| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-213900 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server databases must integrate with an organi... | - | | | |
| V-213901 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must enforce approved authorizations fo... | - | | | |

V-213900 (CAT I) - MONT-BE-002 - MS SQL Server 2016 Database Security Tec... - SQL Server databases must integrate with an organi...

Check Text:

Determine if SQL Server is configured to allow the use of contained databases, if it is, take the appropriate precautions to limit their risk.

1) In the Object Explorer in SQL Server Management Studio (SSMS), right-click on the server instance, select "Properties", and then select the "Advanced" page. If "Enabled Contained Databases" is "False", this is not a finding.

2) If "Enabled Contained Databases" is "True", then in a query interface such as the SSMS Transact-SQL editor, run the statement:

    EXEC sp_configure 'contained database authentication'

If the returned value in the "config_value" and/or "run_value" column is "0", this is not a finding.

3) Determine whether SQL Server is configured to use only Windows authentication. In a query interface such as the SSMS Transact-SQL editor, run the statement:

    SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
        WHEN 1 THEN 'Windows Authentication'
        WHEN 0 THEN 'Windows and SQL Server Authentication'
        END as [Authentication Mode]

If the returned value in the "Authentication Mode" column is "Windows Authentication", this is not a finding.

If mixed mode (both SQL Server authentication and Windows authentication) is in use, then it must be documented and approved. From the documentation, obtain the list of accounts authorized to be managed by SQL Server. Determine the accounts (SQL Logins) actually managed by SQL Server. Run the statement:

    SELECT name
    FROM sys.database_principals
    WHERE type_desc = 'SQL_USER'
      AND authentication_type_desc = 'DATABASE';

If any accounts listed by the query are not listed in the documentation, this is a finding. Documentation must be approved by the information system security officer (ISSO)/information system security manager (ISSM).

Fix Text:

If mixed mode is required, document the need and justification; describe the measures taken to ensure the use of SQL Server authentication is kept to a minimum; describe the measures taken to safeguard passwords; list or describe the SQL Logins used; and obtain official approval.

If mixed mode is not required, disable it as follows:

In the SSMS Object Explorer, right-click on the server instance, select Properties >> Security page. Click the radio button for "Windows Authentication Mode", and then click "OK". Restart the SQL Server instance.

OR

Run the statement:

    USE [master]
    EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode', REG_DWORD, 2
    GO

Restart the SQL Server instance.

For each account being managed by SQL Server but not requiring it, drop or disable the SQL Database user. Replace it with an appropriately configured account, as needed.

To drop a User in the SSMS Object Explorer: Navigate to Databases >> Security Users. Right-click on the User name, and then click "Delete".

To drop a User via a query:

    USE database_name;
    DROP USER <user_name>;

Finding Details (BEDB):
Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: BEDB
ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5
Instance does not have Contained Databases enabled.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_BEDB_V3R3_20251023-143959.ckl
Scan Date: 2026-01-14T12:57:40.371699
Technology Area: Database Review

Finding Details (master):
Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: master
ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5
Instance does not have Contained Databases enabled.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_master_V3R3_20251023-144120.ckl
Scan Date: 2026-01-14T12:57:40.470811
Technology Area: Database Review

Finding Details (model):
Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: model
ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5
Instance does not have Contained Databases enabled.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_model_V3R3_20251023-144128.ckl
Scan Date: 2026-01-14T12:57:40.569961
Technology Area: Database Review

Finding Details (msdb):
Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: msdb
ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5
Instance does not have Contained Databases enabled.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_msdb_V3R3_20251023-144148.ckl
Scan Date: 2026-01-14T12:57:40.663257
Technology Area: Database Review

Finding Details (tempdb):
Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: tempdb
ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5
Instance does not have Contained Databases enabled.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_tempdb_V3R3_20251023-144154.ckl
Scan Date: 2026-01-14T12:57:40.769694
Technology Area: Database Review

V-213901 (CAT I) - MONT-BE-002 - MS SQL Server 2016 Database Security Tec... - SQL Server must enforce approved authorizations fo...

Check Text:

Review the system documentation to determine the required levels of protection for securables in the database by type of login. If the database is tempdb, this is not applicable. Review the permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Use the supplemental file "Database permission assignments to users and roles.sql".

Fix Text:

Use GRANT, REVOKE, DENY, ALTER ROLE … ADD MEMBER … and/or ALTER ROLE … DROP MEMBER statements to add and remove permissions on database-level securables, bringing them into line with the documented requirements.

Finding Details (BEDB):
Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
Instance: MONT-BE-002\BKUPEXEC64
Database: BEDB
ResultHash: 4E0BE29691469BB6268E1305E905DFBC61DC8366

Review the system documentation to determine the required levels of protection for securables in the database by type of user, then compare that against the following permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding.

Here are the row counts and checksums for the three queries in the supplemental STIG file 'Database permission assignments to users and roles.sql':

| QueryType | ResultCount | CheckSum |
|---|---|---|
| Owner | 1 | 34509070 |
| Privileges | 59 | -882091564 |
| Roles | 1 | 510085263 |

Details for the Database Owner query:

| database_owner |
|---|
| sa |

Details for the Database Roles query:

| database_role | role_member |
|---|---|
| db_owner | dbo |

Details for the Privileges query:

| grantee_type | grantee | state_desc | permission_name | securable_class | schema_or_owner | securable | column_name | grantor_type | grantor |
|---|---|---|---|---|---|---|---|---|---|
| SQL_USER | dbo | GRANT | CONNECT | DATABASE | | BEDB | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | VIEW ANY COLUMN ENCRYPTION KEY DEFINITION | DATABASE | | BEDB | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | VIEW ANY COLUMN MASTER KEY DEFINITION | DATABASE | | BEDB | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | DELETE | USER_TABLE | dbo | CatDeletionEvent | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | INSERT | USER_TABLE | dbo | CatDeletionEvent | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | REFERENCES | USER_TABLE | dbo | CatDeletionEvent | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | SELECT | USER_TABLE | dbo | CatDeletionEvent | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | UPDATE | USER_TABLE | dbo | CatDeletionEvent | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | EXECUTE | SQL_STORED_PROCEDURE | dbo | CatDeletionEventProc | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | DELETE | USER_TABLE | dbo | CatDlmProcessedImage | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | INSERT | USER_TABLE | dbo | CatDlmProcessedImage | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | REFERENCES | USER_TABLE | dbo | CatDlmProcessedImage | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | SELECT | USER_TABLE | dbo | CatDlmProcessedImage | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | UPDATE | USER_TABLE | dbo | CatDlmProcessedImage | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | DELETE | USER_TABLE | dbo | CatEvents | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | INSERT | USER_TABLE | dbo | CatEvents | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | REFERENCES | USER_TABLE | dbo | CatEvents | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | SELECT | USER_TABLE | dbo | CatEvents | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | UPDATE | USER_TABLE | dbo | CatEvents | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | DELETE | USER_TABLE | dbo | CatFragment | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | INSERT | USER_TABLE | dbo | CatFragment | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | REFERENCES | USER_TABLE | dbo | CatFragment | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | SELECT | USER_TABLE | dbo | CatFragment | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | UPDATE | USER_TABLE | dbo | CatFragment | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | EXECUTE | SQL_STORED_PROCEDURE | dbo | CatFragmentProc | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | DELETE | USER_TABLE | dbo | CatImage | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | INSERT | USER_TABLE | dbo | CatImage | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | REFERENCES | USER_TABLE | dbo | CatImage | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | SELECT | USER_TABLE | dbo | CatImage | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | UPDATE | USER_TABLE | dbo | CatImage | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | DELETE | USER_TABLE | dbo | CatMedia | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | INSERT | USER_TABLE | dbo | CatMedia | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | REFERENCES | USER_TABLE | dbo | CatMedia | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | SELECT | USER_TABLE | dbo | CatMedia | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | UPDATE | USER_TABLE | dbo | CatMedia | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | EXECUTE | SQL_STORED_PROCEDURE | dbo | CatMediaProc | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | DELETE | USER_TABLE | dbo | CatPieceIdTable | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | INSERT | USER_TABLE | dbo | CatPieceIdTable | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | REFERENCES | USER_TABLE | dbo | CatPieceIdTable | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | SELECT | USER_TABLE | dbo | CatPieceIdTable | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | UPDATE | USER_TABLE | dbo | CatPieceIdTable | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | EXECUTE | SQL_STORED_PROCEDURE | dbo | CatPieceIdTableProc | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | DELETE | USER_TABLE | dbo | CatResource | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | INSERT | USER_TABLE | dbo | CatResource | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | REFERENCES | USER_TABLE | dbo | CatResource | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | SELECT | USER_TABLE | dbo | CatResource | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | UPDATE | USER_TABLE | dbo | CatResource | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | DELETE | USER_TABLE | dbo | CatSynthTable | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | INSERT | USER_TABLE | dbo | CatSynthTable | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | REFERENCES | USER_TABLE | dbo | CatSynthTable | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | SELECT | USER_TABLE | dbo | CatSynthTable | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | UPDATE | USER_TABLE | dbo | CatSynthTable | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | DELETE | USER_TABLE | dbo | ControlInfo | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | INSERT | USER_TABLE | dbo | ControlInfo | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | REFERENCES | USER_TABLE | dbo | ControlInfo | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | SELECT | USER_TABLE | dbo | ControlInfo | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | UPDATE | USER_TABLE | dbo | ControlInfo | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | EXECUTE | SQL_STORED_PROCEDURE | dbo | DeleteOrphandedResourcesProc | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | EXECUTE | SQL_STORED_PROCEDURE | dbo | InsertVirtualSet | | SQL_USER | dbo |

Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_BEDB_V3R3_20251023-143959.ckl
Scan Date: 2026-01-14T12:57:40.371699
Technology Area: Database Review

Finding Details (master):
Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
Instance: MONT-BE-002\BKUPEXEC64
Database: master
ResultHash: A5133F4A8B2717CDEB397EC5433932ABBE14A87B

Review the system documentation to determine the required levels of protection for securables in the database by type of user, then compare that against the following permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding.

