CUI

V-213978

MS SQL Server 2016 Instance Security Technical Implementation Guide

CAT II

Title

SQL Server must reveal detailed error messages only to documented and approved individuals or roles.

Description

If SQL Server provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Some default DBMS error messages can contain information that could aid an ...

Fix Text (Documentation Requirement)

Configure audit logging, tracing and/or custom code in the database or application to record detailed error messages generated by SQL Server, for review by authorized personnel. If any non-authorized users have access to the SQL Server Error Log in SQL Server Management Studio, use the REVOKE or DENY commands to remove them from the securityadmin or sysadmin server roles. If any non-authorized users have access to the SQL Server Error Log located at Program Files\Microsoft SQL Server\MSSQL.n\MSSQL\LOG, remove their file-system permissions. Consider enabling trace flag 3625 to mask certain system-level error information returned to non-administrative users. Configure audit logging, tracing and/or custom code in the database or application to record detailed error messages generated by SQL Server, f...
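As an added review script for this finding (not part of the STIG text), the following T-SQL lists which logins hold sysadmin or securityadmin (and can therefore read the error log through SSMS), checks whether trace flag 3625 is active, and shows the remediation statements. [UNAPPROVED_LOGIN] is a placeholder to be replaced with a login that is not on the documented approved list.

```sql
-- Added example for reviewing V-213978; not from the STIG itself.
-- 1. Who can read the SQL Server error log via SSMS / xp_readerrorlog?
--    Membership in sysadmin or securityadmin grants that. Compare the output
--    against the documented list of approved individuals and roles.
SELECT r.name      AS server_role,
       m.name      AS member_login,
       m.type_desc AS member_type,
       m.is_disabled
FROM sys.server_role_members AS srm
JOIN sys.server_principals   AS r ON r.principal_id = srm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = srm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin')
ORDER BY r.name, m.name;

-- 2. Is trace flag 3625 (mask system-level error details from callers who are
--    not sysadmin) active? No row, or Status = 0, means it is not.
DBCC TRACESTATUS (3625);

-- 3. Remediation for a login from step 1 that is not approved.
--    [UNAPPROVED_LOGIN] is a placeholder; run the statement for each
--    privileged role the login actually appears in.
ALTER SERVER ROLE sysadmin      DROP MEMBER [UNAPPROVED_LOGIN];
ALTER SERVER ROLE securityadmin DROP MEMBER [UNAPPROVED_LOGIN];

-- 4. Enable trace flag 3625 for the running instance (-1 = global scope).
--    DBCC TRACEON does not survive a service restart; to make it permanent,
--    add -T3625 as a startup parameter in SQL Server Configuration Manager.
DBCC TRACEON (3625, -1);
DBCC TRACESTATUS (3625);  -- verify: Status = 1, Global = 1
```

The file-system permissions on the LOG directory named in the fix text are outside T-SQL and must be reviewed separately on the host.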
