V-213907
CAT II
SQL Server must limit privileges to change software modules, to include stored procedures, functions, and triggers, and links to software external to SQL Server.
- Ships Affected: 1
- Total Findings: 5
- Open: 0
- Closed: 5
Check Text
Obtain a listing of schema ownership from the server documentation.
Execute the following query to obtain a current listing of schema ownership.
```sql
SELECT s.name AS schema_name, p.name AS owning_principal
FROM sys.schemas s
JOIN sys.database_principals p ON s.principal_id = p.principal_id
WHERE p.name != 'dbo'
  AND (s.name != p.name
       OR p.name NOT IN
          ( 'db_accessadmin'
          , 'db_backupoperator'
          , 'db_datareader'
          , 'db_datawriter'
          , 'db_ddladmin'
          , 'db_denydatareader'
          , 'db_denydatawriter'
          , 'db_owner'
          , 'db_securityadmin'
          , 'guest'
          , 'INFORMATION_SCHEMA'
          , 'sys'
          , 'TargetServersRole'
          , 'SQLAgentUserRole'
          , 'SQLAgentReaderRole'
          , 'SQLAgentOperatorRole'
          , 'DatabaseMailUserRole'
          , 'db_ssisadmin'
          , 'db_ssisltduser'
          , 'db_ssisoperator'
          , 'replmonitor'
          , '##MS_SSISServerCleanupJobLogin##'
          )
      )
ORDER BY schema_name
```
If any schema is owned by an unauthorized database principal, this is a finding.
Fix Text
Transfer ownership of database schemas to authorized database principals.
```sql
ALTER AUTHORIZATION ON SCHEMA::[<Schema Name>] TO [<Principal Name>]
```
STIG Reference
- STIG: MS SQL Server 2016 Database Security Technical Implementation Guide
- Version: 3
- Release: 5
- Rule ID: SV-213907r1167464_rule
All Occurrences
This vulnerability appears on 1 ship(s)
| Ship | Hull # | Source File | Status | Assigned To | Scan Date |
|---|---|---|---|---|---|
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_tempdb_V3R3_20251023-144154.ckl | | Unassigned | 2026-01-14T12:57:40.769694 |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_msdb_V3R3_20251023-144148.ckl | | Unassigned | 2026-01-14T12:57:40.663257 |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_model_V3R3_20251023-144128.ckl | | Unassigned | 2026-01-14T12:57:40.569961 |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_master_V3R3_20251023-144120.ckl | | Unassigned | 2026-01-14T12:57:40.470811 |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_BEDB_V3R3_20251023-143959.ckl | | Unassigned | 2026-01-14T12:57:40.371699 |