Here are the row counts and checksums for the three queries in the supplemental STIG file 'Database permission assignments to users and roles.sql':

| QueryType | ResultCount | CheckSum |
|---|---|---|
| Owner | 1 | 34509070 |
| Privileges | 2260 | -1243632689 |
| Roles | 1 | 510085263 |

Details for the Database Owner query:

| database_owner |
|---|
| sa |

Details for the Database Roles query:

| database_role | role_member |
|---|---|
| db_owner | dbo |

Details for the Privileges query (the scanner output is truncated; only the first rows of the 2260 returned are shown):

| grantee_type | grantee | state_desc | permission_name | securable_class | schema_or_owner | securable |
|---|---|---|---|---|---|---|
| CERTIFICATE_MAPPED_USER | ##MS_AgentSigningCertificate## | GRANT | CONNECT | DATABASE | | master |
| CERTIFICATE_MAPPED_USER | ##MS_AgentSigningCertificate## | GRANT | EXECUTE | DATABASE | | master |
| SQL_USER | ##MS_PolicyEventProcessingLogin## | GRANT | CONNECT | DATABASE | | master |
| SQL_USER | ##MS_PolicyEventProcessingLogin## | GRANT | EXECUTE | SQL_STORED_PROCEDURE | sys | sp_syspolicy_execute_policy |
| SQL_USER | dbo | GRANT | CONNECT | DATABASE | | master |
| SQL_USER | guest | GRANT | CONNECT | DATABASE | | master |

Every remaining row in the truncated output is DATABASE_ROLE public GRANT SELECT OBJECT, with the securable reported as "*** Internal Hidden Object : " followed by one of these (truncated) object ids, in the order output:

-1005..., -1030..., -1042..., -1046..., -1059..., -1063..., -1069..., -1078..., -1090..., -1104..., -1163..., -1182..., -1189..., -1337..., -1361..., -1369..., -1425..., -1465..., -1529..., -1786..., -1792..., -1814..., -2059..., -2063..., -2144..., -2271..., -2318..., -2397..., -2456..., -2456..., -2462..., -2520..., -2610..., -2978..., -3055..., -3144..., -3160..., -3226..., -3319..., -3462..., -3508..., -3624..., -3825..., -3984..., -4083..., -4095..., -4129..., -4159..., -4167..., -4258..., -4317..., -4438..., -4633..., -4642..., -4714..., -4730..., -4810..., -4828..., -4975..., -5004..., -5043..., -5200..., -5221..., -5233..., -5261..., -5313..., -5378..., -5381..., -5462..., -5576..., -5683..., -5846..., -590 ***, -5905..., -591 ***, -592 ***, -593 ***, -5963..., -6084..., -6219..., -6234..., -6259..., -6366..., -6383..., -6385..., -6495..., -6584..., -6724..., -6980..., -7167..., -7264..., -7310..., -7327..., -7362..., -7494..., -7578..., -7644..., -7786..., -7850..., -7909..., -7947..., -7989..., -8028..., -8167..., -8186..., -8248..., -8268..., -8300..., -8481..., -8483..., -8604..., -8752..., -8824..., -8834..., -8962..., -8986..., -9111..., -9139..., -9273..., -9343..., -9442..., -9679..., -9764..., -9798..., -9861..., -9886...

Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_master_V3R3_20251023-144120.ckl
Scan Date: 2026-01-14T12:57:40.470811
Technology Area: Database Review
DATABASE_ROLE public GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION DATABASE master DATABASE_ROLE public GRANT VIEW ANY COLUMN MASTER KEY DEFINITION DATABASE master DATABASE_ROLE public GRANT SELECT USER_TABLE dbo spt_fallback_db DATABASE_ROLE public GRANT SELECT USER_TABLE dbo spt_fallback_dev DATABASE_ROLE public GRANT SELECT USER_TABLE dbo spt_fallback_usg DATABASE_ROLE public GRANT SELECT USER_TABLE dbo spt_monitor DATABASE_ROLE public GRANT SELECT VIEW dbo spt_values DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA CHECK_CONSTRAINTS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA COLUMN_DOMAIN_USAGE DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA COLUMN_PRIVILEGES DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA COLUMNS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA CONSTRAINT_COLUMN_USAGE DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA CONSTRAINT_TABLE_USAGE DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA DOMAIN_CONSTRAINTS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA DOMAINS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA KEY_COLUMN_USAGE DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA PARAMETERS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA REFERENTIAL_CONSTRAINTS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA ROUTINE_COLUMNS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA ROUTINES DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA SCHEMATA DATABASE_ROLE public GRANT SELECT VIEW INFORMA ---truncated results. met character limit---
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_master_V3R3_20251023-144120.ckl
Scan Date: 2026-01-14T12:57:40.470811
Technology Area: Database Review
| V-213901 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must enforce approved authorizations fo... | - | |||
Check Text: Review the system documentation to determine the required levels of protection for securables in the database by type of login. If the database is tempdb, this is not applicable. Review the permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Use the supplemental file "Database permission assignments to users and roles.sql".

Fix Text: Use GRANT, REVOKE, DENY, ALTER ROLE … ADD MEMBER … and/or ALTER ROLE … DROP MEMBER statements to add and remove permissions on database-level securables, bringing them into line with the documented requirements.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 67138811F3D3035DB7C13B6F224A4015F4C21EB3 ~~~~~ Review the system documentation to determine the required levels of protection for securables in the database by type of user, then compare that against the following permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding.

Here are the row counts and checksums for the three queries in the supplemental STIG file 'Database permission assignments to users and roles.sql':

QueryType   ResultCount  CheckSum
---------   -----------  --------
Owner       1            34509070
Privileges  3            -2020448801
Roles       1            510085263

Details for the Database Owner query:

database_owner
--------------
sa

Details for the Database Roles query:

database_role  role_member
-------------  -----------
db_owner       dbo

Details for the Privileges query:

grantee_type   grantee  state_desc  permission_name                            securable_class  schema_or_owner  securable  column_name  grantor_type  grantor
-------------  -------  ----------  -----------------------------------------  ---------------  ---------------  ---------  -----------  ------------  -------
SQL_USER       dbo      GRANT       CONNECT                                    DATABASE                          model                   SQL_USER      dbo
DATABASE_ROLE  public   GRANT       VIEW ANY COLUMN ENCRYPTION KEY DEFINITION  DATABASE                          model                   SQL_USER      dbo
DATABASE_ROLE  public   GRANT       VIEW ANY COLUMN MASTER KEY DEFINITION      DATABASE                          model                   SQL_USER      dbo
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_model_V3R3_20251023-144128.ckl
Scan Date: 2026-01-14T12:57:40.569961
Technology Area: Database Review
| V-213901 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must enforce approved authorizations fo... | - | |||
Check Text: Review the system documentation to determine the required levels of protection for securables in the database by type of login. If the database is tempdb, this is not applicable. Review the permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Use the supplemental file "Database permission assignments to users and roles.sql".

Fix Text: Use GRANT, REVOKE, DENY, ALTER ROLE … ADD MEMBER … and/or ALTER ROLE … DROP MEMBER statements to add and remove permissions on database-level securables, bringing them into line with the documented requirements.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: CD95A213FC4476B7F4C08031802041EE9D911C58 ~~~~~ Review the system documentation to determine the required levels of protection for securables in the database by type of user, then compare that against the following permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding.
Here are the row counts and checksums for the three queries in the supplemental STIG file 'Database permission assignments to users and roles.sql': QueryType ResultCount CheckSum --------- ----------- -------- Owner 1 34509070 Privileges 391 -403485259 Roles 17 348690621 Details for the Database Owner query: database_owner -------------- sa Details for the Database Roles query: database_role role_member ------------- ----------- db_owner dbo SQLAgentUserRole SQLAgentReaderRole SQLAgentReaderRole SQLAgentOperatorRole SQLAgentUserRole dc_operator db_ssisltduser dc_operator db_ssisoperator dc_operator dc_operator dc_admin db_ssisltduser dc_proxy db_ssisoperator dc_proxy SQLAgentUserRole MS_DataCollectorInternalUser db_ssisoperator MS_DataCollectorInternalUser dc_admin MS_DataCollectorInternalUser SQLAgentOperatorRole PolicyAdministratorRole ServerGroupReaderRole ServerGroupAdministratorRole PolicyAdministratorRole ##MS_PolicyEventProcessingLogin## PolicyAdministratorRole ##MS_PolicyTsqlExecutionLogin## UtilityIMRReader UtilityIMRWriter Details for the Privileges query: grantee_type grantee state_desc permission_name securable_class schema_or_owner securable ------------ ------- ---------- --------------- --------------- --------------- --------- SQL_USER ##MS_PolicyEventProcessingLogin## GRANT CONNECT DATABASE msdb SQL_USER ##MS_PolicyEventProcessingLogin## GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_events_reader SQL_USER ##MS_PolicyTsqlExecutionLogin## GRANT CONNECT DATABASE msdb DATABASE_ROLE DatabaseMailUserRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_send_dbmail DATABASE_ROLE DatabaseMailUserRole GRANT SELECT VIEW dbo sysmail_allitems DATABASE_ROLE DatabaseMailUserRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sysmail_delete_mailitems_sp DATABASE_ROLE DatabaseMailUserRole GRANT SELECT VIEW dbo sysmail_event_log DATABASE_ROLE DatabaseMailUserRole GRANT SELECT VIEW dbo sysmail_faileditems DATABASE_ROLE DatabaseMailUserRole GRANT EXECUTE SQL_STORED_PROCEDURE 
dbo sysmail_help_status_sp DATABASE_ROLE DatabaseMailUserRole GRANT SELECT VIEW dbo sysmail_mailattachments DATABASE_ROLE DatabaseMailUserRole GRANT SELECT VIEW dbo sysmail_sentitems DATABASE_ROLE DatabaseMailUserRole GRANT SELECT VIEW dbo sysmail_unsentitems DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_addfolder DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_addlogentry DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_checkexists DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletefolder DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletepackage DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getfolder DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackage DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackageroles DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listfolders DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listpackages DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_putpackage DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_renamefolder DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_setpackageroles DATABASE_ROLE db_ssisadmin GRANT DELETE USER_TABLE dbo sysssislog DATABASE_ROLE db_ssisadmin GRANT INSERT USER_TABLE dbo sysssislog DATABASE_ROLE db_ssisadmin GRANT REFERENCES USER_TABLE dbo sysssislog DATABASE_ROLE db_ssisadmin GRANT SELECT USER_TABLE dbo sysssislog DATABASE_ROLE db_ssisadmin GRANT UPDATE USER_TABLE dbo sysssislog DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_addfolder DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_addlogentry DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_checkexists DATABASE_ROLE 
db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletefolder DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletepackage DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getfolder DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackage DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackageroles DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listfolders DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listpackages DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_putpackage DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_renamefolder DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_setpackageroles DATABASE_ROLE db_ssisltduser GRANT INSERT USER_TABLE dbo sysssislog DATABASE_ROLE db_ssisltduser GRANT SELECT USER_TABLE dbo sysssislog DATABASE_ROLE db_ssisoperator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_checkexists DATABASE_ROLE db_ssisoperator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletepackage DATABASE_ROLE db_ssisoperator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getfolder DATABASE_ROLE db_ssisoperator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackage DATABASE_ROLE db_ssisoperator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listfolders DATABASE_ROLE db_ssisoperator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listpackages DATABASE_ROLE db_ssisoperator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_putpackage DATABASE_ROLE db_ssisoperator GRANT INSERT USER_TABLE dbo sysssislog DATABASE_ROLE db_ssisoperator GRANT SELECT USER_TABLE dbo sysssislog SQL_USER dbo GRANT CONNECT DATABASE msdb DATABASE_ROLE dc_admin GRANT IMPERSONATE DATABASE_PRINCIPAL MS_DataCollectorInternalUser DATABASE_ROLE dc_admin GRANT EXECUTE SQL_SCALAR_FUNCTION dbo 
fn_syscollector_highest_incompatible_mdw_version DATABASE_ROLE dc_admin GRANT EXECUTE XML_SCHEMA_COLLECTION dbo schema_collection_Generic SQL Trace Collector Type DATABASE_ROLE dc_admin GRANT VIEW DEFINITION XML_SCHEMA_COLLECTION dbo schema_collection_Generic SQL Trace Collector Type DATABASE_ROLE dc_admin GRANT EXECUTE XML_SCHEMA_COLLECTION dbo schema_collection_Generic T-SQL Query Collector... DATABASE_ROLE dc_admin GRANT VIEW DEFINITION XML_SCHEMA_COLLECTION dbo schema_collection_Generic T-SQL Query Collector... DATABASE_ROLE dc_admin GRANT EXECUTE XML_SCHEMA_COLLECTION dbo schema_collection_Performance Counters Collecto... DATABASE_ROLE dc_admin GRANT VIEW DEFINITION XML_SCHEMA_COLLECTION dbo schema_collection_Performance Counters Collecto... DATABASE_ROLE dc_admin GRANT EXECUTE XML_SCHEMA_COLLECTION dbo schema_collection_Query Activity Collector Type DATABASE_ROLE dc_admin GRANT VIEW DEFINITION XML_SCHEMA_COLLECTION dbo schema_collection_Query Activity Collector Type DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_cleanup_collector DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_collection_item DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_collection_set DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_collector_type DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_delete_collection_item DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_delete_collection_set DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_delete_collector_type DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_set_cache_directory DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_set_cache_window DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_set_warehouse_database_name DATABASE_ROLE 
dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_set_warehouse_instance_name DATABASE_ROLE dc_operator GRANT EXECUTE SQL_SCALAR_FUNCTION dbo fn_syscollector_find_collection_set_root DATABASE_ROLE dc_operator GRANT SELECT SQL_INLINE_TABLE_VALUED_FUNCTION dbo fn_syscollector_get_execution_details DATABASE_ROLE dc_operator GRANT SELECT SQL_INLINE_TABLE_VALUED_FUNCTION dbo fn_syscollector_get_execution_log_tree DATABASE_ROLE dc_operator GRANT SELECT SQL_INLINE_TABLE_VALUED_FUNCTION dbo fn_syscollector_get_execution_stats DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_tsql_query_collector DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_delete_execution_log_tree DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_disable_collector DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_enable_collector DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_get_tsql_query_collector_packag... 
DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_run_collection_set DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_start_collection_set DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_stop_collection_set DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_update_collection_item DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_update_collection_set DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_upload_collection_set DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_verify_subsystems DATABASE_ROLE dc_operator GRANT SELECT VIEW dbo syscollector_collection_items DATABASE_ROLE dc_operator GRANT SELECT VIEW dbo syscollector_collection_sets DATABASE_ROLE dc_operator GRANT SELECT VIEW dbo syscollector_collector_types DATABASE_ROLE dc_operator GRANT SELECT VIEW dbo syscollector_config_store DATABASE_ROLE dc_operator GRANT SELECT VIEW dbo syscollector_execution_log DATABASE_ROLE dc_operator GRANT SELECT VIEW dbo syscollector_execution_log_full DATABASE_ROLE dc_operator GRANT SELECT VIEW dbo syscollector_execution_stats DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_SCALAR_FUNCTION dbo fn_syscollector_highest_incompatible_mdw_version DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_tsql_query_collector DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_oncollectionbegin DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_oncollectionend DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_onerror DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_onpackagebegin DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_onpackageend DATABASE_ROLE dc_proxy GRANT EXECUTE 
SQL_STORED_PROCEDURE dbo sp_syscollector_event_onpackageupdate DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_onstatsupdate DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_get_tsql_query_collector_packag... DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_get_warehouse_connection_string DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_snapshot_dm_exec_query_stats DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_snapshot_dm_exec_requests DATABASE_ROLE dc_proxy GRANT SELECT VIEW dbo syscollector_collection_items DATABASE_ROLE dc_proxy GRANT SELECT VIEW dbo syscollector_collection_sets DATABASE_ROLE dc_proxy GRANT SELECT VIEW dbo syscollector_collector_types DATABASE_ROLE dc_proxy GRANT SELECT VIEW dbo syscollector_config_store SQL_USER guest GRANT CONNECT DATABASE msdb SQL_USER MS_DataCollectorInternalUser GRANT CONNECT DATABASE msdb DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_condition DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_object_set DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_policy DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_policy_category DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_policy_category_subscription DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_target_set DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_target_set_level DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_configure DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_create_purge_job DATABASE_ROLE 
PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_condition DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_object_set DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_policy DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_policy_category DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_policy_category_subscription DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_dispatch_event DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_log_policy_execution_detail DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_log_policy_execution_end DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_log_policy_execution_start DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_purge_health_state DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_purge_history DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_rename_condition DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_rename_policy DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_rename_policy_category DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_repair_policy_automation DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_set_config_enabled DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_set_config_history_retention DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_set_log_on_success 
DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_update_condition DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_update_policy DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_update_policy_category DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE ---truncated results. met character limit---
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_msdb_V3R3_20251023-144148.ckl
Scan Date: 2026-01-14T12:57:40.663257
Technology Area: Database Review
| V-213901 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must enforce approved authorizations fo... | - | |||
Check Text: Review the system documentation to determine the required levels of protection for securables in the database by type of login. If the database is tempdb, this is not applicable. Review the permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Use the supplemental file "Database permission assignments to users and roles.sql".

