USNS MONTFORD POINT - Findings

V-213900 CAT I SQL Server databases must integrate with an organization-lev...

5 assets 5 Closed MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5 ~~~~~ Instance does not have Contained Databases enabled. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5 ~~~~~ Instance does not have Contained Databases enabled. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5 ~~~~~ Instance does not have Contained Databases enabled. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5 ~~~~~ Instance does not have Contained Databases enabled. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5 ~~~~~ Instance does not have Contained Databases enabled. Comments

Check Text

Determine if SQL Server is configured to allow the use of contained databases, if it is, take the appropriate precautions to limit their risk. 1) In the Object Explorer in SQL Server Management Studio (SSMS), right-click on the server instance, select "Properties", and then select the "Advanced" page. If "Enabled Contained Databases" is "False", this is not a finding. 2) If "Enabled Contained Databases" is "True", then in a query interface such as the SSMS Transact-SQL editor, run the statement: EXEC sp_configure 'contained database authentication' If the returned value in the "config_value" and/or "run_value" column is "0", this is not a finding. 3) Determine whether SQL Server is configured to use only Windows authentication. In a query interface such as the SSMS Transact-SQL editor, run the statement: SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly') WHEN 1 THEN 'Windows Authentication' WHEN 0 THEN 'Windows and SQL Server Authentication' END as [Authentication Mode] If the returned value in the "Authentication Mode" column is "Windows Authentication", this is not a finding. If mixed mode (both SQL Server authentication and Windows authentication) is in use, then it must be documented and approved. From the documentation, obtain the list of accounts authorized to be managed by SQL Server. Determine the accounts (SQL Logins) actually managed by SQL Server. Run the statement: SELECT name FROM sys.database_principals WHERE type_desc = 'SQL_USER' AND authentication_type_desc = 'DATABASE'; If any accounts listed by the query are not listed in the documentation, this is a finding. Documentation must be approved by the information system security officer (ISSO)/ information system security manager (ISSM).

Fix Text

If mixed mode is required, document the need and justification; describe the measures taken to ensure the use of SQL Server authentication is kept to a minimum; describe the measures taken to safeguard passwords; list or describe the SQL Logins used; and obtain official approval. If mixed mode is not required, disable it as follows: In the SSMS Object Explorer, right-click on the server instance, select Properties >> Security page. Click the radio button for "Windows Authentication Mode", and then click "OK". Restart the SQL Server instance. OR Run the statement: USE [master] EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode', REG_DWORD, 2 GO Restart the SQL Server instance. For each account being managed by SQL Server but not requiring it, drop or disable the SQL Database user. Replace it with an appropriately configured account, as needed. To drop a User in the SSMS Object Explorer: Navigate to Databases >> Security Users. Right-click on the User name, and then click "Delete". To drop a User via a query: USE database_name; DROP USER <user_name>;

V-213901 CAT I SQL Server must enforce approved authorizations for logical ...

