| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-213901 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must enforce approved authorizations fo... | - | |||
Check TextReview the system documentation to determine the required levels of protection for securables in the database by type of login. If the database is tempdb, this is not applicable. Review the permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Use the supplemental file "Database permission assignments to users and roles.sql". Fix TextUse GRANT, REVOKE, DENY, ALTER ROLE … ADD MEMBER … and/or ALTER ROLE …. DROP MEMBER statements to add and remove permissions on database-level securables, bringing them into line with the documented requirements. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: 4E0BE29691469BB6268E1305E905DFBC61DC8366 ~~~~~ Review the system documentation to determine the required levels of protection for securables in the database by type of user, then compare that against the following permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Here are the row counts and checksums for the three queries in the supplemental STIG file 'Database permission assignments to users and roles.sql': QueryType ResultCount CheckSum --------- ----------- -------- Owner 1 34509070 Privileges 59 -882091564 Roles 1 510085263 Details for the Database Owner query: database_owner -------------- sa Details for the Database Roles query: database_role role_member ------------- ----------- db_owner dbo Details for the Privileges query: grantee_type grantee state_desc permission_name securable_class schema_or_owner securable column_name grantor_type grantor ------------ ------- ---------- --------------- --------------- --------------- --------- ----------- ------------ ------- SQL_USER dbo GRANT CONNECT DATABASE BEDB SQL_USER dbo DATABASE_ROLE public GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION DATABASE BEDB SQL_USER dbo DATABASE_ROLE public GRANT VIEW ANY COLUMN MASTER KEY DEFINITION DATABASE BEDB SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatDeletionEvent SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatDeletionEvent SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatDeletionEvent SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatDeletionEvent SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatDeletionEvent SQL_USER dbo DATABASE_ROLE public GRANT EXECUTE SQL_STORED_PROCEDURE dbo CatDeletionEventProc SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatDlmProcessedImage SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatDlmProcessedImage SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatDlmProcessedImage SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatDlmProcessedImage SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatDlmProcessedImage SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatEvents SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatEvents SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatEvents SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatEvents SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatEvents SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatFragment SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatFragment SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatFragment SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatFragment SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatFragment SQL_USER dbo DATABASE_ROLE public GRANT EXECUTE SQL_STORED_PROCEDURE dbo CatFragmentProc SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatImage SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatImage SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatImage SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatImage SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatImage SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatMedia SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatMedia SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatMedia SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatMedia SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatMedia SQL_USER dbo DATABASE_ROLE public GRANT EXECUTE SQL_STORED_PROCEDURE dbo CatMediaProc SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatPieceIdTable SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatPieceIdTable SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatPieceIdTable SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatPieceIdTable SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatPieceIdTable SQL_USER dbo DATABASE_ROLE public GRANT EXECUTE SQL_STORED_PROCEDURE dbo CatPieceIdTableProc SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatResource SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatResource SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatResource SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatResource SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatResource SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatSynthTable SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatSynthTable SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatSynthTable SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatSynthTable SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatSynthTable SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo ControlInfo SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo ControlInfo SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo ControlInfo SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo ControlInfo SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo ControlInfo SQL_USER dbo DATABASE_ROLE public GRANT EXECUTE SQL_STORED_PROCEDURE dbo DeleteOrphandedResourcesProc SQL_USER dbo DATABASE_ROLE public GRANT EXECUTE SQL_STORED_PROCEDURE dbo InsertVirtualSet SQL_USER dbo
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_BEDB_V3R3_20251023-143959.ckl
Scan Date: 2026-01-14T12:57:40.371699
Technology Area: Database Review
|
||||||||
| V-213901 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must enforce approved authorizations fo... | - | |||