Fix Text: Use GRANT, REVOKE, DENY, ALTER ROLE … ADD MEMBER … and/or ALTER ROLE … DROP MEMBER statements to add and remove permissions on database-level securables, bringing them into line with the documented requirements.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT APPLICABLE on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: E72A43AA1F56BC880CAFBD122F108E27602D0980 ~~~~~ This is the 'tempdb' database so this requirement is NA.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_tempdb_V3R3_20251023-144154.ckl
Scan Date: 2026-01-14T12:57:40.769694
Technology Area: Database Review
| V-213926 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must implement cryptographic mechanisms... | - | |||
Check Text: Review the system documentation to determine whether the organization has defined the information at rest to be protected from modification, which must include, at a minimum, PII and classified information. If no information is identified as requiring such protection, this is not a finding. Review the configuration of SQL Server, Windows, and additional software as relevant. If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding. If database transparent data encryption (TDE) is called for, verify it is enabled:

SELECT db.name AS DatabaseName,
       db.is_encrypted AS IsEncrypted,
       CASE WHEN dm.encryption_state = 0 THEN 'No database encryption key present, no encryption'
            WHEN dm.encryption_state = 1 THEN 'Unencrypted'
            WHEN dm.encryption_state = 2 THEN 'Encryption in progress'
            WHEN dm.encryption_state = 3 THEN 'Encrypted'
            WHEN dm.encryption_state = 4 THEN 'Key change in progress'
            WHEN dm.encryption_state = 5 THEN 'Decryption in progress'
            WHEN dm.encryption_state = 6 THEN 'Protection change in progress'
       END AS EncryptionState,
       dm.encryption_state AS EncryptionState,
       dm.key_algorithm AS KeyAlgorithm,
       dm.key_length AS KeyLength
FROM sys.databases db
LEFT OUTER JOIN sys.dm_database_encryption_keys dm ON db.database_id = dm.database_id
WHERE db.database_id NOT IN (1,2,3,4)

For each user database for which encryption is called for and that is marked Unencrypted, this is a finding. If table/column encryption and/or a separation between those who own the data (and can view it) and those who manage the data (but should have no access) is required for PII or similar types of data, use Always Encrypted. The details for configuring Always Encrypted are located here: https://msdn.microsoft.com/en-us/library/mt163865.aspx. Review the definitions and contents of the relevant tables/columns for the Always Encrypted settings. If any of the information that requires cryptographic protection is not encrypted, this is a finding.

Fix Text: Where full-disk encryption is required, configure Windows and/or the storage system to provide this. Where transparent data encryption (TDE) is required, create a master key, obtain a certificate protected by the master key, create a database encryption key and protect it by the certificate, and then set the database to use encryption. For guidance from MSDN on how to do this: https://msdn.microsoft.com/en-us/library/bb934049.aspx. Where table/column encryption is required, enable encryption on the tables/columns in question. For guidance from the Microsoft Developer Network on how to do this with Always Encrypted: https://msdn.microsoft.com/en-us/library/mt163865.aspx.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_BEDB_V3R3_20251023-143959.ckl
Scan Date: 2026-01-14T12:57:40.371699
Technology Area: Database Review
| V-213926 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must implement cryptographic mechanisms... | - | |||
Check Text: Review the system documentation to determine whether the organization has defined the information at rest to be protected from modification, which must include, at a minimum, PII and classified information. If no information is identified as requiring such protection, this is not a finding. Review the configuration of SQL Server, Windows, and additional software as relevant. If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding. If database transparent data encryption (TDE) is called for, verify it is enabled:

SELECT db.name AS DatabaseName,
       db.is_encrypted AS IsEncrypted,
       CASE WHEN dm.encryption_state = 0 THEN 'No database encryption key present, no encryption'
            WHEN dm.encryption_state = 1 THEN 'Unencrypted'
            WHEN dm.encryption_state = 2 THEN 'Encryption in progress'
            WHEN dm.encryption_state = 3 THEN 'Encrypted'
            WHEN dm.encryption_state = 4 THEN 'Key change in progress'
            WHEN dm.encryption_state = 5 THEN 'Decryption in progress'
            WHEN dm.encryption_state = 6 THEN 'Protection change in progress'
       END AS EncryptionState,
       dm.encryption_state AS EncryptionState,
       dm.key_algorithm AS KeyAlgorithm,
       dm.key_length AS KeyLength
FROM sys.databases db
LEFT OUTER JOIN sys.dm_database_encryption_keys dm ON db.database_id = dm.database_id
WHERE db.database_id NOT IN (1,2,3,4)

For each user database for which encryption is called for and that is marked Unencrypted, this is a finding. If table/column encryption and/or a separation between those who own the data (and can view it) and those who manage the data (but should have no access) is required for PII or similar types of data, use Always Encrypted. The details for configuring Always Encrypted are located here: https://msdn.microsoft.com/en-us/library/mt163865.aspx. Review the definitions and contents of the relevant tables/columns for the Always Encrypted settings. If any of the information that requires cryptographic protection is not encrypted, this is a finding.

Fix Text: Where full-disk encryption is required, configure Windows and/or the storage system to provide this. Where transparent data encryption (TDE) is required, create a master key, obtain a certificate protected by the master key, create a database encryption key and protect it by the certificate, and then set the database to use encryption. For guidance from MSDN on how to do this: https://msdn.microsoft.com/en-us/library/bb934049.aspx. Where table/column encryption is required, enable encryption on the tables/columns in question. For guidance from the Microsoft Developer Network on how to do this with Always Encrypted: https://msdn.microsoft.com/en-us/library/mt163865.aspx.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_master_V3R3_20251023-144120.ckl
Scan Date: 2026-01-14T12:57:40.470811
Technology Area: Database Review
| V-213926 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must implement cryptographic mechanisms... | - | |||
Check Text and Fix Text: identical to the V-213926 entry for database master above.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
Instance: MONT-BE-002\BKUPEXEC64
Database: model
ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~
No database encryption key was found. Documentation needs reviewed to see if encryption is required.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_model_V3R3_20251023-144128.ckl
Scan Date: 2026-01-14T12:57:40.569961
Technology Area: Database Review
| V-213926 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must implement cryptographic mechanisms... | - | |||
Check Text and Fix Text: identical to the V-213926 entry for database master above.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
Instance: MONT-BE-002\BKUPEXEC64
Database: msdb
ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~
No database encryption key was found. Documentation needs reviewed to see if encryption is required.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_msdb_V3R3_20251023-144148.ckl
Scan Date: 2026-01-14T12:57:40.663257
Technology Area: Database Review
| V-213926 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must implement cryptographic mechanisms... | - | |||
Check Text and Fix Text: identical to the V-213926 entry for database master above.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
Instance: MONT-BE-002\BKUPEXEC64
Database: tempdb
ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~
No database encryption key was found. Documentation needs reviewed to see if encryption is required.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_tempdb_V3R3_20251023-144154.ckl
Scan Date: 2026-01-14T12:57:40.769694
Technology Area: Database Review
| V-251040 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must use NSA-approved cryptography to p... | - | |||
Check Text: Detailed information on the NIST Cryptographic Module Validation Program (CMVP) is available at the following website: http://csrc.nist.gov/groups/STM/cmvp/index.html.