5 assets MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT APPLICABLE on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: E72A43AA1F56BC880CAFBD122F108E27602D0980 ~~~~~ This is the 'tempdb' database so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: CD95A213FC4476 ~~~~~ Review the system Here are the row QueryType ResultCount CheckSum --------- ----------- -------- Owner 1 34509070 Privileges 391 -403485259 Roles 17 348690621 Details for the Database Owner query: database_owner -------------- sa Details for the Database Roles query: database_role ------------- db_owner dbo SQLAgentUserRole SQLAgentReaderRole SQLAgentUserRole db_ssisltduser db_ssisoperator dc_operator db_ssisltduser db_ssisoperator SQLAgentUserRole db_ssisoperator dc_admin SQLAgentOperatorRole ServerGroupReaderRole PolicyAdministratorRole PolicyAdministratorRole UtilityIMRReader Details for the Privileges query: grantee_type grantee ------------ ------- SQL_USER ##MS_PolicyE SQL_USER ##MS_PolicyE SQL_USER ##MS_PolicyT DATABASE_ROLE DatabaseMailUserRole DATABASE_ROLE DatabaseMailUserRole DATABASE_ROLE DatabaseMailUserRole DATABASE_ROLE DatabaseMailUserRole DATABASE_ROLE DatabaseMailUserRole DATABASE_ROLE DatabaseMailUserRole DATABASE_ROLE DatabaseMailUserRole DATABASE_ROLE DatabaseMailUserRole DATABASE_ROLE DatabaseMailUserRole DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisoperator DATABASE_ROLE db_ssisoperator DATABASE_ROLE db_ssisoperator DATABASE_ROLE db_ssisoperator DATABASE_ROLE db_ssisoperator DATABASE_ROLE db_ssisoperator DATABASE_ROLE db_ssisoperator DATABASE_ROLE db_ssisoperator DATABASE_ROLE db_ssisoperator SQL_USER dbo DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy SQL_USER guest SQL_USER MS_DataColle DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole ---truncated results. (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: B7F4C08031802041EE9D911C58 documentation to determine the required levels of protection for securables in the database by type of user, then compare that against the following permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. counts and checksums for the three queries in the supplemental STIG file 'Database permission assignments to users and roles.sql': role_member ----------- SQLAgentReaderRole SQLAgentOperatorRole dc_operator dc_operator dc_operator dc_admin dc_proxy dc_proxy MS_DataCollectorInternalUser MS_DataCollectorInternalUser MS_DataCollectorInternalUser PolicyAdministratorRole ServerGroupAdministratorRole ##MS_PolicyEventProcessingLogin## ##MS_PolicyTsqlExecutionLogin## UtilityIMRWriter state_desc permission_name securable_class schema_or_owner securable ---------- --------------- --------------- --------------- --------- ventProcessingLogin## GRANT CONNECT DATABASE msdb ventProcessingLogin## GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_events_reader sqlExecutionLogin## GRANT CONNECT DATABASE msdb GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_send_dbmail GRANT SELECT VIEW dbo sysmail_allitems GRANT EXECUTE SQL_STORED_PROCEDURE dbo sysmail_delete_mailitems_sp GRANT SELECT VIEW dbo sysmail_event_log GRANT SELECT VIEW dbo sysmail_faileditems GRANT EXECUTE SQL_STORED_PROCEDURE dbo sysmail_help_status_sp GRANT SELECT VIEW dbo sysmail_mailattachments GRANT SELECT VIEW dbo sysmail_sentitems GRANT SELECT VIEW dbo sysmail_unsentitems GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_addfolder GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_addlogentry GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_checkexists GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletefolder GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletepackage GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getfolder GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackage GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackageroles GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listfolders GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listpackages GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_putpackage GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_renamefolder GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_setpackageroles GRANT DELETE USER_TABLE dbo sysssislog GRANT INSERT USER_TABLE dbo sysssislog GRANT REFERENCES USER_TABLE dbo sysssislog GRANT SELECT USER_TABLE dbo sysssislog GRANT UPDATE USER_TABLE dbo sysssislog GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_addfolder GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_addlogentry GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_checkexists GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletefolder GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletepackage GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getfolder GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackage GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackageroles GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listfolders GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listpackages GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_putpackage GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_renamefolder GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_setpackageroles GRANT INSERT USER_TABLE dbo sysssislog GRANT SELECT USER_TABLE dbo sysssislog GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_checkexists GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletepackage GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getfolder GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackage GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listfolders GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listpackages GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_putpackage GRANT INSERT USER_TABLE dbo sysssislog GRANT SELECT USER_TABLE dbo sysssislog GRANT CONNECT DATABASE msdb GRANT IMPERSONATE DATABASE_PRINCIPAL MS_DataCollectorInternalUser GRANT EXECUTE SQL_SCALAR_FUNCTION dbo fn_syscollector_highest_incompatible_mdw_version GRANT EXECUTE XML_SCHEMA_COLLECTION dbo schema_collection_Generic SQL Trace Collector Type GRANT VIEW DEFINITION XML_SCHEMA_COLLECTION dbo schema_collection_Generic SQL Trace Collector Type GRANT EXECUTE XML_SCHEMA_COLLECTION dbo schema_collection_Generic T-SQL Query Collector... GRANT VIEW DEFINITION XML_SCHEMA_COLLECTION dbo schema_collection_Generic T-SQL Query Collector... GRANT EXECUTE XML_SCHEMA_COLLECTION dbo schema_collection_Performance Counters Collecto... GRANT VIEW DEFINITION XML_SCHEMA_COLLECTION dbo schema_collection_Performance Counters Collecto... GRANT EXECUTE XML_SCHEMA_COLLECTION dbo schema_collection_Query Activity Collector Type GRANT VIEW DEFINITION XML_SCHEMA_COLLECTION dbo schema_collection_Query Activity Collector Type GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_cleanup_collector GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_collection_item GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_collection_set GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_collector_type GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_delete_collection_item GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_delete_collection_set GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_delete_collector_type GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_set_cache_directory GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_set_cache_window GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_set_warehouse_database_name GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_set_warehouse_instance_name GRANT EXECUTE SQL_SCALAR_FUNCTION dbo fn_syscollector_find_collection_set_root GRANT SELECT SQL_INLINE_TABLE_VALUED_FUNCTION dbo fn_syscollector_get_execution_details GRANT SELECT SQL_INLINE_TABLE_VALUED_FUNCTION dbo fn_syscollector_get_execution_log_tree GRANT SELECT SQL_INLINE_TABLE_VALUED_FUNCTION dbo fn_syscollector_get_execution_stats GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_tsql_query_collector GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_delete_execution_log_tree GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_disable_collector GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_enable_collector GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_get_tsql_query_collector_packag... GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_run_collection_set GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_start_collection_set GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_stop_collection_set GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_update_collection_item GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_update_collection_set GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_upload_collection_set GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_verify_subsystems GRANT SELECT VIEW dbo syscollector_collection_items GRANT SELECT VIEW dbo syscollector_collection_sets GRANT SELECT VIEW dbo syscollector_collector_types GRANT SELECT VIEW dbo syscollector_config_store GRANT SELECT VIEW dbo syscollector_execution_log GRANT SELECT VIEW dbo syscollector_execution_log_full GRANT SELECT VIEW dbo syscollector_execution_stats GRANT EXECUTE SQL_SCALAR_FUNCTION dbo fn_syscollector_highest_incompatible_mdw_version GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_tsql_query_collector GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_oncollectionbegin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_oncollectionend GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_onerror GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_onpackagebegin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_onpackageend GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_onpackageupdate GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_onstatsupdate GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_get_tsql_query_collector_packag... GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_get_warehouse_connection_string GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_snapshot_dm_exec_query_stats GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_snapshot_dm_exec_requests GRANT SELECT VIEW dbo syscollector_collection_items GRANT SELECT VIEW dbo syscollector_collection_sets GRANT SELECT VIEW dbo syscollector_collector_types GRANT SELECT VIEW dbo syscollector_config_store GRANT CONNECT DATABASE msdb ctorInternalUser GRANT CONNECT DATABASE msdb GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_condition GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_object_set GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_policy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_policy_category GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_policy_category_subscription GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_target_set GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_target_set_level GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_configure GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_create_purge_job GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_condition GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_object_set GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_policy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_policy_category GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_policy_category_subscription GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_dispatch_event GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_log_policy_execution_detail GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_log_policy_execution_end GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_log_policy_execution_start GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_purge_health_state GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_purge_history GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_rename_condition GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_rename_policy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_rename_policy_category GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_repair_policy_automation GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_set_config_enabled GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_set_config_history_retention GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_set_log_on_success GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_update_condition GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_update_policy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_update_policy_category GRANT EXECUTE SQL_STORED_PROCEDURE met character limit--- Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 67138811F3D3035DB7C13B6F224A4015F4C21EB3 ~~~~~ Review the system documentation to determine the required levels of protection for securables in the database by type of user, then compare that against the following permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Here are the row counts and checksums for the three queries in the supplemental STIG file 'Database permission assignments to users and roles.sql': QueryType ResultCount CheckSum --------- ----------- -------- Owner 1 34509070 Privileges 3 -2020448801 Roles 1 510085263 Details for the Database Owner query: database_owner -------------- sa Details for the Database Roles query: database_role role_member ------------- ----------- db_owner dbo Details for the Privileges query: grantee_type grantee state_desc permission_name securable_class schema_or_owner securable column_name grantor_type grantor ------------ ------- ---------- --------------- --------------- --------------- --------- ----------- ------------ ------- SQL_USER dbo GRANT CONNECT DATABASE model SQL_USER dbo DATABASE_ROLE public GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION DATABASE model SQL_USER dbo DATABASE_ROLE public GRANT VIEW ANY COLUMN MASTER KEY DEFINITION DATABASE model SQL_USER dbo Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: A5133F4A8B2717CDEB397EC5433932ABBE14A87B ~~~~~ Review the system documentation to determine the required levels of protection for securables in the database by type of user, then compare that against the following permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Here are the row counts and checksums for the three queries in the supplemental STIG file 'Database permission assignments to users and roles.sql': QueryType ResultCount CheckSum --------- ----------- -------- Owner 1 34509070 Privileges 2260 -1243632689 Roles 1 510085263 Details for the Database Owner query: database_owner -------------- sa Details for the Database Roles query: database_role role_member ------------- ----------- db_owner dbo Details for the Privileges query: grantee_type grantee state_desc permission_name securable_class schema_or_owner securable ------------ ------- ---------- --------------- --------------- --------------- --------- CERTIFICATE_MAPPED_USER ##MS_AgentSigningCertificate## GRANT CONNECT DATABASE master CERTIFICATE_MAPPED_USER ##MS_AgentSigningCertificate## GRANT EXECUTE DATABASE master SQL_USER ##MS_PolicyEventProcessingLogin## GRANT CONNECT DATABASE master SQL_USER ##MS_PolicyEventProcessingLogin## GRANT EXECUTE SQL_STORED_PROCEDURE sys sp_syspolicy_execute_policy SQL_USER dbo GRANT CONNECT DATABASE master SQL_USER guest GRANT CONNECT DATABASE master DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1005... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1030... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1042... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1046... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1059... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1063... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1069... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1078... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1090... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1104... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1163... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1182... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1189... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1337... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1361... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1369... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1425... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1465... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1529... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1786... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1792... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1814... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -2059... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -2063... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -2144... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -2271... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -2318... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -2397... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -2456... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -2456... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -2462... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -2520... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -2610... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -2978... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -3055... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -3144... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -3160... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -3226... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -3319... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -3462... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -3508... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -3624... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -3825... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -3984... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4083... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4095... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4129... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4159... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4167... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4258... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4317... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4438... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4633... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4642... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4714... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4730... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4810... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4828... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4975... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5004... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5043... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5200... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5221... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5233... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5261... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5313... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5378... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5381... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5462... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5576... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5683... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5846... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -590 * DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5905... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -591 * DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -592 * DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -593 * DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5963... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -6084... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -6219... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -6234... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -6259... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -6366... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -6383... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -6385... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -6495... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -6584... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -6724... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -6980... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7167... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7264... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7310... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7327... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7362... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7494... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7578... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7644... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7786... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7850... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7909... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7947... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7989... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8028... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8167... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8186... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8248... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8268... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8300... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8481... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8483... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8604... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8752... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8824... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8834... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8962... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8986... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -9111... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -9139... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -9273... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -9343... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -9442... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -9679... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -9764... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -9798... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -9861... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -9886... DATABASE_ROLE public GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION DATABASE master DATABASE_ROLE public GRANT VIEW ANY COLUMN MASTER KEY DEFINITION DATABASE master DATABASE_ROLE public GRANT SELECT USER_TABLE dbo spt_fallback_db DATABASE_ROLE public GRANT SELECT USER_TABLE dbo spt_fallback_dev DATABASE_ROLE public GRANT SELECT USER_TABLE dbo spt_fallback_usg DATABASE_ROLE public GRANT SELECT USER_TABLE dbo spt_monitor DATABASE_ROLE public GRANT SELECT VIEW dbo spt_values DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA CHECK_CONSTRAINTS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA COLUMN_DOMAIN_USAGE DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA COLUMN_PRIVILEGES DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA COLUMNS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA CONSTRAINT_COLUMN_USAGE DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA CONSTRAINT_TABLE_USAGE DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA DOMAIN_CONSTRAINTS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA DOMAINS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA KEY_COLUMN_USAGE DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA PARAMETERS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA REFERENTIAL_CONSTRAINTS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA ROUTINE_COLUMNS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA ROUTINES DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA SCHEMATA DATABASE_ROLE public GRANT SELECT VIEW INFORMA ---truncated results. met character limit--- Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: 4E0BE29691469BB6268E1305E905DFBC61DC8366 ~~~~~ Review the system documentation to determine the required levels of protection for securables in the database by type of user, then compare that against the following permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Here are the row counts and checksums for the three queries in the supplemental STIG file 'Database permission assignments to users and roles.sql': QueryType ResultCount CheckSum --------- ----------- -------- Owner 1 34509070 Privileges 59 -882091564 Roles 1 510085263 Details for the Database Owner query: database_owner -------------- sa Details for the Database Roles query: database_role role_member ------------- ----------- db_owner dbo Details for the Privileges query: grantee_type grantee state_desc permission_name securable_class schema_or_owner securable column_name grantor_type grantor ------------ ------- ---------- --------------- --------------- --------------- --------- ----------- ------------ ------- SQL_USER dbo GRANT CONNECT DATABASE BEDB SQL_USER dbo DATABASE_ROLE public GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION DATABASE BEDB SQL_USER dbo DATABASE_ROLE public GRANT VIEW ANY COLUMN MASTER KEY DEFINITION DATABASE BEDB SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatDeletionEvent SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatDeletionEvent SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatDeletionEvent SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatDeletionEvent SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatDeletionEvent SQL_USER dbo DATABASE_ROLE public GRANT EXECUTE SQL_STORED_PROCEDURE dbo CatDeletionEventProc SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatDlmProcessedImage SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatDlmProcessedImage SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatDlmProcessedImage SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatDlmProcessedImage SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatDlmProcessedImage SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatEvents SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatEvents SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatEvents SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatEvents SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatEvents SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatFragment SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatFragment SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatFragment SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatFragment SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatFragment SQL_USER dbo DATABASE_ROLE public GRANT EXECUTE SQL_STORED_PROCEDURE dbo CatFragmentProc SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatImage SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatImage SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatImage SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatImage SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatImage SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatMedia SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatMedia SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatMedia SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatMedia SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatMedia SQL_USER dbo DATABASE_ROLE public GRANT EXECUTE SQL_STORED_PROCEDURE dbo CatMediaProc SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatPieceIdTable SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatPieceIdTable SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatPieceIdTable SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatPieceIdTable SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatPieceIdTable SQL_USER dbo DATABASE_ROLE public GRANT EXECUTE SQL_STORED_PROCEDURE dbo CatPieceIdTableProc SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatResource SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatResource SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatResource SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatResource SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatResource SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatSynthTable SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatSynthTable SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatSynthTable SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatSynthTable SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatSynthTable SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo ControlInfo SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo ControlInfo SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo ControlInfo SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo ControlInfo SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo ControlInfo SQL_USER dbo DATABASE_ROLE public GRANT EXECUTE SQL_STORED_PROCEDURE dbo DeleteOrphandedResourcesProc SQL_USER dbo DATABASE_ROLE public GRANT EXECUTE SQL_STORED_PROCEDURE dbo InsertVirtualSet SQL_USER dbo Comments

Check Text

Review the system documentation to determine the required levels of protection for securables in the database by type of login. If the database is tempdb, this is not applicable. Review the permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Use the supplemental file "Database permission assignments to users and roles.sql".

