Server for the existence of the publicly available "AdventureWorks" database by performing the following query: SELECT name from sysdatabases where name like 'AdventureWorks%'; If the "AdventureWorks" database is present, this is a finding.</RawString> <SetScript>DROP DATABASE AdventureWorks;</SetScript> <TestScript>SELECT name from sysdatabases where name like 'AdventureWorks%';</TestScript> </Rule> <Rule id="V-40943" severity="medium" conversionstatus="pass" title="SRG-APP-000141-DB-000090" dscresource="SqlScriptQuery"> <GetScript>SELECT name from sysdatabases where name like 'Northwind%';</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check SQL Server for the existence of the publicly available "NorthWind" database by performing the following query: SELECT name from sysdatabases where name like 'Northwind%'; If the "Northwind" database is present, this is a finding.</RawString> <SetScript>DROP DATABASE Northwind;</SetScript> <TestScript>SELECT name from sysdatabases where name like 'Northwind%';</TestScript> </Rule> <Rule id="V-41021" severity="medium" conversionstatus="pass" title="SRG-APP-000115-DB-000056" dscresource="SqlScriptQuery"> <GetScript>BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Check to see that all required events are being audited. From the query prompt: SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. Determine the trace(s) being used for the auditing requirement. In the following, replace # with a trace ID being used for the auditing requirements. From the query prompt: SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); The following required event IDs should be listed: 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178. If any of the audit event IDs required above is not listed, this is a finding. Notes: 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. 3. It is acceptable to trace additional event IDs. This is the minimum list. 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) Use the following query to obtain a list of all event IDs, and their meaning: SELECT * FROM sys.trace_events; 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.</RawString> <SetScript>BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) CREATE TABLE #Trace (TraceId INT) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0)ORDER BY TraceId DESC CREATE TABLE #TraceEvent (TraceId INT, EventId INT) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @currentTraceId INT FETCH NEXT FROM cursorTrace INTO @currentTraceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @currentTraceId, EventId FROM sys.fn_trace_geteventinfo(@currentTraceId) FETCH NEXT FROM cursorTrace INTO @currentTraceId END CLOSE cursorTrace DEALLOCATE cursorTrace DECLARE @missingStigEventCount INT SET @missingStigEventCount = (SELECT COUNT(*) FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL) IF @missingStigEventCount > 0 BEGIN DECLARE @returnCode INT DECLARE @newTraceId INT DECLARE @maxFileSize BIGINT = 5 EXEC @returnCode = sp_trace_create @traceid = @newTraceId OUTPUT, @options = 2, @tracefile = N'C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Log\PowerStig', @maxfilesize = @maxFileSize, @stoptime = NULL, @filecount = 2; IF @returnCode = 0 BEGIN EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 0 DECLARE cursorMissingStigEvent CURSOR FOR SELECT DISTINCT SE.EventId FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL OPEN cursorMissingStigEvent DECLARE @currentStigEventId INT FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId WHILE @@FETCH_STATUS = 0 BEGIN EXEC sp_trace_setevent @traceid = @newTraceId, @eventid = @currentStigEventId, @columnid = NULL, @on = 1 FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId END CLOSE cursorMissingStigEvent DEALLOCATE cursorMissingStigEvent EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 1 END END END</SetScript> <TestScript>BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END</TestScript> </Rule> <Rule id="V-41207" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any endpoint' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Alter any endpoint' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any endpoint' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Alter any endpoint' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter any endpoint' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any endpoint' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41208" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any database' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Alter any database' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any database' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Alter any database' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter any database' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any database' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41209" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any credential' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Alter any credential' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any credential' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Alter any credential' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter any credential' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any credential' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41246" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any connection' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Alter any connection' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any connection' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Alter any connection' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter any connection' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any connection' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41248" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter server state' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Alter server state' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter server state' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Alter server state' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter server state' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter server state' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41250" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any event notification' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Alter any event notification' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any event notification' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Alter any event notification' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter any event notification' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any event notification' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41252" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any server audit' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Alter any server audit' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any server audit' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Alter any server audit' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter any server audit' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any server audit' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41262" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'AUTHENTICATE SERVER' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Authenticate Server' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'AUTHENTICATE SERVER' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Authenticate Server' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'AUTHENTICATE SERVER' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'AUTHENTICATE SERVER' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41263" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Administer bulk operations' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Administer bulk operations' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Administer bulk operations' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Administer bulk operations' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Administer bulk operations' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Administer bulk operations' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41264" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create endpoint' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Create endpoint' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create endpoint' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Create endpoint' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Create endpoint' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create endpoint' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41265" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create DDL Event Notification' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Create DDL Event Notification' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create DDL Event Notification' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Create DDL Event Notification' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Create DDL Event Notification' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create DDL Event Notification' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41266" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create availability group' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Create availability group' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create availability group' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Create availability group' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Create availability group' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create availability group' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41267" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create any database' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Create any database' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create any database' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Create any database' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Create any database' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create any database' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41268" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Control server' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Control server' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Control server' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Control server' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Control server' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Control server' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41271" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any linked server' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Alter any linked server' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any linked server' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Alter any linked server' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter any linked server' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any linked server' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41273" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any event session' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Alter any event session' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any event session' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Alter any event session' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter any event session' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any event session' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41274" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter trace' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Alter trace' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter trace' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Alter trace' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter trace' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter trace' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41275" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter Settings' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Alter Settings' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter Settings' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Alter Settings' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter Settings' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter Settings' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41276" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create trace event notification' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Create trace event notification' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create trace event notification' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Create trace event notification' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Create trace event notification' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create trace event notification' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41277" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter resources' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Alter resources' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter resources' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Alter resources' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter resources' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter resources' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41278" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'External access assembly' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'External access assembly' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'External access assembly' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'External access assembly' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'External access assembly' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'External access assembly' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41279" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any login' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Alter any login' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any login' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Alter any login' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter any login' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any login' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41284" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Shutdown' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Shutdown' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Shutdown' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Shutdown' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Shutdown' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Shutdown' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41287" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Unsafe assembly' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Unsafe assembly' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Unsafe assembly' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Unsafe assembly' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Unsafe assembly' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Unsafe assembly' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41289" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create server role' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Create server role' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create server role' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Create server role' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Create server role' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create server role' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41294" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'View server state' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'View server state' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'View server state' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user account has direct access to the 'View server state' permission, and the need for this has not been documented and approved, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'View server state' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'View server state' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41295" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any server role' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'Alter any server role' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any server role' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'Alter any server role' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'Alter any server role' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any server role' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-41296" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'View any definition' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'View any definition' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'View any definition' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'View any definition' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'View any definition' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'View any definition' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> <Rule id="V-55805" severity="medium" conversionstatus="pass" title="SRG-APP-000035-DB-000007" dscresource="SqlScriptQuery"> <GetScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'View Any Database' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</GetScript> <IsNullOrEmpty>False</IsNullOrEmpty> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Obtain the list of accounts that have direct access to the server-level permission 'View Any Database' by running the following query: SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'View Any Database' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name ; GO If any user accounts have direct access to the 'View Any Database' permission, this is a finding. Alternatively, to provide a combined list for all requirements of this type: SELECT what.permission_name AS [Permission Name], what.state_desc AS [Permission State], who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name IN ( 'Administer bulk operations', 'Alter any availability group', 'Alter any connection', 'Alter any credential', 'Alter any database', 'Alter any endpoint ', 'Alter any event notification ', 'Alter any event session ', 'Alter any linked server', 'Alter any login', 'Alter any server audit', 'Alter any server role', 'Alter resources', 'Alter server state ', 'Alter Settings ', 'Alter trace', 'Authenticate server ', 'Control server', 'Create any database ', 'Create availability group', 'Create DDL event notification', 'Create endpoint', 'Create server role', 'Create trace event notification', 'External access assembly', 'Shutdown', 'Unsafe Assembly', 'View any database', 'View any definition', 'View server state' ) AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY what.permission_name, who.name ; GO</RawString> <SetScript>DECLARE @name as varchar(512) DECLARE @permission as varchar(512) DECLARE @sqlstring1 as varchar(max) SET @sqlstring1 = 'use master;' SET @permission = 'View Any Database' DECLARE c1 cursor for SELECT who.name AS [Principal Name], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' AND who.name <> 'sa' AND what.permission_name = @permission OPEN c1 FETCH next FROM c1 INTO @name,@permission WHILE (@@FETCH_STATUS = 0) BEGIN SET @sqlstring1 = @sqlstring1 + 'REVOKE ' + @permission + ' FROM [' + @name + '];' FETCH next FROM c1 INTO @name,@permission END CLOSE c1 DEALLOCATE c1 EXEC ( @sqlstring1 );</SetScript> <TestScript>SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'View Any Database' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;</TestScript> </Rule> </SqlScriptQueryRule> </DISASTIG> |