| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-243466 | CAT I | MONT-DC-003 | Active Directory Domain Security Technic... | Membership to the Enterprise Admins group must be ... | Documented Pending Review | |||
Check Text: Review the Enterprise Admins group in Active Directory Users and Computers. Any accounts that are members of the Enterprise Admins group must be documented with the IAO. Each Enterprise Administrator must have a separate unique account specifically for managing the Active Directory forest. If any account listed in the Enterprise Admins group is a member of other administrator groups, including the Domain Admins group, domain member server administrators groups, or domain workstation administrators groups, this is a finding.

Fix Text: Create the necessary documentation that identifies the members of the Enterprise Admins group. Ensure that each member has a separate unique account that can only be used to manage the Active Directory forest. Remove any Enterprise Admin accounts from other administrator groups.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-ActiveDirectoryDomain_Checks) found this to be OPEN on 10/23/2025. ResultHash: 1852EDAFFD0549867EBD2E419B98256759732803

Members of 'Enterprise Admins'
=========================
Name: MONTFORD-POINT\Alexandra.M.Perl
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-1160
  DistinguishedName: CN=Perl\, Alexandra M.\, CTR,OU=USERS,OU=MONTFORD-POINT,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: MONTFORD-POINT ALL HANDS; MONTFORD-POINT RADIO; MONTFORD-POINT LAN Management; MONTFORD-POINT EO
Name: MONTFORD-POINT\altucker.iaadmin [FINDING]
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-1224
  DistinguishedName: CN=Tucker\, Adam L.\, CTR,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: Domain Administrator Group; Domain Admins [FINDING]; Remote Desktop Users
Name: MONTFORD-POINT\amperl.admin [FINDING]
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-1638
  DistinguishedName: CN=ADMIN\, AMPerl,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: MONTFORD-POINT LAN Management; Member Server Administrator Group; Domain Administrator Group; Domain Admins [FINDING]; Remote Management Users
Name: MONTFORD-POINT\d.admin [FINDING]
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-1104
  DistinguishedName: CN=D.Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: Member Server Administrator Group; Domain Administrator Group; Domain Admins [FINDING]; Schema Admins [FINDING]; Remote Management Users; Remote Desktop Users
Name: MONTFORD-POINT\jrsanders.iaadmin [FINDING]
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-1253
  DistinguishedName: CN=Sanders\, James R.\, CTR,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: Member Server Administrator Group; Domain Administrator Group; Domain Admins [FINDING]; Remote Management Users; Remote Desktop Users
Name: MONTFORD-POINT\MONT-EM-Admin [FINDING]
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-1157
  DistinguishedName: CN=MONT-EM-Admin,OU=SERVICE ACCOUNTS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: Domain Administrator Group; Domain Admins [FINDING]; Remote Desktop Users; Administrators [FINDING]
Name: MONTFORD-POINT\montford.exchange [FINDING]
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-1118
  DistinguishedName: CN=Exchange Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: Organization Management; Schema Admins [FINDING]; Administrators [FINDING]
Name: MONTFORD-POINT\SHB_Admin [FINDING]
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-500
  DistinguishedName: CN=SHB_Admin,CN=Users,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: Group Policy Creator Owners; Domain Admins [FINDING]; Schema Admins [FINDING]; Administrators [FINDING]
Name: MONTFORD-POINT\Thomas.L.Jones
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-1176
  DistinguishedName: CN=Jones\, Thomas L.\, CTR,OU=USERS,OU=MONTFORD-POINT,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: MONTFORD-POINT ENG; MONTFORD-POINT ALL HANDS; MONTFORD-POINT RADIO; MONTFORD-POINT LAN Management; MONTFORD-POINT EO
Name: MONTFORD-POINT\TLJones.Admin [FINDING]
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-1250
  DistinguishedName: CN=Jones\, Thomas L.\, Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: MONTFORD-POINT LAN Management; Member Server Administrator Group; Domain Administrator Group; Domain Admins [FINDING]; Remote Management Users
Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_ADDomain_V3R5_20251023-171837.ckl
Scan Date: 2026-01-14T12:57:36.435963
Technology Area: Domain Name System
|
||||||||
| V-243467 | CAT I | MONT-DC-003 | Active Directory Domain Security Technic... | Membership to the Domain Admins group must be rest... | Documented Pending Review | |||
Check Text: Review the Domain Admins group in Active Directory Users and Computers. Any accounts that are members of the Domain Admins group must be documented with the IAO. Each Domain Administrator must have a separate unique account specifically for managing the Active Directory domain and domain controllers. If any account listed in the Domain Admins group is a member of other administrator groups, including the Enterprise Admins group, domain member server administrators groups, or domain workstation administrators groups, this is a finding.

Fix Text: Create the necessary documentation that identifies the members of the Domain Admins group. Ensure that each member has a separate unique account that can only be used to manage the Active Directory domain and domain controllers. Remove any Domain Admin accounts from other administrator groups.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-ActiveDirectoryDomain_Checks) found this to be OPEN on 10/23/2025. ResultHash: 7225AB9272CF53F1FFEA5139423A0233F41DA652

Members of 'Domain Admins'
=========================
Name: MONTFORD-POINT\adsmith.iaadmin
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-1249
  DistinguishedName: CN=Smith\, Alexander D.\, CTR,OU=USERS,OU=MONTFORD-POINT,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: (none listed)
Name: MONTFORD-POINT\altucker.iaadmin [FINDING]
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-1224
  DistinguishedName: CN=Tucker\, Adam L.\, CTR,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: Domain Administrator Group; Enterprise Admins [FINDING]; Remote Desktop Users
Name: MONTFORD-POINT\amperl.admin [FINDING]
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-1638
  DistinguishedName: CN=ADMIN\, AMPerl,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: MONTFORD-POINT LAN Management; Member Server Administrator Group; Domain Administrator Group; Enterprise Admins [FINDING]; Remote Management Users
Name: MONTFORD-POINT\ANOC.FIM
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-1203
  DistinguishedName: CN=FIM\, ANOC,CN=Users,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: Organization Management; Domain Administrator Group
Name: MONTFORD-POINT\d.admin [FINDING]
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-1104
  DistinguishedName: CN=D.Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: Member Server Administrator Group; Domain Administrator Group; Enterprise Admins [FINDING]; Schema Admins [FINDING]; Remote Management Users; Remote Desktop Users
Name: MONTFORD-POINT\iwgonzalez.iaadmin
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-1242
  DistinguishedName: CN=Gonzalez\, Ian W.\, CTR,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: (none listed)
Name: MONTFORD-POINT\jrsanders.iaadmin [FINDING]
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-1253
  DistinguishedName: CN=Sanders\, James R.\, CTR,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: Member Server Administrator Group; Domain Administrator Group; Enterprise Admins [FINDING]; Remote Management Users; Remote Desktop Users
Name: MONTFORD-POINT\jtbegarek.iaadmin
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-1212
  DistinguishedName: CN=IA ADMIN\, JTBegarek,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: Organization Management; Member Server Administrator Group; Domain Administrator Group; Domain Users
Name: MONTFORD-POINT\MONT-EM-Admin [FINDING]
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-1157
  DistinguishedName: CN=MONT-EM-Admin,OU=SERVICE ACCOUNTS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: Domain Administrator Group; Enterprise Admins [FINDING]; Remote Desktop Users; Administrators [FINDING]
Name: MONTFORD-POINT\montford.exchange [FINDING]
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-1118
  DistinguishedName: CN=Exchange Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: Organization Management; Enterprise Admins [FINDING]; Schema Admins [FINDING]; Administrators [FINDING]
Name: MONTFORD-POINT\RDRivera.IAADMIN
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-1213
  DistinguishedName: CN=Rivera\, RJ,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: (none listed)
Name: MONTFORD-POINT\scan.admin
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-1192
  DistinguishedName: CN=Scan Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: Workstation Administrator Group; Member Server Administrator Group; Remote Desktop Users
Name: MONTFORD-POINT\SHB_Admin [FINDING]
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-500
  DistinguishedName: CN=SHB_Admin,CN=Users,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: Group Policy Creator Owners; Enterprise Admins [FINDING]; Schema Admins [FINDING]; Administrators [FINDING]
Name: MONTFORD-POINT\tagavrilovic.iaadmin [FINDING]
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-1231
  DistinguishedName: CN=Gavrilovic\, Tyler A.\, CTR,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: Remote Desktop Users; Administrators [FINDING]
Name: MONTFORD-POINT\TLJones.Admin [FINDING]
  objectClass: user
  objectSID: S-1-5-21-1360995287-4027491577-3040029667-1250
  DistinguishedName: CN=Jones\, Thomas L.\, Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
  OtherMemberOf: MONTFORD-POINT LAN Management; Member Server Administrator Group; Domain Administrator Group; Enterprise Admins [FINDING]; Remote Management Users
Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_ADDomain_V3R5_20251023-171837.ckl
Scan Date: 2026-01-14T12:57:36.435963
Technology Area: Domain Name System
|
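The cross-membership rule that both V-243466 (Enterprise Admins) and V-243467 (Domain Admins) apply can be re-run offline from the member records Evaluate-STIG writes into the CKL. The Python below is an added example for this page, not Evaluate-STIG code or a site tool: it parses records in the Name/objectClass/objectSID/DistinguishedName/OtherMemberOf layout shown above (one field per line, with groups either one per line or separated by semicolons) and flags every member whose other groups include another privileged group. The built-in group names come from the STIG text; the pattern used for site-defined server and workstation administrator groups is an assumption and should be adjusted to local naming. The sample records, names and SIDs are constructed. One caveat the scan output makes visible: Evaluate-STIG tags only the built-in groups (Domain Admins, Enterprise Admins, Schema Admins, Administrators) with [FINDING], while memberships such as scan.admin in Workstation Administrator Group and Member Server Administrator Group also fall under the STIG's wording, so this check reports those too.

```python
"""Cross-membership review for Enterprise Admins / Domain Admins (V-243466, V-243467).

Added example: parses the per-member records Evaluate-STIG puts in the CKL finding
details and reports members that also hold another administrative group.
"""
import re
from dataclasses import dataclass, field

# Built-in privileged groups named in the STIG check text.
BUILTIN_ADMIN_GROUPS = {"Enterprise Admins", "Domain Admins", "Schema Admins", "Administrators"}
# Assumed naming pattern for site-defined "member server" / "workstation" administrator
# groups (e.g. "Member Server Administrator Group"); adjust to local group names.
SITE_ADMIN_GROUP_RE = re.compile(r"Administrator Group$", re.IGNORECASE)


@dataclass
class Member:
    name: str
    object_class: str = ""
    sid: str = ""
    dn: str = ""
    other_groups: list = field(default_factory=list)


def _split_groups(s):
    return [g.strip() for g in s.split(";") if g.strip()]


def parse_members(text):
    """Parse Name:/objectClass:/objectSID:/DistinguishedName:/OtherMemberOf: records.
    The [FINDING] tags the scanner appends are stripped so the check below decides on its own."""
    members, current, in_groups = [], None, False
    for raw in text.splitlines():
        line = raw.replace("[FINDING]", "").strip()
        if not line or line.startswith("=") or line.startswith("Members of"):
            continue
        if line.startswith("Name:"):
            current = Member(name=line[len("Name:"):].strip())
            members.append(current)
            in_groups = False
        elif current is None:
            continue
        elif line.startswith("OtherMemberOf:"):
            in_groups = True
            current.other_groups += _split_groups(line.split(":", 1)[1])
        elif line.startswith(("objectClass:", "objectSID:", "DistinguishedName:")):
            key, value = line.split(":", 1)
            attr = {"objectClass": "object_class", "objectSID": "sid", "DistinguishedName": "dn"}[key]
            setattr(current, attr, value.strip())
            in_groups = False
        elif in_groups:  # continuation line after OtherMemberOf: one group per line
            current.other_groups += _split_groups(line)
    return members


def is_admin_group(group):
    return group in BUILTIN_ADMIN_GROUPS or bool(SITE_ADMIN_GROUP_RE.search(group))


def cross_memberships(members):
    """Return {member name: sorted conflicting groups} for every member that fails the check."""
    findings = {}
    for m in members:
        bad = sorted({g for g in m.other_groups if is_admin_group(g)})
        if bad:
            findings[m.name] = bad
    return findings


# Constructed sample in the scanner's layout (names and SIDs are made up for this example).
SAMPLE = """\
Members of 'Enterprise Admins'
=========================
Name: EXAMPLE\\ea.only
objectClass: user
objectSID: S-1-5-21-1-2-3-1101
DistinguishedName: CN=ea.only,OU=Tier0,DC=example,DC=mil
OtherMemberOf: Remote Management Users
Name: EXAMPLE\\dual.admin [FINDING]
objectClass: user
objectSID: S-1-5-21-1-2-3-1102
DistinguishedName: CN=dual.admin,OU=Tier0,DC=example,DC=mil
OtherMemberOf:
Member Server Administrator Group
Domain Admins [FINDING]
Remote Desktop Users
Name: EXAMPLE\\builtin500
objectClass: user
objectSID: S-1-5-21-1-2-3-500
DistinguishedName: CN=builtin500,CN=Users,DC=example,DC=mil
OtherMemberOf: Group Policy Creator Owners; Administrators [FINDING]
"""

if __name__ == "__main__":
    for name, groups in cross_memberships(parse_members(SAMPLE)).items():
        print(f"FINDING {name}: also a member of {', '.join(groups)}")
```

The record with RID 500 in the sample stands in for the built-in Administrator account (SHB_Admin above), which sits in Domain Admins, Enterprise Admins, Schema Admins and Administrators by default; under this check it is still reported, so its documentation with the IAO needs to say so explicitly.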
||||||||
| V-243470 | CAT I | MONT-DC-003 | Active Directory Domain Security Technic... | Delegation of privileged accounts must be prohibit... | Documented Pending Review | |||
Check Text: Review the properties of all privileged accounts in Active Directory Users and Computers. Under the Account tab, verify "Account is sensitive and cannot be delegated" is selected in the Account Options section. If delegation is not prohibited for any privileged account, this is a finding.

Fix Text: Open Active Directory Users and Computers. View the properties of all privileged accounts. Under the Account tab, select "Account is sensitive and cannot be delegated" in the Account Options section.
Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_ADDomain_V3R5_20251023-171837.ckl
Scan Date: 2026-01-14T12:57:36.435963
Technology Area: Domain Name System
|
||||||||
| V-243482 | CAT I | MONT-DC-003 | Active Directory Domain Security Technic... | Interconnections between DoD directory services of... | - | |||
Check Text:
1. Refer to the list of identified trusts and the trust documentation provided by the site representative (obtained in V-8530).
2. For each of the identified trusts between DoD organizations, compare the classification level (unclassified, confidential, secret, and top secret) of the domain being reviewed with the classification level of the other trust party as noted in the documentation.
3. If the classification level of the domain being reviewed is different than the classification level of any of the entities for which a trust relationship is defined, then this is a finding.

Fix Text: Delete the trust relationship that is defined between entities with resources at different DoD classification levels.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-ActiveDirectoryDomain_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: 48551156A5DDF0637531025EE03B12E7D7F6DBEE
No trusts are configured so this requirement is NA.
Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_ADDomain_V3R5_20251023-171837.ckl
Scan Date: 2026-01-14T12:57:36.435963
Technology Area: Domain Name System
|
||||||||
| V-243483 | CAT I | MONT-DC-003 | Active Directory Domain Security Technic... | A controlled interface must have interconnections ... | - | |||
Check Text:
1. Refer to the list of identified trusts obtained in a previous check (V-8530).
2. For each of the identified trusts, determine if the other trust party is a non-DoD entity. For example, if the fully qualified domain name of the other party does not end in ".mil", the other party is probably not a DoD entity.
3. Review the local documentation approving the external network connection and documentation indicating explicit approval of the trust by the DAA.
4. The external network connection documentation is maintained by the IAO\NSO for compliance with the Network Infrastructure STIG.
5. If any trust is defined with a non-DoD system and there is no documentation indicating approval of the external network connection and explicit DAA approval of the trust, then this is a finding.

Fix Text: Obtain DAA approval and document the external, forest, or realm trust relationship, or obtain documentation of the network connection approval and explicit trust approval by the DAA.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-ActiveDirectoryDomain_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: 48551156A5DDF0637531025EE03B12E7D7F6DBEE
No trusts are configured so this requirement is NA.
Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_ADDomain_V3R5_20251023-171837.ckl
Scan Date: 2026-01-14T12:57:36.435963
Technology Area: Domain Name System
|
||||||||
| V-243506 | CAT I | MONT-DC-003 | Active Directory Forest Security Technic... | Update access to the directory schema must be rest... | - | |||
Check Text: Start a Schema management console (see supplemental notes). Select and then right-click on the Active Directory Schema entry in the left pane. Select Permissions. If any of the permissions for the Schema object are not at least as restrictive as those below, this is a finding. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the Advanced button, selecting the desired entry, and the Edit button.
  Authenticated Users: Read; Special Permissions (the Special permissions for Authenticated Users are List and Read type; if detailed permissions include any additional Permissions or Properties, this is a finding)
  System: Full Control
  Enterprise Read-only Domain Controllers: Replicating Directory Changes; Replicating Directory Changes All; Replicating Directory Changes In Filtered Set
  Schema Admins: Read; Write; Create all child objects; Change schema master; Manage replication topology; Monitor active directory replication; Read only replication secret synchronization; Reanimate tombstones; Replicating Directory Changes; Replicating Directory Changes All; Replicating Directory Changes In Filtered Set; Replication synchronization; Update schema cache; Special permissions (Special permissions = all except Full, Delete, and Delete subtree when detailed permissions are viewed)
  Administrators: Manage replication topology; Replicating Directory Changes; Replicating Directory Changes All; Replicating Directory Changes In Filtered Set; Replication Synchronization
  Enterprise Domain Controllers: Manage replication topology; Replicating Directory Changes; Replicating Directory Changes All; Replicating Directory Changes In Filtered Set; Replication Synchronization

Supplemental Notes: If the Schema management console has not already been configured on the computer, create a console as follows (the steps for adding the snap-in may vary depending on the Windows version). Register the required DLL module by typing "regsvr32 schmmgmt.dll" at a command line. Run "mmc.exe" to start a Microsoft Management Console. Select Add/Remove Snap-in from the File menu. From the Available Standalone Snap-ins list, select Active Directory Schema, select the Add button, then select the OK button. When done using the console, select Exit from the File (or Console) menu. Select the No button at the "Save console settings..." prompt (unless the SA wishes to retain this console). If the console is retained, the recommended name is schmmgmt.msc and the recommended location is the [systemroot]\system32 directory.

Fix Text: Ensure the access control permissions for the AD Schema object conform to the required permissions listed in the Check Text above.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-ActiveDirectoryForest_Checks) found this to be NOT A FINDING on 10/23/2025. ResultHash: D7B79E8932C30F595C990EF4C4AE2F8DF34DF99C
Schema Permissions: permissions are set to the default for:
  Administrators - Replicating Directory Changes All; Replicating Directory Changes In Filtered Set; Manage replication topology; Replicating Directory Changes; Replication Synchronization
  Enterprise Read-only Domain Controllers - Replicating Directory Changes In Filtered Set; Replicating Directory Changes; Replicating Directory Changes All
  Schema Admins - Change schema master; Special (except Full, Delete, and Delete subtree)
  Authenticated Users - Read
  Enterprise Domain Controllers - Manage replication topology; Replicating Directory Changes All; Replicating Directory Changes In Filtered Set; Replicating Directory Changes; Replication Synchronization
  System - Full Control
Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_ADForest_V3R2_20251023-171845.ckl
Scan Date: 2026-01-14T12:57:36.607366
Technology Area: Domain Name System
|
||||||||
| V-269098 | CAT I | MONT-DC-003 | Active Directory Forest Security Technic... | Windows Server hosting Active Directory Certificat... | - | |||
Check Text: Certificate templates with the extended key usages listed in the Fix Text below AND that allow a requestor to supply the subject name in the request require manual approval. In the Certificate Templates console, open the properties of each such template ("VulnerableCertTemplate" in the STIG's example) and check on the Subject Name tab whether "Supply in the request" is selected. If "Supply in the request" is selected and manual approval (CA certificate manager approval) is not required, this is a finding. If "Supply in the request" is NOT selected, and the Enroll permissions for the template have been limited to a select group of users/administrators, this is not a finding.

Fix Text: In the Certificate Templates console, open the properties of each affected template ("VulnerableCertTemplate" in the STIG's example) and review the Subject Name tab for "Supply in the request". Certificate templates with the following extended key usages must require manual approval in all cases:
i. Smart Card Logon (1.3.6.1.4.1.311.20.2.2).
ii. Any Purpose EKU (2.5.29.37.0).
iii. No EKU set, i.e., this is a (subordinate) CA certificate.
Certificate templates with the following extended key usages AND that allow a requestor to supply the subject name in the request must require manual approval:
i. Client Authentication (1.3.6.1.5.5.7.3.2).
ii. PKINIT Client Authentication (1.3.6.1.5.2.3.4).
Manual approval is the "CA certificate manager approval" option on the template's Issuance Requirements tab.
Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_ADForest_V3R2_20251023-171845.ckl
Scan Date: 2026-01-14T12:57:36.607366
Technology Area: Domain Name System
|
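The conditions in V-269098 map onto attributes of the pKICertificateTemplate objects under CN=Certificate Templates,CN=Public Key Services,CN=Services in the configuration partition: "Supply in the request" is bit 0x1 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) of msPKI-Certificate-Name-Flag, "CA certificate manager approval" is bit 0x2 (CT_FLAG_PEND_ALL_REQUESTS) of msPKI-Enrollment-Flag, and the EKUs are the OIDs in pKIExtendedKeyUsage. The Python below is an added example, not DISA or Evaluate-STIG code, that applies the STIG's two rules to template records expressed as plain dictionaries. The records are constructed for the example (the template names are hypothetical); a site would fill them from an LDAP export of those three attributes. It does not model the template's Enroll ACL, so the "not a finding when Supply in the request is off and Enroll is restricted" exception still has to be reviewed by hand.

```python
"""V-269098: find AD CS templates that need CA manager approval but do not require it.

Added example; the template records are constructed and would normally come from an
LDAP export of the pKICertificateTemplate objects (see lead-in).
"""

# msPKI-Certificate-Name-Flag: the enrollee may supply the subject in the request.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag: every request is held for CA certificate manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

EKU_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
EKU_ANY_PURPOSE = "2.5.29.37.0"
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"

# Rule 1 (STIG Fix Text): manual approval in all cases; "no EKU" (a CA certificate) is handled below.
MANUAL_ALWAYS = {EKU_SMARTCARD_LOGON, EKU_ANY_PURPOSE}
# Rule 2: manual approval when the enrollee can also supply the subject name.
MANUAL_IF_SUPPLY_IN_REQUEST = {EKU_CLIENT_AUTH, EKU_PKINIT_CLIENT_AUTH}


def review_template(tpl):
    """Return the reasons a template is a finding (empty list = compliant).

    tpl keys: name, eku (list of OID strings from pKIExtendedKeyUsage),
    name_flag (msPKI-Certificate-Name-Flag), enrollment_flag (msPKI-Enrollment-Flag).
    AD returns the flags as signed 32-bit integers; bitwise tests work on negatives too.
    """
    ekus = set(tpl.get("eku", []))
    supply_in_request = bool(tpl["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    manual_approval = bool(tpl["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS)
    if manual_approval:
        return []
    reasons = []
    if not ekus:
        reasons.append("no EKU set (CA certificate template) without manual approval")
    for oid in sorted(ekus & MANUAL_ALWAYS):
        reasons.append(f"EKU {oid} without manual approval")
    if supply_in_request:
        for oid in sorted(ekus & MANUAL_IF_SUPPLY_IN_REQUEST):
            reasons.append(f"EKU {oid} with 'Supply in the request' and no manual approval")
    return reasons


def review_templates(templates):
    """Map template name -> reasons, for the templates that are findings."""
    return {t["name"]: r for t in templates if (r := review_template(t))}


# Constructed records (hypothetical names; flag values typical of what AD returns).
SAMPLE_TEMPLATES = [
    # Subject built from AD, auto-issued: no finding under either rule.
    {"name": "User", "eku": [EKU_CLIENT_AUTH, "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
     "name_flag": -1509949440, "enrollment_flag": 41},
    # Client Authentication plus "Supply in the request", auto-issued: finding (rule 2).
    {"name": "WebServerSupply", "eku": ["1.3.6.1.5.5.7.3.1", EKU_CLIENT_AUTH],
     "name_flag": 1, "enrollment_flag": 0},
    # Smart Card Logon auto-issued: finding (rule 1) regardless of subject handling.
    {"name": "SmartCardAutoIssue", "eku": [EKU_SMARTCARD_LOGON, EKU_CLIENT_AUTH],
     "name_flag": -1509949440, "enrollment_flag": 0},
    # No EKU (subordinate CA) but every request is pended for approval: compliant.
    {"name": "SubCA", "eku": [], "name_flag": 1, "enrollment_flag": 2},
]

if __name__ == "__main__":
    for name, reasons in review_templates(SAMPLE_TEMPLATES).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

The negative name_flag value in the sample is the usual AD encoding of a template that builds the subject from AD (the high bits such as SUBJECT_ALT_REQUIRE_UPN set, bit 0x1 clear), which is why the masked test rather than an equality comparison is the right check.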
||||||||
| V-269099 | CAT I | MONT-DC-003 | Active Directory Forest Security Technic... | Windows Server running Active Directory Certificat... | - | |||
Check Text: Verify that the site has set aside one or more PAWs for remote management of AD CS. A dedicated AD CS/CA Admin account that is only usable on a tier 0 PAW or the AD CS server must be used to manage the certificate authority and approve requests. Review any available site documentation. Verify that any PAW used to manage high-value IT resources of a specific tier is used exclusively for managing high-value IT resources assigned to only one tier. If the site has not set aside one or more PAWs for remote management of AD CS, this is a finding.

Fix Text: Configure and set aside one or more PAWs for configuration and management of AD CS. For AD, multiple configuration items could enable anonymous access. Set aside one or more PAWs for remote management of high-value IT resources assigned to a specific tier. For example, using the Microsoft Tier 0-2 model, each PAW would be assigned to manage Tier 0, Tier 1, or Tier 2 high-value IT resources.
Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_ADForest_V3R2_20251023-171845.ckl
Scan Date: 2026-01-14T12:57:36.607366
Technology Area: Domain Name System
|
||||||||
| V-213129 | CAT I | MONT-WS-92010 | Adobe Acrobat Professional DC Continuous... | The Adobe Acrobat Pro DC Continuous latest securit... | - | |||
Check Text: Open Adobe Acrobat Pro DC. Navigate to and click on Help >> About Adobe Acrobat Pro DC. Verify that the latest security-related software updates by Adobe are being applied. If the latest security-related software updates by Adobe are not being applied, this is a finding.

Fix Text: Apply the latest security-related software updates to the Adobe Acrobat Pro DC application.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-AdobeAcrobatProDCContinuous_Checks) was unable to determine a Status but found the below configuration on 10/23/2025. ResultHash: 8A5C406AE5197A673C1E9CCAF985C1CF27558D6A
  Name: Adobe Acrobat DC
  Version: DC
  Track: Continuous
  DisplayVersion: 25.001.20756
  Architecture: x64
Source: _Reviewed/MONT-WS-92010/Checklist/MONT-WS-92010_AdobeAcrobatProDCContinuous_V2R1_20251023-140757.ckl
Scan Date: 2026-01-14T12:57:27.516343
Technology Area: Windows Operating System
|
||||||||
| V-213192 | CAT I | MONT-WS-92040 | Adobe Acrobat Reader DC Continuous Track... | Adobe Reader DC must have the latest Security-rela... | - | |||
Check Text: Determine the method for doing this (e.g., connection to a WSUS server, local procedure, auto update, etc.). Open Adobe Acrobat Reader DC. Navigate to and click on Help >> About Adobe Acrobat Reader DC. Verify that the latest security-related software updates by Adobe are being applied. If the latest security-related software updates by Adobe are not being applied, this is a finding.

Fix Text: Apply the latest security-related software updates to the Adobe Acrobat Reader application.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-AdobeReaderDCContinuous_Checks) was unable to determine a Status but found the below configuration on 10/23/2025. ResultHash: 52C747ED8AD535C8D5B3C3BFCE49764504D0FE1D
  Name: Adobe Reader DC
  Version: DC
  Track: Continuous
  DisplayVersion: 25.001.20756
  Architecture: x86
Source: _Reviewed/MONT-WS-92040/Checklist/MONT-WS-92040_AdobeReaderDCContinuous_V2R1_20251023-142113.ckl
Scan Date: 2026-01-14T12:57:25.224753
Technology Area: Windows Operating System
|
||||||||
| V-213192 | CAT I | MONT-SW-89108 | Adobe Acrobat Reader DC Continuous Track... | Adobe Reader DC must have the latest Security-rela... | - | |||
Check Text: Determine the method for doing this (e.g., connection to a WSUS server, local procedure, auto update, etc.). Open Adobe Acrobat Reader DC. Navigate to and click on Help >> About Adobe Acrobat Reader DC. Verify that the latest security-related software updates by Adobe are being applied. If the latest security-related software updates by Adobe are not being applied, this is a finding.

Fix Text: Apply the latest security-related software updates to the Adobe Acrobat Reader application.

Finding Details: Evaluate-STIG 1.2510.0 (Scan-AdobeReaderDCContinuous_Checks) was unable to determine a Status but found the below configuration on 12/17/2025. ResultHash: 55F395109A6C5171DE708830F5FECF87BC7FEB32
  Name: Adobe Reader DC
  Version: DC
  Track: Continuous
  DisplayVersion: 25.001.20997
  Architecture: x86
Source: MONT-SW-89108_AdobeReaderDCContinuous_V2R1_20251217-202743.ckl
Scan Date: 2026-03-04T15:25:15.734702
Technology Area: Windows Operating System
|
||||||||
| V-213192 | CAT I | MONT-SW-89134 | Adobe Acrobat Reader DC Continuous Track... | Adobe Reader DC must have the latest Security-rela... | - | |||
Check Text: Determine the method for doing this (e.g., connection to a WSUS server, local procedure, auto update, etc.). Open Adobe Acrobat Reader DC. Navigate to and click on Help >> About Adobe Acrobat Reader DC. Verify that the latest security-related software updates by Adobe are being applied. If the latest security-related software updates by Adobe are not being applied, this is a finding.

Fix Text: Apply the latest security-related software updates to the Adobe Acrobat Reader application.

Finding Details: Evaluate-STIG 1.2510.0 (Scan-AdobeReaderDCContinuous_Checks) was unable to determine a Status but found the below configuration on 12/17/2025. ResultHash: 55F395109A6C5171DE708830F5FECF87BC7FEB32
  Name: Adobe Reader DC
  Version: DC
  Track: Continuous
  DisplayVersion: 25.001.20997
  Architecture: x86
Source: MONT-SW-89134_AdobeReaderDCContinuous_V2R1_20251217-200921.ckl
Scan Date: 2026-03-04T15:25:41.765624
Technology Area: Windows Operating System
|
||||||||
| V-215823 | CAT I | MONTPOINTGTWYRTR | Cisco IOS XE Router NDM Security Technic... | The Cisco router must be configured to prohibit th... | Documented Pending Review | |||
Check Text: Verify that the router does not have any unnecessary or nonsecure ports, protocols, and services enabled. For example, the following commands should not be in the configuration:
  boot network
  ip boot server
  ip bootp server
  ip dns server
  ip identd
  ip finger
  ip http server
  ip rcmd rcp-enable
  ip rcmd rsh-enable
  service config
  service finger
  service tcp-small-servers
  service udp-small-servers
  service pad
  service call-home
Note: Certain legacy devices may require 'service call-home' be enabled to support Smart Licensing, as they do not support the newer smart transport configuration. Those devices do not incur a finding for having call-home enabled for Smart Licensing. If any unnecessary or nonsecure ports, protocols, or services are enabled, this is a finding.

Fix Text: Disable the following services if enabled, as shown in the example below.
  R2(config)#no boot network
  R2(config)#no ip boot server
  R2(config)#no ip bootp server
  R2(config)#no ip dns server
  R2(config)#no ip identd
  R2(config)#no ip finger
  R2(config)#no ip http server
  R2(config)#no ip rcmd rcp-enable
  R2(config)#no ip rcmd rsh-enable
  R2(config)#no service config
  R2(config)#no service finger
  R2(config)#no service tcp-small-servers
  R2(config)#no service udp-small-servers
  R2(config)#no service pad
  R2(config)#no service call-home
  R2(config)#end

Finding Details: Evaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be OPEN on 10/23/2025. ResultHash: DD0C8EF05E5C236F6DE0AC78EFCA66F351187ECB
  boot network not found
  ip boot server not found
  ip bootp server not found
  ip dns server not found
  ip identd not found
  ip finger not found
  ip http server not found
  ip rcmd rcp-enable not found
  ip rcmd rsh-enable not found
  service config not found
  service finger not found
  service tcp-small-servers not found
  service udp-small-servers not found
  service pad not found
  SERVICE CALL-HOME FOUND

Comments: SERVICE CALL-HOME FOUND
Source: _Reviewed/MONTPOINTGTWYRTR/Checklist/MONTPOINTGTWYRTR_CiscoXERtrNDM_V3R5_20251023-150045.ckl
Scan Date: 2026-01-14T12:57:25.013310
Technology Area: Internal Network
|
||||||||
| V-215832 | CAT I | MONTPOINTGTWYRTR | Cisco IOS XE Router NDM Security Technic... | The Cisco router must only store cryptographic rep... | - | |||
Check Text: Review the router configuration to determine if passwords are encrypted, as shown in the example below.
  service password-encryption
If the router is not configured to encrypt passwords, this is a finding.

Fix Text: Configure the router to encrypt all passwords.
  R4(config)#service password-encryption
  R4(config)#end

Finding Details: Evaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025. ResultHash: 6FFE5E388F143FAEAC142114D4F65C55EDC01323
  service password-encryption

Note: 'service password-encryption' only converts clear-text (type 0) passwords in the configuration to the reversible type 7 encoding; it does not touch hashed secrets such as 'enable secret' or 'username ... secret', which remain the stronger way to store credentials on the device.
Source: _Reviewed/MONTPOINTGTWYRTR/Checklist/MONTPOINTGTWYRTR_CiscoXERtrNDM_V3R5_20251023-150045.ckl
Scan Date: 2026-01-14T12:57:25.013310
Technology Area: Internal Network
|
||||||||
| V-215833 | CAT I | MONTPOINTGTWYRTR | Cisco IOS XE Router NDM Security Technic... | The Cisco router must be configured to terminate a... | - | |||
Check Text: Review the Cisco router configuration to verify that all network connections associated with device management have an idle timeout value set to five minutes or less, as shown in the following example:
  ip http secure-server
  ip http timeout-policy idle 300 life nnnn requests nn
  ...
  line con 0
   exec-timeout 5 0
  line vty 0 1
   exec-timeout 5 0
If the Cisco router is not configured to terminate all network connections associated with device management after five minutes of inactivity, this is a finding.

Fix Text: Set the idle timeout value to five minutes or less on all configured login classes, as shown in the example below.
  R1(config)#line vty 0 1
  R1(config-line)#exec-timeout 5 0
  R1(config-line)#exit
  R1(config)#line con 0
  R1(config-line)#exec-timeout 5 0
  R1(config-line)#exit
  R1(config)#ip http timeout-policy idle 300 life nnnn requests nn

Finding Details: Evaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be OPEN on 10/23/2025. ResultHash: EC2FCBD8253B86CFC2922A92FE8E178EA3988544
IP HTTP Timeout Settings
  no ip http server
  no ip http secure-server
  http\https servers are disabled, http\https requirements are not applicable

  line con 0
   privilege level 15
   logging synchronous
   login authentication USER_AUTH
   stopbits 1
  line con 0 exec-timeout is not configured. Default value of 10 is assumed. Confirm value is correctly configured by checking against the 'show running-config all' configuration file.
Line VTY Timeout Settings
  line vty 0 4
   session-timeout 10
   access-class vty_access in
   session-limit 3
   logging synchronous
   transport preferred ssh
   transport input ssh
   transport output ssh
  !
  exec-timeout is not configured. Default value of 10 is assumed. Confirm value is correctly configured by checking against the 'show running-config all' configuration file.
Source: _Reviewed/MONTPOINTGTWYRTR/Checklist/MONTPOINTGTWYRTR_CiscoXERtrNDM_V3R5_20251023-150045.ckl
Scan Date: 2026-01-14T12:57:25.013310
Technology Area: Internal Network
| V-215844 | CAT I | MONTPOINTGTWYRTR | Cisco IOS XE Router NDM Security Technic... | The Cisco router must be configured to use FIPS-va... | - | |||
Check Text: Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below.

NOTE: Although allowed by SP800-131Ar2 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and Government standards. Unless required for legacy use, DoD systems should not be configured to use SHA-1 for integrity of remote access sessions.

SSH Example
ip ssh version 2
ip ssh server algorithm mac hmac-sha2-256

If the Cisco router is not configured to use FIPS-validated HMAC to protect the integrity of remote maintenance sessions, this is a finding.

Fix Text: Configure SSH to use FIPS-validated HMAC for remote maintenance sessions as shown in the following example:

SSH Example
R1(config)#ip ssh version 2
R1(config)#ip ssh server algorithm mac hmac-sha2-256

Finding Details: Evaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be OPEN on 10/23/2025
ResultHash: FAA040DE8CA5849E5308201D0776B0A8AC84BA79 ~~~~~

SSH Server Algorithm is not configured per STIG check guidelines
ip ssh source-interface BDI400
ip ssh logging events
ip ssh version 2
ip ssh server algorithm mac hmac-sha1
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
Source: _Reviewed/MONTPOINTGTWYRTR/Checklist/MONTPOINTGTWYRTR_CiscoXERtrNDM_V3R5_20251023-150045.ckl
Scan Date: 2026-01-14T12:57:25.013310
Technology Area: Internal Network
| V-215845 | CAT I | MONTPOINTGTWYRTR | Cisco IOS XE Router NDM Security Technic... | The Cisco router must be configured to implement c... | - | |||
Check Text: Review the Cisco router configuration to verify that it is compliant with this requirement.

SSH Example
ip ssh version 2
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr

If the router is not configured to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions using a FIPS 140-2 approved algorithm, this is a finding.

Fix Text: Configure the Cisco router to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions using a FIPS 140-2 approved algorithm as shown in the examples below.

SSH Example
R1(config)#ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr

Finding Details: Evaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025
ResultHash: 93C96089FB06A0232EAFE70A05C0C894B0598049 ~~~~~

ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
Source: _Reviewed/MONTPOINTGTWYRTR/Checklist/MONTPOINTGTWYRTR_CiscoXERtrNDM_V3R5_20251023-150045.ckl
Scan Date: 2026-01-14T12:57:25.013310
Technology Area: Internal Network
| V-215854 | CAT I | MONTPOINTGTWYRTR | Cisco IOS XE Router NDM Security Technic... | The Cisco router must be configured to use at leas... | - | |||
Check Text: Review the Cisco router configuration to verify the device is configured to use at least two authentication servers as the primary source for authentication, as shown in the following example:

aaa new-model
!
aaa authentication CONSOLE group radius local
aaa authentication login LOGIN_AUTHENTICATION group radius local
…
ip http authentication aaa login-authentication LOGIN_AUTHENTICATION
ip http secure-server
…
radius-server host x.x.x.x auth-port 1812 acct-port 1813 key xxxxxx
radius-server host x.x.x.x auth-port 1812 acct-port 1813 key xxxxxx
…
line con 0
 exec-timeout 5 0
 login authentication CONSOLE
line vty 0 1
 exec-timeout 5 0
 login authentication LOGIN_AUTHENTICATION

If the Cisco router is not configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access, this is a finding.

Fix Text:
Step 1: Configure the Cisco router to use at least two authentication servers as shown in the following example:
R4(config)#radius host 10.1.48.2 key xxxxxx
R4(config)#radius host 10.1.48.3 key xxxxxx

Step 2: Configure the authentication order to use the authentication servers as the primary source for authentication, as shown in the following example:
R4(config)#aaa authentication CONSOLE group radius local
R4(config)#aaa authentication login LOGIN_AUTHENTICATION group radius local

Step 3: Configure all network connections associated with device management to use the authentication servers for the purpose of login authentication.
R4(config)#line vty 0 1
R4(config-line)#login authentication LOGIN_AUTHENTICATION
R4(config-line)#exit
R4(config)#line con 0
R4(config-line)#login authentication CONSOLE
R4(config-line)#exit
R4(config)#ip http authentication aaa login-authentication LOGIN_AUTHENTICATION

Finding Details:
aaa new-model
!
!
aaa group server radius AR21-Radius
 server name AR21-DC003
 server name AR21-DC004
 ip radius source-interface BDI400
 load-balance method least-outstanding
!
aaa group server tacacs+ ISE
 server-private 164.231.72.99 key 7 060B1C22424F1F0044
 server-private 164.231.111.4 key 7 060B1C22424F1F0044
 ip tacacs source-interface BDI400
!
aaa authentication login default group ISE group AR21-Radius local
aaa authentication enable default group ISE group AR21-Radius enable
aaa authorization config-commands
aaa authorization exec default group ISE group AR21-Radius local if-authenticated
aaa authorization network ISE group AR21-Radius local if-authenticated
aaa accounting exec default start-stop group ISE group AR21-Radius
!
aaa common-criteria policy PASSWORD_POLICY
 min-length 15
 max-length 127
 numeric-count 1
 upper-case 1
 lower-case 1
 special-case 1
 char-changes 8
!
!
!
!
!
!
aaa session-id common
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
  no destination transport-method email
no ip source-route
!
!
!
!
!
!
!
no ip domain lookup
ip domain name MONTPOINTGTWRTR.navy.mil
!
!
!
login block-for 900 attempts 3 within 120
login on-failure log
login on-success log
ipv6 hop-limit 32

Comments:
radius server AR21-DC003
 address ipv4 164.231.187.34 auth-port 1812 acct-port 1813
 retransmit 0
 key 7 15222B59513D24362C7205024652010C135218
!
radius server AR21-DC004
 address ipv4 164.231.187.35 auth-port 1812 acct-port 1813
 retransmit 0
 key 7 046B2B535A36435C0D583537475E1B0B382F65
Source: _Reviewed/MONTPOINTGTWYRTR/Checklist/MONTPOINTGTWYRTR_CiscoXERtrNDM_V3R5_20251023-150045.ckl
Scan Date: 2026-01-14T12:57:25.013310
Technology Area: Internal Network
| V-220139 | CAT I | MONTPOINTGTWYRTR | Cisco IOS XE Router NDM Security Technic... | The Cisco router must be configured to send log da... | Documented Pending Review | |||
Check Text: Verify that the router is configured to send logs to at least two syslog servers. The configuration should look similar to the example below:

logging x.x.x.x
logging x.x.x.x

If the router is not configured to send log data to the syslog servers, this is a finding.

Fix Text: Configure the router to send log messages to the syslog servers as shown in the example below.

R4(config)#logging host x.x.x.x
R4(config)#logging host x.x.x.x

Finding Details: Evaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be OPEN on 10/23/2025
ResultHash: CA349E0F1566CFDFB09D8F996B3AD3B036574454 ~~~~~

The router is not configured to send log data to the syslog server, this is a finding.
Source: _Reviewed/MONTPOINTGTWYRTR/Checklist/MONTPOINTGTWYRTR_CiscoXERtrNDM_V3R5_20251023-150045.ckl
Scan Date: 2026-01-14T12:57:25.013310
Technology Area: Internal Network
| V-220140 | CAT I | MONTPOINTGTWYRTR | Cisco IOS XE Router NDM Security Technic... | The Cisco router must be running an IOS release th... | Documented Pending Review | |||
Check Text: Verify that the router is in compliance with this requirement by having the router administrator enter the following command:

show version

Verify that the release is still supported by Cisco. All releases supported by Cisco can be found on the following URL: www.cisco.com/c/en/us/support/ios-nx-os-software

If the router is not running a supported release, this is a finding.

Fix Text: Upgrade the router to a supported release.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
ResultHash: F616F024AD309ED67328DF3127A0A41B41DA2441 ~~~~~

Check with vendor for support status of the device
Device Info:
Hostname : MONTPOINTGTWYRTR
DomainName :
MACAddress :
DeviceInfo : {Cisco IOS Software [Gibraltar], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.12.4, RELEASE SOFTWARE (fc5)}
CiscoOS : IOS-XE
CiscoOSVer : 16.12.4
CiscoSoftware : ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M)
SerialNumber : FLM2122V0D9
Model : ISR4351/K9
DeviceType : Router

Comments: CiscoOSVer : 16.12.4
Source: _Reviewed/MONTPOINTGTWYRTR/Checklist/MONTPOINTGTWYRTR_CiscoXERtrNDM_V3R5_20251023-150045.ckl
Scan Date: 2026-01-14T12:57:25.013310
Technology Area: Internal Network
| V-206520 | CAT I | MONT-DB-002 | Database Security Requirements Guide | The DBMS must integrate with an organization-level... | - | |||
Check Text: If all accounts are authenticated by the organization-level authentication/access mechanism and not by the DBMS, this is not a finding. If there are any accounts managed by the DBMS, review the system documentation for justification and approval of these accounts. If any DBMS-managed accounts exist that are not documented and approved, this is a finding.

Fix Text: Integrate DBMS security with an organization-level authentication/access mechanism providing account management for all users, groups, roles, and any other principals. For each DBMS-managed account that is not documented and approved, either transfer it to management by the external mechanism, or document the need for it and obtain approval, as appropriate.

Comments: The database server can only be accessed by a privileged user, who creates an Afloat Operations Service Desk ticket. Once the Afloat Operations Service Desk confirms the privileged user has the proper credentials, a domain admin account is created for the user and is valid for 14 days. Installer accounts are created and sent from shore and are authenticated using user id/password. The naming convention for the domain admin account is not consistent across various platforms and installers may not have access to a CAC reader. Application accounts are authenticated using either user id/password or a CAC. This allows flexibility to allow a mariner to access the ShipCLIP application when CAC card issues occur during ship deployments and a mariner is unable to correct until in port.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206521 | CAT I | MONT-DB-002 | Database Security Requirements Guide | The DBMS must enforce approved authorizations for ... | - | |||
Check Text: Check DBMS settings to determine whether users are restricted from accessing objects and data they are not authorized to access. If appropriate access controls are not implemented to restrict access to authorized users and to restrict the access of those users to objects and data they are authorized to see, this is a finding.

Fix Text: Configure the DBMS settings and access controls to permit user access only to objects and data that the user is authorized to view or interact with, and to prevent access to all other objects and data.

Comments: MSC Afloat Applications utilize access controls and access authentication to the database server and the DBMS enforces roles at the database level in accordance with MSC IBS Access Control Policy 2.2.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206545 | CAT I | MONT-DB-002 | Database Security Requirements Guide | The DBMS software installation account must be res... | - | |||
Check Text: Review procedures for controlling, granting access to, and tracking use of the DBMS software installation account. If access or use of this account is not restricted to the minimum number of personnel required or if unauthorized access to the account has been granted, this is a finding.

Fix Text: Develop, document, and implement procedures to restrict and track use of the DBMS software installation account.

Comments: Software installations can only be performed by a privileged user. The database server can only be accessed by a privileged user who creates an Afloat Operations Service Desk ticket. Once the Afloat Operations Service Desk confirms the privileged user has the proper credentials, a domain admin account is created for the user and is valid for 14 days. A request to relax the HBSS policy is also submitted to Afloat Operations Service Desk who approves and implements the request.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206555 | CAT I | MONT-DB-002 | Database Security Requirements Guide | If DBMS authentication, using passwords, is employ... | - | |||
Check Text: If DBMS authentication, using passwords, is not employed, this is not a finding. If the DBMS is configured to inherit password complexity and lifetime rules from the operating system or access control program, this is not a finding.

Review the DBMS settings relating to password complexity. Determine whether the following rules are enforced. If any are not, this is a finding.

a. Minimum of 15 characters, including at least one of each of the following character sets:
- Uppercase.
- Lowercase.
- Numerics.
- Special characters (e.g., ~ ! @ # $ % ^ & * ( ) _ + = - ' [ ] / ? > <).

b. Minimum number of characters changed from previous password: 50 percent of the minimum password length; that is, eight.

Review the DBMS settings relating to password lifetime. Determine whether the following rules are enforced. If any are not, this is a finding.

a. Password lifetime limits for interactive accounts: Minimum 24 hours, maximum 60 days.
b. Password lifetime limits for noninteractive accounts: Minimum 24 hours, maximum 365 days.
c. Number of password changes before an old one may be reused: Minimum of five.

Fix Text: If the use of passwords is not needed, configure the DBMS to prevent their use if it is capable of this; if it is not, institute policies and procedures to prohibit their use.

If the DBMS can inherit password complexity rules from the operating system or access control program, configure it to do so. Otherwise, use DBMS configuration parameters and/or custom code to enforce the following rules for passwords:

a. Minimum of 15 characters, including at least one of each of the following character sets:
- Uppercase.
- Lowercase.
- Numerics.
- Special characters (e.g., ~ ! @ # $ % ^ & * ( ) _ + = - ' [ ] / ? > <).

b. Minimum number of characters changed from previous password: 50 percent of the minimum password length; that is, eight.
c. Password lifetime limits for interactive accounts: Minimum 24 hours, maximum 60 days.
d. Password lifetime limits for non-interactive accounts: Minimum 24 hours, maximum 365 days.
e. Number of password changes before an old one may be reused: Minimum of five.

Comments: Database contains an obfuscated procedure, f_verify_pwd, that enforces password complexity. Login Policies enforce password lifetime.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206556 | CAT I | MONT-DB-002 | Database Security Requirements Guide | The DBMS must for password-based authentication, s... | - | |||
Check Text: Review the list of DBMS database objects, database configuration files, associated scripts, and applications defined within and external to the DBMS that access the database. The list should also include files or settings used to configure the operational environment for the DBMS and for interactive DBMS user accounts.

Determine whether any DBMS database objects, database configuration files, associated scripts, applications defined within or external to the DBMS that access the database, and DBMS/user environment files/settings contain database passwords. If any do, confirm that DBMS passwords stored internally or externally to the DBMS are hashed using FIPS-approved cryptographic algorithms and include a salt.

If any passwords are stored in clear text, this is a finding.
If any passwords are stored with reversible encryption, this is a finding.
If any passwords are stored using unsalted hashes, this is a finding.

Fix Text: Develop, document, and maintain a list of DBMS database objects, database configuration files, associated scripts, applications defined within or external to the DBMS that access the database, and DBMS/user environment files/settings in the System Security Plan. Record whether they do or do not contain DBMS passwords. If passwords are present, ensure they are correctly hashed using one-way, salted hashing functions, and that the hashes are protected by host system security.

Comments: Database passwords are stored as hashed, salted representations.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206557 | CAT I | MONT-DB-002 | Database Security Requirements Guide | If passwords are used for authentication, the DBMS... | - | |||
Check Text: Review configuration settings for encrypting passwords in transit across the network. If passwords are not encrypted, this is a finding. If it is determined that passwords are passed unencrypted at any point along the transmission path between the source and destination, this is a finding.

Fix Text: Configure encryption for transmission of passwords across the network. If the database does not provide encryption for logon events natively, employ encryption at the OS or network level. Ensure passwords remain encrypted from source to destination.

Comments: Database or application connections transmit data using TLS in-transit encryption which includes the encrypted representations of passwords. In-transit encryption is configured in the smisdbs17-E.cfg file using the -ec option and specifying the identity path+filename of the obfuscated TLS configuration file.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206559 | CAT I | MONT-DB-002 | Database Security Requirements Guide | The DBMS must enforce authorized access to all PKI... | - | |||
Check Text: Review DBMS configuration to determine whether appropriate access controls exist to protect the DBMS's private key(s). If the DBMS's private key(s) are not stored in a FIPS 140-2 or 140-3 validated cryptographic module, this is a finding. If access to the DBMS's private key(s) is not restricted to authenticated and authorized users, this is a finding.

Fix Text: Store all DBMS PKI private keys in a FIPS 140-2 or 140-3 validated cryptographic module. Ensure access to the DBMS PKI private keys is restricted to only authenticated and authorized users.

Comments: The database server can only be accessed by a privileged user, who creates an Afloat Operations Service Desk ticket. Once the Afloat Operations Service Desk confirms the privileged user has the proper credentials, a domain admin account is created for the user and is valid for 14 days. Access to PKI private keys is restricted to privileged users having direct access to the server. Files containing in-transit and at-rest encryption keys are obfuscated. If the keys are modified, the database will not start or be accessible.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206561 | CAT I | MONT-DB-002 | Database Security Requirements Guide | The DBMS must obscure feedback of authentication i... | - | |||
Check Text: If all interaction with the user for purposes of authentication is handled by a software component separate from the DBMS, this is not a finding. If any application, tool or feature associated with the DBMS/database displays any authentication secrets (to include PINs and passwords) during - or after - the authentication process, this is a finding.

Fix Text: Modify and configure each non-compliant application, tool, or feature associated with the DBMS/database so that it does not display authentication secrets.

Comments: The DBMS is configured to obfuscate passwords during the authentication process.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206562 | CAT I | MONT-DB-002 | Database Security Requirements Guide | The DBMS must use NIST FIPS 140-2 or 140-3 validat... | - | |||
Check Text: Review DBMS configuration to verify it is using NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations. If NIST FIPS 140-2 or 140-3 validated modules are not being used for all cryptographic operations, this is a finding.

Fix Text: Utilize NIST FIPS 140-2 or 140-3 validated cryptographic modules for all cryptographic operations.

Comments: The DBMS is configured to start in FIPS mode using the -fips database server option (SQL Anywhere 17 - -fips Database Option.pdf). This option enables the DBMS to use the FIPS 140-2 cryptographic modules (SQL Anywhere 17 - FIPS-certified Encryption Technology.pdf).
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206570 | CAT I | MONT-DB-002 | Database Security Requirements Guide | The DBMS must protect the confidentiality and inte... | - | |||
Check Text: If the application owner and Authorizing Official have determined that encryption of data at rest is NOT required, this is not a finding. Review DBMS settings to determine whether controls exist to protect the confidentiality and integrity of data at rest in the database. If controls do not exist or are not enabled, this is a finding.

Fix Text: Apply appropriate controls to protect the confidentiality and integrity of data at rest in the database.

Comments: Data encryption is configured to protect the confidentiality and integrity of data at rest.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206604 | CAT I | MONT-DB-002 | Database Security Requirements Guide | The DBMS must implement cryptographic mechanisms t... | - | |||
Check Text: Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information. If no information is identified as requiring such protection, this is not a finding. Review the configuration of the DBMS, operating system/file system, and additional software as relevant. If any of the information defined as requiring cryptographic protection from modification is not encrypted in a manner that provides the required level of protection, this is a finding.

Fix Text: Configure the DBMS, operating system/file system, and additional software as relevant, to provide the required level of cryptographic protection.

Comments: Data encryption is configured to protect the confidentiality and integrity of data at rest using the -ek (strong database encryption) option in the database configuration file.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206605 | CAT I | MONT-DB-002 | Database Security Requirements Guide | The DBMS must implement cryptographic mechanisms p... | - | |||
Check Text: Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from disclosure, which must include, at a minimum, PII and classified information. If the documentation indicates no information requires such protections, this is not a finding. Review the configuration of the DBMS, operating system/file system, and additional software as relevant. If any of the information defined as requiring protection is not encrypted in a manner that provides the required level of protection and is not physically secured to the required level, this is a finding.

Fix Text: Configure the DBMS, operating system/file system, and additional software as relevant, to provide the required level of cryptographic protection for information requiring cryptographic protection against disclosure. Secure the premises, equipment, and media to provide the required level of physical protection.

Comments: Data encryption is configured to protect the confidentiality and integrity of data at rest using the -ek (strong database encryption) option in the database configuration file.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-233495 | CAT I | MONT-DB-002 | Database Security Requirements Guide | The DBMS must use NSA-approved cryptography to pro... | - | |||
Check Text: If the DBMS is deployed in an unclassified environment, this is not applicable (NA). If the DBMS is not configured to use NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards, this is a finding.

Fix Text: Deploy a DBMS compatible with the use of NSA-approved cryptography. Configure the DBMS and related system components to use NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Comments: MSC IBS Afloat applications do not handle classified information.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-278969 | CAT I | MONT-DB-002 | Database Security Requirements Guide | The DBMS must be a version supported by the vendor... | - | |||
Check Text: Verify the DBMS is a version supported by the vendor. If the DBMS is not a version supported by the vendor, this is a finding.

Fix Text: Upgrade or install a version of the DBMS supported by the vendor.

Comments: MSC Business System Afloat applications use SQL Anywhere 17 database software. On page 16 of SAP SQL Anywhere Supported Platforms.pdf, this database version is currently active and supported by SAP.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-213900 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server databases must integrate with an organi... | - | |||
Check Text: Determine if SQL Server is configured to allow the use of contained databases; if it is, take the appropriate precautions to limit their risk.

1) In the Object Explorer in SQL Server Management Studio (SSMS), right-click on the server instance, select "Properties", and then select the "Advanced" page. If "Enabled Contained Databases" is "False", this is not a finding.

2) If "Enabled Contained Databases" is "True", then in a query interface such as the SSMS Transact-SQL editor, run the statement:

EXEC sp_configure 'contained database authentication'

If the returned value in the "config_value" and/or "run_value" column is "0", this is not a finding.

3) Determine whether SQL Server is configured to use only Windows authentication. In a query interface such as the SSMS Transact-SQL editor, run the statement:

SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
  WHEN 1 THEN 'Windows Authentication'
  WHEN 0 THEN 'Windows and SQL Server Authentication'
END AS [Authentication Mode]

If the returned value in the "Authentication Mode" column is "Windows Authentication", this is not a finding.

If mixed mode (both SQL Server authentication and Windows authentication) is in use, then it must be documented and approved. From the documentation, obtain the list of accounts authorized to be managed by SQL Server. Determine the accounts (SQL Logins) actually managed by SQL Server. Run the statement:

SELECT name FROM sys.database_principals WHERE type_desc = 'SQL_USER' AND authentication_type_desc = 'DATABASE';

If any accounts listed by the query are not listed in the documentation, this is a finding. Documentation must be approved by the information system security officer (ISSO)/information system security manager (ISSM).

Fix Text: If mixed mode is required, document the need and justification; describe the measures taken to ensure the use of SQL Server authentication is kept to a minimum; describe the measures taken to safeguard passwords; list or describe the SQL Logins used; and obtain official approval.

If mixed mode is not required, disable it as follows: In the SSMS Object Explorer, right-click on the server instance, select Properties >> Security page. Click the radio button for "Windows Authentication Mode", and then click "OK". Restart the SQL Server instance.

OR

Run the statement:

USE [master]
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode', REG_DWORD, 2
GO

Restart the SQL Server instance.

For each account being managed by SQL Server but not requiring it, drop or disable the SQL Database user. Replace it with an appropriately configured account, as needed.

To drop a User in the SSMS Object Explorer: Navigate to Databases >> Security Users. Right-click on the User name, and then click "Delete".

To drop a User via a query:

USE database_name;
DROP USER <user_name>;

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: BEDB
ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5 ~~~~~

Instance does not have Contained Databases enabled.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_BEDB_V3R3_20251023-143959.ckl
Scan Date: 2026-01-14T12:57:40.371699
Technology Area: Database Review
| V-213900 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server databases must integrate with an organi... | - | |||
Check Text: Determine if SQL Server is configured to allow the use of contained databases; if it is, take the appropriate precautions to limit their risk.

1) In the Object Explorer in SQL Server Management Studio (SSMS), right-click on the server instance, select "Properties", and then select the "Advanced" page. If "Enabled Contained Databases" is "False", this is not a finding.

2) If "Enabled Contained Databases" is "True", then in a query interface such as the SSMS Transact-SQL editor, run the statement:

    EXEC sp_configure 'contained database authentication'

If the returned value in the "config_value" and/or "run_value" column is "0", this is not a finding.

3) Determine whether SQL Server is configured to use only Windows authentication. In a query interface such as the SSMS Transact-SQL editor, run the statement:

    SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
                WHEN 1 THEN 'Windows Authentication'
                WHEN 0 THEN 'Windows and SQL Server Authentication'
           END AS [Authentication Mode]

If the returned value in the "Authentication Mode" column is "Windows Authentication", this is not a finding.

If mixed mode (both SQL Server authentication and Windows authentication) is in use, then it must be documented and approved. From the documentation, obtain the list of accounts authorized to be managed by SQL Server. Determine the accounts (SQL Logins) actually managed by SQL Server. Run the statement:

    SELECT name FROM sys.database_principals
     WHERE type_desc = 'SQL_USER' AND authentication_type_desc = 'DATABASE';

If any accounts listed by the query are not listed in the documentation, this is a finding. Documentation must be approved by the information system security officer (ISSO)/information system security manager (ISSM).

Fix Text: If mixed mode is required, document the need and justification; describe the measures taken to ensure the use of SQL Server authentication is kept to a minimum; describe the measures taken to safeguard passwords; list or describe the SQL Logins used; and obtain official approval.

If mixed mode is not required, disable it as follows: In the SSMS Object Explorer, right-click on the server instance, select Properties >> Security page. Click the radio button for "Windows Authentication Mode", and then click "OK". Restart the SQL Server instance.

OR run the statement:

    USE [master]
    EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode', REG_DWORD, 2
    GO

Restart the SQL Server instance.

Note: Microsoft documents the LoginMode registry value as 1 for Windows Authentication mode and 2 for mixed mode, so after the restart confirm the resulting mode with SERVERPROPERTY('IsIntegratedSecurityOnly') rather than trusting the value written.

For each account being managed by SQL Server but not requiring it, drop or disable the SQL Database user. Replace it with an appropriately configured account, as needed. To drop a User in the SSMS Object Explorer: Navigate to Databases >> Security >> Users. Right-click on the User name, and then click "Delete". To drop a User via a query:

    USE database_name;
    DROP USER <user_name>;

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: master
ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5
~~~~~
Instance does not have Contained Databases enabled.
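The three checks above can be run as one script. The following T-SQL is an added example, not part of the STIG check text and not Evaluate-STIG code; the approved-login list it compares against is a hypothetical placeholder (a single entry, 'sa') standing in for the ISSO/ISSM-approved documentation. Two points it makes explicit that the check text does not: the sys.database_principals query in step 3 returns contained database users (principals whose password is stored in the database), while the server-level SQL logins that mixed mode actually exposes are in sys.sql_logins, so both are listed; and disabled SQL logins are reported too, since a disabled login is re-enabled with one ALTER LOGIN ... ENABLE and still has to be documented or dropped.

```sql
-- Added example (not STIG or Evaluate-STIG code): the V-213900 checks in one script.
-- Assumption: the approved-login list below is a placeholder for the documented list.
SET NOCOUNT ON;

-- 1) Contained database authentication (server-level; 0 = disabled).
DECLARE @contained INT =
    (SELECT CAST(value_in_use AS INT)
       FROM sys.configurations
      WHERE name = N'contained database authentication');

-- 2) Authentication mode (1 = Windows Authentication only, 0 = mixed mode).
DECLARE @winOnly INT = CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS INT);

-- 3) Approved SQL logins. Constructed for the example; replace with the
--    ISSO/ISSM-approved list from the system documentation.
DECLARE @approved TABLE (login_name sysname PRIMARY KEY);
INSERT INTO @approved (login_name) VALUES (N'sa');   -- assumption

-- Server-level SQL logins: the accounts whose passwords SQL Server manages
-- when mixed mode is on. Disabled logins are reported as well.
SELECT 'SQL login' AS item,
       sp.name,
       CASE WHEN sp.is_disabled = 1 THEN 'disabled' ELSE 'enabled' END AS state,
       CASE WHEN a.login_name IS NULL THEN 'NOT DOCUMENTED - finding'
            ELSE 'documented' END AS verdict
  FROM sys.sql_logins AS sp
  LEFT JOIN @approved AS a ON a.login_name = sp.name
 WHERE sp.name NOT LIKE '##MS_%';   -- SQL Server's own certificate/policy logins

-- Contained database users with their own password: what the STIG's
-- sys.database_principals query returns. This part is per database, so run
-- it in each user database when contained database authentication is enabled.
SELECT 'Contained DB user' AS item,
       dp.name,
       'n/a' AS state,
       CASE WHEN a.login_name IS NULL THEN 'NOT DOCUMENTED - finding'
            ELSE 'documented' END AS verdict
  FROM sys.database_principals AS dp
  LEFT JOIN @approved AS a ON a.login_name = dp.name
 WHERE dp.type_desc = 'SQL_USER'
   AND dp.authentication_type_desc = 'DATABASE';

-- Verdict for the two server-level settings.
SELECT
    CASE WHEN @contained = 0
         THEN 'contained DB auth disabled: not a finding'
         ELSE 'contained DB auth ENABLED: review contained users in every database'
    END AS contained_db_check,
    CASE WHEN @winOnly = 1
         THEN 'Windows Authentication only: not a finding'
         ELSE 'Mixed mode: every SQL login above must be in ISSO/ISSM-approved documentation'
    END AS auth_mode_check;
```

Run it once per instance for the server-level results; only the contained-user query depends on the current database. The verdict column is the script's own, not an Evaluate-STIG status.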
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_master_V3R3_20251023-144120.ckl
Scan Date: 2026-01-14T12:57:40.470811
Technology Area: Database Review
| V-213900 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server databases must integrate with an organi... | - | |||
Check Text and Fix Text: identical to the V-213900 entry above (the STIG text is the same for every database on the instance).

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: model
ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5
~~~~~
Instance does not have Contained Databases enabled.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_model_V3R3_20251023-144128.ckl
Scan Date: 2026-01-14T12:57:40.569961
Technology Area: Database Review
| V-213900 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server databases must integrate with an organi... | - | |||
Check Text and Fix Text: identical to the V-213900 entry above (the STIG text is the same for every database on the instance).

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: msdb
ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5
~~~~~
Instance does not have Contained Databases enabled.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_msdb_V3R3_20251023-144148.ckl
Scan Date: 2026-01-14T12:57:40.663257
Technology Area: Database Review
| V-213900 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server databases must integrate with an organi... | - | |||
Check Text and Fix Text: identical to the V-213900 entry above (the STIG text is the same for every database on the instance).

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: tempdb
ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5
~~~~~
Instance does not have Contained Databases enabled.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_tempdb_V3R3_20251023-144154.ckl
Scan Date: 2026-01-14T12:57:40.769694
Technology Area: Database Review
| V-213901 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must enforce approved authorizations fo... | - | |||
Check Text: Review the system documentation to determine the required levels of protection for securables in the database by type of login. If the database is tempdb, this is not applicable. Review the permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Use the supplemental file "Database permission assignments to users and roles.sql".

Fix Text: Use GRANT, REVOKE, DENY, ALTER ROLE … ADD MEMBER … and/or ALTER ROLE … DROP MEMBER statements to add and remove permissions on database-level securables, bringing them into line with the documented requirements.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
Instance: MONT-BE-002\BKUPEXEC64
Database: BEDB
ResultHash: 4E0BE29691469BB6268E1305E905DFBC61DC8366
~~~~~
Review the system documentation to determine the required levels of protection for securables in the database by type of user, then compare that against the following permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding.

Row counts and checksums for the three queries in the supplemental STIG file 'Database permission assignments to users and roles.sql':

| QueryType | ResultCount | CheckSum |
|---|---|---|
| Owner | 1 | 34509070 |
| Privileges | 59 | -882091564 |
| Roles | 1 | 510085263 |

Database Owner query:

| database_owner |
|---|
| sa |

Database Roles query:

| database_role | role_member |
|---|---|
| db_owner | dbo |

Privileges query. The scanner emits one row per permission (59 rows); permissions on the same securable are combined on one row here. In every row column_name is empty and grantor_type/grantor are SQL_USER/dbo.

| grantee_type | grantee | state_desc | permission_name | securable_class | schema_or_owner | securable |
|---|---|---|---|---|---|---|
| SQL_USER | dbo | GRANT | CONNECT | DATABASE | | BEDB |
| DATABASE_ROLE | public | GRANT | VIEW ANY COLUMN ENCRYPTION KEY DEFINITION | DATABASE | | BEDB |
| DATABASE_ROLE | public | GRANT | VIEW ANY COLUMN MASTER KEY DEFINITION | DATABASE | | BEDB |
| DATABASE_ROLE | public | GRANT | DELETE, INSERT, REFERENCES, SELECT, UPDATE | USER_TABLE | dbo | CatDeletionEvent |
| DATABASE_ROLE | public | GRANT | EXECUTE | SQL_STORED_PROCEDURE | dbo | CatDeletionEventProc |
| DATABASE_ROLE | public | GRANT | DELETE, INSERT, REFERENCES, SELECT, UPDATE | USER_TABLE | dbo | CatDlmProcessedImage |
| DATABASE_ROLE | public | GRANT | DELETE, INSERT, REFERENCES, SELECT, UPDATE | USER_TABLE | dbo | CatEvents |
| DATABASE_ROLE | public | GRANT | DELETE, INSERT, REFERENCES, SELECT, UPDATE | USER_TABLE | dbo | CatFragment |
| DATABASE_ROLE | public | GRANT | EXECUTE | SQL_STORED_PROCEDURE | dbo | CatFragmentProc |
| DATABASE_ROLE | public | GRANT | DELETE, INSERT, REFERENCES, SELECT, UPDATE | USER_TABLE | dbo | CatImage |
| DATABASE_ROLE | public | GRANT | DELETE, INSERT, REFERENCES, SELECT, UPDATE | USER_TABLE | dbo | CatMedia |
| DATABASE_ROLE | public | GRANT | EXECUTE | SQL_STORED_PROCEDURE | dbo | CatMediaProc |
| DATABASE_ROLE | public | GRANT | DELETE, INSERT, REFERENCES, SELECT, UPDATE | USER_TABLE | dbo | CatPieceIdTable |
| DATABASE_ROLE | public | GRANT | EXECUTE | SQL_STORED_PROCEDURE | dbo | CatPieceIdTableProc |
| DATABASE_ROLE | public | GRANT | DELETE, INSERT, REFERENCES, SELECT, UPDATE | USER_TABLE | dbo | CatResource |
| DATABASE_ROLE | public | GRANT | DELETE, INSERT, REFERENCES, SELECT, UPDATE | USER_TABLE | dbo | CatSynthTable |
| DATABASE_ROLE | public | GRANT | DELETE, INSERT, REFERENCES, SELECT, UPDATE | USER_TABLE | dbo | ControlInfo |
| DATABASE_ROLE | public | GRANT | EXECUTE | SQL_STORED_PROCEDURE | dbo | DeleteOrphandedResourcesProc |
| DATABASE_ROLE | public | GRANT | EXECUTE | SQL_STORED_PROCEDURE | dbo | InsertVirtualSet |
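For the comparison the check text asks for, the following T-SQL is an added example; it is not the STIG's supplemental script 'Database permission assignments to users and roles.sql' and not Evaluate-STIG output. It returns the same three result sets as the finding details above (owner, role membership, explicit permissions) and adds a review_flag column whose rules are an assumption about what a reviewer wants to see first, not STIG criteria. Run against BEDB it would flag every row above that grants INSERT, UPDATE, DELETE or EXECUTE to public: every database user, whatever it was created for, can modify the dbo.Cat* tables and ControlInfo, so either the documented requirement names public deliberately or those grants belong on a dedicated role.

```sql
-- Added example (not the STIG supplemental script): permission inventory for the
-- current database with a reviewer-oriented flag column. The flag rules are the
-- example's own assumptions.
SET NOCOUNT ON;

-- Owner. A database owned by sa gives every sysadmin member dbo here.
SELECT DB_NAME() AS database_name, SUSER_SNAME(owner_sid) AS database_owner
  FROM sys.databases
 WHERE database_id = DB_ID();

-- Role membership.
SELECT r.name AS database_role, m.name AS role_member, m.type_desc AS member_type
  FROM sys.database_role_members AS rm
  JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
  JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
 ORDER BY r.name, m.name;

-- Explicit permissions, securable resolved to a readable name.
SELECT gt.type_desc   AS grantee_type,
       gt.name        AS grantee,
       p.state_desc,
       p.permission_name,
       p.class_desc   AS securable_class,
       CASE p.class
            WHEN 0 THEN DB_NAME()                                   -- DATABASE
            WHEN 1 THEN ISNULL(QUOTENAME(OBJECT_SCHEMA_NAME(p.major_id)) + N'.'
                               + QUOTENAME(OBJECT_NAME(p.major_id)),
                               N'hidden object ' + CONVERT(nvarchar(20), p.major_id))
            WHEN 3 THEN SCHEMA_NAME(p.major_id)                     -- SCHEMA
            WHEN 4 THEN USER_NAME(p.major_id)                       -- DATABASE_PRINCIPAL
            ELSE CONVERT(nvarchar(20), p.major_id)
       END            AS securable,
       COL_NAME(p.major_id, p.minor_id) AS column_name,            -- NULL unless column-level
       gr.name        AS grantor,
       CASE
            WHEN gt.name = N'public' AND p.class = 1
                 AND p.permission_name IN (N'INSERT', N'UPDATE', N'DELETE',
                                           N'ALTER', N'EXECUTE', N'REFERENCES')
                 AND OBJECTPROPERTY(p.major_id, 'IsMSShipped') = 0
                 THEN N'write/execute granted to public on a user object'
            WHEN gt.name = N'guest' AND p.permission_name = N'CONNECT'
                 THEN N'guest can connect'
            WHEN p.state_desc = N'GRANT_WITH_GRANT_OPTION'
                 THEN N'grantee can re-grant this permission'
            ELSE NULL
       END            AS review_flag
  FROM sys.database_permissions AS p
  JOIN sys.database_principals AS gt ON gt.principal_id = p.grantee_principal_id
  JOIN sys.database_principals AS gr ON gr.principal_id = p.grantor_principal_id
 ORDER BY review_flag DESC, grantee, securable, p.permission_name;
```

Flagged rows sort first (NULL flags sort last under DESC). Rows the scanner prints as "*** Internal Hidden Object : <id>" appear here as "hidden object <id>" because OBJECT_NAME returns NULL for them; they are SQL Server's own system objects in master and are not marked, since IsMSShipped is not 0 for them.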
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_BEDB_V3R3_20251023-143959.ckl
Scan Date: 2026-01-14T12:57:40.371699
Technology Area: Database Review
| V-213901 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must enforce approved authorizations fo... | - | |||
Check Text and Fix Text: identical to the V-213901 entry above (the STIG text is the same for every database on the instance).

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
Instance: MONT-BE-002\BKUPEXEC64
Database: master
ResultHash: A5133F4A8B2717CDEB397EC5433932ABBE14A87B
~~~~~
Review the system documentation to determine the required levels of protection for securables in the database by type of user, then compare that against the following permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding.

Row counts and checksums for the three queries in the supplemental STIG file 'Database permission assignments to users and roles.sql':

| QueryType | ResultCount | CheckSum |
|---|---|---|
| Owner | 1 | 34509070 |
| Privileges | 2260 | -1243632689 |
| Roles | 1 | 510085263 |

Database Owner query:

| database_owner |
|---|
| sa |

Database Roles query:

| database_role | role_member |
|---|---|
| db_owner | dbo |

Privileges query. The scanner captured only the first part of the 2,260 rows (see the truncation marker at the end). The 126 rows of the form "*** Internal Hidden Object : <id>" are combined on one line with the ids listed after the table.

| grantee_type | grantee | state_desc | permission_name | securable_class | schema_or_owner | securable |
|---|---|---|---|---|---|---|
| CERTIFICATE_MAPPED_USER | ##MS_AgentSigningCertificate## | GRANT | CONNECT | DATABASE | | master |
| CERTIFICATE_MAPPED_USER | ##MS_AgentSigningCertificate## | GRANT | EXECUTE | DATABASE | | master |
| SQL_USER | ##MS_PolicyEventProcessingLogin## | GRANT | CONNECT | DATABASE | | master |
| SQL_USER | ##MS_PolicyEventProcessingLogin## | GRANT | EXECUTE | SQL_STORED_PROCEDURE | sys | sp_syspolicy_execute_policy |
| SQL_USER | dbo | GRANT | CONNECT | DATABASE | | master |
| SQL_USER | guest | GRANT | CONNECT | DATABASE | | master |
| DATABASE_ROLE | public | GRANT | SELECT | OBJECT | | *** Internal Hidden Object : <id> (126 rows, ids below) |
| DATABASE_ROLE | public | GRANT | VIEW ANY COLUMN ENCRYPTION KEY DEFINITION | DATABASE | | master |
| DATABASE_ROLE | public | GRANT | VIEW ANY COLUMN MASTER KEY DEFINITION | DATABASE | | master |
| DATABASE_ROLE | public | GRANT | SELECT | USER_TABLE | dbo | spt_fallback_db |
| DATABASE_ROLE | public | GRANT | SELECT | USER_TABLE | dbo | spt_fallback_dev |
| DATABASE_ROLE | public | GRANT | SELECT | USER_TABLE | dbo | spt_fallback_usg |
| DATABASE_ROLE | public | GRANT | SELECT | USER_TABLE | dbo | spt_monitor |
| DATABASE_ROLE | public | GRANT | SELECT | VIEW | dbo | spt_values |
| DATABASE_ROLE | public | GRANT | SELECT | VIEW | INFORMATION_SCHEMA | CHECK_CONSTRAINTS |
| DATABASE_ROLE | public | GRANT | SELECT | VIEW | INFORMATION_SCHEMA | COLUMN_DOMAIN_USAGE |
| DATABASE_ROLE | public | GRANT | SELECT | VIEW | INFORMATION_SCHEMA | COLUMN_PRIVILEGES |
| DATABASE_ROLE | public | GRANT | SELECT | VIEW | INFORMATION_SCHEMA | COLUMNS |
| DATABASE_ROLE | public | GRANT | SELECT | VIEW | INFORMATION_SCHEMA | CONSTRAINT_COLUMN_USAGE |
| DATABASE_ROLE | public | GRANT | SELECT | VIEW | INFORMATION_SCHEMA | CONSTRAINT_TABLE_USAGE |
| DATABASE_ROLE | public | GRANT | SELECT | VIEW | INFORMATION_SCHEMA | DOMAIN_CONSTRAINTS |
| DATABASE_ROLE | public | GRANT | SELECT | VIEW | INFORMATION_SCHEMA | DOMAINS |
| DATABASE_ROLE | public | GRANT | SELECT | VIEW | INFORMATION_SCHEMA | KEY_COLUMN_USAGE |
| DATABASE_ROLE | public | GRANT | SELECT | VIEW | INFORMATION_SCHEMA | PARAMETERS |
| DATABASE_ROLE | public | GRANT | SELECT | VIEW | INFORMATION_SCHEMA | REFERENTIAL_CONSTRAINTS |
| DATABASE_ROLE | public | GRANT | SELECT | VIEW | INFORMATION_SCHEMA | ROUTINE_COLUMNS |
| DATABASE_ROLE | public | GRANT | SELECT | VIEW | INFORMATION_SCHEMA | ROUTINES |
| DATABASE_ROLE | public | GRANT | SELECT | VIEW | INFORMATION_SCHEMA | SCHEMATA |

Internal hidden object ids, in scanner order and as the scanner cut them (only -590, -591, -592 and -593 are complete; the rest end in "..."):
-1005..., -1030..., -1042..., -1046..., -1059..., -1063..., -1069..., -1078..., -1090..., -1104..., -1163..., -1182..., -1189..., -1337..., -1361..., -1369..., -1425..., -1465..., -1529..., -1786..., -1792..., -1814..., -2059..., -2063..., -2144..., -2271..., -2318..., -2397..., -2456..., -2456..., -2462..., -2520..., -2610..., -2978..., -3055..., -3144..., -3160..., -3226..., -3319..., -3462..., -3508..., -3624..., -3825..., -3984..., -4083..., -4095..., -4129..., -4159..., -4167..., -4258..., -4317..., -4438..., -4633..., -4642..., -4714..., -4730..., -4810..., -4828..., -4975..., -5004..., -5043..., -5200..., -5221..., -5233..., -5261..., -5313..., -5378..., -5381..., -5462..., -5576..., -5683..., -5846..., -590, -5905..., -591, -592, -593, -5963..., -6084..., -6219..., -6234..., -6259..., -6366..., -6383..., -6385..., -6495..., -6584..., -6724..., -6980..., -7167..., -7264..., -7310..., -7327..., -7362..., -7494..., -7578..., -7644..., -7786..., -7850..., -7909..., -7947..., -7989..., -8028..., -8167..., -8186..., -8248..., -8268..., -8300..., -8481..., -8483..., -8604..., -8752..., -8824..., -8834..., -8962..., -8986..., -9111..., -9139..., -9273..., -9343..., -9442..., -9679..., -9764..., -9798..., -9861..., -9886...

The captured output ends mid-row with: INFORMA ---truncated results. met character limit---
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_master_V3R3_20251023-144120.ckl
Scan Date: 2026-01-14T12:57:40.470811
Technology Area: Database Review
| V-213901 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must enforce approved authorizations fo... | - | |||
Check Text: Review the system documentation to determine the required levels of protection for securables in the database by type of login. If the database is tempdb, this is not applicable. Review the permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Use the supplemental file "Database permission assignments to users and roles.sql".

Fix Text: Use GRANT, REVOKE, DENY, ALTER ROLE … ADD MEMBER … and/or ALTER ROLE … DROP MEMBER statements to add and remove permissions on database-level securables, bringing them into line with the documented requirements.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
Instance: MONT-BE-002\BKUPEXEC64
Database: model
ResultHash: 67138811F3D3035DB7C13B6F224A4015F4C21EB3
~~~~~
Review the system documentation to determine the required levels of protection for securables in the database by type of user, then compare that against the following permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding.

Here are the row counts and checksums for the three queries in the supplemental STIG file 'Database permission assignments to users and roles.sql':

| QueryType | ResultCount | CheckSum |
|---|---|---|
| Owner | 1 | 34509070 |
| Privileges | 3 | -2020448801 |
| Roles | 1 | 510085263 |

Details for the Database Owner query:

| database_owner |
|---|
| sa |

Details for the Database Roles query:

| database_role | role_member |
|---|---|
| db_owner | dbo |

Details for the Privileges query:

| grantee_type | grantee | state_desc | permission_name | securable_class | schema_or_owner | securable | column_name | grantor_type | grantor |
|---|---|---|---|---|---|---|---|---|---|
| SQL_USER | dbo | GRANT | CONNECT | DATABASE | | model | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | VIEW ANY COLUMN ENCRYPTION KEY DEFINITION | DATABASE | | model | | SQL_USER | dbo |
| DATABASE_ROLE | public | GRANT | VIEW ANY COLUMN MASTER KEY DEFINITION | DATABASE | | model | | SQL_USER | dbo |
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_model_V3R3_20251023-144128.ckl
Scan Date: 2026-01-14T12:57:40.569961
Technology Area: Database Review
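The permission inventory that V-213901's Check Text asks for, as an added example: this is not the STIG's supplemental "Database permission assignments to users and roles.sql" (whose text is not on this page) and not Evaluate-STIG code. It builds the same three result sets the scanner summarises (owner, role membership, explicit permissions) from the catalog views, labelling object-class grants with the object's own type the way the scan output does, so the result can be diffed against the documented baseline; it ends with the REVOKE / ALTER ROLE pattern the Fix Text names. The database name and the principal `app_reader` are assumptions. Two things to keep in mind when reading the output: the `public` grants of VIEW ANY COLUMN ENCRYPTION KEY DEFINITION and VIEW ANY COLUMN MASTER KEY DEFINITION shown for model above are the SQL Server 2016 defaults in every database, and `guest` must keep CONNECT in master, msdb and tempdb, so neither is a finding on its own unless the site's documented baseline says otherwise.

```sql
-- Added example, not the STIG supplemental script and not scanner code.
-- Run inside the database under review; 'model' is an assumption.
USE model;

-- 1. Database owner (the scanner's "Owner" result set)
SELECT SUSER_SNAME(owner_sid) AS database_owner
FROM sys.databases
WHERE database_id = DB_ID();

-- 2. Role membership, one row per (role, member). Nested roles show up as
--    members whose member_type is DATABASE_ROLE (the "Roles" result set).
SELECT r.name      AS database_role,
       m.name      AS role_member,
       m.type_desc AS member_type
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;

-- 3. Explicit permissions on database-level securables (the "Privileges"
--    result set). For class 1 (OBJECT_OR_COLUMN) the object's own type is
--    reported (USER_TABLE, VIEW, SQL_STORED_PROCEDURE ...), as in the scan.
SELECT pr.type_desc AS grantee_type,
       pr.name      AS grantee,
       pe.state_desc,
       pe.permission_name,
       COALESCE(o.type_desc, pe.class_desc) AS securable_class,
       CASE pe.class_desc
            WHEN 'OBJECT_OR_COLUMN' THEN OBJECT_SCHEMA_NAME(pe.major_id)
       END AS schema_or_owner,
       CASE pe.class_desc
            WHEN 'DATABASE'              THEN DB_NAME()
            WHEN 'OBJECT_OR_COLUMN'      THEN COALESCE(o.name, CONVERT(sysname, pe.major_id))
            WHEN 'SCHEMA'                THEN SCHEMA_NAME(pe.major_id)
            WHEN 'DATABASE_PRINCIPAL'    THEN USER_NAME(pe.major_id)
            WHEN 'TYPE'                  THEN TYPE_NAME(pe.major_id)
            WHEN 'XML_SCHEMA_COLLECTION' THEN (SELECT x.name FROM sys.xml_schema_collections x
                                               WHERE x.xml_collection_id = pe.major_id)
            ELSE CONVERT(sysname, pe.major_id)   -- other classes: show the raw id
       END AS securable,
       CASE WHEN pe.class_desc = 'OBJECT_OR_COLUMN' AND pe.minor_id > 0
            THEN COL_NAME(pe.major_id, pe.minor_id)
       END AS column_name,
       g.type_desc AS grantor_type,
       g.name      AS grantor
FROM sys.database_permissions pe
JOIN sys.database_principals pr ON pr.principal_id = pe.grantee_principal_id
JOIN sys.database_principals g  ON g.principal_id  = pe.grantor_principal_id
LEFT JOIN sys.all_objects o     ON pe.class = 1 AND o.object_id = pe.major_id
ORDER BY pr.name, securable_class, securable, pe.permission_name;

-- 4. Remediation pattern from the Fix Text for a grant or membership that the
--    documented baseline does not allow. 'app_reader' is a hypothetical
--    principal; the guards keep the script runnable where it does not exist.
--    REVOKE of a permission the principal does not hold is a silent no-op.
IF DATABASE_PRINCIPAL_ID('app_reader') IS NOT NULL
    REVOKE VIEW ANY COLUMN ENCRYPTION KEY DEFINITION FROM app_reader;
IF IS_ROLEMEMBER('db_datareader', 'app_reader') = 1
    ALTER ROLE db_datareader DROP MEMBER app_reader;
```

Save the three result sets per database next to the documented requirements; on the next scan the ResultHash only tells you whether something changed, and this output tells you what.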
| V-213901 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must enforce approved authorizations fo... | - | |||
Check Text: Review the system documentation to determine the required levels of protection for securables in the database by type of login. If the database is tempdb, this is not applicable. Review the permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Use the supplemental file "Database permission assignments to users and roles.sql".

Fix Text: Use GRANT, REVOKE, DENY, ALTER ROLE … ADD MEMBER … and/or ALTER ROLE … DROP MEMBER statements to add and remove permissions on database-level securables, bringing them into line with the documented requirements.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
Instance: MONT-BE-002\BKUPEXEC64
Database: msdb
ResultHash: CD95A213FC4476B7F4C08031802041EE9D911C58
~~~~~
Review the system documentation to determine the required levels of protection for securables in the database by type of user, then compare that against the following permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding.

Here are the row counts and checksums for the three queries in the supplemental STIG file 'Database permission assignments to users and roles.sql':

| QueryType | ResultCount | CheckSum |
|---|---|---|
| Owner | 1 | 34509070 |
| Privileges | 391 | -403485259 |
| Roles | 17 | 348690621 |

Details for the Database Owner query:

| database_owner |
|---|
| sa |

Details for the Database Roles query:

| database_role | role_member |
|---|---|
| db_owner | dbo |
| SQLAgentUserRole | SQLAgentReaderRole |
| SQLAgentReaderRole | SQLAgentOperatorRole |
| SQLAgentUserRole | dc_operator |
| db_ssisltduser | dc_operator |
| db_ssisoperator | dc_operator |
| dc_operator | dc_admin |
| db_ssisltduser | dc_proxy |
| db_ssisoperator | dc_proxy |
| SQLAgentUserRole | MS_DataCollectorInternalUser |
| db_ssisoperator | MS_DataCollectorInternalUser |
| dc_admin | MS_DataCollectorInternalUser |
| SQLAgentOperatorRole | PolicyAdministratorRole |
| ServerGroupReaderRole | ServerGroupAdministratorRole |
| PolicyAdministratorRole | ##MS_PolicyEventProcessingLogin## |
| PolicyAdministratorRole | ##MS_PolicyTsqlExecutionLogin## |
| UtilityIMRReader | UtilityIMRWriter |

Details for the Privileges query (output cut off by the scanner's character limit):

```text
grantee_type  grantee  state_desc  permission_name  securable_class  schema_or_owner  securable
SQL_USER  ##MS_PolicyEventProcessingLogin##  GRANT  CONNECT  DATABASE  msdb
SQL_USER  ##MS_PolicyEventProcessingLogin##  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_events_reader
SQL_USER  ##MS_PolicyTsqlExecutionLogin##  GRANT  CONNECT  DATABASE  msdb
DATABASE_ROLE  DatabaseMailUserRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_send_dbmail
DATABASE_ROLE  DatabaseMailUserRole  GRANT  SELECT  VIEW  dbo  sysmail_allitems
DATABASE_ROLE  DatabaseMailUserRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sysmail_delete_mailitems_sp
DATABASE_ROLE  DatabaseMailUserRole  GRANT  SELECT  VIEW  dbo  sysmail_event_log
DATABASE_ROLE  DatabaseMailUserRole  GRANT  SELECT  VIEW  dbo  sysmail_faileditems
DATABASE_ROLE  DatabaseMailUserRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sysmail_help_status_sp
DATABASE_ROLE  DatabaseMailUserRole  GRANT  SELECT  VIEW  dbo  sysmail_mailattachments
DATABASE_ROLE  DatabaseMailUserRole  GRANT  SELECT  VIEW  dbo  sysmail_sentitems
DATABASE_ROLE  DatabaseMailUserRole  GRANT  SELECT  VIEW  dbo  sysmail_unsentitems
DATABASE_ROLE  db_ssisadmin  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_addfolder
DATABASE_ROLE  db_ssisadmin  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_addlogentry
DATABASE_ROLE  db_ssisadmin  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_checkexists
DATABASE_ROLE  db_ssisadmin  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_deletefolder
DATABASE_ROLE  db_ssisadmin  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_deletepackage
DATABASE_ROLE  db_ssisadmin  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_getfolder
DATABASE_ROLE  db_ssisadmin  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_getpackage
DATABASE_ROLE  db_ssisadmin  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_getpackageroles
DATABASE_ROLE  db_ssisadmin  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_listfolders
DATABASE_ROLE  db_ssisadmin  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_listpackages
DATABASE_ROLE  db_ssisadmin  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_putpackage
DATABASE_ROLE  db_ssisadmin  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_renamefolder
DATABASE_ROLE  db_ssisadmin  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_setpackageroles
DATABASE_ROLE  db_ssisadmin  GRANT  DELETE  USER_TABLE  dbo  sysssislog
DATABASE_ROLE  db_ssisadmin  GRANT  INSERT  USER_TABLE  dbo  sysssislog
DATABASE_ROLE  db_ssisadmin  GRANT  REFERENCES  USER_TABLE  dbo  sysssislog
DATABASE_ROLE  db_ssisadmin  GRANT  SELECT  USER_TABLE  dbo  sysssislog
DATABASE_ROLE  db_ssisadmin  GRANT  UPDATE  USER_TABLE  dbo  sysssislog
DATABASE_ROLE  db_ssisltduser  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_addfolder
DATABASE_ROLE  db_ssisltduser  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_addlogentry
DATABASE_ROLE  db_ssisltduser  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_checkexists
DATABASE_ROLE  db_ssisltduser  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_deletefolder
DATABASE_ROLE  db_ssisltduser  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_deletepackage
DATABASE_ROLE  db_ssisltduser  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_getfolder
DATABASE_ROLE  db_ssisltduser  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_getpackage
DATABASE_ROLE  db_ssisltduser  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_getpackageroles
DATABASE_ROLE  db_ssisltduser  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_listfolders
DATABASE_ROLE  db_ssisltduser  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_listpackages
DATABASE_ROLE  db_ssisltduser  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_putpackage
DATABASE_ROLE  db_ssisltduser  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_renamefolder
DATABASE_ROLE  db_ssisltduser  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_setpackageroles
DATABASE_ROLE  db_ssisltduser  GRANT  INSERT  USER_TABLE  dbo  sysssislog
DATABASE_ROLE  db_ssisltduser  GRANT  SELECT  USER_TABLE  dbo  sysssislog
DATABASE_ROLE  db_ssisoperator  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_checkexists
DATABASE_ROLE  db_ssisoperator  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_deletepackage
DATABASE_ROLE  db_ssisoperator  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_getfolder
DATABASE_ROLE  db_ssisoperator  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_getpackage
DATABASE_ROLE  db_ssisoperator  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_listfolders
DATABASE_ROLE  db_ssisoperator  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_listpackages
DATABASE_ROLE  db_ssisoperator  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_ssis_putpackage
DATABASE_ROLE  db_ssisoperator  GRANT  INSERT  USER_TABLE  dbo  sysssislog
DATABASE_ROLE  db_ssisoperator  GRANT  SELECT  USER_TABLE  dbo  sysssislog
SQL_USER  dbo  GRANT  CONNECT  DATABASE  msdb
DATABASE_ROLE  dc_admin  GRANT  IMPERSONATE  DATABASE_PRINCIPAL  MS_DataCollectorInternalUser
DATABASE_ROLE  dc_admin  GRANT  EXECUTE  SQL_SCALAR_FUNCTION  dbo  fn_syscollector_highest_incompatible_mdw_version
DATABASE_ROLE  dc_admin  GRANT  EXECUTE  XML_SCHEMA_COLLECTION  dbo  schema_collection_Generic SQL Trace Collector Type
DATABASE_ROLE  dc_admin  GRANT  VIEW DEFINITION  XML_SCHEMA_COLLECTION  dbo  schema_collection_Generic SQL Trace Collector Type
DATABASE_ROLE  dc_admin  GRANT  EXECUTE  XML_SCHEMA_COLLECTION  dbo  schema_collection_Generic T-SQL Query Collector...
DATABASE_ROLE  dc_admin  GRANT  VIEW DEFINITION  XML_SCHEMA_COLLECTION  dbo  schema_collection_Generic T-SQL Query Collector...
DATABASE_ROLE  dc_admin  GRANT  EXECUTE  XML_SCHEMA_COLLECTION  dbo  schema_collection_Performance Counters Collecto...
DATABASE_ROLE  dc_admin  GRANT  VIEW DEFINITION  XML_SCHEMA_COLLECTION  dbo  schema_collection_Performance Counters Collecto...
DATABASE_ROLE  dc_admin  GRANT  EXECUTE  XML_SCHEMA_COLLECTION  dbo  schema_collection_Query Activity Collector Type
DATABASE_ROLE  dc_admin  GRANT  VIEW DEFINITION  XML_SCHEMA_COLLECTION  dbo  schema_collection_Query Activity Collector Type
DATABASE_ROLE  dc_admin  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_cleanup_collector
DATABASE_ROLE  dc_admin  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_create_collection_item
DATABASE_ROLE  dc_admin  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_create_collection_set
DATABASE_ROLE  dc_admin  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_create_collector_type
DATABASE_ROLE  dc_admin  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_delete_collection_item
DATABASE_ROLE  dc_admin  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_delete_collection_set
DATABASE_ROLE  dc_admin  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_delete_collector_type
DATABASE_ROLE  dc_admin  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_set_cache_directory
DATABASE_ROLE  dc_admin  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_set_cache_window
DATABASE_ROLE  dc_admin  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_set_warehouse_database_name
DATABASE_ROLE  dc_admin  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_set_warehouse_instance_name
DATABASE_ROLE  dc_operator  GRANT  EXECUTE  SQL_SCALAR_FUNCTION  dbo  fn_syscollector_find_collection_set_root
DATABASE_ROLE  dc_operator  GRANT  SELECT  SQL_INLINE_TABLE_VALUED_FUNCTION  dbo  fn_syscollector_get_execution_details
DATABASE_ROLE  dc_operator  GRANT  SELECT  SQL_INLINE_TABLE_VALUED_FUNCTION  dbo  fn_syscollector_get_execution_log_tree
DATABASE_ROLE  dc_operator  GRANT  SELECT  SQL_INLINE_TABLE_VALUED_FUNCTION  dbo  fn_syscollector_get_execution_stats
DATABASE_ROLE  dc_operator  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_create_tsql_query_collector
DATABASE_ROLE  dc_operator  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_delete_execution_log_tree
DATABASE_ROLE  dc_operator  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_disable_collector
DATABASE_ROLE  dc_operator  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_enable_collector
DATABASE_ROLE  dc_operator  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_get_tsql_query_collector_packag...
DATABASE_ROLE  dc_operator  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_run_collection_set
DATABASE_ROLE  dc_operator  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_start_collection_set
DATABASE_ROLE  dc_operator  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_stop_collection_set
DATABASE_ROLE  dc_operator  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_update_collection_item
DATABASE_ROLE  dc_operator  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_update_collection_set
DATABASE_ROLE  dc_operator  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_upload_collection_set
DATABASE_ROLE  dc_operator  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_verify_subsystems
DATABASE_ROLE  dc_operator  GRANT  SELECT  VIEW  dbo  syscollector_collection_items
DATABASE_ROLE  dc_operator  GRANT  SELECT  VIEW  dbo  syscollector_collection_sets
DATABASE_ROLE  dc_operator  GRANT  SELECT  VIEW  dbo  syscollector_collector_types
DATABASE_ROLE  dc_operator  GRANT  SELECT  VIEW  dbo  syscollector_config_store
DATABASE_ROLE  dc_operator  GRANT  SELECT  VIEW  dbo  syscollector_execution_log
DATABASE_ROLE  dc_operator  GRANT  SELECT  VIEW  dbo  syscollector_execution_log_full
DATABASE_ROLE  dc_operator  GRANT  SELECT  VIEW  dbo  syscollector_execution_stats
DATABASE_ROLE  dc_proxy  GRANT  EXECUTE  SQL_SCALAR_FUNCTION  dbo  fn_syscollector_highest_incompatible_mdw_version
DATABASE_ROLE  dc_proxy  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_create_tsql_query_collector
DATABASE_ROLE  dc_proxy  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_event_oncollectionbegin
DATABASE_ROLE  dc_proxy  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_event_oncollectionend
DATABASE_ROLE  dc_proxy  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_event_onerror
DATABASE_ROLE  dc_proxy  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_event_onpackagebegin
DATABASE_ROLE  dc_proxy  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_event_onpackageend
DATABASE_ROLE  dc_proxy  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_event_onpackageupdate
DATABASE_ROLE  dc_proxy  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_event_onstatsupdate
DATABASE_ROLE  dc_proxy  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_get_tsql_query_collector_packag...
DATABASE_ROLE  dc_proxy  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_get_warehouse_connection_string
DATABASE_ROLE  dc_proxy  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_snapshot_dm_exec_query_stats
DATABASE_ROLE  dc_proxy  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syscollector_snapshot_dm_exec_requests
DATABASE_ROLE  dc_proxy  GRANT  SELECT  VIEW  dbo  syscollector_collection_items
DATABASE_ROLE  dc_proxy  GRANT  SELECT  VIEW  dbo  syscollector_collection_sets
DATABASE_ROLE  dc_proxy  GRANT  SELECT  VIEW  dbo  syscollector_collector_types
DATABASE_ROLE  dc_proxy  GRANT  SELECT  VIEW  dbo  syscollector_config_store
SQL_USER  guest  GRANT  CONNECT  DATABASE  msdb
SQL_USER  MS_DataCollectorInternalUser  GRANT  CONNECT  DATABASE  msdb
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_add_condition
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_add_object_set
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_add_policy
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_add_policy_category
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_add_policy_category_subscription
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_add_target_set
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_add_target_set_level
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_configure
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_create_purge_job
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_delete_condition
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_delete_object_set
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_delete_policy
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_delete_policy_category
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_delete_policy_category_subscription
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_dispatch_event
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_log_policy_execution_detail
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_log_policy_execution_end
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_log_policy_execution_start
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_purge_health_state
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_purge_history
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_rename_condition
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_rename_policy
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_rename_policy_category
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_repair_policy_automation
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_set_config_enabled
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_set_config_history_retention
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_set_log_on_success
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_update_condition
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_update_policy
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  dbo  sp_syspolicy_update_policy_category
DATABASE_ROLE  PolicyAdministratorRole  GRANT  EXECUTE  SQL_STORED_PROCEDURE  ---truncated results. met character limit---
```
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_msdb_V3R3_20251023-144148.ckl
Scan Date: 2026-01-14T12:57:40.663257
Technology Area: Database Review
| V-213901 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must enforce approved authorizations fo... | - | |||
Check Text: Review the system documentation to determine the required levels of protection for securables in the database by type of login. If the database is tempdb, this is not applicable. Review the permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Use the supplemental file "Database permission assignments to users and roles.sql".

Fix Text: Use GRANT, REVOKE, DENY, ALTER ROLE … ADD MEMBER … and/or ALTER ROLE … DROP MEMBER statements to add and remove permissions on database-level securables, bringing them into line with the documented requirements.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT APPLICABLE on 10/23/2025
Instance: MONT-BE-002\BKUPEXEC64
Database: tempdb
ResultHash: E72A43AA1F56BC880CAFBD122F108E27602D0980
~~~~~
This is the 'tempdb' database so this requirement is NA.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_tempdb_V3R3_20251023-144154.ckl
Scan Date: 2026-01-14T12:57:40.769694
Technology Area: Database Review
| V-213926 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must implement cryptographic mechanisms... | - | |||
Check Text: Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information. If no information is identified as requiring such protection, this is not a finding.

Review the configuration of SQL Server, Windows, and additional software as relevant. If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding.

If database transparent data encryption (TDE) is called for, verify it is enabled:

```sql
SELECT db.name AS DatabaseName,
       db.is_encrypted AS IsEncrypted,
       CASE WHEN dm.encryption_state = 0 THEN 'No database encryption key present, no encryption'
            WHEN dm.encryption_state = 1 THEN 'Unencrypted'
            WHEN dm.encryption_state = 2 THEN 'Encryption in progress'
            WHEN dm.encryption_state = 3 THEN 'Encrypted'
            WHEN dm.encryption_state = 4 THEN 'Key change in progress'
            WHEN dm.encryption_state = 5 THEN 'Decryption in progress'
            WHEN dm.encryption_state = 6 THEN 'Protection change in progress'
       END AS EncryptionState,
       dm.encryption_state AS EncryptionState,
       dm.key_algorithm AS KeyAlgorithm,
       dm.key_length AS KeyLength
FROM sys.databases db
LEFT OUTER JOIN sys.dm_database_encryption_keys dm ON db.database_id = dm.database_id
WHERE db.database_id NOT IN (1,2,3,4)
```

For each user database for which encryption is called for and that is marked Unencrypted, this is a finding.

If table/column encryption and/or a separation between those who own the data (and can view it) and those who manage the data (but should have no access) is required for PII or similar types of data, use Always Encrypted. The details for configuring Always Encrypted are located here: https://msdn.microsoft.com/en-us/library/mt163865.aspx. Review the definitions and contents of the relevant tables/columns for the Always Encrypted settings. If any of the information that requires cryptographic protection is not encrypted, this is a finding.

Fix Text: Where full-disk encryption is required, configure Windows and/or the storage system to provide this. Where transparent data encryption (TDE) is required, create a master key, obtain a certificate protected by the master key, create a database encryption key and protect it by the certificate, and then set the database to use encryption. For guidance from MSDN on how to do this: https://msdn.microsoft.com/en-us/library/bb934049.aspx. Where table/column encryption is required, enable encryption on the tables/columns in question. For guidance from the Microsoft Developer Network on how to do this with Always Encrypted: https://msdn.microsoft.com/en-us/library/mt163865.aspx.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
Instance: MONT-BE-002\BKUPEXEC64
Database: BEDB
ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB
~~~~~
No database encryption key was found. Documentation needs to be reviewed to see if encryption is required.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_BEDB_V3R3_20251023-143959.ckl
Scan Date: 2026-01-14T12:57:40.371699
Technology Area: Database Review
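The Fix Text's TDE procedure carried through in T-SQL and followed by a re-run of the check, as an added example: it is not code from the page, from the STIG supplemental files or from the scanner. The database name BEDB, the certificate name TDE_Cert, the backup path and the placeholder passwords are assumptions; whether BEDB actually holds data that must be encrypted at rest is a question for the system documentation, which is why the scanner left the status undetermined. Three caveats the Check Text does not spell out. First, the check query filters out database_id 1 through 4 (master, tempdb, model, msdb), so the identical "No database encryption key was found" result the scanner reports for master, model and msdb carries no TDE weight for this requirement. Second, a database with no database encryption key at all produces NULL, not 'Unencrypted', from the check query, because the LEFT OUTER JOIN finds no row; both NULL and state 1 mean the data files are in the clear. Third, TDE in SQL Server 2016 is an Enterprise edition feature; on Standard or Express the CREATE DATABASE ENCRYPTION KEY step fails, and full-disk encryption or Always Encrypted are the routes left.

```sql
-- Added example: the Fix Text's TDE steps, then verification. Not page or
-- scanner code. Assumptions: database BEDB, certificate TDE_Cert, backup
-- path D:\TDE\, placeholder passwords that must come from key management.

-- 0. Edition check. EngineEdition 3 = Enterprise (or Developer); TDE on SQL
--    Server 2016 is not available on Standard or Express.
SELECT SERVERPROPERTY('Edition')       AS edition,
       SERVERPROPERTY('EngineEdition') AS engine_edition;

-- 1. Database master key in master (one per instance)
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<DMK password, placeholder>';

-- 2. Certificate protected by the master key
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'TDE_Cert')
    CREATE CERTIFICATE TDE_Cert WITH SUBJECT = 'TDE certificate for BEDB';

-- 3. Back up the certificate and private key BEFORE encrypting anything.
--    Without this file pair an encrypted database cannot be restored on any
--    other instance. Run once; BACKUP CERTIFICATE will not overwrite a file.
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'D:\TDE\TDE_Cert.cer'
    WITH PRIVATE KEY (FILE = 'D:\TDE\TDE_Cert.pvk',
                      ENCRYPTION BY PASSWORD = '<private key password, placeholder>');

-- 4. Database encryption key inside the target database, protected by the
--    server certificate (this is the step that fails on non-Enterprise editions)
USE BEDB;
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID())
    CREATE DATABASE ENCRYPTION KEY
        WITH ALGORITHM = AES_256
        ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;

-- 5. Switch encryption on. A background scan encrypts the data files;
--    encryption_state stays 2 until percent_complete reaches 100. tempdb is
--    encrypted automatically once any user database is.
ALTER DATABASE BEDB SET ENCRYPTION ON;

-- 6. Verify. Unlike the check query this lists every database and gives a
--    missing key (no row from the LEFT JOIN) its own label instead of NULL.
SELECT db.database_id,
       db.name         AS DatabaseName,
       db.is_encrypted AS IsEncrypted,
       CASE dm.encryption_state
            WHEN 0 THEN 'No database encryption key present, no encryption'
            WHEN 1 THEN 'Unencrypted'
            WHEN 2 THEN 'Encryption in progress'
            WHEN 3 THEN 'Encrypted'
            WHEN 4 THEN 'Key change in progress'
            WHEN 5 THEN 'Decryption in progress'
            WHEN 6 THEN 'Protection change in progress'
            ELSE 'No database encryption key (no row in sys.dm_database_encryption_keys)'
       END AS EncryptionState,
       dm.key_algorithm    AS KeyAlgorithm,
       dm.key_length       AS KeyLength,
       dm.percent_complete AS PercentComplete
FROM sys.databases db
LEFT OUTER JOIN sys.dm_database_encryption_keys dm ON dm.database_id = db.database_id
ORDER BY db.database_id;   -- ids 1-4 are master, tempdb, model, msdb (excluded by the check)
```

TDE protects the data and log files and their backups on disk; anyone who can authenticate to the database still reads the rows in the clear, which is why the Check Text points to Always Encrypted when the requirement is to keep administrators away from the data rather than to protect the files.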
| V-213926 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must implement cryptographic mechanisms... | - | |||
Check Text: Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information. If no information is identified as requiring such protection, this is not a finding.

Review the configuration of SQL Server, Windows, and additional software as relevant. If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding.

If database transparent data encryption (TDE) is called for, verify it is enabled:

```sql
SELECT db.name AS DatabaseName,
       db.is_encrypted AS IsEncrypted,
       CASE WHEN dm.encryption_state = 0 THEN 'No database encryption key present, no encryption'
            WHEN dm.encryption_state = 1 THEN 'Unencrypted'
            WHEN dm.encryption_state = 2 THEN 'Encryption in progress'
            WHEN dm.encryption_state = 3 THEN 'Encrypted'
            WHEN dm.encryption_state = 4 THEN 'Key change in progress'
            WHEN dm.encryption_state = 5 THEN 'Decryption in progress'
            WHEN dm.encryption_state = 6 THEN 'Protection change in progress'
       END AS EncryptionState,
       dm.encryption_state AS EncryptionState,
       dm.key_algorithm AS KeyAlgorithm,
       dm.key_length AS KeyLength
FROM sys.databases db
LEFT OUTER JOIN sys.dm_database_encryption_keys dm ON db.database_id = dm.database_id
WHERE db.database_id NOT IN (1,2,3,4)
```

For each user database for which encryption is called for and that is marked Unencrypted, this is a finding.

If table/column encryption and/or a separation between those who own the data (and can view it) and those who manage the data (but should have no access) is required for PII or similar types of data, use Always Encrypted. The details for configuring Always Encrypted are located here: https://msdn.microsoft.com/en-us/library/mt163865.aspx. Review the definitions and contents of the relevant tables/columns for the Always Encrypted settings. If any of the information that requires cryptographic protection is not encrypted, this is a finding.

Fix Text: Where full-disk encryption is required, configure Windows and/or the storage system to provide this. Where transparent data encryption (TDE) is required, create a master key, obtain a certificate protected by the master key, create a database encryption key and protect it by the certificate, and then set the database to use encryption. For guidance from MSDN on how to do this: https://msdn.microsoft.com/en-us/library/bb934049.aspx. Where table/column encryption is required, enable encryption on the tables/columns in question. For guidance from the Microsoft Developer Network on how to do this with Always Encrypted: https://msdn.microsoft.com/en-us/library/mt163865.aspx.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
Instance: MONT-BE-002\BKUPEXEC64
Database: master
ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB
~~~~~
No database encryption key was found. Documentation needs to be reviewed to see if encryption is required.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_master_V3R3_20251023-144120.ckl
Scan Date: 2026-01-14T12:57:40.470811
Technology Area: Database Review
| V-213926 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must implement cryptographic mechanisms... | - | |||
Check Text: Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information. If no information is identified as requiring such protection, this is not a finding.

Review the configuration of SQL Server, Windows, and additional software as relevant. If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding.

If database transparent data encryption (TDE) is called for, verify it is enabled:

```sql
SELECT db.name AS DatabaseName,
       db.is_encrypted AS IsEncrypted,
       CASE WHEN dm.encryption_state = 0 THEN 'No database encryption key present, no encryption'
            WHEN dm.encryption_state = 1 THEN 'Unencrypted'
            WHEN dm.encryption_state = 2 THEN 'Encryption in progress'
            WHEN dm.encryption_state = 3 THEN 'Encrypted'
            WHEN dm.encryption_state = 4 THEN 'Key change in progress'
            WHEN dm.encryption_state = 5 THEN 'Decryption in progress'
            WHEN dm.encryption_state = 6 THEN 'Protection change in progress'
       END AS EncryptionState,
       dm.encryption_state AS EncryptionState,
       dm.key_algorithm AS KeyAlgorithm,
       dm.key_length AS KeyLength
FROM sys.databases db
LEFT OUTER JOIN sys.dm_database_encryption_keys dm ON db.database_id = dm.database_id
WHERE db.database_id NOT IN (1,2,3,4)
```

For each user database for which encryption is called for and that is marked Unencrypted, this is a finding.

If table/column encryption and/or a separation between those who own the data (and can view it) and those who manage the data (but should have no access) is required for PII or similar types of data, use Always Encrypted. The details for configuring Always Encrypted are located here: https://msdn.microsoft.com/en-us/library/mt163865.aspx. Review the definitions and contents of the relevant tables/columns for the Always Encrypted settings. If any of the information that requires cryptographic protection is not encrypted, this is a finding.

Fix Text: Where full-disk encryption is required, configure Windows and/or the storage system to provide this. Where transparent data encryption (TDE) is required, create a master key, obtain a certificate protected by the master key, create a database encryption key and protect it by the certificate, and then set the database to use encryption. For guidance from MSDN on how to do this: https://msdn.microsoft.com/en-us/library/bb934049.aspx. Where table/column encryption is required, enable encryption on the tables/columns in question. For guidance from the Microsoft Developer Network on how to do this with Always Encrypted: https://msdn.microsoft.com/en-us/library/mt163865.aspx.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
Instance: MONT-BE-002\BKUPEXEC64
Database: model
ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB
~~~~~
No database encryption key was found. Documentation needs to be reviewed to see if encryption is required.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_model_V3R3_20251023-144128.ckl
Scan Date: 2026-01-14T12:57:40.569961
Technology Area: Database Review
| V-213926 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must implement cryptographic mechanisms... | - | |||
Check Text: Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information. If no information is identified as requiring such protection, this is not a finding.

Review the configuration of SQL Server, Windows, and additional software as relevant. If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding.

If database transparent data encryption (TDE) is called for, verify it is enabled:

```sql
SELECT db.name AS DatabaseName,
       db.is_encrypted AS IsEncrypted,
       CASE WHEN dm.encryption_state = 0 THEN 'No database encryption key present, no encryption'
            WHEN dm.encryption_state = 1 THEN 'Unencrypted'
            WHEN dm.encryption_state = 2 THEN 'Encryption in progress'
            WHEN dm.encryption_state = 3 THEN 'Encrypted'
            WHEN dm.encryption_state = 4 THEN 'Key change in progress'
            WHEN dm.encryption_state = 5 THEN 'Decryption in progress'
            WHEN dm.encryption_state = 6 THEN 'Protection change in progress'
       END AS EncryptionState,
       dm.encryption_state AS EncryptionState,
       dm.key_algorithm AS KeyAlgorithm,
       dm.key_length AS KeyLength
FROM sys.databases db
LEFT OUTER JOIN sys.dm_database_encryption_keys dm ON db.database_id = dm.database_id
WHERE db.database_id NOT IN (1,2,3,4)
```

For each user database for which encryption is called for and that is marked Unencrypted, this is a finding.

If table/column encryption and/or a separation between those who own the data (and can view it) and those who manage the data (but should have no access) is required for PII or similar types of data, use Always Encrypted. The details for configuring Always Encrypted are located here: https://msdn.microsoft.com/en-us/library/mt163865.aspx. Review the definitions and contents of the relevant tables/columns for the Always Encrypted settings. If any of the information that requires cryptographic protection is not encrypted, this is a finding.

Fix Text: Where full-disk encryption is required, configure Windows and/or the storage system to provide this. Where transparent data encryption (TDE) is required, create a master key, obtain a certificate protected by the master key, create a database encryption key and protect it by the certificate, and then set the database to use encryption. For guidance from MSDN on how to do this: https://msdn.microsoft.com/en-us/library/bb934049.aspx. Where table/column encryption is required, enable encryption on the tables/columns in question. For guidance from the Microsoft Developer Network on how to do this with Always Encrypted: https://msdn.microsoft.com/en-us/library/mt163865.aspx.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
Instance: MONT-BE-002\BKUPEXEC64
Database: msdb
ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB
~~~~~
No database encryption key was found. Documentation needs to be reviewed to see if encryption is required.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_msdb_V3R3_20251023-144148.ckl
Scan Date: 2026-01-14T12:57:40.663257
Technology Area: Database Review
|
||||||||
| V-213926 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must implement cryptographic mechanisms... | - | |||
Check Text: Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information. If no information is identified as requiring such protection, this is not a finding. Review the configuration of SQL Server, Windows, and additional software as relevant. If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding. If database transparent data encryption (TDE) is called for, verify it is enabled:

```sql
SELECT db.name AS DatabaseName,
       db.is_encrypted AS IsEncrypted,
       CASE
           WHEN dm.encryption_state = 0 THEN 'No database encryption key present, no encryption'
           WHEN dm.encryption_state = 1 THEN 'Unencrypted'
           WHEN dm.encryption_state = 2 THEN 'Encryption in progress'
           WHEN dm.encryption_state = 3 THEN 'Encrypted'
           WHEN dm.encryption_state = 4 THEN 'Key change in progress'
           WHEN dm.encryption_state = 5 THEN 'Decryption in progress'
           WHEN dm.encryption_state = 6 THEN 'Protection change in progress'
       END AS EncryptionState,
       dm.encryption_state AS EncryptionState,
       dm.key_algorithm AS KeyAlgorithm,
       dm.key_length AS KeyLength
FROM sys.databases db
LEFT OUTER JOIN sys.dm_database_encryption_keys dm ON db.database_id = dm.database_id
WHERE db.database_id NOT IN (1,2,3,4)
```

For each user database for which encryption is called for and that is marked Unencrypted, this is a finding. If table/column encryption and/or a separation between those who own the data (and can view it) and those who manage the data (but should have no access) is required for PII or similar types of data, use Always Encrypted. The details for configuring Always Encrypted are located here: https://msdn.microsoft.com/en-us/library/mt163865.aspx. Review the definitions and contents of the relevant tables/columns for the Always Encrypted settings. If any of the information that requires cryptographic protection is not encrypted, this is a finding.
Fix Text: Where full-disk encryption is required, configure Windows and/or the storage system to provide this. Where transparent data encryption (TDE) is required, create a master key, obtain a certificate protected by the master key, create a database encryption key and protect it by the certificate, and then set the database to use encryption. For guidance from MSDN on how to do this: https://msdn.microsoft.com/en-us/library/bb934049.aspx. Where table/column encryption is required, enable encryption on the tables/columns in question. For guidance from the Microsoft Developer Network on how to do this with Always Encrypted: https://msdn.microsoft.com/en-us/library/mt163865.aspx.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_tempdb_V3R3_20251023-144154.ckl
Scan Date: 2026-01-14T12:57:40.769694
Technology Area: Database Review
| V-213927 | CAT I | MONT-BE-002 | MS SQL Server 2016 Database Security Tec... | SQL Server must implement cryptographic mechanisms... | - | |||
Check Text: Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from disclosure, which must include, at a minimum, PII and classified information. If no information is identified as requiring such protection, this is not a finding. If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding. If database transparent data encryption (TDE) is called for, check whether it is enabled:

```sql
SELECT DB_NAME(database_id) AS [Database Name],
       CASE encryption_state
           WHEN 0 THEN 'No database encryption key present, no encryption'
           WHEN 1 THEN 'Unencrypted'
           WHEN 2 THEN 'Encryption in progress'
           WHEN 3 THEN 'Encrypted'
           WHEN 4 THEN 'Key change in progress'
           WHEN 5 THEN 'Decryption in progress'
           WHEN 6 THEN 'Protection change in progress'
       END AS [Encryption State]
FROM sys.dm_database_encryption_keys
```

For each user database for which encryption is called for and that is marked Unencrypted, this is a finding. If table/column encryption and/or a separation between those who own the data (and can view it) and those who manage the data (but should have no access) is required for PII or similar types of data, use Always Encrypted. The details for configuring Always Encrypted are located here: https://msdn.microsoft.com/en-us/library/mt163865.aspx. Review the definitions and contents of the relevant tables/columns for the Always Encrypted settings. If any of the information defined as requiring cryptographic protection is not encrypted, this is a finding.
Fix Text: Where full-disk encryption is required, configure Windows and/or the storage system to provide this. Where transparent data encryption (TDE) is required, create a master key, obtain a certificate protected by the master key, create a database encryption key and protect it by the certificate, and then set the database to use encryption. For guidance from MSDN on how to do this: https://msdn.microsoft.com/en-us/library/bb934049.aspx. Where table/column encryption is required, enable encryption on the tables/columns in question. For guidance from the Microsoft Developer Network on how to do this with Always Encrypted: https://msdn.microsoft.com/en-us/library/mt163865.aspx.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_BEDB_V3R3_20251023-143959.ckl
Scan Date: 2026-01-14T12:57:40.371699
Technology Area: Database Review