Fix Text

Use GRANT, REVOKE, DENY, ALTER ROLE … ADD MEMBER … and/or ALTER ROLE …. DROP MEMBER statements to add and remove permissions on database-level securables, bringing them into line with the documented requirements.

V-213926 CAT I SQL Server must implement cryptographic mechanisms to preven...

5 assets MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments

Check Text

Review the system documentation to determine whether the organization has defined the information at rest be protected from modification, which must include at a minimum, PII and classified information. If no information is identified as requiring such protection, this is not a finding. Review the configuration of SQL Server, Windows, and additional software as relevant. If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding. If database transparent data encryption (TDE) is called for, verify it is enabled: SELECT db.name AS DatabaseName, db.is_encrypted AS IsEncrypted, CASE WHEN dm.encryption_state = 0 THEN 'No database encryption key present, no encryption' WHEN dm.encryption_state = 1 THEN 'Unencrypted' WHEN dm.encryption_state = 2 THEN 'Encryption in progress' WHEN dm.encryption_state = 3 THEN 'Encrypted' WHEN dm.encryption_state = 4 THEN 'Key change in progress' WHEN dm.encryption_state = 5 THEN 'Decryption in progress' WHEN dm.encryption_state = 6 THEN 'Protection change in progress' END AS EncryptionState, dm.encryption_state AS EncryptionState, dm.key_algorithm AS KeyAlgorithm, dm.key_length AS KeyLength FROM sys.databases db LEFT OUTER JOIN sys.dm_database_encryption_keys dm ON db.database_id = dm.database_id WHERE db.database_id NOT IN (1,2,3,4) For each user database for which encryption is called for and that is marked Unencrypted, this is a finding. If table/column encryption and/or a separation between those who own the data (and can view it) and those who manage the data (but should have no access) is required for PII or similar types of data, use Always Encrypted. The details for configuring Always Encrypted are located here: https://msdn.microsoft.com/en-us/library/mt163865.aspx. Review the definitions and contents of the relevant tables/columns for the Always Encrypted settings. If any of the information that requires cryptographic protection is not encrypted, this is a finding.

Fix Text

Where full-disk encryption is required, configure Windows and/or the storage system to provide this. Where transparent data encryption (TDE) is required, create a master key, obtain a certificate protected by the master key, create a database encryption key and protect it by the certificate, and then set the database to use encryption. For guidance from MSDN on how to do this: https://msdn.microsoft.com/en-us/library/bb934049.aspx. Where table/column encryption is required, enable encryption on the tables/columns in question. For guidance from the Microsoft Developer Network on how to do this with Always Encrypted: https://msdn.microsoft.com/en-us/library/mt163865.aspx.

V-251040 CAT I SQL Server must use NSA-approved cryptography to protect cla...

5 assets 5 Closed MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: 578FC3916E0B120A53A8FEE87983CE61ED19852F ~~~~~ 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: 578FC3916E0B120A53A8FEE87983CE61ED19852F ~~~~~ 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 578FC3916E0B120A53A8FEE87983CE61ED19852F ~~~~~ 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: 578FC3916E0B120A53A8FEE87983CE61ED19852F ~~~~~ 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: 578FC3916E0B120A53A8FEE87983CE61ED19852F ~~~~~ 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value: 0x00000001 (1) Type: REG_DWORD Comments

Check Text

Detailed information on the NIST Cryptographic Module Validation Program (CMVP) is available at the following website: http://csrc.nist.gov/groups/STM/cmvp/index.html. Review system documentation to determine whether cryptography for classified or sensitive information is required by the information owner. If the system documentation does not specify the type of information hosted on SQL Server as classified, sensitive, and/or unclassified, this is a finding. If neither classified nor sensitive information exists within SQL Server databases or configuration, this is not a finding. Verify that Windows is configured to require the use of FIPS-compliant algorithms. Click "Start", enter "Local Security Policy", and then press "Enter". Expand "Local Policies", select "Security Options", and then locate "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing". If the Security Setting for this option is "Disabled", this is a finding. Note: The list of acceptable algorithms is "AES 256" and "Triple DES". If cryptography is being used by SQL Server, verify that the cryptography is NIST FIPS 140-2 or 140-3 certified by running the following SQL query: SELECT DISTINCT name, algorithm_desc FROM sys.symmetric_keys WHERE key_algorithm NOT IN ('D3','A3') ORDER BY name If any items listed show an uncertified NIST FIPS 140-2 algorithm type, this is a finding.

Fix Text

Configure cryptographic functions to use NSA-approved cryptography compliant algorithms. Use DoD code-signing certificates to create asymmetric keys stored in the database used to encrypt sensitive data stored in the database. Run the following SQL script to create a certificate: USE CREATE CERTIFICATE ENCRYPTION BY PASSWORD = <'password'> FROM FILE = <'path/file_name'> WITH SUBJECT = 'name of person creating key', EXPIRY_DATE = '<'expiration date: yyyymmdd'>' Run the following SQL script to create a symmetric key and assign an existing certificate: USE CREATE SYMMETRIC KEY <'key name'> WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE For Transparent Data Encryption (TDE): USE master; CREATE MASTER KEY ENCRYPTION BY PASSWORD = ''; CREATE CERTIFICATE . . .; USE ; CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE ; ALTER DATABASE SET ENCRYPTION ON;

V-213902 CAT II SQL Server must protect against a user falsely repudiating b...

5 assets 5 Closed MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: B63E0AD1F33856D056FB50B5C1C7A78CE1BAEA67 ~~~~~ NOT A FINDING: The check query returned no results. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: B63E0AD1F33856D056FB50B5C1C7A78CE1BAEA67 ~~~~~ NOT A FINDING: The check query returned no results. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: B63E0AD1F33856D056FB50B5C1C7A78CE1BAEA67 ~~~~~ NOT A FINDING: The check query returned no results. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: B63E0AD1F33856D056FB50B5C1C7A78CE1BAEA67 ~~~~~ NOT A FINDING: The check query returned no results. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: B63E0AD1F33856D056FB50B5C1C7A78CE1BAEA67 ~~~~~ NOT A FINDING: The check query returned no results. Comments

Check Text

Execute the following query: SELECT name FROM sys.database_principals WHERE type in ('U','G') AND name LIKE '%$' If no users are returned, this is not a finding. If users are returned, determine whether each user is a computer account. Launch PowerShell. Execute the following code: Note: <name> represents the username portion of the user. For example; if the user is "CONTOSO\user1$", the username is "user1". ([ADSISearcher]"(&(ObjectCategory=Computer)(Name=<name>))").FindAll() If no account information is returned, this is not a finding. If account information is returned, this is a finding.

Fix Text

Remove all users that were returned in the check SQL Statement: SELECT name FROM sys.database_principals WHERE type in ('U','G') AND name LIKE '%$' To remove users: Run the following command for each user: DROP USER [ IF EXISTS ] <user_name>;

V-213904 CAT II SQL Server must protect against a user falsely repudiating b...

5 assets 4 Closed MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4 ~~~~~ No results were returned by the check query. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4 ~~~~~ No results were returned by the check query. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4 ~~~~~ No results were returned by the check query. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4 ~~~~~ No results were returned by the check query. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: 0ACECDF9E0767F6A2D9E77EB2554ACC2AC0ACA4B ~~~~~ DBA, Confirm that an approved server documentation documents the need for TRUSTWORTHY in the following: InstanceName Database DatabaseOwner IsOwnerPrivileged ------------ -------- ------------- ----------------- MONT-BE-002\BKUPEXEC64 BEDB sa YES Comments

Check Text

If the database being reviewed is MSDB, trustworthy is required to be enabled, and therefore this is not a finding. Execute the following query: SELECT SUSER_SNAME(d.owner_sid) AS DatabaseOwner, CASE WHEN d.is_trustworthy_on = 0 THEN 'No' WHEN d.is_trustworthy_on = 1 THEN 'Yes' END AS IsTrustworthy, CASE WHEN role.name IN ('sysadmin','securityadmin') OR permission.permission_name = 'CONTROL SERVER' THEN 'YES' ELSE 'No' END AS 'IsOwnerPrivileged' FROM sys.databases d LEFT JOIN sys.server_principals login ON d.owner_sid = login.sid LEFT JOIN sys.server_role_members rm ON login.principal_id = rm.member_principal_id LEFT JOIN sys.server_principals role ON rm.role_principal_id = role.principal_id LEFT JOIN sys.server_permissions permission ON login.principal_id = permission.grantee_principal_id WHERE d.name = DB_NAME() If trustworthy is not enabled, this is not a finding. If trustworthy is enabled and the database owner is not a privileged account, this is not a finding. If trustworthy is enabled and the database owner is a privileged account, review the system documentation to determine if the trustworthy property is required and authorized. If this is not documented, this is a finding.

Fix Text

Disable trustworthy on the database. ALTER DATABASE [<database name>] SET TRUSTWORTHY OFF

V-213905 CAT II SQL Server must allow only the ISSM (or individuals or roles...