Review system documentation to determine whether cryptography for classified or sensitive information is required by the information owner. If the system documentation does not specify the type of information hosted on SQL Server as classified, sensitive, and/or unclassified, this is a finding. If neither classified nor sensitive information exists within SQL Server databases or configuration, this is not a finding.

Verify that Windows is configured to require the use of FIPS-compliant algorithms. Click "Start", enter "Local Security Policy", and then press "Enter". Expand "Local Policies", select "Security Options", and then locate "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing". If the Security Setting for this option is "Disabled", this is a finding.

Note: The list of acceptable algorithms is "AES 256" and "Triple DES".

If cryptography is being used by SQL Server, verify that the cryptography is NIST FIPS 140-2 or 140-3 certified by running the following SQL query:

SELECT DISTINCT name, algorithm_desc
FROM sys.symmetric_keys
WHERE key_algorithm NOT IN ('D3','A3')
ORDER BY name

If any items listed show an uncertified NIST FIPS 140-2 algorithm type, this is a finding.

Fix Text: Configure cryptographic functions to use NSA-approved cryptography compliant algorithms. Use DoD code-signing certificates to create asymmetric keys stored in the database used to encrypt sensitive data stored in the database.

Run the following SQL script to create a certificate:

USE
CREATE CERTIFICATE
ENCRYPTION BY PASSWORD = <'password'>
FROM FILE = <'path/file_name'>
WITH SUBJECT = 'name of person creating key',
EXPIRY_DATE = '<'expiration date: yyyymmdd'>'

Run the following SQL script to create a symmetric key and assign an existing certificate:

USE
CREATE SYMMETRIC KEY <'key name'>
WITH ALGORITHM = AES_256
ENCRYPTION BY CERTIFICATE

For Transparent Data Encryption (TDE):

USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '';
CREATE CERTIFICATE . . .;
USE ;
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE ;
ALTER DATABASE SET ENCRYPTION ON;

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: BEDB
ResultHash: 578FC3916E0B120A53A8FEE87983CE61ED19852F ~~~~~
'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is Enabled
Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\
Value Name: Enabled
Value: 0x00000001 (1)
Type: REG_DWORD
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_BEDB_V3R3_20251023-143959.ckl
Scan Date: 2026-01-14T12:57:40.371699
Technology Area: Database Review
| V-251040 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must use NSA-approved cryptography to p... | - | |||
Check Text and Fix Text: identical to the V-251040 entry for database BEDB above.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: master
ResultHash: 578FC3916E0B120A53A8FEE87983CE61ED19852F ~~~~~
'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is Enabled
Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\
Value Name: Enabled
Value: 0x00000001 (1)
Type: REG_DWORD
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_master_V3R3_20251023-144120.ckl
Scan Date: 2026-01-14T12:57:40.470811
Technology Area: Database Review
| V-251040 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must use NSA-approved cryptography to p... | - | |||
Check Text and Fix Text: identical to the V-251040 entry for database BEDB above.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: model
ResultHash: 578FC3916E0B120A53A8FEE87983CE61ED19852F ~~~~~
'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is Enabled
Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\
Value Name: Enabled
Value: 0x00000001 (1)
Type: REG_DWORD
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_model_V3R3_20251023-144128.ckl
Scan Date: 2026-01-14T12:57:40.569961
Technology Area: Database Review
| V-251040 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must use NSA-approved cryptography to p... | - | |||
Check Text and Fix Text: identical to the V-251040 entry for database BEDB above.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: msdb
ResultHash: 578FC3916E0B120A53A8FEE87983CE61ED19852F ~~~~~
'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is Enabled
Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\
Value Name: Enabled
Value: 0x00000001 (1)
Type: REG_DWORD
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_msdb_V3R3_20251023-144148.ckl
Scan Date: 2026-01-14T12:57:40.663257
Technology Area: Database Review
| V-251040 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must use NSA-approved cryptography to p... | - | |||
Check Text and Fix Text: identical to the V-251040 entry for database BEDB above.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: tempdb
ResultHash: 578FC3916E0B120A53A8FEE87983CE61ED19852F ~~~~~
'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is Enabled
Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\
Value Name: Enabled
Value: 0x00000001 (1)
Type: REG_DWORD
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_tempdb_V3R3_20251023-144154.ckl
Scan Date: 2026-01-14T12:57:40.769694
Technology Area: Database Review
| V-213902 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must protect against a user falsely rep... | - | |||
Check Text: Execute the following query:

SELECT name
FROM sys.database_principals
WHERE type in ('U','G') AND name LIKE '%$'

If no users are returned, this is not a finding.

If users are returned, determine whether each user is a computer account. Launch PowerShell and execute the following code:

Note: <name> represents the username portion of the user. For example, if the user is "CONTOSO\user1$", the username is "user1".

([ADSISearcher]"(&(ObjectCategory=Computer)(Name=<name>))").FindAll()

If no account information is returned, this is not a finding. If account information is returned, this is a finding.

Fix Text: Remove all users that were returned by the check SQL statement:

SELECT name
FROM sys.database_principals
WHERE type in ('U','G') AND name LIKE '%$'

To remove users, run the following command for each user:

DROP USER [ IF EXISTS ] <user_name>;

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: BEDB
ResultHash: B63E0AD1F33856D056FB50B5C1C7A78CE1BAEA67 ~~~~~
NOT A FINDING: The check query returned no results.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_BEDB_V3R3_20251023-143959.ckl
Scan Date: 2026-01-14T12:57:40.371699
Technology Area: Database Review
|
Check Text and Fix Text: identical to the V-213902 entry for database BEDB above.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: master
ResultHash: B63E0AD1F33856D056FB50B5C1C7A78CE1BAEA67 ~~~~~
NOT A FINDING: The check query returned no results.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_master_V3R3_20251023-144120.ckl
Scan Date: 2026-01-14T12:57:40.470811
Technology Area: Database Review
|
Check Text and Fix Text: identical to the V-213902 entry for database BEDB above.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: model
ResultHash: B63E0AD1F33856D056FB50B5C1C7A78CE1BAEA67 ~~~~~
NOT A FINDING: The check query returned no results.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_model_V3R3_20251023-144128.ckl
Scan Date: 2026-01-14T12:57:40.569961
Technology Area: Database Review
| V-213902 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must protect against a user falsely rep... | - | |||
Check Text and Fix Text: identical to the V-213902 entry for database BEDB above.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: msdb
ResultHash: B63E0AD1F33856D056FB50B5C1C7A78CE1BAEA67 ~~~~~
NOT A FINDING: The check query returned no results.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_msdb_V3R3_20251023-144148.ckl
Scan Date: 2026-01-14T12:57:40.663257
Technology Area: Database Review
| V-213902 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must protect against a user falsely rep... | - | |||
Check Text: Execute the following query:

SELECT name FROM sys.database_principals WHERE type in ('U','G') AND name LIKE '%$'

If no users are returned, this is not a finding. If users are returned, determine whether each user is a computer account. Launch PowerShell and execute the following code. Note: <name> represents the username portion of the user. For example, if the user is "CONTOSO\user1$", the username is "user1".

([ADSISearcher]"(&(ObjectCategory=Computer)(Name=<name>))").FindAll()

If no account information is returned, this is not a finding. If account information is returned, this is a finding.

Fix Text: Remove all users that were returned by the check SQL statement:

SELECT name FROM sys.database_principals WHERE type in ('U','G') AND name LIKE '%$'

To remove users, run the following command for each user:

DROP USER [ IF EXISTS ] <user_name>;

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: tempdb
ResultHash: B63E0AD1F33856D056FB50B5C1C7A78CE1BAEA67
~~~~~
NOT A FINDING: The check query returned no results.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_tempdb_V3R3_20251023-144154.ckl
Scan Date: 2026-01-14T12:57:40.769694
Technology Area: Database Review
| V-213904 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must protect against a user falsely rep... | - | |||
Check Text: If the database being reviewed is MSDB, trustworthy is required to be enabled, and therefore this is not a finding. Execute the following query:

SELECT SUSER_SNAME(d.owner_sid) AS DatabaseOwner,
CASE WHEN d.is_trustworthy_on = 0 THEN 'No' WHEN d.is_trustworthy_on = 1 THEN 'Yes' END AS IsTrustworthy,
CASE WHEN role.name IN ('sysadmin','securityadmin') OR permission.permission_name = 'CONTROL SERVER' THEN 'YES' ELSE 'No' END AS 'IsOwnerPrivileged'
FROM sys.databases d
LEFT JOIN sys.server_principals login ON d.owner_sid = login.sid
LEFT JOIN sys.server_role_members rm ON login.principal_id = rm.member_principal_id
LEFT JOIN sys.server_principals role ON rm.role_principal_id = role.principal_id
LEFT JOIN sys.server_permissions permission ON login.principal_id = permission.grantee_principal_id
WHERE d.name = DB_NAME()

If trustworthy is not enabled, this is not a finding. If trustworthy is enabled and the database owner is not a privileged account, this is not a finding. If trustworthy is enabled and the database owner is a privileged account, review the system documentation to determine if the trustworthy property is required and authorized. If this is not documented, this is a finding.

Fix Text: Disable trustworthy on the database.

ALTER DATABASE [<database name>] SET TRUSTWORTHY OFF

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
Instance: MONT-BE-002\BKUPEXEC64
Database: BEDB
ResultHash: 0ACECDF9E0767F6A2D9E77EB2554ACC2AC0ACA4B
~~~~~
DBA, Confirm that an approved server documentation documents the need for TRUSTWORTHY in the following:

InstanceName           Database DatabaseOwner IsOwnerPrivileged
------------           -------- ------------- -----------------
MONT-BE-002\BKUPEXEC64 BEDB     sa            YES
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_BEDB_V3R3_20251023-143959.ckl
Scan Date: 2026-01-14T12:57:40.371699
Technology Area: Database Review
| V-213904 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must protect against a user falsely rep... | - | |||
Check Text: If the database being reviewed is MSDB, trustworthy is required to be enabled, and therefore this is not a finding. Execute the following query:

SELECT SUSER_SNAME(d.owner_sid) AS DatabaseOwner,
CASE WHEN d.is_trustworthy_on = 0 THEN 'No' WHEN d.is_trustworthy_on = 1 THEN 'Yes' END AS IsTrustworthy,
CASE WHEN role.name IN ('sysadmin','securityadmin') OR permission.permission_name = 'CONTROL SERVER' THEN 'YES' ELSE 'No' END AS 'IsOwnerPrivileged'
FROM sys.databases d
LEFT JOIN sys.server_principals login ON d.owner_sid = login.sid
LEFT JOIN sys.server_role_members rm ON login.principal_id = rm.member_principal_id
LEFT JOIN sys.server_principals role ON rm.role_principal_id = role.principal_id
LEFT JOIN sys.server_permissions permission ON login.principal_id = permission.grantee_principal_id
WHERE d.name = DB_NAME()

If trustworthy is not enabled, this is not a finding. If trustworthy is enabled and the database owner is not a privileged account, this is not a finding. If trustworthy is enabled and the database owner is a privileged account, review the system documentation to determine if the trustworthy property is required and authorized. If this is not documented, this is a finding.

