V-213924
CAT II

SQL Server must enforce access restrictions associated with changes to the configuration of the database(s).

- Ships Affected: 1
- Total Findings: 5
- Open: 0
- Closed: 4
Check Text
Execute the following query to obtain a listing of user databases whose owner is a member of a fixed server role:
```sql
SELECT
    D.name AS database_name,
    SUSER_SNAME(D.owner_sid) AS owner_name,
    FRM.is_fixed_role_member
FROM sys.databases D
OUTER APPLY (
    -- 1 if the owner is a member of any fixed server role, 0 if of none,
    -- NULL if membership could not be determined for any role
    SELECT MAX(fixed_role_member) AS is_fixed_role_member
    FROM (
        SELECT IS_SRVROLEMEMBER(R.name, SUSER_SNAME(D.owner_sid)) AS fixed_role_member
        FROM sys.server_principals R
        WHERE is_fixed_role = 1
    ) A
) FRM
WHERE D.database_id > 4  -- user databases only (IDs 1-4 are the system databases)
    AND (FRM.is_fixed_role_member = 1
        OR FRM.is_fixed_role_member IS NULL)
ORDER BY database_name
```
If no databases are returned, this is not a finding.
For each database/login returned, review the Server Role memberships:
1. In SQL Server Management Studio, expand “Logins”
2. Double-click the name of the Login
3. Click the “Server Roles” tab
If any server roles are selected, but not documented and authorized, this is a finding.
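
The manual review in steps 1 to 3 can also be scripted. The following T-SQL is an added example, not part of the STIG check text: it lists every user database owner alongside each fixed server role the owner login is a direct member of, and flags owners whose SID does not map to a server principal. It assumes the caller has permission to view server-level metadata; the column aliases and `review_note` values are illustrative.

```sql
-- Added example (not from the STIG): per-owner breakdown of fixed server role
-- membership, to compare against the documented and authorized roles.
SELECT
    D.name                   AS database_name,
    SUSER_SNAME(D.owner_sid) AS owner_name,
    L.type_desc              AS owner_type,
    R.name                   AS fixed_server_role,
    CASE
        WHEN L.principal_id IS NULL
            THEN 'owner SID does not map to a server principal'
        WHEN R.name IS NULL
            THEN 'no direct fixed-role membership'
        ELSE 'direct member: verify documented and authorized'
    END                      AS review_note
FROM sys.databases D
LEFT JOIN sys.server_principals L
    ON L.sid = D.owner_sid
LEFT JOIN (
    -- role membership rows, restricted to the fixed server roles
    sys.server_role_members RM
    JOIN sys.server_principals R
        ON R.principal_id = RM.role_principal_id
       AND R.is_fixed_role = 1
) ON RM.member_principal_id = L.principal_id
WHERE D.database_id > 4      -- user databases only, as in the check query
ORDER BY database_name, fixed_server_role;
```

`sys.server_role_members` records only direct memberships, so a role reached through a Windows group does not appear as a row for the individual login; treat the check query above as the authoritative list of databases to review.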
Fix Text
Remove unauthorized users from roles:

```sql
ALTER ROLE role_name DROP MEMBER user;
```

https://msdn.microsoft.com/en-us/library/ms189775.aspx

Set the owner of the database to an authorized login:

```sql
ALTER AUTHORIZATION ON database::DatabaseName TO login;
```

https://msdn.microsoft.com/en-us/library/ms187359.aspx
STIG Reference
- STIG: MS SQL Server 2016 Database Security Technical Implementation Guide
- Version: 3
- Release: 5
- Rule ID: SV-213924r961461_rule
All Occurrences
This vulnerability appears on 1 ship(s)
| Ship | Hull # | Source File | Status | Assigned To | Scan Date |
|---|---|---|---|---|---|
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_tempdb_V3R3_20251023-144154.ckl | | Unassigned | 2026-01-14T12:57:40.769694 |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_msdb_V3R3_20251023-144148.ckl | | Unassigned | 2026-01-14T12:57:40.663257 |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_model_V3R3_20251023-144128.ckl | | Unassigned | 2026-01-14T12:57:40.569961 |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_master_V3R3_20251023-144120.ckl | | Unassigned | 2026-01-14T12:57:40.470811 |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_BEDB_V3R3_20251023-143959.ckl | | Unassigned | 2026-01-14T12:57:40.371699 |