5 assets MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: 7C5804625F69F918F66071C5D03C50EB7D91BF98 ~~~~~ The only account authorized to act as a db owner is 'dbo', but DISA still requires it be documented as authorized: role_name role_member_name type_desc --------- ---------------- --------- db_owner dbo SQL_USER Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: 7C5804625F69F918F66071C5D03C50EB7D91BF98 ~~~~~ The only account authorized to act as a db owner is 'dbo', but DISA still requires it be documented as authorized: role_name role_member_name type_desc --------- ---------------- --------- db_owner dbo SQL_USER Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 7C5804625F69F918F66071C5D03C50EB7D91BF98 ~~~~~ The only account authorized to act as a db owner is 'dbo', but DISA still requires it be documented as authorized: role_name role_member_name type_desc --------- ---------------- --------- db_owner dbo SQL_USER Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: 7C5804625F69F918F66071C5D03C50EB7D91BF98 ~~~~~ The only account authorized to act as a db owner is 'dbo', but DISA still requires it be documented as authorized: role_name role_member_name type_desc --------- ---------------- --------- db_owner dbo SQL_USER Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: 7C5804625F69F918F66071C5D03C50EB7D91BF98 ~~~~~ The only account authorized to act as a db owner is 'dbo', but DISA still requires it be documented as authorized: role_name role_member_name type_desc --------- ---------------- --------- db_owner dbo SQL_USER Comments

Check Text

Obtain the list of approved audit maintainers from the system documentation. Use the following query to review database roles and their membership, all of which enable the ability to create and maintain audit specifications. SELECT R.name AS role_name, RM.name AS role_member_name, RM.type_desc FROM sys.database_principals R JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id JOIN sys.database_principals RM ON DRM.member_principal_id = RM.principal_id WHERE R.type = 'R' AND R.name = 'db_owner' ORDER BY role_member_name If any role memberships are not documented and authorized, this is a finding. Review the database roles and individual users that have the following permissions, all of which enable the ability to create and maintain audit definitions. ALTER ANY DATABASE AUDIT CONTROL Use the following query to determine the roles and users that have the listed permissions: SELECT PERM.permission_name, DP.name AS principal_name, DP.type_desc AS principal_type, DBRM.role_member_name FROM sys.database_permissions PERM JOIN sys.database_principals DP ON PERM.grantee_principal_id = DP.principal_id LEFT OUTER JOIN ( SELECT R.principal_id AS role_principal_id, R.name AS role_name, RM.name AS role_member_name FROM sys.database_principals R JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id JOIN sys.database_principals RM ON DRM.member_principal_id = RM.principal_id WHERE R.type = 'R' ) DBRM ON DP.principal_id = DBRM.role_principal_id WHERE PERM.permission_name IN ('CONTROL','ALTER ANY DATABASE AUDIT') ORDER BY permission_name, principal_name, role_member_name If any of the roles or users returned have permissions that are not documented, or the documented audit maintainers do not have permissions, this is a finding.

Fix Text

Create a database role specifically for audit maintainers, and give it permission to maintain audits, without granting it unnecessary permissions (The role name used here is an example; other names may be used.): CREATE ROLE DATABASE_AUDIT_MAINTAINERS; GO GRANT ALTER ANY DATABASE AUDIT TO DATABASE_AUDIT_MAINTAINERS; GO Use REVOKE and/or DENY and/or ALTER ROLE ... DROP MEMBER ... statements to remove the ALTER ANY DATABASE AUDIT permission from all users. Then, for each authorized database user, run the statement: ALTER ROLE DATABASE_AUDIT_MAINTAINERS ADD MEMBER; GO Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements to remove CONTROL DATABASE permission from logins that do not need it.

V-213907 CAT II SQL Server must limit privileges to change software modules,...

5 assets 5 Closed MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: A98892EF5388104C56E8D20C589B864AEFC2578F ~~~~~ No principals other than the standard MSSQL principals own database schemas. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: A98892EF5388104C56E8D20C589B864AEFC2578F ~~~~~ No principals other than the standard MSSQL principals own database schemas. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: A98892EF5388104C56E8D20C589B864AEFC2578F ~~~~~ No principals other than the standard MSSQL principals own database schemas. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: A98892EF5388104C56E8D20C589B864AEFC2578F ~~~~~ No principals other than the standard MSSQL principals own database schemas. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: A98892EF5388104C56E8D20C589B864AEFC2578F ~~~~~ No principals other than the standard MSSQL principals own database schemas. Comments

Check Text

Obtain a listing of schema ownership from the server documentation. Execute the following query to obtain a current listing of schema ownership. SELECT s.name AS schema_name, p.name AS owning_principal FROM sys.schemas s JOIN sys.database_principals p ON s.principal_id = p.principal_id WHERE p.name != 'dbo' AND (s.name != p.name or p.name not in ( 'db_accessadmin' , 'db_backupoperator' , 'db_datareader' , 'db_datawriter' , 'db_ddladmin' , 'db_denydatareader' , 'db_denydatawriter' , 'db_owner' , 'db_securityadmin' , 'guest' , 'INFORMATION_SCHEMA' , 'sys' , 'TargetServersRole' , 'SQLAgentUserRole' , 'SQLAgentReaderRole' , 'SQLAgentOperatorRole' , 'DatabaseMailUserRole' , 'db_ssisadmin' , 'db_ssisltduser' , 'db_ssisoperator' , 'replmonitor' , '##MS_SSISServerCleanupJobLogin##' ) ) ORDER BY schema_name If any schema is owned by an unauthorized database principal, this is a finding.

Fix Text

Transfer ownership of database schemas to authorized database principals. ALTER AUTHORIZATION ON SCHEMA::[<Schema Name>] TO [<Principal Name>]

V-213908 CAT II Database objects (including but not limited to tables, index...

5 assets 5 Closed MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4 ~~~~~ No results were returned by the check query. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4 ~~~~~ No results were returned by the check query. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4 ~~~~~ No results were returned by the check query. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4 ~~~~~ No results were returned by the check query. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4 ~~~~~ No results were returned by the check query. Comments

Check Text

Review system documentation to identify SQL Server accounts authorized to own database objects. If the SQL Server database ownership list does not exist or needs to be updated, this is a finding. The following query can be of use in making this determination: ;with objects_cte as (SELECT o.name, o.type_desc, CASE WHEN o.principal_id is null then s.principal_id ELSE o.principal_id END as principal_id FROM sys.objects o INNER JOIN sys.schemas s ON o.schema_id = s.schema_id WHERE o.is_ms_shipped = 0 ) SELECT cte.name, cte.type_desc, dp.name as ObjectOwner FROM objects_cte cte INNER JOIN sys.database_principals dp ON cte.principal_id = dp.principal_id ORDER BY dp.name, cte.name If any of the listed owners is not authorized, this is a finding.

Fix Text

Add and/or update system documentation to include any accounts authorized for object ownership and remove any account not authorized. To change the schema owning a database object in SQL Server, use this code as an example: USE AdventureWorks2012; GO ALTER SCHEMA HumanResources TRANSFER Person.Address; GO Caution: This can break code. This Fix should be implemented in conjunction with corrections to such code. Test before deploying in production. Deploy during a scheduled maintenance window.

V-213909 CAT II The role(s)/group(s) used to modify database structure (incl...

5 assets 5 Closed MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments

Check Text

Obtain a listing of users and roles who are authorized to create, alter, or replace logic modules from the server documentation. Execute the following query: SELECT P.type_desc AS principal_type, P.name AS principal_name, O.type_desc, CASE class WHEN 0 THEN DB_NAME() WHEN 1 THEN OBJECT_SCHEMA_NAME(major_id) + '.' + OBJECT_NAME(major_id) WHEN 3 THEN SCHEMA_NAME(major_id) ELSE class_desc + '(' + CAST(major_id AS nvarchar) + ')' END AS securable_name, DP.state_desc, DP.permission_name FROM sys.database_permissions DP JOIN sys.database_principals P ON DP.grantee_principal_id = P.principal_id LEFT OUTER JOIN sys.all_objects O ON O.object_id = DP.major_id AND O.type IN ('TR','TA','P','X','RF','PC','IF','FN','TF','U') WHERE DP.type IN ('AL','ALTG') AND DP.class IN (0, 1, 53) SELECT R.name AS role_name, M.type_desc AS principal_type, M.name AS principal_name FROM sys.database_principals R JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id JOIN sys.database_principals M ON DRM.member_principal_id = M.principal_id WHERE R.name IN ('db_ddladmin','db_owner') AND M.name != 'dbo' If any users or role permissions returned are not authorized to modify the specified object or type, this is a finding. If any user or role membership is not authorized, this is a finding.

Fix Text

Document and obtain approval for any nonadministrative users who require the ability to modify database structure and logic modules. REVOKE ALTER ON [<Object Name>] TO [<Principal Name>]

V-213910 CAT II In the event of a system failure, hardware loss or disk fail...