Check TextReview the system documentation to determine the required levels of protection for securables in the database by type of login. If the database is tempdb, this is not applicable. Review the permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Use the supplemental file "Database permission assignments to users and roles.sql". Fix TextUse GRANT, REVOKE, DENY, ALTER ROLE … ADD MEMBER … and/or ALTER ROLE …. DROP MEMBER statements to add and remove permissions on database-level securables, bringing them into line with the documented requirements. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: A5133F4A8B2717CDEB397EC5433932ABBE14A87B ~~~~~ Review the system documentation to determine the required levels of protection for securables in the database by type of user, then compare that against the following permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Here are the row counts and checksums for the three queries in the supplemental STIG file 'Database permission assignments to users and roles.sql': QueryType ResultCount CheckSum --------- ----------- -------- Owner 1 34509070 Privileges 2260 -1243632689 Roles 1 510085263 Details for the Database Owner query: database_owner -------------- sa Details for the Database Roles query: database_role role_member ------------- ----------- db_owner dbo Details for the Privileges query: grantee_type grantee state_desc permission_name securable_class schema_or_owner securable ------------ ------- ---------- --------------- --------------- --------------- --------- CERTIFICATE_MAPPED_USER ##MS_AgentSigningCertificate## GRANT CONNECT DATABASE master CERTIFICATE_MAPPED_USER ##MS_AgentSigningCertificate## GRANT EXECUTE DATABASE master SQL_USER ##MS_PolicyEventProcessingLogin## GRANT CONNECT DATABASE master SQL_USER ##MS_PolicyEventProcessingLogin## GRANT EXECUTE SQL_STORED_PROCEDURE sys sp_syspolicy_execute_policy SQL_USER dbo GRANT CONNECT DATABASE master SQL_USER guest GRANT CONNECT DATABASE master DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1005... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1030... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1042... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1046... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1059... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1063... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1069... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1078... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1090... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1104... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1163... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1182... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1189... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1337... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1361... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1369... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1425... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1465... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1529... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1786... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1792... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1814... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -2059... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -2063... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -2144... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -2271... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -2318... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -2397... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -2456... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -2456... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -2462... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -2520... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -2610... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -2978... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -3055... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -3144... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -3160... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -3226... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -3319... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -3462... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -3508... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -3624... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -3825... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -3984... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4083... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4095... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4129... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4159... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4167... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4258... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4317... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4438... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4633... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4642... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4714... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4730... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4810... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4828... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4975... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5004... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5043... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5200... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5221... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5233... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5261... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5313... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5378... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5381... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5462... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5576... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5683... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5846... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -590 *** DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5905... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -591 *** DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -592 *** DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -593 *** DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5963... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -6084... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -6219... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -6234... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -6259... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -6366... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -6383... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -6385... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -6495... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -6584... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -6724... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -6980... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7167... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7264... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7310... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7327... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7362... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7494... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7578... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7644... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7786... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7850... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7909... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7947... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7989... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8028... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8167... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8186... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8248... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8268... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8300... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8481... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8483... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8604... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8752... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8824... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8834... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8962... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8986... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -9111... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -9139... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -9273... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -9343... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -9442... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -9679... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -9764... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -9798... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -9861... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -9886... DATABASE_ROLE public GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION DATABASE master DATABASE_ROLE public GRANT VIEW ANY COLUMN MASTER KEY DEFINITION DATABASE master DATABASE_ROLE public GRANT SELECT USER_TABLE dbo spt_fallback_db DATABASE_ROLE public GRANT SELECT USER_TABLE dbo spt_fallback_dev DATABASE_ROLE public GRANT SELECT USER_TABLE dbo spt_fallback_usg DATABASE_ROLE public GRANT SELECT USER_TABLE dbo spt_monitor DATABASE_ROLE public GRANT SELECT VIEW dbo spt_values DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA CHECK_CONSTRAINTS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA COLUMN_DOMAIN_USAGE DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA COLUMN_PRIVILEGES DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA COLUMNS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA CONSTRAINT_COLUMN_USAGE DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA CONSTRAINT_TABLE_USAGE DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA DOMAIN_CONSTRAINTS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA DOMAINS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA KEY_COLUMN_USAGE DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA PARAMETERS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA REFERENTIAL_CONSTRAINTS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA ROUTINE_COLUMNS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA ROUTINES DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA SCHEMATA DATABASE_ROLE public GRANT SELECT VIEW INFORMA ---truncated results. met character limit---
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_master_V3R3_20251023-144120.ckl
Scan Date: 2026-01-14T12:57:40.470811
Technology Area: Database Review
|
||||||||
| V-213901 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must enforce approved authorizations fo... | - | |||
Check TextReview the system documentation to determine the required levels of protection for securables in the database by type of login. If the database is tempdb, this is not applicable. Review the permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Use the supplemental file "Database permission assignments to users and roles.sql". Fix TextUse GRANT, REVOKE, DENY, ALTER ROLE … ADD MEMBER … and/or ALTER ROLE …. DROP MEMBER statements to add and remove permissions on database-level securables, bringing them into line with the documented requirements. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 67138811F3D3035DB7C13B6F224A4015F4C21EB3 ~~~~~ Review the system documentation to determine the required levels of protection for securables in the database by type of user, then compare that against the following permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Here are the row counts and checksums for the three queries in the supplemental STIG file 'Database permission assignments to users and roles.sql': QueryType ResultCount CheckSum --------- ----------- -------- Owner 1 34509070 Privileges 3 -2020448801 Roles 1 510085263 Details for the Database Owner query: database_owner -------------- sa Details for the Database Roles query: database_role role_member ------------- ----------- db_owner dbo Details for the Privileges query: grantee_type grantee state_desc permission_name securable_class schema_or_owner securable column_name grantor_type grantor ------------ ------- ---------- --------------- --------------- --------------- --------- ----------- ------------ ------- SQL_USER dbo GRANT CONNECT DATABASE model SQL_USER dbo DATABASE_ROLE public GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION DATABASE model SQL_USER dbo DATABASE_ROLE public GRANT VIEW ANY COLUMN MASTER KEY DEFINITION DATABASE model SQL_USER dbo
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_model_V3R3_20251023-144128.ckl
Scan Date: 2026-01-14T12:57:40.569961
Technology Area: Database Review
|
||||||||
| V-213901 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must enforce approved authorizations fo... | - | |||
Check TextReview the system documentation to determine the required levels of protection for securables in the database by type of login. If the database is tempdb, this is not applicable. Review the permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Use the supplemental file "Database permission assignments to users and roles.sql". Fix TextUse GRANT, REVOKE, DENY, ALTER ROLE … ADD MEMBER … and/or ALTER ROLE …. DROP MEMBER statements to add and remove permissions on database-level securables, bringing them into line with the documented requirements. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: CD95A213FC4476B7F4C08031802041EE9D911C58 ~~~~~ Review the system documentation to determine the required levels of protection for securables in the database by type of user, then compare that against the following permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Here are the row counts and checksums for the three queries in the supplemental STIG file 'Database permission assignments to users and roles.sql': QueryType ResultCount CheckSum --------- ----------- -------- Owner 1 34509070 Privileges 391 -403485259 Roles 17 348690621 Details for the Database Owner query: database_owner -------------- sa Details for the Database Roles query: database_role role_member ------------- ----------- db_owner dbo SQLAgentUserRole SQLAgentReaderRole SQLAgentReaderRole SQLAgentOperatorRole SQLAgentUserRole dc_operator db_ssisltduser dc_operator db_ssisoperator dc_operator dc_operator dc_admin db_ssisltduser dc_proxy db_ssisoperator dc_proxy SQLAgentUserRole MS_DataCollectorInternalUser db_ssisoperator MS_DataCollectorInternalUser dc_admin MS_DataCollectorInternalUser SQLAgentOperatorRole PolicyAdministratorRole ServerGroupReaderRole ServerGroupAdministratorRole PolicyAdministratorRole ##MS_PolicyEventProcessingLogin## PolicyAdministratorRole ##MS_PolicyTsqlExecutionLogin## UtilityIMRReader UtilityIMRWriter Details for the Privileges query: grantee_type grantee state_desc permission_name securable_class schema_or_owner securable ------------ ------- ---------- --------------- --------------- --------------- --------- SQL_USER ##MS_PolicyEventProcessingLogin## GRANT CONNECT DATABASE msdb SQL_USER ##MS_PolicyEventProcessingLogin## GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_events_reader SQL_USER ##MS_PolicyTsqlExecutionLogin## GRANT CONNECT DATABASE msdb DATABASE_ROLE DatabaseMailUserRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_send_dbmail DATABASE_ROLE DatabaseMailUserRole GRANT SELECT VIEW dbo sysmail_allitems DATABASE_ROLE DatabaseMailUserRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sysmail_delete_mailitems_sp DATABASE_ROLE DatabaseMailUserRole GRANT SELECT VIEW dbo sysmail_event_log DATABASE_ROLE DatabaseMailUserRole GRANT SELECT VIEW dbo sysmail_faileditems DATABASE_ROLE DatabaseMailUserRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sysmail_help_status_sp DATABASE_ROLE DatabaseMailUserRole GRANT SELECT VIEW dbo sysmail_mailattachments DATABASE_ROLE DatabaseMailUserRole GRANT SELECT VIEW dbo sysmail_sentitems DATABASE_ROLE DatabaseMailUserRole GRANT SELECT VIEW dbo sysmail_unsentitems DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_addfolder DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_addlogentry DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_checkexists DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletefolder DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletepackage DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getfolder DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackage DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackageroles DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listfolders DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listpackages DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_putpackage DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_renamefolder DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_setpackageroles DATABASE_ROLE db_ssisadmin GRANT DELETE USER_TABLE dbo sysssislog DATABASE_ROLE db_ssisadmin GRANT INSERT USER_TABLE dbo sysssislog DATABASE_ROLE db_ssisadmin GRANT REFERENCES USER_TABLE dbo sysssislog DATABASE_ROLE db_ssisadmin GRANT SELECT USER_TABLE dbo sysssislog DATABASE_ROLE db_ssisadmin GRANT UPDATE USER_TABLE dbo sysssislog DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_addfolder DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_addlogentry DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_checkexists DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletefolder DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletepackage DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getfolder DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackage DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackageroles DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listfolders DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listpackages DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_putpackage DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_renamefolder DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_setpackageroles DATABASE_ROLE db_ssisltduser GRANT INSERT USER_TABLE dbo sysssislog DATABASE_ROLE db_ssisltduser GRANT SELECT USER_TABLE dbo sysssislog DATABASE_ROLE db_ssisoperator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_checkexists DATABASE_ROLE db_ssisoperator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletepackage DATABASE_ROLE db_ssisoperator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getfolder DATABASE_ROLE db_ssisoperator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackage DATABASE_ROLE db_ssisoperator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listfolders DATABASE_ROLE db_ssisoperator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listpackages DATABASE_ROLE db_ssisoperator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_putpackage DATABASE_ROLE db_ssisoperator GRANT INSERT USER_TABLE dbo sysssislog DATABASE_ROLE db_ssisoperator GRANT SELECT USER_TABLE dbo sysssislog SQL_USER dbo GRANT CONNECT DATABASE msdb DATABASE_ROLE dc_admin GRANT IMPERSONATE DATABASE_PRINCIPAL MS_DataCollectorInternalUser DATABASE_ROLE dc_admin GRANT EXECUTE SQL_SCALAR_FUNCTION dbo fn_syscollector_highest_incompatible_mdw_version DATABASE_ROLE dc_admin GRANT EXECUTE XML_SCHEMA_COLLECTION dbo schema_collection_Generic SQL Trace Collector Type DATABASE_ROLE dc_admin GRANT VIEW DEFINITION XML_SCHEMA_COLLECTION dbo schema_collection_Generic SQL Trace Collector Type DATABASE_ROLE dc_admin GRANT EXECUTE XML_SCHEMA_COLLECTION dbo schema_collection_Generic T-SQL Query Collector... DATABASE_ROLE dc_admin GRANT VIEW DEFINITION XML_SCHEMA_COLLECTION dbo schema_collection_Generic T-SQL Query Collector... DATABASE_ROLE dc_admin GRANT EXECUTE XML_SCHEMA_COLLECTION dbo schema_collection_Performance Counters Collecto... DATABASE_ROLE dc_admin GRANT VIEW DEFINITION XML_SCHEMA_COLLECTION dbo schema_collection_Performance Counters Collecto... DATABASE_ROLE dc_admin GRANT EXECUTE XML_SCHEMA_COLLECTION dbo schema_collection_Query Activity Collector Type DATABASE_ROLE dc_admin GRANT VIEW DEFINITION XML_SCHEMA_COLLECTION dbo schema_collection_Query Activity Collector Type DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_cleanup_collector DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_collection_item DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_collection_set DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_collector_type DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_delete_collection_item DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_delete_collection_set DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_delete_collector_type DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_set_cache_directory DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_set_cache_window DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_set_warehouse_database_name DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_set_warehouse_instance_name DATABASE_ROLE dc_operator GRANT EXECUTE SQL_SCALAR_FUNCTION dbo fn_syscollector_find_collection_set_root DATABASE_ROLE dc_operator GRANT SELECT SQL_INLINE_TABLE_VALUED_FUNCTION dbo fn_syscollector_get_execution_details DATABASE_ROLE dc_operator GRANT SELECT SQL_INLINE_TABLE_VALUED_FUNCTION dbo fn_syscollector_get_execution_log_tree DATABASE_ROLE dc_operator GRANT SELECT SQL_INLINE_TABLE_VALUED_FUNCTION dbo fn_syscollector_get_execution_stats DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_tsql_query_collector DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_delete_execution_log_tree DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_disable_collector DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_enable_collector DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_get_tsql_query_collector_packag... DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_run_collection_set DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_start_collection_set DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_stop_collection_set DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_update_collection_item DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_update_collection_set DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_upload_collection_set DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_verify_subsystems DATABASE_ROLE dc_operator GRANT SELECT VIEW dbo syscollector_collection_items DATABASE_ROLE dc_operator GRANT SELECT VIEW dbo syscollector_collection_sets DATABASE_ROLE dc_operator GRANT SELECT VIEW dbo syscollector_collector_types DATABASE_ROLE dc_operator GRANT SELECT VIEW dbo syscollector_config_store DATABASE_ROLE dc_operator GRANT SELECT VIEW dbo syscollector_execution_log DATABASE_ROLE dc_operator GRANT SELECT VIEW dbo syscollector_execution_log_full DATABASE_ROLE dc_operator GRANT SELECT VIEW dbo syscollector_execution_stats DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_SCALAR_FUNCTION dbo fn_syscollector_highest_incompatible_mdw_version DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_tsql_query_collector DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_oncollectionbegin DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_oncollectionend DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_onerror DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_onpackagebegin DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_onpackageend DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_onpackageupdate DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_onstatsupdate DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_get_tsql_query_collector_packag... DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_get_warehouse_connection_string DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_snapshot_dm_exec_query_stats DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_snapshot_dm_exec_requests DATABASE_ROLE dc_proxy GRANT SELECT VIEW dbo syscollector_collection_items DATABASE_ROLE dc_proxy GRANT SELECT VIEW dbo syscollector_collection_sets DATABASE_ROLE dc_proxy GRANT SELECT VIEW dbo syscollector_collector_types DATABASE_ROLE dc_proxy GRANT SELECT VIEW dbo syscollector_config_store SQL_USER guest GRANT CONNECT DATABASE msdb SQL_USER MS_DataCollectorInternalUser GRANT CONNECT DATABASE msdb DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_condition DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_object_set DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_policy DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_policy_category DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_policy_category_subscription DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_target_set DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_target_set_level DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_configure DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_create_purge_job DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_condition DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_object_set DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_policy DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_policy_category DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_policy_category_subscription DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_dispatch_event DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_log_policy_execution_detail DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_log_policy_execution_end DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_log_policy_execution_start DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_purge_health_state DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_purge_history DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_rename_condition DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_rename_policy DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_rename_policy_category DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_repair_policy_automation DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_set_config_enabled DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_set_config_history_retention DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_set_log_on_success DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_update_condition DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_update_policy DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_update_policy_category DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE ---truncated results. met character limit---
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_msdb_V3R3_20251023-144148.ckl
Scan Date: 2026-01-14T12:57:40.663257
Technology Area: Database Review
|
||||||||
| V-213901 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must enforce approved authorizations fo... | - | |||
Check TextReview the system documentation to determine the required levels of protection for securables in the database by type of login. If the database is tempdb, this is not applicable. Review the permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Use the supplemental file "Database permission assignments to users and roles.sql". Fix TextUse GRANT, REVOKE, DENY, ALTER ROLE … ADD MEMBER … and/or ALTER ROLE …. DROP MEMBER statements to add and remove permissions on database-level securables, bringing them into line with the documented requirements. Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT APPLICABLE on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: E72A43AA1F56BC880CAFBD122F108E27602D0980 ~~~~~ This is the 'tempdb' database so this requirement is NA.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_tempdb_V3R3_20251023-144154.ckl
Scan Date: 2026-01-14T12:57:40.769694
Technology Area: Database Review
|
||||||||