Fix Text: Disable trustworthy on the database.

ALTER DATABASE [<database name>] SET TRUSTWORTHY OFF

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: master
ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4
~~~~~
No results were returned by the check query.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_master_V3R3_20251023-144120.ckl
Scan Date: 2026-01-14T12:57:40.470811
Technology Area: Database Review
| V-213904 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must protect against a user falsely rep... | - | |||
Check Text: If the database being reviewed is MSDB, trustworthy is required to be enabled, and therefore this is not a finding. Execute the following query:

SELECT SUSER_SNAME(d.owner_sid) AS DatabaseOwner,
CASE WHEN d.is_trustworthy_on = 0 THEN 'No' WHEN d.is_trustworthy_on = 1 THEN 'Yes' END AS IsTrustworthy,
CASE WHEN role.name IN ('sysadmin','securityadmin') OR permission.permission_name = 'CONTROL SERVER' THEN 'YES' ELSE 'No' END AS 'IsOwnerPrivileged'
FROM sys.databases d
LEFT JOIN sys.server_principals login ON d.owner_sid = login.sid
LEFT JOIN sys.server_role_members rm ON login.principal_id = rm.member_principal_id
LEFT JOIN sys.server_principals role ON rm.role_principal_id = role.principal_id
LEFT JOIN sys.server_permissions permission ON login.principal_id = permission.grantee_principal_id
WHERE d.name = DB_NAME()

If trustworthy is not enabled, this is not a finding. If trustworthy is enabled and the database owner is not a privileged account, this is not a finding. If trustworthy is enabled and the database owner is a privileged account, review the system documentation to determine if the trustworthy property is required and authorized. If this is not documented, this is a finding.

Fix Text: Disable trustworthy on the database.

ALTER DATABASE [<database name>] SET TRUSTWORTHY OFF

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: model
ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4
~~~~~
No results were returned by the check query.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_model_V3R3_20251023-144128.ckl
Scan Date: 2026-01-14T12:57:40.569961
Technology Area: Database Review
| V-213904 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must protect against a user falsely rep... | - | |||
Check Text: If the database being reviewed is MSDB, trustworthy is required to be enabled, and therefore this is not a finding. Execute the following query:

SELECT SUSER_SNAME(d.owner_sid) AS DatabaseOwner,
CASE WHEN d.is_trustworthy_on = 0 THEN 'No' WHEN d.is_trustworthy_on = 1 THEN 'Yes' END AS IsTrustworthy,
CASE WHEN role.name IN ('sysadmin','securityadmin') OR permission.permission_name = 'CONTROL SERVER' THEN 'YES' ELSE 'No' END AS 'IsOwnerPrivileged'
FROM sys.databases d
LEFT JOIN sys.server_principals login ON d.owner_sid = login.sid
LEFT JOIN sys.server_role_members rm ON login.principal_id = rm.member_principal_id
LEFT JOIN sys.server_principals role ON rm.role_principal_id = role.principal_id
LEFT JOIN sys.server_permissions permission ON login.principal_id = permission.grantee_principal_id
WHERE d.name = DB_NAME()

If trustworthy is not enabled, this is not a finding. If trustworthy is enabled and the database owner is not a privileged account, this is not a finding. If trustworthy is enabled and the database owner is a privileged account, review the system documentation to determine if the trustworthy property is required and authorized. If this is not documented, this is a finding.

Fix Text: Disable trustworthy on the database.

ALTER DATABASE [<database name>] SET TRUSTWORTHY OFF

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: msdb
ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4
~~~~~
No results were returned by the check query.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_msdb_V3R3_20251023-144148.ckl
Scan Date: 2026-01-14T12:57:40.663257
Technology Area: Database Review
| V-213904 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must protect against a user falsely rep... | - | |||
Check Text: If the database being reviewed is MSDB, trustworthy is required to be enabled, and therefore this is not a finding. Execute the following query:

SELECT SUSER_SNAME(d.owner_sid) AS DatabaseOwner,
CASE WHEN d.is_trustworthy_on = 0 THEN 'No' WHEN d.is_trustworthy_on = 1 THEN 'Yes' END AS IsTrustworthy,
CASE WHEN role.name IN ('sysadmin','securityadmin') OR permission.permission_name = 'CONTROL SERVER' THEN 'YES' ELSE 'No' END AS 'IsOwnerPrivileged'
FROM sys.databases d
LEFT JOIN sys.server_principals login ON d.owner_sid = login.sid
LEFT JOIN sys.server_role_members rm ON login.principal_id = rm.member_principal_id
LEFT JOIN sys.server_principals role ON rm.role_principal_id = role.principal_id
LEFT JOIN sys.server_permissions permission ON login.principal_id = permission.grantee_principal_id
WHERE d.name = DB_NAME()

If trustworthy is not enabled, this is not a finding. If trustworthy is enabled and the database owner is not a privileged account, this is not a finding. If trustworthy is enabled and the database owner is a privileged account, review the system documentation to determine if the trustworthy property is required and authorized. If this is not documented, this is a finding.

Fix Text: Disable trustworthy on the database.

ALTER DATABASE [<database name>] SET TRUSTWORTHY OFF

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: tempdb
ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4
~~~~~
No results were returned by the check query.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_tempdb_V3R3_20251023-144154.ckl
Scan Date: 2026-01-14T12:57:40.769694
Technology Area: Database Review
| V-213905 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must allow only the ISSM (or individual... | - | |||
Check Text: Obtain the list of approved audit maintainers from the system documentation. Use the following query to review database roles and their membership, all of which enable the ability to create and maintain audit specifications.

SELECT R.name AS role_name, RM.name AS role_member_name, RM.type_desc
FROM sys.database_principals R
JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id
JOIN sys.database_principals RM ON DRM.member_principal_id = RM.principal_id
WHERE R.type = 'R' AND R.name = 'db_owner'
ORDER BY role_member_name

If any role memberships are not documented and authorized, this is a finding.

Review the database roles and individual users that have the following permissions, all of which enable the ability to create and maintain audit definitions.

ALTER ANY DATABASE AUDIT
CONTROL

Use the following query to determine the roles and users that have the listed permissions:

SELECT PERM.permission_name, DP.name AS principal_name, DP.type_desc AS principal_type, DBRM.role_member_name
FROM sys.database_permissions PERM
JOIN sys.database_principals DP ON PERM.grantee_principal_id = DP.principal_id
LEFT OUTER JOIN (
  SELECT R.principal_id AS role_principal_id, R.name AS role_name, RM.name AS role_member_name
  FROM sys.database_principals R
  JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id
  JOIN sys.database_principals RM ON DRM.member_principal_id = RM.principal_id
  WHERE R.type = 'R'
) DBRM ON DP.principal_id = DBRM.role_principal_id
WHERE PERM.permission_name IN ('CONTROL','ALTER ANY DATABASE AUDIT')
ORDER BY permission_name, principal_name, role_member_name

If any of the roles or users returned have permissions that are not documented, or the documented audit maintainers do not have permissions, this is a finding.

Fix Text: Create a database role specifically for audit maintainers, and give it permission to maintain audits, without granting it unnecessary permissions (the role name used here is an example; other names may be used):

CREATE ROLE DATABASE_AUDIT_MAINTAINERS;
GO
GRANT ALTER ANY DATABASE AUDIT TO DATABASE_AUDIT_MAINTAINERS;
GO

Use REVOKE and/or DENY and/or ALTER ROLE ... DROP MEMBER ... statements to remove the ALTER ANY DATABASE AUDIT permission from all users. Then, for each authorized database user, run the statement:

ALTER ROLE DATABASE_AUDIT_MAINTAINERS ADD MEMBER;
GO

Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements to remove CONTROL DATABASE permission from logins that do not need it.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
Instance: MONT-BE-002\BKUPEXEC64
Database: BEDB
ResultHash: 7C5804625F69F918F66071C5D03C50EB7D91BF98
~~~~~
The only account authorized to act as a db owner is 'dbo', but DISA still requires it be documented as authorized:

role_name role_member_name type_desc
--------- ---------------- ---------
db_owner  dbo              SQL_USER
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_BEDB_V3R3_20251023-143959.ckl
Scan Date: 2026-01-14T12:57:40.371699
Technology Area: Database Review
| V-213905 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must allow only the ISSM (or individual... | - | |||
Check Text: Obtain the list of approved audit maintainers from the system documentation. Use the following query to review database roles and their membership, all of which enable the ability to create and maintain audit specifications.

SELECT R.name AS role_name, RM.name AS role_member_name, RM.type_desc
FROM sys.database_principals R
JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id
JOIN sys.database_principals RM ON DRM.member_principal_id = RM.principal_id
WHERE R.type = 'R' AND R.name = 'db_owner'
ORDER BY role_member_name

If any role memberships are not documented and authorized, this is a finding.

Review the database roles and individual users that have the following permissions, all of which enable the ability to create and maintain audit definitions.

ALTER ANY DATABASE AUDIT
CONTROL

Use the following query to determine the roles and users that have the listed permissions:

SELECT PERM.permission_name, DP.name AS principal_name, DP.type_desc AS principal_type, DBRM.role_member_name
FROM sys.database_permissions PERM
JOIN sys.database_principals DP ON PERM.grantee_principal_id = DP.principal_id
LEFT OUTER JOIN (
  SELECT R.principal_id AS role_principal_id, R.name AS role_name, RM.name AS role_member_name
  FROM sys.database_principals R
  JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id
  JOIN sys.database_principals RM ON DRM.member_principal_id = RM.principal_id
  WHERE R.type = 'R'
) DBRM ON DP.principal_id = DBRM.role_principal_id
WHERE PERM.permission_name IN ('CONTROL','ALTER ANY DATABASE AUDIT')
ORDER BY permission_name, principal_name, role_member_name

If any of the roles or users returned have permissions that are not documented, or the documented audit maintainers do not have permissions, this is a finding.

Fix Text: Create a database role specifically for audit maintainers, and give it permission to maintain audits, without granting it unnecessary permissions (the role name used here is an example; other names may be used):

CREATE ROLE DATABASE_AUDIT_MAINTAINERS;
GO
GRANT ALTER ANY DATABASE AUDIT TO DATABASE_AUDIT_MAINTAINERS;
GO

Use REVOKE and/or DENY and/or ALTER ROLE ... DROP MEMBER ... statements to remove the ALTER ANY DATABASE AUDIT permission from all users. Then, for each authorized database user, run the statement:

ALTER ROLE DATABASE_AUDIT_MAINTAINERS ADD MEMBER;
GO

Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements to remove CONTROL DATABASE permission from logins that do not need it.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
Instance: MONT-BE-002\BKUPEXEC64
Database: master
ResultHash: 7C5804625F69F918F66071C5D03C50EB7D91BF98
~~~~~
The only account authorized to act as a db owner is 'dbo', but DISA still requires it be documented as authorized:

role_name role_member_name type_desc
--------- ---------------- ---------
db_owner  dbo              SQL_USER
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_master_V3R3_20251023-144120.ckl
Scan Date: 2026-01-14T12:57:40.470811
Technology Area: Database Review
| V-213905 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must allow only the ISSM (or individual... | - | |||
Check Text: Obtain the list of approved audit maintainers from the system documentation. Use the following query to review database roles and their membership, all of which enable the ability to create and maintain audit specifications.