5 assets MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: 7B70FAB7C105E5A4859824ED0D47B00198F21A27 ~~~~~ DBA, Using the system documentation, confirm, the following recovery models.If the recovery model description does not match the documented recovery model, this is a finding.: name recovery_model_desc ---- ------------------- tempdb SIMPLE DBA, Review the jobs set up to implement the backup plan. If they are absent, this is a finding. No results were returned by the backup plan check query. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: E2C6BBDD4D4F15CF28045C75CBFABA554649BAF9 ~~~~~ DBA, Using the system documentation, confirm, the following recovery models.If the recovery model description does not match the documented recovery model, this is a finding.: name recovery_model_desc ---- ------------------- msdb SIMPLE DBA, Review the jobs set up to implement the backup plan. If they are absent, this is a finding. Jobs set up to implement the backup plan: database_name backup_type is_copy_only backup_start_date backup_finish_date ------------- ----------- ------------ ----------------- ------------------ msdb Full True 10/23/2025 12:38:24 AM 10/23/2025 12:39:14 AM msdb Full True 10/22/2025 12:39:20 AM 10/22/2025 12:40:10 AM msdb Full True 10/21/2025 12:38:45 AM 10/21/2025 12:39:34 AM msdb Full False 10/20/2025 12:45:42 AM 10/20/2025 12:46:38 AM msdb Full True 10/19/2025 12:46:11 PM 10/19/2025 12:46:59 PM msdb Full True 10/19/2025 12:44:57 PM 10/19/2025 12:45:50 PM msdb Full True 10/17/2025 1:04:24 AM 10/17/2025 1:05:09 AM msdb Full True 10/17/2025 1:03:20 AM 10/17/2025 1:04:04 AM msdb Full True 10/16/2025 1:00:27 AM 10/16/2025 1:01:14 AM msdb Full True 10/15/2025 12:58:57 AM 10/15/2025 12:59:46 AM msdb Full True 10/14/2025 12:40:16 AM 10/14/2025 12:41:04 AM msdb Full False 10/13/2025 4:36:21 AM 10/13/2025 4:37:13 AM msdb Full True 10/12/2025 12:04:08 AM 10/12/2025 12:04:57 AM msdb Full True 10/11/2025 12:46:34 AM 10/11/2025 12:47:25 AM msdb Full True 10/10/2025 12:48:52 AM 10/10/2025 12:49:42 AM msdb Full True 10/9/2025 12:51:50 AM 10/9/2025 12:52:40 AM msdb Full True 10/8/2025 12:53:24 AM 10/8/2025 12:54:14 AM msdb Full True 10/7/2025 12:54:51 AM 10/7/2025 12:55:40 AM msdb Full False 10/6/2025 4:06:38 AM 10/6/2025 4:07:33 AM msdb Full True 10/5/2025 1:06:01 AM 10/5/2025 1:06:54 AM msdb Full True 10/4/2025 12:53:15 AM 10/4/2025 12:54:05 AM msdb Full True 10/3/2025 12:49:55 AM 10/3/2025 12:50:45 AM msdb Full True 10/2/2025 12:50:57 AM 10/2/2025 12:51:47 AM msdb Full True 10/1/2025 12:45:44 AM 10/1/2025 12:46:33 AM msdb Full True 9/30/2025 12:45:19 AM 9/30/2025 12:46:09 AM msdb Full False 9/29/2025 4:10:22 AM 9/29/2025 4:11:17 AM msdb Full True 9/28/2025 12:56:54 AM 9/28/2025 12:57:49 AM msdb Full True 9/27/2025 12:47:37 AM 9/27/2025 12:48:26 AM msdb Full True 9/26/2025 12:50:32 AM 9/26/2025 12:51:21 AM msdb Full True 9/25/2025 12:32:50 PM 9/25/2025 12:33:39 PM msdb Full True 9/24/2025 1:05:20 PM 9/24/2025 1:06:09 PM msdb Full True 9/23/2025 8:35:30 PM 9/23/2025 8:36:19 PM Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: E39750E1E291B6450D7C13D7212B0D09EBBE2248 ~~~~~ DBA, Using the system documentation, confirm, the following recovery models.If the recovery model description does not match the documented recovery model, this is a finding.: name recovery_model_desc ---- ------------------- model FULL DBA, Review the jobs set up to implement the backup plan. If they are absent, this is a finding. Jobs set up to implement the backup plan: database_name backup_type is_copy_only backup_start_date backup_finish_date ------------- ----------- ------------ ----------------- ------------------ model Full True 10/23/2025 12:38:26 AM 10/23/2025 12:39:14 AM model Log False 10/22/2025 11:51:27 PM 10/22/2025 11:51:27 PM model Full True 10/22/2025 12:39:22 AM 10/22/2025 12:40:10 AM model Log False 10/21/2025 11:50:11 PM 10/21/2025 11:50:11 PM model Full True 10/21/2025 12:38:47 AM 10/21/2025 12:39:34 AM model Log False 10/20/2025 11:51:23 PM 10/20/2025 11:51:23 PM model Full False 10/20/2025 12:45:44 AM 10/20/2025 12:46:38 AM model Full True 10/19/2025 12:44:59 PM 10/19/2025 12:45:50 PM model Log False 10/19/2025 11:55:33 AM 10/19/2025 11:55:33 AM model Full True 10/17/2025 1:03:22 AM 10/17/2025 1:04:04 AM model Log False 10/17/2025 12:00:38 AM 10/17/2025 12:00:38 AM model Full True 10/16/2025 1:00:29 AM 10/16/2025 1:01:14 AM model Log False 10/16/2025 12:07:48 AM 10/16/2025 12:07:48 AM model Full True 10/15/2025 12:58:59 AM 10/15/2025 12:59:46 AM model Log False 10/15/2025 12:06:55 AM 10/15/2025 12:06:55 AM model Full True 10/14/2025 12:40:18 AM 10/14/2025 12:41:04 AM model Log False 10/13/2025 11:52:23 PM 10/13/2025 11:52:23 PM model Full False 10/13/2025 4:36:23 AM 10/13/2025 4:37:13 AM model Full True 10/12/2025 12:04:10 AM 10/12/2025 12:04:57 AM model Log False 10/11/2025 11:11:48 PM 10/11/2025 11:11:48 PM model Full True 10/11/2025 12:46:36 AM 10/11/2025 12:47:25 AM model Log False 10/10/2025 11:55:01 PM 10/10/2025 11:55:01 PM model Full True 10/10/2025 12:48:54 AM 10/10/2025 12:49:42 AM model Log False 10/9/2025 11:56:13 PM 10/9/2025 11:56:14 PM model Full True 10/9/2025 12:51:52 AM 10/9/2025 12:52:40 AM model Log False 10/8/2025 11:59:01 PM 10/8/2025 11:59:01 PM model Full True 10/8/2025 12:53:26 AM 10/8/2025 12:54:14 AM model Log False 10/8/2025 12:00:07 AM 10/8/2025 12:00:07 AM model Full True 10/7/2025 12:54:53 AM 10/7/2025 12:55:40 AM model Log False 10/7/2025 12:01:05 AM 10/7/2025 12:01:06 AM model Full False 10/6/2025 4:06:40 AM 10/6/2025 4:07:33 AM model Full True 10/5/2025 1:06:03 AM 10/5/2025 1:06:54 AM model Log False 10/5/2025 12:10:13 AM 10/5/2025 12:10:13 AM model Full True 10/4/2025 12:53:17 AM 10/4/2025 12:54:05 AM model Log False 10/3/2025 11:59:16 PM 10/3/2025 11:59:16 PM model Full True 10/3/2025 12:49:57 AM 10/3/2025 12:50:45 AM model Log False 10/2/2025 11:58:30 PM 10/2/2025 11:58:30 PM model Full True 10/2/2025 12:50:59 AM 10/2/2025 12:51:47 AM model Log False 10/1/2025 11:58:47 PM 10/1/2025 11:58:47 PM model Full True 10/1/2025 12:45:46 AM 10/1/2025 12:46:33 AM model Log False 9/30/2025 11:53:53 PM 9/30/2025 11:53:53 PM model Full True 9/30/2025 12:45:21 AM 9/30/2025 12:46:09 AM model Log False 9/29/2025 11:54:21 PM 9/29/2025 11:54:21 PM model Full False 9/29/2025 4:10:24 AM 9/29/2025 4:11:17 AM model Full True 9/28/2025 12:56:56 AM 9/28/2025 12:57:49 AM model Log False 9/27/2025 11:54:28 PM 9/27/2025 11:54:28 PM model Full True 9/27/2025 12:47:39 AM 9/27/2025 12:48:26 AM model Log False 9/26/2025 11:53:45 PM 9/26/2025 11:53:45 PM model Full True 9/26/2025 12:50:34 AM 9/26/2025 12:51:21 AM model Log False 9/25/2025 11:57:15 PM 9/25/2025 11:57:15 PM model Full True 9/25/2025 12:32:52 PM 9/25/2025 12:33:39 PM model Log False 9/25/2025 11:36:16 AM 9/25/2025 11:36:16 AM model Full True 9/24/2025 1:05:22 PM 9/24/2025 1:06:09 PM model Log False 9/24/2025 12:13:47 PM 9/24/2025 12:13:48 PM model Full True 9/23/2025 8:35:32 PM 9/23/2025 8:36:19 PM model Log False 9/23/2025 7:42:21 PM 9/23/2025 7:42:21 PM Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: 395BA62BE0A7FE22F0EA10837F6B718600499974 ~~~~~ DBA, Using the system documentation, confirm, the following recovery models.If the recovery model description does not match the documented recovery model, this is a finding.: name recovery_model_desc ---- ------------------- master SIMPLE DBA, Review the jobs set up to implement the backup plan. If they are absent, this is a finding. Jobs set up to implement the backup plan: database_name backup_type is_copy_only backup_start_date backup_finish_date ------------- ----------- ------------ ----------------- ------------------ master Full True 10/23/2025 12:38:28 AM 10/23/2025 12:39:14 AM master Full True 10/22/2025 12:39:24 AM 10/22/2025 12:40:10 AM master Full True 10/21/2025 12:38:49 AM 10/21/2025 12:39:34 AM master Full False 10/20/2025 12:45:46 AM 10/20/2025 12:46:38 AM master Full True 10/19/2025 12:45:01 PM 10/19/2025 12:45:50 PM master Full True 10/17/2025 1:03:24 AM 10/17/2025 1:04:04 AM master Full True 10/16/2025 1:00:31 AM 10/16/2025 1:01:14 AM master Full True 10/15/2025 12:59:01 AM 10/15/2025 12:59:46 AM master Full True 10/14/2025 12:40:20 AM 10/14/2025 12:41:04 AM master Full False 10/13/2025 4:36:25 AM 10/13/2025 4:37:13 AM master Full True 10/12/2025 12:04:12 AM 10/12/2025 12:04:57 AM master Full True 10/11/2025 12:46:38 AM 10/11/2025 12:47:25 AM master Full True 10/10/2025 12:48:56 AM 10/10/2025 12:49:42 AM master Full True 10/9/2025 12:51:54 AM 10/9/2025 12:52:40 AM master Full True 10/8/2025 12:53:28 AM 10/8/2025 12:54:14 AM master Full True 10/7/2025 12:54:55 AM 10/7/2025 12:55:40 AM master Full False 10/6/2025 4:06:42 AM 10/6/2025 4:07:33 AM master Full True 10/5/2025 1:06:05 AM 10/5/2025 1:06:54 AM master Full True 10/4/2025 12:53:19 AM 10/4/2025 12:54:05 AM master Full True 10/3/2025 12:49:59 AM 10/3/2025 12:50:45 AM master Full True 10/2/2025 12:51:01 AM 10/2/2025 12:51:47 AM master Full True 10/1/2025 12:45:48 AM 10/1/2025 12:46:33 AM master Full True 9/30/2025 12:45:23 AM 9/30/2025 12:46:09 AM master Full False 9/29/2025 4:10:26 AM 9/29/2025 4:11:17 AM master Full True 9/28/2025 12:56:58 AM 9/28/2025 12:57:49 AM master Full True 9/27/2025 12:47:41 AM 9/27/2025 12:48:26 AM master Full True 9/26/2025 12:50:36 AM 9/26/2025 12:51:21 AM master Full True 9/25/2025 12:32:54 PM 9/25/2025 12:33:39 PM master Full True 9/24/2025 1:05:24 PM 9/24/2025 1:06:09 PM master Full True 9/23/2025 8:35:34 PM 9/23/2025 8:36:19 PM Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: 8E9EDCB5731473AF6C0985483D9DA6823A8C71C2 ~~~~~ DBA, Using the system documentation, confirm, the following recovery models.If the recovery model description does not match the documented recovery model, this is a finding.: name recovery_model_desc ---- ------------------- BEDB SIMPLE DBA, Review the jobs set up to implement the backup plan. If they are absent, this is a finding. Jobs set up to implement the backup plan: database_name backup_type is_copy_only backup_start_date backup_finish_date ------------- ----------- ------------ ----------------- ------------------ BEDB Full True 10/23/2025 4:00:00 AM 10/23/2025 4:00:02 AM BEDB Full True 10/22/2025 11:50:20 PM 10/22/2025 11:51:06 PM BEDB Full True 10/22/2025 4:00:00 AM 10/22/2025 4:00:01 AM BEDB Full True 10/21/2025 11:49:04 PM 10/21/2025 11:49:50 PM BEDB Full True 10/21/2025 4:00:00 AM 10/21/2025 4:00:01 AM BEDB Full True 10/20/2025 11:50:18 PM 10/20/2025 11:51:03 PM BEDB Full True 10/20/2025 4:00:00 AM 10/20/2025 4:00:02 AM BEDB Full False 10/20/2025 12:45:48 AM 10/20/2025 12:46:38 AM BEDB Full True 10/19/2025 11:42:52 AM 10/19/2025 11:43:41 AM BEDB Full True 10/19/2025 4:00:02 AM 10/19/2025 4:00:03 AM BEDB Full True 10/18/2025 4:00:00 AM 10/18/2025 4:00:01 AM BEDB Full True 10/17/2025 4:00:00 AM 10/17/2025 4:00:01 AM BEDB Full True 10/16/2025 11:59:28 PM 10/17/2025 12:00:12 AM BEDB Full True 10/16/2025 4:00:00 AM 10/16/2025 4:00:02 AM BEDB Full True 10/16/2025 12:06:43 AM 10/16/2025 12:07:25 AM BEDB Full True 10/15/2025 4:00:01 AM 10/15/2025 4:00:03 AM BEDB Full True 10/15/2025 12:05:53 AM 10/15/2025 12:06:33 AM BEDB Full True 10/14/2025 4:00:00 AM 10/14/2025 4:00:01 AM BEDB Full True 10/13/2025 11:51:13 PM 10/13/2025 11:51:57 PM BEDB Full False 10/13/2025 4:36:27 AM 10/13/2025 4:37:13 AM BEDB Full True 10/13/2025 4:00:00 AM 10/13/2025 4:00:03 AM BEDB Full True 10/12/2025 4:00:00 AM 10/12/2025 4:00:00 AM BEDB Full True 10/11/2025 11:10:33 PM 10/11/2025 11:11:19 PM BEDB Full True 10/11/2025 4:00:00 AM 10/11/2025 4:00:01 AM BEDB Full True 10/10/2025 11:53:50 PM 10/10/2025 11:54:36 PM BEDB Full True 10/10/2025 4:00:00 AM 10/10/2025 4:00:01 AM BEDB Full True 10/9/2025 11:55:02 PM 10/9/2025 11:55:48 PM BEDB Full True 10/9/2025 4:00:00 AM 10/9/2025 4:00:01 AM BEDB Full True 10/8/2025 11:57:52 PM 10/8/2025 11:58:38 PM BEDB Full True 10/8/2025 4:00:00 AM 10/8/2025 4:00:01 AM BEDB Full True 10/7/2025 11:58:55 PM 10/7/2025 11:59:41 PM BEDB Full True 10/7/2025 4:00:00 AM 10/7/2025 4:00:02 AM BEDB Full True 10/6/2025 11:59:54 PM 10/7/2025 12:00:39 AM BEDB Full False 10/6/2025 4:06:44 AM 10/6/2025 4:07:33 AM BEDB Full True 10/6/2025 4:00:00 AM 10/6/2025 4:00:02 AM BEDB Full True 10/5/2025 4:00:01 AM 10/5/2025 4:00:02 AM BEDB Full True 10/5/2025 12:08:59 AM 10/5/2025 12:09:45 AM BEDB Full True 10/4/2025 4:00:00 AM 10/4/2025 4:00:01 AM BEDB Full True 10/3/2025 11:58:04 PM 10/3/2025 11:58:50 PM BEDB Full True 10/3/2025 4:00:00 AM 10/3/2025 4:00:01 AM BEDB Full True 10/2/2025 11:57:21 PM 10/2/2025 11:58:06 PM BEDB Full True 10/2/2025 4:00:00 AM 10/2/2025 4:00:01 AM BEDB Full True 10/1/2025 11:57:36 PM 10/1/2025 11:58:21 PM BEDB Full True 10/1/2025 4:00:00 AM 10/1/2025 4:00:01 AM BEDB Full True 9/30/2025 11:52:43 PM 9/30/2025 11:53:28 PM BEDB Full True 9/30/2025 4:00:01 AM 9/30/2025 4:00:02 AM BEDB Full True 9/29/2025 11:53:11 PM 9/29/2025 11:53:56 PM BEDB Full False 9/29/2025 4:10:28 AM 9/29/2025 4:11:17 AM BEDB Full True 9/29/2025 4:00:00 AM 9/29/2025 4:00:01 AM BEDB Full True 9/28/2025 4:00:00 AM 9/28/2025 4:00:02 AM BEDB Full True 9/27/2025 11:51:05 PM 9/27/2025 11:51:50 PM BEDB Full True 9/27/2025 4:00:00 AM 9/27/2025 4:00:02 AM BEDB Full True 9/26/2025 11:52:32 PM 9/26/2025 11:53:17 PM BEDB Full True 9/26/2025 4:00:00 AM 9/26/2025 4:00:02 AM BEDB Full True 9/25/2025 11:56:08 PM 9/25/2025 11:56:53 PM BEDB Full True 9/25/2025 11:34:56 AM 9/25/2025 11:35:42 AM BEDB Full True 9/25/2025 4:00:01 AM 9/25/2025 4:00:01 AM BEDB Full True 9/24/2025 12:12:36 PM 9/24/2025 12:13:21 PM BEDB Full True 9/24/2025 4:00:00 AM 9/24/2025 4:00:01 AM BEDB Full True 9/23/2025 7:41:09 PM 9/23/2025 7:41:54 PM Comments

Check Text

Review the system security plan (SSP) to determine whether the database is static, the recovery model to be used, the backup schedule, and the plan for testing database restoration. If the SSP does not state that the database is static, assume that it is not static. If any of the other information is absent, this is a finding. If the database is not static, and the documented recovery model is Bulk Logged, but the justification and authorization for this are not documented, this is a finding. Run the following to determine Recovery Model: USE [master] GO SELECT name, recovery_model_desc FROM sys.databases ORDER BY name If the recovery model description does not match the documented recovery model, this is a finding. Review the jobs set up to implement the backup plan. If they are absent, this is a finding. Check the history of the backups by running the following query. It checks the last 30 days of backups by database. USE [msdb] GO SELECT database_name, CASE type WHEN 'D' THEN 'Full' WHEN 'I' THEN 'Differential' WHEN 'L' THEN 'Log' ELSE type END AS backup_type, is_copy_only, backup_start_date, backup_finish_date FROM dbo.backupset WHERE backup_start_date >= dateadd(day, - 30, getdate()) ORDER BY database_name, backup_start_date DESC If the history indicates a pattern of job failures by missing or gaps in backups, this is a finding. Review evidence that database recovery is tested annually or more often, and that the most recent test was successful. If not, this is a finding.

Fix Text

Modify the system security plan, to include whether the database is static, the correct recovery model to be used, the backup schedule, and the plan for testing database restoration. In SQL Server Management Studio, Object Explorer, right-click on the name of the database; select Properties. Select the Options page. Set the Recovery Model field, near the top of the page, to the correct value. In Object Explorer, expand >> SQL Server Agent >> Jobs. Create, modify, and delete jobs to implement the backup schedule. (Alternatively, this may done using T-SQL code or Third-party Backup software.) Correct any issues that have been causing backups to fail. Test the restoration of the database at least once a year; correct any issues that cause it to fail. Maintain a record of these tests.

V-213911 CAT II The Database Master Key encryption password must meet DOD pa...

5 assets MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT APPLICABLE on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: DDA1FD1A0A4D393B25E5DA328D2584C79BFFCC60 ~~~~~ No database master keys exist. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT APPLICABLE on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: DDA1FD1A0A4D393B25E5DA328D2584C79BFFCC60 ~~~~~ No database master keys exist. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT APPLICABLE on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: DDA1FD1A0A4D393B25E5DA328D2584C79BFFCC60 ~~~~~ No database master keys exist. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT APPLICABLE on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: DDA1FD1A0A4D393B25E5DA328D2584C79BFFCC60 ~~~~~ No database master keys exist. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT APPLICABLE on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: DDA1FD1A0A4D393B25E5DA328D2584C79BFFCC60 ~~~~~ No database master keys exist. Comments

Check Text

From the query prompt: SELECT name FROM [master].sys.databases WHERE state = 0 Repeat for each database: From the query prompt: USE [database name] SELECT COUNT(name) FROM sys.symmetric_keys s, sys.key_encryptions k WHERE s.name = '##MS_DatabaseMasterKey##' AND s.symmetric_key_id = k.key_id AND k.crypt_type in ('ESKP', 'ESP2', 'ESP3') If the value returned is zero, this is not applicable. If the value returned is greater than zero, a Database Master Key exists and is encrypted with a password. Review procedures and evidence of password requirements used to encrypt Database Master Keys. If the passwords are not required to meet DoD password standards, currently a minimum of 15 characters with at least 1 upper-case character, 1 lower-case character, 1 special character, and 1 numeric character, and at least 8 characters changed from the previous password, this is a finding.