SELECT R.name AS role_name, RM.name AS role_member_name, RM.type_desc
FROM sys.database_principals R
JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id
JOIN sys.database_principals RM ON DRM.member_principal_id = RM.principal_id
WHERE R.type = 'R' AND R.name = 'db_owner'
ORDER BY role_member_name

If any role memberships are not documented and authorized, this is a finding.

Review the database roles and individual users that have the following permissions, all of which enable the ability to create and maintain audit definitions.

ALTER ANY DATABASE AUDIT
CONTROL

Use the following query to determine the roles and users that have the listed permissions:

SELECT PERM.permission_name, DP.name AS principal_name, DP.type_desc AS principal_type, DBRM.role_member_name
FROM sys.database_permissions PERM
JOIN sys.database_principals DP ON PERM.grantee_principal_id = DP.principal_id
LEFT OUTER JOIN (
  SELECT R.principal_id AS role_principal_id, R.name AS role_name, RM.name AS role_member_name
  FROM sys.database_principals R
  JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id
  JOIN sys.database_principals RM ON DRM.member_principal_id = RM.principal_id
  WHERE R.type = 'R'
) DBRM ON DP.principal_id = DBRM.role_principal_id
WHERE PERM.permission_name IN ('CONTROL','ALTER ANY DATABASE AUDIT')
ORDER BY permission_name, principal_name, role_member_name

If any of the roles or users returned have permissions that are not documented, or the documented audit maintainers do not have permissions, this is a finding.

Fix Text: Create a database role specifically for audit maintainers, and give it permission to maintain audits, without granting it unnecessary permissions (the role name used here is an example; other names may be used):

CREATE ROLE DATABASE_AUDIT_MAINTAINERS;
GO
GRANT ALTER ANY DATABASE AUDIT TO DATABASE_AUDIT_MAINTAINERS;
GO

Use REVOKE and/or DENY and/or ALTER ROLE ... DROP MEMBER ... statements to remove the ALTER ANY DATABASE AUDIT permission from all users. Then, for each authorized database user, run the statement:

ALTER ROLE DATABASE_AUDIT_MAINTAINERS ADD MEMBER;
GO

Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements to remove CONTROL DATABASE permission from logins that do not need it.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
Instance: MONT-BE-002\BKUPEXEC64
Database: model
ResultHash: 7C5804625F69F918F66071C5D03C50EB7D91BF98
~~~~~
The only account authorized to act as a db owner is 'dbo', but DISA still requires it be documented as authorized:

role_name role_member_name type_desc
--------- ---------------- ---------
db_owner  dbo              SQL_USER
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_model_V3R3_20251023-144128.ckl
Scan Date: 2026-01-14T12:57:40.569961
Technology Area: Database Review
| V-213905 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must allow only the ISSM (or individual... | - | |||
Check Text: Obtain the list of approved audit maintainers from the system documentation. Use the following query to review database roles and their membership, all of which enable the ability to create and maintain audit specifications.

SELECT R.name AS role_name, RM.name AS role_member_name, RM.type_desc
FROM sys.database_principals R
JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id
JOIN sys.database_principals RM ON DRM.member_principal_id = RM.principal_id
WHERE R.type = 'R' AND R.name = 'db_owner'
ORDER BY role_member_name

If any role memberships are not documented and authorized, this is a finding.

Review the database roles and individual users that have the following permissions, all of which enable the ability to create and maintain audit definitions.

ALTER ANY DATABASE AUDIT
CONTROL

Use the following query to determine the roles and users that have the listed permissions:

SELECT PERM.permission_name, DP.name AS principal_name, DP.type_desc AS principal_type, DBRM.role_member_name
FROM sys.database_permissions PERM
JOIN sys.database_principals DP ON PERM.grantee_principal_id = DP.principal_id
LEFT OUTER JOIN (
  SELECT R.principal_id AS role_principal_id, R.name AS role_name, RM.name AS role_member_name
  FROM sys.database_principals R
  JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id
  JOIN sys.database_principals RM ON DRM.member_principal_id = RM.principal_id
  WHERE R.type = 'R'
) DBRM ON DP.principal_id = DBRM.role_principal_id
WHERE PERM.permission_name IN ('CONTROL','ALTER ANY DATABASE AUDIT')
ORDER BY permission_name, principal_name, role_member_name

If any of the roles or users returned have permissions that are not documented, or the documented audit maintainers do not have permissions, this is a finding.

Fix Text: Create a database role specifically for audit maintainers, and give it permission to maintain audits, without granting it unnecessary permissions (the role name used here is an example; other names may be used):

CREATE ROLE DATABASE_AUDIT_MAINTAINERS;
GO
GRANT ALTER ANY DATABASE AUDIT TO DATABASE_AUDIT_MAINTAINERS;
GO

Use REVOKE and/or DENY and/or ALTER ROLE ... DROP MEMBER ... statements to remove the ALTER ANY DATABASE AUDIT permission from all users. Then, for each authorized database user, run the statement:

ALTER ROLE DATABASE_AUDIT_MAINTAINERS ADD MEMBER;
GO

Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements to remove CONTROL DATABASE permission from logins that do not need it.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
Instance: MONT-BE-002\BKUPEXEC64
Database: msdb
ResultHash: 7C5804625F69F918F66071C5D03C50EB7D91BF98
~~~~~
The only account authorized to act as a db owner is 'dbo', but DISA still requires it be documented as authorized:

role_name role_member_name type_desc
--------- ---------------- ---------
db_owner  dbo              SQL_USER
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_msdb_V3R3_20251023-144148.ckl
Scan Date: 2026-01-14T12:57:40.663257
Technology Area: Database Review
| V-213905 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must allow only the ISSM (or individual... | - | |||
Check Text: Obtain the list of approved audit maintainers from the system documentation. Use the following query to review database roles and their membership, all of which enable the ability to create and maintain audit specifications.

SELECT R.name AS role_name, RM.name AS role_member_name, RM.type_desc
FROM sys.database_principals R
JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id
JOIN sys.database_principals RM ON DRM.member_principal_id = RM.principal_id
WHERE R.type = 'R' AND R.name = 'db_owner'
ORDER BY role_member_name

If any role memberships are not documented and authorized, this is a finding.

Review the database roles and individual users that have the following permissions, all of which enable the ability to create and maintain audit definitions.

ALTER ANY DATABASE AUDIT
CONTROL

Use the following query to determine the roles and users that have the listed permissions:

SELECT PERM.permission_name, DP.name AS principal_name, DP.type_desc AS principal_type, DBRM.role_member_name
FROM sys.database_permissions PERM
JOIN sys.database_principals DP ON PERM.grantee_principal_id = DP.principal_id
LEFT OUTER JOIN (
  SELECT R.principal_id AS role_principal_id, R.name AS role_name, RM.name AS role_member_name
  FROM sys.database_principals R
  JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id
  JOIN sys.database_principals RM ON DRM.member_principal_id = RM.principal_id
  WHERE R.type = 'R'
) DBRM ON DP.principal_id = DBRM.role_principal_id
WHERE PERM.permission_name IN ('CONTROL','ALTER ANY DATABASE AUDIT')
ORDER BY permission_name, principal_name, role_member_name

If any of the roles or users returned have permissions that are not documented, or the documented audit maintainers do not have permissions, this is a finding.

Fix Text: Create a database role specifically for audit maintainers, and give it permission to maintain audits, without granting it unnecessary permissions (the role name used here is an example; other names may be used):

CREATE ROLE DATABASE_AUDIT_MAINTAINERS;
GO
GRANT ALTER ANY DATABASE AUDIT TO DATABASE_AUDIT_MAINTAINERS;
GO

Use REVOKE and/or DENY and/or ALTER ROLE ... DROP MEMBER ... statements to remove the ALTER ANY DATABASE AUDIT permission from all users. Then, for each authorized database user, run the statement:

ALTER ROLE DATABASE_AUDIT_MAINTAINERS ADD MEMBER;
GO

Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements to remove CONTROL DATABASE permission from logins that do not need it.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
Instance: MONT-BE-002\BKUPEXEC64
Database: tempdb
ResultHash: 7C5804625F69F918F66071C5D03C50EB7D91BF98
~~~~~
The only account authorized to act as a db owner is 'dbo', but DISA still requires it be documented as authorized:

role_name role_member_name type_desc
--------- ---------------- ---------
db_owner  dbo              SQL_USER
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_tempdb_V3R3_20251023-144154.ckl
Scan Date: 2026-01-14T12:57:40.769694
Technology Area: Database Review
| V-213907 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must limit privileges to change softwar... | - | |||
Check Text: Obtain a listing of schema ownership from the server documentation. Execute the following query to obtain a current listing of schema ownership.

SELECT s.name AS schema_name, p.name AS owning_principal
FROM sys.schemas s
JOIN sys.database_principals p ON s.principal_id = p.principal_id
WHERE p.name != 'dbo'
AND (s.name != p.name or p.name not in (
  'db_accessadmin', 'db_backupoperator', 'db_datareader', 'db_datawriter', 'db_ddladmin',
  'db_denydatareader', 'db_denydatawriter', 'db_owner', 'db_securityadmin', 'guest',
  'INFORMATION_SCHEMA', 'sys', 'TargetServersRole', 'SQLAgentUserRole', 'SQLAgentReaderRole',
  'SQLAgentOperatorRole', 'DatabaseMailUserRole', 'db_ssisadmin', 'db_ssisltduser',
  'db_ssisoperator', 'replmonitor', '##MS_SSISServerCleanupJobLogin##'
))
ORDER BY schema_name

If any schema is owned by an unauthorized database principal, this is a finding.

Fix Text: Transfer ownership of database schemas to authorized database principals.

ALTER AUTHORIZATION ON SCHEMA::[<Schema Name>] TO [<Principal Name>]

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: BEDB
ResultHash: A98892EF5388104C56E8D20C589B864AEFC2578F
~~~~~
No principals other than the standard MSSQL principals own database schemas.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_BEDB_V3R3_20251023-143959.ckl
Scan Date: 2026-01-14T12:57:40.371699
Technology Area: Database Review
| V-213907 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must limit privileges to change softwar... | - | |||
Check Text: Obtain a listing of schema ownership from the server documentation. Execute the following query to obtain a current listing of schema ownership.

SELECT s.name AS schema_name, p.name AS owning_principal
FROM sys.schemas s
JOIN sys.database_principals p ON s.principal_id = p.principal_id
WHERE p.name != 'dbo'
AND (s.name != p.name or p.name not in (
  'db_accessadmin', 'db_backupoperator', 'db_datareader', 'db_datawriter', 'db_ddladmin',
  'db_denydatareader', 'db_denydatawriter', 'db_owner', 'db_securityadmin', 'guest',
  'INFORMATION_SCHEMA', 'sys', 'TargetServersRole', 'SQLAgentUserRole', 'SQLAgentReaderRole',
  'SQLAgentOperatorRole', 'DatabaseMailUserRole', 'db_ssisadmin', 'db_ssisltduser',
  'db_ssisoperator', 'replmonitor', '##MS_SSISServerCleanupJobLogin##'
))
ORDER BY schema_name

If any schema is owned by an unauthorized database principal, this is a finding.

Fix Text: Transfer ownership of database schemas to authorized database principals.

ALTER AUTHORIZATION ON SCHEMA::[<Schema Name>] TO [<Principal Name>]

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: master
ResultHash: A98892EF5388104C56E8D20C589B864AEFC2578F
~~~~~
No principals other than the standard MSSQL principals own database schemas.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_master_V3R3_20251023-144120.ckl
Scan Date: 2026-01-14T12:57:40.470811
Technology Area: Database Review
| V-213907 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must limit privileges to change softwar... | - | |||
Check Text: Obtain a listing of schema ownership from the server documentation. Execute the following query to obtain a current listing of schema ownership.

SELECT s.name AS schema_name, p.name AS owning_principal
FROM sys.schemas s
JOIN sys.database_principals p ON s.principal_id = p.principal_id
WHERE p.name != 'dbo'
AND (s.name != p.name or p.name not in (
  'db_accessadmin', 'db_backupoperator', 'db_datareader', 'db_datawriter', 'db_ddladmin',
  'db_denydatareader', 'db_denydatawriter', 'db_owner', 'db_securityadmin', 'guest',
  'INFORMATION_SCHEMA', 'sys', 'TargetServersRole', 'SQLAgentUserRole', 'SQLAgentReaderRole',
  'SQLAgentOperatorRole', 'DatabaseMailUserRole', 'db_ssisadmin', 'db_ssisltduser',
  'db_ssisoperator', 'replmonitor', '##MS_SSISServerCleanupJobLogin##'
))
ORDER BY schema_name

If any schema is owned by an unauthorized database principal, this is a finding.

Fix Text: Transfer ownership of database schemas to authorized database principals.

ALTER AUTHORIZATION ON SCHEMA::[<Schema Name>] TO [<Principal Name>]

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: model
ResultHash: A98892EF5388104C56E8D20C589B864AEFC2578F
~~~~~
No principals other than the standard MSSQL principals own database schemas.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_model_V3R3_20251023-144128.ckl
Scan Date: 2026-01-14T12:57:40.569961
Technology Area: Database Review
| V-213907 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must limit privileges to change softwar... | - | |||
Check Text: Obtain a listing of schema ownership from the server documentation. Execute the following query to obtain a current listing of schema ownership.

```sql
SELECT s.name AS schema_name, p.name AS owning_principal
FROM sys.schemas s
JOIN sys.database_principals p ON s.principal_id = p.principal_id
WHERE p.name != 'dbo'
  AND (s.name != p.name
       OR p.name NOT IN (
           'db_accessadmin', 'db_backupoperator', 'db_datareader', 'db_datawriter',
           'db_ddladmin', 'db_denydatareader', 'db_denydatawriter', 'db_owner',
           'db_securityadmin', 'guest', 'INFORMATION_SCHEMA', 'sys',
           'TargetServersRole', 'SQLAgentUserRole', 'SQLAgentReaderRole',
           'SQLAgentOperatorRole', 'DatabaseMailUserRole', 'db_ssisadmin',
           'db_ssisltduser', 'db_ssisoperator', 'replmonitor',
           '##MS_SSISServerCleanupJobLogin##'))
ORDER BY schema_name
```

If any schema is owned by an unauthorized database principal, this is a finding.

Fix Text: Transfer ownership of database schemas to authorized database principals.

```sql
ALTER AUTHORIZATION ON SCHEMA::[<Schema Name>] TO [<Principal Name>]
```

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: msdb
ResultHash: A98892EF5388104C56E8D20C589B864AEFC2578F

No principals other than the standard MSSQL principals own database schemas.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_msdb_V3R3_20251023-144148.ckl
Scan Date: 2026-01-14T12:57:40.663257
Technology Area: Database Review
| V-213907 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must limit privileges to change softwar... | - | |||
Check Text: Obtain a listing of schema ownership from the server documentation. Execute the following query to obtain a current listing of schema ownership.

```sql
SELECT s.name AS schema_name, p.name AS owning_principal
FROM sys.schemas s
JOIN sys.database_principals p ON s.principal_id = p.principal_id
WHERE p.name != 'dbo'
  AND (s.name != p.name
       OR p.name NOT IN (
           'db_accessadmin', 'db_backupoperator', 'db_datareader', 'db_datawriter',
           'db_ddladmin', 'db_denydatareader', 'db_denydatawriter', 'db_owner',
           'db_securityadmin', 'guest', 'INFORMATION_SCHEMA', 'sys',
           'TargetServersRole', 'SQLAgentUserRole', 'SQLAgentReaderRole',
           'SQLAgentOperatorRole', 'DatabaseMailUserRole', 'db_ssisadmin',
           'db_ssisltduser', 'db_ssisoperator', 'replmonitor',
           '##MS_SSISServerCleanupJobLogin##'))
ORDER BY schema_name
```

If any schema is owned by an unauthorized database principal, this is a finding.

Fix Text: Transfer ownership of database schemas to authorized database principals.

```sql
ALTER AUTHORIZATION ON SCHEMA::[<Schema Name>] TO [<Principal Name>]
```

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: tempdb
ResultHash: A98892EF5388104C56E8D20C589B864AEFC2578F

No principals other than the standard MSSQL principals own database schemas.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_tempdb_V3R3_20251023-144154.ckl
Scan Date: 2026-01-14T12:57:40.769694
Technology Area: Database Review
| V-213908 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | Database objects (including but not limited to tab... | - | |||
Check Text: Review system documentation to identify SQL Server accounts authorized to own database objects. If the SQL Server database ownership list does not exist or needs to be updated, this is a finding. The following query can be of use in making this determination:

```sql
;WITH objects_cte AS (
    SELECT o.name, o.type_desc,
           CASE WHEN o.principal_id IS NULL THEN s.principal_id
                ELSE o.principal_id END AS principal_id
    FROM sys.objects o
    INNER JOIN sys.schemas s ON o.schema_id = s.schema_id
    WHERE o.is_ms_shipped = 0
)
SELECT cte.name, cte.type_desc, dp.name AS ObjectOwner
FROM objects_cte cte
INNER JOIN sys.database_principals dp ON cte.principal_id = dp.principal_id
ORDER BY dp.name, cte.name
```

If any of the listed owners is not authorized, this is a finding.

Fix Text: Add and/or update system documentation to include any accounts authorized for object ownership and remove any account not authorized. To change the schema owning a database object in SQL Server, use this code as an example:

```sql
USE AdventureWorks2012;
GO
ALTER SCHEMA HumanResources TRANSFER Person.Address;
GO
```

Caution: This can break code. This Fix should be implemented in conjunction with corrections to such code. Test before deploying in production. Deploy during a scheduled maintenance window.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: BEDB
ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4

No results were returned by the check query.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_BEDB_V3R3_20251023-143959.ckl
Scan Date: 2026-01-14T12:57:40.371699
Technology Area: Database Review
| V-213908 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | Database objects (including but not limited to tab... | - | |||
Check Text: Review system documentation to identify SQL Server accounts authorized to own database objects. If the SQL Server database ownership list does not exist or needs to be updated, this is a finding. The following query can be of use in making this determination:

```sql
;WITH objects_cte AS (
    SELECT o.name, o.type_desc,
           CASE WHEN o.principal_id IS NULL THEN s.principal_id
                ELSE o.principal_id END AS principal_id
    FROM sys.objects o
    INNER JOIN sys.schemas s ON o.schema_id = s.schema_id
    WHERE o.is_ms_shipped = 0
)
SELECT cte.name, cte.type_desc, dp.name AS ObjectOwner
FROM objects_cte cte
INNER JOIN sys.database_principals dp ON cte.principal_id = dp.principal_id
ORDER BY dp.name, cte.name
```

If any of the listed owners is not authorized, this is a finding.

Fix Text: Add and/or update system documentation to include any accounts authorized for object ownership and remove any account not authorized. To change the schema owning a database object in SQL Server, use this code as an example:

```sql
USE AdventureWorks2012;
GO
ALTER SCHEMA HumanResources TRANSFER Person.Address;
GO
```

Caution: This can break code. This Fix should be implemented in conjunction with corrections to such code. Test before deploying in production. Deploy during a scheduled maintenance window.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: master
ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4

No results were returned by the check query.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_master_V3R3_20251023-144120.ckl
Scan Date: 2026-01-14T12:57:40.470811
Technology Area: Database Review
| V-213908 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | Database objects (including but not limited to tab... | - | |||
Check Text: Review system documentation to identify SQL Server accounts authorized to own database objects. If the SQL Server database ownership list does not exist or needs to be updated, this is a finding. The following query can be of use in making this determination:

```sql
;WITH objects_cte AS (
    SELECT o.name, o.type_desc,
           CASE WHEN o.principal_id IS NULL THEN s.principal_id
                ELSE o.principal_id END AS principal_id
    FROM sys.objects o
    INNER JOIN sys.schemas s ON o.schema_id = s.schema_id
    WHERE o.is_ms_shipped = 0
)
SELECT cte.name, cte.type_desc, dp.name AS ObjectOwner
FROM objects_cte cte
INNER JOIN sys.database_principals dp ON cte.principal_id = dp.principal_id
ORDER BY dp.name, cte.name
```

If any of the listed owners is not authorized, this is a finding.

Fix Text: Add and/or update system documentation to include any accounts authorized for object ownership and remove any account not authorized. To change the schema owning a database object in SQL Server, use this code as an example:

```sql
USE AdventureWorks2012;
GO
ALTER SCHEMA HumanResources TRANSFER Person.Address;
GO
```

Caution: This can break code. This Fix should be implemented in conjunction with corrections to such code. Test before deploying in production. Deploy during a scheduled maintenance window.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: model
ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4

No results were returned by the check query.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_model_V3R3_20251023-144128.ckl
Scan Date: 2026-01-14T12:57:40.569961
Technology Area: Database Review
| V-213908 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | Database objects (including but not limited to tab... | - | |||
Check Text: Review system documentation to identify SQL Server accounts authorized to own database objects. If the SQL Server database ownership list does not exist or needs to be updated, this is a finding. The following query can be of use in making this determination:

```sql
;WITH objects_cte AS (
    SELECT o.name, o.type_desc,
           CASE WHEN o.principal_id IS NULL THEN s.principal_id
                ELSE o.principal_id END AS principal_id
    FROM sys.objects o
    INNER JOIN sys.schemas s ON o.schema_id = s.schema_id
    WHERE o.is_ms_shipped = 0
)
SELECT cte.name, cte.type_desc, dp.name AS ObjectOwner
FROM objects_cte cte
INNER JOIN sys.database_principals dp ON cte.principal_id = dp.principal_id
ORDER BY dp.name, cte.name
```

If any of the listed owners is not authorized, this is a finding.

Fix Text: Add and/or update system documentation to include any accounts authorized for object ownership and remove any account not authorized. To change the schema owning a database object in SQL Server, use this code as an example:

```sql
USE AdventureWorks2012;
GO
ALTER SCHEMA HumanResources TRANSFER Person.Address;
GO
```

Caution: This can break code. This Fix should be implemented in conjunction with corrections to such code. Test before deploying in production. Deploy during a scheduled maintenance window.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: msdb
ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4

No results were returned by the check query.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_msdb_V3R3_20251023-144148.ckl
Scan Date: 2026-01-14T12:57:40.663257
Technology Area: Database Review
| V-213908 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | Database objects (including but not limited to tab... | - | |||
Check Text: Review system documentation to identify SQL Server accounts authorized to own database objects. If the SQL Server database ownership list does not exist or needs to be updated, this is a finding. The following query can be of use in making this determination:

```sql
;WITH objects_cte AS (
    SELECT o.name, o.type_desc,
           CASE WHEN o.principal_id IS NULL THEN s.principal_id
                ELSE o.principal_id END AS principal_id
    FROM sys.objects o
    INNER JOIN sys.schemas s ON o.schema_id = s.schema_id
    WHERE o.is_ms_shipped = 0
)
SELECT cte.name, cte.type_desc, dp.name AS ObjectOwner
FROM objects_cte cte
INNER JOIN sys.database_principals dp ON cte.principal_id = dp.principal_id
ORDER BY dp.name, cte.name
```

If any of the listed owners is not authorized, this is a finding.

Fix Text: Add and/or update system documentation to include any accounts authorized for object ownership and remove any account not authorized. To change the schema owning a database object in SQL Server, use this code as an example:

```sql
USE AdventureWorks2012;
GO
ALTER SCHEMA HumanResources TRANSFER Person.Address;
GO
```

Caution: This can break code. This Fix should be implemented in conjunction with corrections to such code. Test before deploying in production. Deploy during a scheduled maintenance window.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: tempdb
ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4

No results were returned by the check query.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_tempdb_V3R3_20251023-144154.ckl
Scan Date: 2026-01-14T12:57:40.769694
Technology Area: Database Review
| V-213909 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | The role(s)/group(s) used to modify database struc... | - | |||
Check Text: Obtain a listing of users and roles who are authorized to create, alter, or replace logic modules from the server documentation. Execute the following queries:

```sql
SELECT P.type_desc AS principal_type, P.name AS principal_name, O.type_desc,
       CASE class
           WHEN 0 THEN DB_NAME()
           WHEN 1 THEN OBJECT_SCHEMA_NAME(major_id) + '.' + OBJECT_NAME(major_id)
           WHEN 3 THEN SCHEMA_NAME(major_id)
           ELSE class_desc + '(' + CAST(major_id AS nvarchar) + ')'
       END AS securable_name,
       DP.state_desc, DP.permission_name
FROM sys.database_permissions DP
JOIN sys.database_principals P ON DP.grantee_principal_id = P.principal_id
LEFT OUTER JOIN sys.all_objects O
    ON O.object_id = DP.major_id
   AND O.type IN ('TR','TA','P','X','RF','PC','IF','FN','TF','U')
WHERE DP.type IN ('AL','ALTG') AND DP.class IN (0, 1, 53)

SELECT R.name AS role_name, M.type_desc AS principal_type, M.name AS principal_name
FROM sys.database_principals R
JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id
JOIN sys.database_principals M ON DRM.member_principal_id = M.principal_id
WHERE R.name IN ('db_ddladmin','db_owner') AND M.name != 'dbo'
```

If any users or role permissions returned are not authorized to modify the specified object or type, this is a finding. If any user or role membership is not authorized, this is a finding.

Fix Text: Document and obtain approval for any nonadministrative users who require the ability to modify database structure and logic modules.

```sql
REVOKE ALTER ON [<Object Name>] TO [<Principal Name>]
```

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: BEDB
ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1

No results were returned by the check queries.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_BEDB_V3R3_20251023-143959.ckl
Scan Date: 2026-01-14T12:57:40.371699
Technology Area: Database Review
| V-213909 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | The role(s)/group(s) used to modify database struc... | - | |||
Check Text: Obtain a listing of users and roles who are authorized to create, alter, or replace logic modules from the server documentation. Execute the following queries:

```sql
SELECT P.type_desc AS principal_type, P.name AS principal_name, O.type_desc,
       CASE class
           WHEN 0 THEN DB_NAME()
           WHEN 1 THEN OBJECT_SCHEMA_NAME(major_id) + '.' + OBJECT_NAME(major_id)
           WHEN 3 THEN SCHEMA_NAME(major_id)
           ELSE class_desc + '(' + CAST(major_id AS nvarchar) + ')'
       END AS securable_name,
       DP.state_desc, DP.permission_name
FROM sys.database_permissions DP
JOIN sys.database_principals P ON DP.grantee_principal_id = P.principal_id
LEFT OUTER JOIN sys.all_objects O
    ON O.object_id = DP.major_id
   AND O.type IN ('TR','TA','P','X','RF','PC','IF','FN','TF','U')
WHERE DP.type IN ('AL','ALTG') AND DP.class IN (0, 1, 53)

SELECT R.name AS role_name, M.type_desc AS principal_type, M.name AS principal_name
FROM sys.database_principals R
JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id
JOIN sys.database_principals M ON DRM.member_principal_id = M.principal_id
WHERE R.name IN ('db_ddladmin','db_owner') AND M.name != 'dbo'
```

If any users or role permissions returned are not authorized to modify the specified object or type, this is a finding. If any user or role membership is not authorized, this is a finding.

Fix Text: Document and obtain approval for any nonadministrative users who require the ability to modify database structure and logic modules.

```sql
REVOKE ALTER ON [<Object Name>] TO [<Principal Name>]
```

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: master
ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1

No results were returned by the check queries.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_master_V3R3_20251023-144120.ckl
Scan Date: 2026-01-14T12:57:40.470811
Technology Area: Database Review
| V-213909 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | The role(s)/group(s) used to modify database struc... | - | |||
Check Text: Obtain a listing of users and roles who are authorized to create, alter, or replace logic modules from the server documentation. Execute the following queries:

```sql
SELECT P.type_desc AS principal_type, P.name AS principal_name, O.type_desc,
       CASE class
           WHEN 0 THEN DB_NAME()
           WHEN 1 THEN OBJECT_SCHEMA_NAME(major_id) + '.' + OBJECT_NAME(major_id)
           WHEN 3 THEN SCHEMA_NAME(major_id)
           ELSE class_desc + '(' + CAST(major_id AS nvarchar) + ')'
       END AS securable_name,
       DP.state_desc, DP.permission_name
FROM sys.database_permissions DP
JOIN sys.database_principals P ON DP.grantee_principal_id = P.principal_id
LEFT OUTER JOIN sys.all_objects O
    ON O.object_id = DP.major_id
   AND O.type IN ('TR','TA','P','X','RF','PC','IF','FN','TF','U')
WHERE DP.type IN ('AL','ALTG') AND DP.class IN (0, 1, 53)

SELECT R.name AS role_name, M.type_desc AS principal_type, M.name AS principal_name
FROM sys.database_principals R
JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id
JOIN sys.database_principals M ON DRM.member_principal_id = M.principal_id
WHERE R.name IN ('db_ddladmin','db_owner') AND M.name != 'dbo'
```

If any users or role permissions returned are not authorized to modify the specified object or type, this is a finding. If any user or role membership is not authorized, this is a finding.

Fix Text: Document and obtain approval for any nonadministrative users who require the ability to modify database structure and logic modules.

```sql
REVOKE ALTER ON [<Object Name>] TO [<Principal Name>]
```

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: model
ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1

No results were returned by the check queries.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_model_V3R3_20251023-144128.ckl
Scan Date: 2026-01-14T12:57:40.569961
Technology Area: Database Review
| V-213909 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | The role(s)/group(s) used to modify database struc... | - | |||
Check Text: Obtain a listing of users and roles who are authorized to create, alter, or replace logic modules from the server documentation. Execute the following queries:

```sql
SELECT P.type_desc AS principal_type, P.name AS principal_name, O.type_desc,
       CASE class
           WHEN 0 THEN DB_NAME()
           WHEN 1 THEN OBJECT_SCHEMA_NAME(major_id) + '.' + OBJECT_NAME(major_id)
           WHEN 3 THEN SCHEMA_NAME(major_id)
           ELSE class_desc + '(' + CAST(major_id AS nvarchar) + ')'
       END AS securable_name,
       DP.state_desc, DP.permission_name
FROM sys.database_permissions DP
JOIN sys.database_principals P ON DP.grantee_principal_id = P.principal_id
LEFT OUTER JOIN sys.all_objects O
    ON O.object_id = DP.major_id
   AND O.type IN ('TR','TA','P','X','RF','PC','IF','FN','TF','U')
WHERE DP.type IN ('AL','ALTG') AND DP.class IN (0, 1, 53)

SELECT R.name AS role_name, M.type_desc AS principal_type, M.name AS principal_name
FROM sys.database_principals R
JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id
JOIN sys.database_principals M ON DRM.member_principal_id = M.principal_id
WHERE R.name IN ('db_ddladmin','db_owner') AND M.name != 'dbo'
```

If any users or role permissions returned are not authorized to modify the specified object or type, this is a finding. If any user or role membership is not authorized, this is a finding.

Fix Text: Document and obtain approval for any nonadministrative users who require the ability to modify database structure and logic modules.

```sql
REVOKE ALTER ON [<Object Name>] TO [<Principal Name>]
```

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: msdb
ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1

No results were returned by the check queries.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_msdb_V3R3_20251023-144148.ckl
Scan Date: 2026-01-14T12:57:40.663257
Technology Area: Database Review
| V-213909 | CAT II | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | The role(s)/group(s) used to modify database struc... | - | |||
Check Text: Obtain a listing of users and roles who are authorized to create, alter, or replace logic modules from the server documentation. Execute the following queries:

```sql
SELECT P.type_desc AS principal_type, P.name AS principal_name, O.type_desc,
       CASE class
           WHEN 0 THEN DB_NAME()
           WHEN 1 THEN OBJECT_SCHEMA_NAME(major_id) + '.' + OBJECT_NAME(major_id)
           WHEN 3 THEN SCHEMA_NAME(major_id)
           ELSE class_desc + '(' + CAST(major_id AS nvarchar) + ')'
       END AS securable_name,
       DP.state_desc, DP.permission_name
FROM sys.database_permissions DP
JOIN sys.database_principals P ON DP.grantee_principal_id = P.principal_id
LEFT OUTER JOIN sys.all_objects O
    ON O.object_id = DP.major_id
   AND O.type IN ('TR','TA','P','X','RF','PC','IF','FN','TF','U')
WHERE DP.type IN ('AL','ALTG') AND DP.class IN (0, 1, 53)

SELECT R.name AS role_name, M.type_desc AS principal_type, M.name AS principal_name
FROM sys.database_principals R
JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id
JOIN sys.database_principals M ON DRM.member_principal_id = M.principal_id
WHERE R.name IN ('db_ddladmin','db_owner') AND M.name != 'dbo'
```

If any users or role permissions returned are not authorized to modify the specified object or type, this is a finding. If any user or role membership is not authorized, this is a finding.

Fix Text: Document and obtain approval for any nonadministrative users who require the ability to modify database structure and logic modules.

```sql
REVOKE ALTER ON [<Object Name>] TO [<Principal Name>]
```

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: tempdb
ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1

No results were returned by the check queries.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_tempdb_V3R3_20251023-144154.ckl
Scan Date: 2026-01-14T12:57:40.769694
Technology Area: Database Review