Fix Text

Assign an encryption password to the Database Master Key that is a minimum of 15 characters with at least 1 upper-case character, 1 lower-case character, 1 special character, and 1 numeric character, and at least 8 characters changed from the previous password. To change the Database Master Key encryption password: USE [database name]; ALTER MASTER KEY REGENERATE WITH ENCRYPTION BY PASSWORD = '[new password]'; Note: The Database Master Key encryption method should not be changed until the effects are thoroughly reviewed. Changing the master key encryption causes all encryption using the Database Master Key to be decrypted and re-encrypted. This action should not be taken during a high-demand time. Please see the MS SQL Server documentation prior to re-encrypting the Database Master Key for detailed information.

V-213912 CAT II The Database Master Key must be encrypted by the Service Mas...

5 assets 5 Closed MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4 ~~~~~ No results were returned by the check query. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4 ~~~~~ No results were returned by the check query. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4 ~~~~~ No results were returned by the check query. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4 ~~~~~ No results were returned by the check query. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4 ~~~~~ No results were returned by the check query. Comments

Check Text

If no databases require encryption, this is not a finding. From the query prompt: SELECT name FROM [master].sys.databases WHERE is_master_key_encrypted_by_server = 1 AND owner_sid <> 1 AND state = 0; (Note that this query assumes that the [sa] account is not used as the owner of application databases, in keeping with other STIG guidance. If this is not the case, modify the query accordingly.) If no databases are returned by the query, this is not a finding. For any databases returned, verify in the System Security Plan that encryption of the Database Master Key using the Service Master Key is acceptable and approved by the Information Owner, and the encrypted data does not require additional protections to deter or detect DBA access. If not approved, this is a finding. If approved and additional protections are required, then verify the additional requirements are in place in accordance with the System Security Plan. These may include additional auditing on access of the Database Master Key with alerts or other automated monitoring. If the additional requirements are not in place, this is a finding.

Fix Text

Where possible, encrypt the Database Master Key with a password known only to the application administrator. Where not possible, configure additional audit events or alerts to detect unauthorized access to the Database Master Key by users not authorized to view sensitive data.

V-213913 CAT II The Certificate used for encryption must be backed up and st...

5 assets MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details No details recorded. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details No details recorded. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details No details recorded. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details No details recorded. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details No details recorded. Comments

Check Text

If the application owner and authorizing official have determined that encryption of data at rest is not required, this is not a finding. Review procedures for and evidence of backup of the Certificate used for encryption in the System Security Plan. If the procedures or evidence does not exist, this is a finding. If the procedures do not indicate that a backup of the Certificate used for encryption is stored in a secure location that is not on the SQL Server, this is a finding. If procedures do not indicate access restrictions to the Certificate backup, this is a finding.

Fix Text

Document and implement procedures to safely back up and store the Certificate used for encryption in a secure location that is not on the SQL Server. Include in the procedures to establish evidence of backup and storage as well as careful, restricted access and restoration of the Certificate. BACKUP CERTIFICATE 'CertificateName' TO FILE = 'path_to_file' WITH PRIVATE KEY (FILE = 'path_to_pvk', ENCRYPTION BY PASSWORD = 'password'); As this requires a password, ensure it is not exposed to unauthorized persons or stored as plain text.

V-213915 CAT II Database contents must be protected from unauthorized and un...

5 assets MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details No details recorded. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details No details recorded. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details No details recorded. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details No details recorded. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details No details recorded. Comments

Check Text

Review the procedures for the refreshing of development/test data from production. Review any scripts or code that exists for the movement of production data to development/test systems, or to any other location or for any other purpose. Verify that copies of production data are not left in unprotected locations. If the code that exists for data movement does not comply with the organization-defined data transfer policy and/or fails to remove any copies of production data from unprotected locations, this is a finding.

Fix Text

Modify any code used for moving data from production to development/test systems to comply with the organization-defined data transfer policy, and to ensure copies of production data are not left in unsecured locations.

V-213916 CAT II SQL Server must check the validity of all data inputs except...

5 assets MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details No details recorded. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details No details recorded. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details No details recorded. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details No details recorded. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details No details recorded. Comments

Check Text

Review DBMS code (stored procedures, functions, triggers), application code, settings, column and field definitions, and constraints to determine whether the database is protected against invalid input. If code exists that allows invalid data to be acted upon or input into the database, this is a finding. If column/field definitions are not reflective of the data, this is a finding. If columns/fields do not contain constraints and validity checking where required, this is a finding. Where a column/field is noted in the system documentation as necessarily free-form, even though its name and context suggest that it should be strongly typed and constrained, the absence of these protections is not a finding. Where a column/field is clearly identified by name, caption or context as Notes, Comments, Description, Text, etc., the absence of these protections is not a finding.

Fix Text

Use parameterized queries, constraints, foreign keys, etc. to validate data input. Modify SQL Server to properly use the correct column data types as required in the database.

V-213917 CAT II SQL Server must provide non-privileged users with error mess...

5 assets MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details No details recorded. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details No details recorded. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details No details recorded. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details No details recorded. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details No details recorded. Comments

Check Text

Review application behavior and custom database code (stored procedures, triggers), to determine whether error messages contain information beyond what is needed for explaining the issue to general users. If database error messages contain PII data, sensitive business data, or information useful for identifying the host system or database structure, this is a finding.

Fix Text

Adjust database code to remove any information not required for explaining the error to an end user. Consider enabling trace flag 3625 to mask certain system-level error information returned to non-administrative users. Launch SQL Server Configuration Manager >> Click SQL Services >> Open the instance properties >> Click the Service Parameters tab >> Enter "-T3625" >> Click Add >> Click OK >> Restart SQL instance.

V-213919 CAT II SQL Server must associate organization-defined types of secu...

5 assets 4 Closed MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: C713830C8E84EDA173245BE4E133CC773081ABA6 ~~~~~ This is the 'tempdb' database so per STIG Support modifying the default databases not required nor recommended. For the default databases this check is an automatic 'Not A Finding' Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: AEB16496DFD41E78595FE7F47C4E9143CDC122AD ~~~~~ This is the 'msdb' database so per STIG Support modifying the default databases not required nor recommended. For the default databases this check is an automatic 'Not A Finding' Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 749808BA4F38BC428FC117B83333AA3707EE2CCA ~~~~~ This is the 'model' database so per STIG Support modifying the default databases not required nor recommended. For the default databases this check is an automatic 'Not A Finding' Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: C778770EE78E28AE01A967688E2230BFD7CDA322 ~~~~~ This is the 'master' database so per STIG Support modifying the default databases not required nor recommended. For the default databases this check is an automatic 'Not A Finding' Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details No details recorded. Comments

Check Text

If security labeling is not required, this is not a finding. If security labeling requirements have been specified, but neither a third-party solution nor a SQL Server Row-Level security solution is implemented that reliably maintains labels on information, this is a finding.

Fix Text

Deploy SQL Server Row-Level Security (see link below) or a third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in process. https://msdn.microsoft.com/en-us/library/dn765131.aspx

V-213922 CAT II Execution of stored procedures and functions that utilize ex...

5 assets 5 Closed MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments

Check Text

Review the system documentation to obtain a listing of stored procedures and functions that utilize impersonation. Execute the following query: SELECT S.name AS schema_name, O.name AS module_name, USER_NAME( CASE M.execute_as_principal_id WHEN -2 THEN COALESCE(O.principal_id, S.principal_id) ELSE M.execute_as_principal_id END ) AS execute_as FROM sys.sql_modules M JOIN sys.objects O ON M.object_id = O.object_id JOIN sys.schemas S ON O.schema_id = S.schema_id WHERE execute_as_principal_id IS NOT NULL and O.name not in ( 'fn_sysdac_get_username', 'fn_sysutility_ucp_get_instance_is_mi', 'sp_send_dbmail', 'sp_SendMailMessage', 'sp_syscollector_create_collection_set', 'sp_syscollector_delete_collection_set', 'sp_syscollector_disable_collector', 'sp_syscollector_enable_collector', 'sp_syscollector_get_collection_set_execution_status', 'sp_syscollector_run_collection_set', 'sp_syscollector_start_collection_set', 'sp_syscollector_update_collection_set', 'sp_syscollector_upload_collection_set', 'sp_syscollector_verify_collector_state', 'sp_syspolicy_add_policy', 'sp_syspolicy_add_policy_category_subscription', 'sp_syspolicy_delete_policy', 'sp_syspolicy_delete_policy_category_subscription', 'sp_syspolicy_update_policy', 'sp_sysutility_mi_add_ucp_registration', 'sp_sysutility_mi_disable_collection', 'sp_sysutility_mi_enroll', 'sp_sysutility_mi_initialize_collection', 'sp_sysutility_mi_remove', 'sp_sysutility_mi_remove_ucp_registration', 'sp_sysutility_mi_upload', 'sp_sysutility_mi_validate_enrollment_preconditions', 'sp_sysutility_ucp_add_mi', 'sp_sysutility_ucp_add_policy', 'sp_sysutility_ucp_calculate_aggregated_dac_health', 'sp_sysutility_ucp_calculate_aggregated_mi_health', 'sp_sysutility_ucp_calculate_computer_health', 'sp_sysutility_ucp_calculate_dac_file_space_health', 'sp_sysutility_ucp_calculate_dac_health', 'sp_sysutility_ucp_calculate_filegroups_with_policy_violations', 'sp_sysutility_ucp_calculate_health', 'sp_sysutility_ucp_calculate_mi_file_space_health', 'sp_sysutility_ucp_calculate_mi_health', 'sp_sysutility_ucp_configure_policies', 'sp_sysutility_ucp_create', 'sp_sysutility_ucp_delete_policy', 'sp_sysutility_ucp_delete_policy_history', 'sp_sysutility_ucp_get_policy_violations', 'sp_sysutility_ucp_initialize', 'sp_sysutility_ucp_initialize_mdw', 'sp_sysutility_ucp_remove_mi', 'sp_sysutility_ucp_update_policy', 'sp_sysutility_ucp_update_utility_configuration', 'sp_sysutility_ucp_validate_prerequisites', 'sp_validate_user', 'syscollector_collection_set_is_running_update_trigger', 'sysmail_help_status_sp' ) ORDER BY schema_name, module_name If any procedures or functions are returned that are not documented, this is a finding.

Fix Text

Alter stored procedures and functions to remove the "EXECUTE AS" statement.

V-213924 CAT II SQL Server must enforce access restrictions associated with ...

5 assets 4 Closed MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: F3ECBD3C11F8BAF819620F5F091A10379266B2E4 ~~~~~ DBA, Remove unauthorized users from roles database_name owner_name is_fixed_role_member ------------- ---------- -------------------- BEDB sa 1 Comments

Check Text

Execute the following query to obtain a listing of user databases whose owner is a member of a fixed server role: SELECT D.name AS database_name, SUSER_SNAME(D.owner_sid) AS owner_name, FRM.is_fixed_role_member FROM sys.databases D OUTER APPLY ( SELECT MAX(fixed_role_member) AS is_fixed_role_member FROM ( SELECT IS_SRVROLEMEMBER(R.name, SUSER_SNAME(D.owner_sid)) AS fixed_role_member FROM sys.server_principals R WHERE is_fixed_role = 1 ) A ) FRM WHERE D.database_id > 4 AND (FRM.is_fixed_role_member = 1 OR FRM.is_fixed_role_member IS NULL) ORDER BY database_name If no databases are returned, this is not a finding. For each database/login returned, review the Server Role memberships 1. In SQL Server Management Studio, Expand “Logins” 2. Double-click the name of the Login 3. Click the “Server Roles” tab If any server roles are selected, but not documented and authorized, this is a finding.

Fix Text

Remove unauthorized users from roles: ALTER ROLE DROP MEMBER user; https://msdn.microsoft.com/en-us/library/ms189775.aspx Set the owner of the database to an authorized login: ALTER AUTHORIZATION ON database::DatabaseName TO login; https://msdn.microsoft.com/en-us/library/ms187359.aspx

V-213903 CAT III SQL Server must protect against a user falsely repudiating b...

5 assets MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: 382E8443E6E7F9FACA088987985F92066F8CD83D ~~~~~ DBA, Using the system documentation, determine which tables in this database are required to be temporal tables. If the documentation lists any tables at all, mark this vulnerability as a finding because no such tables exist. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: 382E8443E6E7F9FACA088987985F92066F8CD83D ~~~~~ DBA, Using the system documentation, determine which tables in this database are required to be temporal tables. If the documentation lists any tables at all, mark this vulnerability as a finding because no such tables exist. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 382E8443E6E7F9FACA088987985F92066F8CD83D ~~~~~ DBA, Using the system documentation, determine which tables in this database are required to be temporal tables. If the documentation lists any tables at all, mark this vulnerability as a finding because no such tables exist. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: 382E8443E6E7F9FACA088987985F92066F8CD83D ~~~~~ DBA, Using the system documentation, determine which tables in this database are required to be temporal tables. If the documentation lists any tables at all, mark this vulnerability as a finding because no such tables exist. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: 382E8443E6E7F9FACA088987985F92066F8CD83D ~~~~~ DBA, Using the system documentation, determine which tables in this database are required to be temporal tables. If the documentation lists any tables at all, mark this vulnerability as a finding because no such tables exist. Comments

Check Text

Check the server documentation to determine if collecting and keeping historical versions of a table is required. If collecting and keeping historical versions of a table is NOT required, this is not a finding. Find all of the temporal tables in the database using the following query: SELECT SCHEMA_NAME(T.schema_id) AS schema_name, T.name AS table_name, T.temporal_type_desc, SCHEMA_NAME(H.schema_id) + '.' + H.name AS history_table FROM sys.tables T JOIN sys.tables H ON T.history_table_id = H.object_id WHERE T.temporal_type != 0 ORDER BY schema_name, table_name Using the system documentation, determine which tables are required to be temporal tables. If any tables listed in the documentation are not in the list created by running the above statement, this is a finding. Ensure a field exists documenting the login and/or user who last modified the record. If this does not exist, this is a finding.

Fix Text

Alter sensitive tables to utilize system versioning. Alter non-temporal table to define periods for system versioning . ALTER TABLE InsurancePolicy ADD PERIOD FOR SYSTEM_TIME (SysStartTime, SysEndTime), SysStartTime datetime2 GENERATED ALWAYS AS ROW START HIDDEN NOT NULL DEFAULT GETUTCDATE(), SysEndTime datetime2 GENERATED ALWAYS AS ROW END HIDDEN NOT NULL DEFAULT CONVERT(DATETIME2, '9999-12-31 23:59:59.99999999'); ALTER TABLE InsurancePolicy SET (SYSTEM_VERSIONING = ON (HISTORY_TABLE=dbo.InsurancePolicyHistory)); https://docs.microsoft.com/sql/t-sql/statements/alter-table-transact-sql?view=sql-server-2016#system_versionin

V-213914 CAT III SQL Server must isolate security functions from non-security...

5 assets MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT APPLICABLE on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: E72A43AA1F56BC880CAFBD122F108E27602D0980 ~~~~~ This is the 'tempdb' database so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT APPLICABLE on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: 3406777B844458113130EE297FDBBCA208836E7C ~~~~~ This is the 'msdb' database so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT APPLICABLE on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 0C37E2D31736DC7FA21808E49F68A9407D675C75 ~~~~~ This is the 'model' database so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT APPLICABLE on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: EF787DBB5C776F2359DFBEEBF14C0D6F928F1B0E ~~~~~ This is the 'master' database so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: DD3B0DF50BA0D49C44E09088B157BC178BD023F1 ~~~~~ DBA, Review the database structure to determine where security related functionality is stored. If security-related database objects or code are not kept separate, this is a finding: Name ---- BEDB Comments

Check Text

Determine elements of security functionality (lists of permissions, additional authentication information, stored procedures, application specific auditing, etc.) that are being housed inside SQL server. For any elements found, check SQL Server to determine if these objects or code implementing security functionality are located in a separate security domain, such as a separate database, schema, or table created specifically for security functionality. If the database is a SQL Server default database (master, msdb, model, tempdb), this is NA. Run the following query to list all the user-defined databases: SELECT Name FROM sys.databases WHERE database_id > 4 ORDER BY 1; Review the database structure to determine where security related functionality is stored. If security-related database objects or code are not kept separate, this is a finding.

Fix Text

Check the server documentation, locate security-related database objects and code in a separate database, schema, table, or other separate security domain from database objects and code implementing application logic. Microsoft SQL Server 2005 introduced the concept of database object schemas. Schemas are analogous to separate namespaces or containers used to store database objects. Security permissions apply to schemas, making them an important tool for separating and protecting database objects based on access rights. Schemas reduce the work required, and improve the flexibility, for security-related administration of a database. User-schema separation allows for more flexibility in managing database object permissions. A schema is a named container for database objects, which allows the user to group objects into separate namespaces. Where possible, locate security-related database objects and code in a separate database, schema, or other separate security domain from database objects and code implementing application logic. In all cases, use GRANT, REVOKE, DENY, ALTER ROLE … ADD MEMBER … and/or ALTER ROLE …. DROP MEMBER statements to add and remove permissions on server-level and database-level security-related objects to provide effective isolation.

V-213921 CAT III SQL Server must enforce discretionary access control policie...

5 assets 5 Closed MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments

Check Text

Review system documentation to determine requirements for object ownership and authorization delegation. Use the following query to discover database object ownership: Schemas not owned by the schema or dbo: SELECT name AS schema_name, USER_NAME(principal_id) AS schema_owner FROM sys.schemas WHERE schema_id != principal_id AND principal_id != 1 Objects owned by an individual principal: SELECT object_id, name AS securable, USER_NAME(principal_id) AS object_owner, type_desc FROM sys.objects WHERE is_ms_shipped = 0 AND principal_id IS NOT NULL ORDER BY type_desc, securable, object_owner Use the following query to discover database users who have been delegated the right to assign additional permissions: SELECT U.type_desc, U.name AS grantee, DP.class_desc AS securable_type, CASE DP.class WHEN 0 THEN DB_NAME() WHEN 1 THEN OBJECT_NAME(DP.major_id) WHEN 3 THEN SCHEMA_NAME(DP.major_id) ELSE CAST(DP.major_id AS nvarchar) END AS securable, permission_name, state_desc FROM sys.database_permissions DP JOIN sys.database_principals U ON DP.grantee_principal_id = U.principal_id WHERE DP.state = 'W' ORDER BY grantee, securable_type, securable If any of these rights are not documented and authorized, this is a finding.

Fix Text

To correct object ownership: ALTER AUTHORIZATION ON <Securable> TO <Principal> To revoke any unauthorized permissions: REVOKE [Permission] ON <Securable> TO <Principal>

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Check Text

Fix Text

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Check Text

Fix Text

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Check Text

Fix Text

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Check Text

Fix Text

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Check Text

Fix Text

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Check Text

Fix Text

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments