AuditPro Enterprise™

Description:
Check to determine if the sa account is configured without a password. By default, the sa account is blank. If the sa account is left without password protection, anyone can act as administrator on the SQL server. Once an authorized user gains access to the sa account, it is easy to gain access to admin privileges on the Windows NT Server by using commands such as xp_cmdshell.

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Blank sa Password	No violations found

Description:
DTS packages can be saved to SQL Server's Meta Data Service. This gives administrators the ability to save meta data about the package as well as data lineage. When a DTS package is saved as a Meta Data Service, the account and password used to connect to the data source is saved in the table msdb.dbo.RTblDBMProps. This table is publicly viewable on a default installation of Microsoft SQL Server 2000.

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	DTS password table publicly viewable	No violations found

Description:
Guest accounts should not be created on databases at all. However, the guest account in the 'master' and 'msdb' databases cannot be removed.
It is advisable to remove this account completely if it exists.

CVE Reference No.: CVE-NO-MATCH

Severity	Name	Database access	Created On
	guest	Yes	4/8/2003 9:10:20 AM

Solution:
Delete the guest user ID from all databases. Within each database that has a guest user ID, execute the command "sp_dropuser guest."

Description:
These are the Windows logins on the local server which have access to SQL Server. Check if these are valid users for access to SQL Server, and review their roles and privileges.

CVE Reference No.: CVE-NO-MATCH

Severity	name	loginname
	BUILTIN/Administrators	BUILTIN/Administrators
	NT AUTHORITY/SYSTEM	NT AUTHORITY/SYSTEM
	SQLSERVER2005/SQLServer2005MSSQLUser$SQLSERVER2005$MSSQLSERVER	SQLSERVER2005/SQLServer2005MSSQLUser$SQLSERVER2005$MSSQLSERVER
	SQLSERVER2005/SQLServer2005SQLAgentUser$SQLSERVER2005$MSSQLSERVER	SQLSERVER2005/SQLServer2005SQLAgentUser$SQLSERVER2005$MSSQLSERVER
	SQLSERVER2005/SQLServer2005MSFTEUser$SQLSERVER2005$MSSQLSERVER	SQLSERVER2005/SQLServer2005MSFTEUser$SQLSERVER2005$MSSQLSERVER

Solution:
As needed, remove unnecessary Windows NT/2000 accounts from SQL Server by using the command "xp_revokelogin."

Description:
Check for mismatched user IDs. A mismatched user ID occurs when a user ID is mapped to a login ID of a different name. For example, user ID jdoe should map to login ID jdoe, not to johnd. Mismatching user IDs makes administration more complex and can result in inappropriate permissions being assigned. Mismatched users are often evidence that an orphaned user ID was mapped to an incorrect login.

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Mismatched User IDs	No violations found

Description:
Check for the orphaned users who are not associated with any SQL Logins but exist in databases. Generally this situation does not exist because when any SQL Login is deleted then its associated user IDs are also deleted from the databases. However if the new database is added to SQL Server or while restoring databases from backups, which has existing user there will be no SQL logins associated with them and hence will have to be considered as orphaned

CVE Reference No.: CVE-NO-MATCH

Severity	name
	public
	db_owner
	db_accessadmin
	db_securityadmin
	db_ddladmin
	db_backupoperator
	db_datareader
	db_datawriter
	db_denydatareader
	db_denydatawriter

Solution:
Orphaned user IDs should be dropped and recreated to match the appropriate login ID. Login IDs and user IDs can be changed using Enterprise Manager by opening the Logins folder in a SQL Server and double-clicking the login ID in violation.You may also use the stored procedures sp_dropuser and sp_adduser to achieve the same results.

Description:
SQL Server provides an engine, called the SQL Server Agent, to perform maintenance tasks. If the agent is configured to use a login name and password, the stored procedure sp_get_sqlagent_properties can be used to discover the password. By default, all logins can execute this stored procedure.

CVE Reference No.: CVE-NO-MATCH

Severity	PROCEDURE_NAME	GRANTOR	GRANTEE
	sp_get_sqlagent_properties	dbo	SQLAgentUserRole

Solution:
Microsoft strongly recommends that you use Windows authentication rather than saving the SQL Server Agent password in the registry.

To prevent non-privileged users from executing this function and retrieve the password, it is recommended that you perform two tasks:

1) Remove the guest user from the msdb database.

This is accomplished by executing the following command from Query Analyzer:
use msdb
sp_dropuser 'guest'

2) Revoke public permissions from the stored procedure.

This is accomplished by executing the following command from Query Analyzer:
use msdb
revoke execute on sp_get_sqlagent_properties from public

Description:
A security issue exists that allows Agent jobs to create arbitrary file. By default, the public group is allowed to create jobs that the Agent runs. By crafting malicious job, a non-privileged login can write arbitrary files on the operating system. The stored procedures used to create Agent job are
sp_add_job
sp_add_jobstep
sp_add_jobserver
sp_start_job.
Revoke execute permissions on these stored procedures from group public and other low privilege users.

CVE Reference No.: CAN-2002-0721

Severity	PROCEDURE_NAME	GRANTOR	GRANTEE
	sp_add_jobserver	dbo	TargetServersRole
	sp_add_jobserver	dbo	SQLAgentUserRole
	sp_add_jobstep	dbo	TargetServersRole
	sp_add_jobstep	dbo	SQLAgentUserRole
	sp_add_job	dbo	TargetServersRole
	sp_add_job	dbo	SQLAgentUserRole
	sp_start_job	dbo	TargetServersRole
	sp_start_job	dbo	SQLAgentUserRole

Solution:
It is recommended to revoke execute permissions on the following

Description:
Check that the remote access option is not enabled. The remote access option determines if connections to and from other Microsoft SQL Servers are allowed. Remote connections are required for features such as replication and remote stored procedures. For servers where remote access is not required, this feature should be disabled.

CVE Reference No.: CVE-NO-MATCH

Severity	comment	value
	Allow remote access	Yes

Solution:
Use Enterprise Manager to change the Remote Access settings to conform to policy.

Description:
MS SQL Server uses system tables for its internal operations. Updates to system table is very critical as it could prevent running an instance of SQL Server or possibly a loss of data. Hence Updates to system tables should be strictly prohibited, not only for security reasons but also for performance stability.
Default settings for Allow update is 0, which prevents ad-hoc access to system tables, even if user has appropriate permissions.
If direct updates is allowed to the system tables using ad-hoc queries, Users can create stored procedures to update system tables. Once stored procedures get created while Allow Update is enabled, these stored procedures have the ability to update system tables even when Allow Update is disabled.

Its recommended to disable Allow Update to system table.

CVE Reference No.: CVE-NO-MATCH

Severity	comment	value
	Allow updates to system tables	No

Solution:

1. Change the Allow Updates to System Tables option using Enterprise Manager.
2. Click the right mouse button on the server and select Properties from the popup menu.
3. Select the Server Settings tab.
4. Change the value of the Allow modifications to the system catalogs field. When the checkbox is selected, the function is enabled.

Description:
By default the Windows group BUILTIN/Administrators is granted the sysadmin role in Microsoft SQL Server. This makes any Windows administrator a SQL Server administrator also. It is a good security practice to separate these responsibilities and remove the BUILTIN/Administrators from the sysadmin role.

CVE Reference No.: CVE-NO-MATCH

Severity	name	Is system administrator
	BUILTIN/Administrators	Yes

Solution:
WARNING!!! Removing the BUILTIN/Administrators group in a complex environment may have side effects. If you decide to remove the BUILTIN/Administrators group, you should confer with the database administrator and ensure you will not encounter any situation which may cause problems for your database server.

To safely remove the BUILTIN/Administrators group, following the directions below:

1) Create a windows group that will be used to administer SQL Server.
2) Place any DBA windows users in this group.
3) Delete the BUILTIN/Administrators login or remove it from the sysadmin server role.

Description:
The sort order on your SQL Server determines the manner in which your data will be sorted. It is specific to national languages and can be case-sensitive as well as accent-sensitive. If your sort order is not case-sensitive, a hacker attempting to brute-force a password does not have to worry about the case of the passwords being hacked (i.e. 'asi', 'ASI', 'Asi', etc. are all considered the same word). This can significantly shorten the amount of time it takes to crack a password.

CVE Reference No.: CVE-NO-MATCH

Severity	Server default collation
	Latin1-General, case-insensitive, accent-insensitive, kanatype-insensitive, width-insensitive

Solution:
For Microsoft SQL Server 2000, to modify the collation being used by a specific database, rebuild the database and choose the collation you desire. To support more collations, rebuild your Microsoft SQL Server and choose which collations to support during the installation process.
There is no way to modify the collation prior to Microsoft SQL Server 2000.

Description:
Check that the extended stored procedures are in compliance with policy. Extended stored procedures allow SQL Server users to execute functions external to SQL Server. An extended stored procedure is a function within a Windows NT DLL that can be referenced as a stored procedure. While this feature is a powerful extension of SQL Server, it also increases the risk of SQL Server users gaining unauthorized access to the operating system. The Windows NT account used by SQL Server to log on determines the security context used by extended stored procedures.

CVE Reference No.: CVE-NO-MATCH

Severity	name
	xp_cmdshell
	xp_logevent
	xp_deletemail
	xp_makewebtask
	xp_getnetname
	xp_findnextmsg
	xp_readmail
	xp_dirtree
	xp_enumerrorlogs
	xp_msver
	xp_enumgroups
	xp_fixeddrives
	xp_readerrorlog
	xp_availablemedia
	xp_loginconfig
	xp_dropwebtask
	xp_regread

Solution:
Remove unwanted extended stored procedures mentioned in the table above using Enterprise Manager.

Description:
The system table master stores the critical data used by SQL Server for its internal operations. Tampering with this database may result in unusual behaviour of server or the server may stop working.
syslogins table is not available in evaluation version of SQL Server 2005.

CVE Reference No.: CVE-NO-MATCH

Severity	name	Default Database
	sa	master
	##MS_SQLResourceSigningCertificate##	master
	##MS_SQLReplicationSigningCertificate##	master
	##MS_SQLAuthenticatorCertificate##	master
	BUILTIN/Administrators	master
	NT AUTHORITY/SYSTEM	master
	SQLSERVER2005/SQLServer2005MSSQLUser$SQLSERVER2005$MSSQLSERVER	master
	SQLSERVER2005/SQLServer2005SQLAgentUser$SQLSERVER2005$MSSQLSERVER	master
	SQLSERVER2005/SQLServer2005MSFTEUser$SQLSERVER2005$MSSQLSERVER	master
	##MS_AgentSigningCertificate##	master

Solution:

Therefore when new logins are created ensure that their default database is not master. Given below is a list of users who has their default database as master.

It is recommended to change the default databases of the following logins to their respective database other than master, msdb and temp.

Description:
Check that OLE automation extended stored procedures are in compliance with policy. Extended stored procedures allow SQL Server users to execute functions external to SQL Server. An extended stored procedure is a function within a Windows NT DLL that can be referenced as a stored procedure. While this feature is a powerful extension of SQL Server, it also increases the risk of SQL Server users gaining unauthorized access to the operating system. The Windows NT account used by SQL Server to log on determines the security context used by extended stored procedures

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	OLE Automation Procedure Permission	No violations found

Description:
The system stored procedure sp_readwebtask in the master database is used to read web tasks. By default, permission on this system stored procedure is granted to the group public.

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Permission on sp_readwebtask	No violations found

Description:
By default, the group public in the master database has EXECUTE permissions on the system stored procedure sp_runwebtaskBy allowing the group public to modify data in the mswebtasks table, a low-privileged login can write files to the operating system. Allowing arbitrary files to be created on the operating system could allow an attacker to cause damage or gain control of the operating system.
The group public and low-privilege users should not have permission to execute the system stored procedure sp_runwebtask. You must revoke execute permissions on sp_runwebtask from group public and other users

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Permission on sp_runwebtask	No violations found

Description:

CVE Reference No.: CVE-NO-MATCH

Severity	PROCEDURE_NAME	GRANTEE	GRANTOR
	sp_add_jobserver	TargetServersRole	dbo
	sp_add_jobserver	SQLAgentUserRole	dbo
	sp_add_jobstep	TargetServersRole	dbo
	sp_add_jobstep	SQLAgentUserRole	dbo
	sp_add_job	TargetServersRole	dbo
	sp_add_job	SQLAgentUserRole	dbo
	sp_start_job	TargetServersRole	dbo
	sp_start_job	SQLAgentUserRole	dbo

Solution:

Description:
The system table syslogins contains the list of valid logins allowed in the master database. Anyone granted access to select from the table can gather a list of valid logins to attack.

CVE Reference No.: CVE-NO-MATCH

Severity	Table	Privilege	Grantor	Grantee	Is Grantable
	syslogins	SELECT	dbo	public	NO

Solution:
Only members of the sysadmin role should have permissions to perform any action on the syslogins table. You can revoke access from the syslogins table using the following command:

REVOKE SELECT ON master.dbo.syslogins FROM [username or group]

Description:
Default login is used when SQL Server is configured for Windows NT Authentication. When the authorized windows user does not have any entry in syslogins table, SQL Server allows him to enter with the default login's credentials.
Ensure that the default login is not "sa" or a user with administrative privileges, otherwise any windows login will have administrative pivileges on the Databases.

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Permissions given to each Role	No violations found

Description:
Security best practices dictate that permissions should be granted to groups rather than to users. By using groups to manage permissions, revoking and granting permissions is less error-prone and more manageable.
Revoke all permissions granted directly to a user. Then create a group, grant all the privileges required to the group, and then grant the group to the users that require the permissions

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Permissions granted directly to user	No violations found

Description:
DTS packages in SQL Server allow database administrators to create scripts that will perform a set of database actions at regular intervals. As part of the creation of a DTS package, the administrator provides the login name and password under which the action should be taken.By default, permissions are given to public to execute the stored procedures msdb.dbo.sp_enum_dtspackages and msdb.dbo.sp_get_dtspackage. This grants a non-privileged user the ability to discover the password used in the DTS package.
sp_enum_dtspackages
sp_get_dtspackage
It is recommended that you revoke permissions from the group public on these stored procedures

CVE Reference No.: CVE-NO-MATCH

Severity	PROCEDURE_NAME	GRANTOR	GRANTEE
	sp_get_dtspackage	dbo	public
	sp_enum_dtspackages	dbo	public

Solution:
Microsoft strongly recommends that you use Windows authentication rather than using a login and password for DTS packages.
To prevent this attack, it is recommended that you revoke permissions from the group public on the following stored procedures:

Description:
system stored procedure called sp_MSsetalertinfo in the master database. This stored procedure is used to configure how SQL Server forwards alerts. While the ability to change one of these settings does not by itself result in a vulnerability, it can be used by an attacker to mask attacks. For instance, alert forwarding can be redirected or disabled.
The group public should not have permission to execute sp_MSsetalertinfo. Revoke public execute permission on this stored procedure immediately

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Permissions on sp_MSsetalertinfo	No violations found

Description:
system stored procedure called sp_MSSetServerProperties in the master database. This stored procedure is used to set SQL Server to automatically start on reboot of the Windows server. Anyone with access to execute this stored procedure can change SQL Server to not restart on reboot. While changing this setting does not by itself result in a vulnerability, it can be used as a form of a denial of service attack. It can also be used in sophisticated attacks that may want to take over the port owned by SQL Server after rebooting the system.
By default, the public group in the master database has EXECUTE permissions on the system stored procedure sp_MSSetServerProperties.
It is strongly recommended to revoke execute permission on this stored procedure from public

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Permissions on sp_MSSetServerProperties	No violations found

Description:
Check for permissions granted on system tables to public. Microsoft SQL Server defaults to allow all users to view the majority of the system tables. The system tables contain information such as login IDs, permissions, objects, and even the text of all stored procedures. In a secure environment, all access to these tables by users should be through system stored procedures or the INFORMATION_SCHEMA views. The system procedures and views contain checks to ensure that users can only access data that they should be allowed to see

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Permissions on system tables	No violations found

Description:
The system table syslogins in the master database contains critical data like name, password and status of the SQL Server Logins. This table should not have even the SELECT permission to low-privileged users.

If any low-privileged user has any permission on this table, it is strongly recommended to revoke that permission immediately

CVE Reference No.: CVE-NO-MATCH

Severity	Table	Privilege	Grantor	Grantee	Is Grantable
	syslogins	SELECT	dbo	public	NO

Solution:
Change the default login to either blank or to a non-existent login to completely deny access through the default login. To allow access through the default, change the login to an existing account.

Description:
Xp_cmdshell is an extended stored procedure which executes a command as an operating-system command shell and returns the output.By default, only the dbo and members of sysamdin role can execute this extended stored procedure. Other users can be granted access to execute this procedure. It is recommended that you grant access to execute this function only when absolutely necessary.
It is strongly recommended to revoke execute permissions on xp_cmdshell from users other than members of sysadmin role

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Permissions on xp_cmdshell	No violations found

Description:
Checks that execute permissions have not been granted to public on the extended stored procedure xp_sprintf. Prior to service pack 5 of SQL Server 6.5, the procedure was vulnerable to a buffer overflow. The buffer overflow results in the server crashing and could result in malicious code being executed by the server. Permissions for this procedure are granted to public by default when installing SQL Server.

CVE Reference No.: CVE-NO-MATCH

Severity	PROCEDURE_NAME	GRANTOR	GRANTEE
	xp_sprintf	dbo	public

Solution:
Remove permissions to the extended stored procedure by executing the following statement from any standard query tool: revoke execute on xp_sprintf from public

Description:
A security issue exists that allows Agent jobs to create arbitrary file. By default, the public group is allowed to create jobs that the Agent runs. By crafting malicious job, a non-privileged login can write arbitrary files on the operating system.

CVE Reference No.: CVE-NO-MATCH

Severity	PROCEDURE_NAME	GRANTOR	GRANTEE
	sp_add_jobserver	dbo	TargetServersRole
	sp_add_jobserver	dbo	SQLAgentUserRole
	sp_add_jobstep	dbo	TargetServersRole
	sp_add_jobstep	dbo	SQLAgentUserRole
	sp_add_job	dbo	TargetServersRole
	sp_add_job	dbo	SQLAgentUserRole
	sp_start_job	dbo	TargetServersRole
	sp_start_job	dbo	SQLAgentUserRole

Solution:
To prevent this attack, it is recommended that you revoke permissions from public on the following procedures:

sp_add_job
sp_add_jobstep
sp_add_jobserver
sp_start_job

These procedures are used to create Agent jobs.

Description:
Microsoft SQL Server has several sample databases which are used to demonstrate functionality and to test the server. It is recommended on a production system that you remove these databases.

CVE Reference No.: CVE-NO-MATCH

Severity	name	created on
	model	4/8/2003 9:13:36 AM

Solution:
Drop any sample databases from any production system. To drop these databases, run the following commands:

drop database pubs
go
drop database Northwind
go
drop database AdventureWorks
go
drop database AdventureWorksDW
go

Description:
After SQL Server service is started, it checks if the option scan for startup stored procedures is enabled or not. If its enabled, SQL Server scans and executes the stored procedures which are configured to be executed at startup.

If this option is enabled it is recommended to review the all startup stored procedures for trojans or any malicious code.

CVE Reference No.: CVE-NO-MATCH

Severity	comment	value
	scan for startup stored procedures	No

Solution:
Please review the startup procedures to avoid any problems

Description:
Default login is used when SQL Server is configured for Windows NT Authentication. When the authorized windows user does not have any entry in syslogins table, SQL Server allows him to enter with the default login's credentials.
Ensure that the default login is not "sa" or a user with administrative privileges, otherwise any windows login will have administrative pivileges on the Databases.

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Scheduled jobs	No violations found

Description:
SQL Server provides an engine, called the SQL Server Agent, to perform maintenance tasks. If the agent is configured to use a login name and password, the stored procedure sp_get_sqlagent_properties can be used to discover the password. By default, all logins can execute this stored procedure.

CVE Reference No.: CVE-NO-MATCH

Severity	PROCEDURE_NAME	GRANTOR	GRANTEE
	sp_get_sqlagent_properties	dbo	SQLAgentUserRole

Solution:
Microsoft strongly recommends that you use Windows authentication rather than saving the SQL Server Agent password in the registry.

To prevent non-privileged users from executing this function and retrieving the password, it is recommended that you perform two tasks:

1) Remove the guest user from the msdb database.

This is accomplished by executing the following command from Query Analyzer:
use msdb
sp_dropuser 'guest'

2) Revoke public permissions from the stored procedure.

This is accomplished by executing the following command from Query Analyzer:
use msdb
revoke execute on sp_get_sqlagent_properties from public

Also note that installing Service Pack 3 (8.00.760) or greater causes these permissions to be automatically revoked.

Description:
MS SQL Server has in-built mailing facility. But this facility can be used for abuse if not adminstired properly. Therefore if not required explicitly, it is recommended to drop these exteded stored procedures.
xp_readmail
xp_sendmail
xp_deletemail
xp_startmail
xp_stopmail
xp_processmail
xp_findnextmsg
Atleast the group Public should not have access to these stored procedures.

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	SQL Mail procedure permissions	No violations found

Description:
Check startup stored procedures. SQL Server can be configured to execute stored procedures at startup. Startup stored procedures execute using sa permissions and can be used as Trojan horses. The use of startup stored procedures should be limited because they increase the security risk associated with SQL Server

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Startup Stored Procedures	No violations found

Description:
Check for statement permissions granted to security accounts. Granting statement permissions gives users the authorization to create database objects and perform backups. Database administration activities should only be performed by the database owner. In addition, SQL Server 7.0 introduces fixed database roles which facilitate the delegating of database administration functions to users other than the database owner. The statement permissions that can be explicitly granted are:

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Statement Permissions	No violations found

Description:
Check whether execute permissions are being bypassed from within temporary stored procedures. Permission checking in temporary stored procedures may be bypassed, allowing any user to execute a stored procedure from within a temporary stored procedure. When a temporary stored procedure calls another stored procedure in a database whose owner is sa, normal permission checking is bypassed. Since any user can create a temporary stored procedure and the master database is owned by sa, this vulnerablity allows any user to execute most system stored procedures, including extended procedures such as xp_cmdshell. Depending on the context under which xp_cmdshell run, this could allow any user to gain administrative access to the server.

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Temporary Stored Procedures	No violations found

Description:
Check for objects not owned by the database owner. SQL Server objects include tables, views, stored procedures, triggers, defaults, and rules. The user that creates an object becomes the object owner. For security and performance reasons, only the database owner should be allowed to create and own objects. Checking for objects that were not created by the database owner helps ensure that Trojan horses and other unauthorized changes have not been made to the server. Having multiple object owners also degrades performance. SQL Server performs optimally when using ownership chains. An ownership chain exists when objects reference other objects that have the same owner. SQL Server bypasses the work of performing security checks on other objects in the chain

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Unauthorised Object Owners	No violations found

Description:
Creates and alters databases

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	User present in Database creator Role	No violations found

Description:
These above mentioned roles have been created by the DBA.

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	User-defined Roles and Users	No violations found

Description:
The following table lists the users and the roles assigned to them. Review each user and its Role. Use the principle of assigning minimum permissions and ensure that each user has limited permissions to enable him to do his job.

CVE Reference No.: CVE-NO-MATCH

Severity	User	Role	loginname	dbname
	guest	public	N/A	N/A
	##MS_AgentSigningCertificate##	public	##MS_AgentSigningCertificate##	master

Solution:

Description:
Manages disk files.

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Users present in Diskadmin Role	No violations found

Description:
Manages processes running in an instance of SQL Server.

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Users present in Processadmin Role	No violations found

Description:
Manages server wide Security. Adds logins,users , can change passwords, grant and revoke privileges and roles.Only one user should be present in this role. If there are more than one user check the credentiality of those users and then revoke if needed.

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Users present in securityadmin Role	No violations found

Description:
Configures server-wide settings. Only one user should be present in this role. If there are more than one user check the credentiality of those users and then revoke if needed.

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Users present in Serveradmin Role	No violations found

Description:
Adds and removes linked servers, and executes some system stored procedures

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Users present in Setupadmin Role	No violations found

Description:
Member of sysadmin role can perform any task on SQL Server. Only one user should be present in this role. If there are more than one user check the credentiality of those users and then revoke if needed.

CVE Reference No.: CVE-NO-MATCH

Severity	Name	Role
	sa	Sysadmin
	BUILTIN/Administrators	Sysadmin
	NT AUTHORITY/SYSTEM	Sysadmin
	SQLSERVER2005/SQLServer2005MSSQLUser$SQLSERVER2005$MSSQLSERVER	Sysadmin
	SQLSERVER2005/SQLServer2005SQLAgentUser$SQLSERVER2005$MSSQLSERVER	Sysadmin

Solution:
Monitor the users within this role and restrict to a minimum possible set

Description:
Users with WITH GRANT privilege can grant their own privilege to other users. If the privilege is revoked for this user, the effect is not commulative. This breaks down the privilege links and results in a loss of accountability. Therefore it is strongly recommended not to grant WITH GRANT privilege to any user and if it is granted it should be reviewed and then revoked.

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	WITH GRANT Options	No violations found

Description:
Check the audit trail destination. SQL Server auditing can be set to log audit data to the database or operating system files. Logging events to the database prevents operating system users from viewing the data, while logging events to operating system files prevents malicious database users from accessing the data.

CVE Reference No.: CVE-NO-MATCH

Severity	traceid	parameter	value
	1	Trace file name	C:/Program Files/Microsoft SQL Server/MSSQL.1/MSSQL/LOG/log_20.trc

Solution:

Description:
Check that security events are being audited in compliance with policy. SQL Server Trace provides the ability to audit security related activities as they occur within the server. A secure system requires auditing of events in order to detect possible attacks on the server and to reconstruct events in cases where security violations have been found. For auditing to work effectively, it must be properly configured to audit the appropriate events and return the necessary data about those events. SQL Server Trace Events are organized into category classes. Events that pertain to security are in the Security Audit class. At a minimum, you should consider auditing some or all of these events in order to maintain a secure system

CVE Reference No.: CVE-NO-MATCH

Severity	security events	audit
	N/A	true
	Audit Add DB User	true
	Audit Add Login to Server Role	true
	Audit Add Member to DB	true
	Audit Add/Drop Login	true
	Audit Add/Drop Role	true
	Audit Backup/Restore	true
	Audit DBCC	true
	Audit Login Change Property	true
	Audit Login GDR	true
	Audit Object GDR	true
	Audit Statement GDR	true
	ErrorLog	true
	Login Failed	true
	App Role Pass Change	false
	Audit Change Audit	false
	Audit Login Change Password	false
	Audit Object Derived Permission	false
	Audit Object Permission	false
	Audit Statement Permission	false
	EventLog	false
	Login	false
	Logout	false

Solution:
To configure a trace and add Security Audit events to it, you must use either SQL Profiler or the system stored procedures sp_trace_create, sp_trace_setevent, and sp_trace_setstatus. Traces started from SQL Profiler ends when you terminate the program. Traces also terminate when the server is stopped. In order to ensure that events are always being audited, you should configure the server to start traces whenever the server is started

Description:
Check to make sure a blackbox trace is running. SQL Server 2000 has a trace option that will allow you to start a trace that continuously audits server events and ensures that the last 5 MB of trace data is always available even in the event of a system failure. This blackbox trace can provide information about the last series of events that occurred on a server when diagnosing system crashes or suspected security violations. Blackbox traces record up to 5 MB of data in the output files blackbox.trc and blackbox_01.trc. When one file is full the other is overwritten, ensuring that at least 5 MB of trace data will be available for inspection

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	BlackBox Trace	No violations found

Description:
Check that C2 Audit Mode is enabled for the server. SQL Server 2000 has a configuration option which, when enabled, will turn on auditing of all security events to operating system files. Audit events continue to be written until the server is shutdown. Once the file reaches a 200 MB limit, the file is closed and another is opened for writing. If the file cannot be written to because of insufficient disk space or file I/O error, the server will shutdown. Enabling C2 Audit mode is required if you want to run SQL Server in the evaluated C2 configuration.

CVE Reference No.: CVE-NO-MATCH

Severity	comment	value
	c2 audit mode	Yes

Solution:
To set C2 audit mode on use the sp_configure system stored procedure:exec sp_configure 'C2 audit mode',1

Description:
Check to ensure that database backup settings are in compliance with policy. Backups are crucial to data integrity. Backups should be performed at regular intervals and stored in off-site, secured locations. A compromised server may need to be restored from a backup. A device failure could require a database to be loaded from a backup. Failing to perform backups within the given time frame exposes the server to the risk of data loss.

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Database Backup Files	No violations found

Description:
Check to ensure that database backup settings are in compliance with policy. Backups are crucial to data integrity. Backups should be performed at regular intervals and stored in off-site, secured locations. A compromised server may need to be restored from a backup. A device failure could require a database to be loaded from a backup. Failing to perform backups within the given time frame exposes the server to the risk of data loss.

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	Database Backups	No violations found

Description:
Check to ensure that SQL Server is running with the latest service pack. Microsoft SQL Server provides updates that address bugs (including security issues) that are discovered after a version release. These updates are distributed as service packs. The server should be kept up to date with the latest service pack

CVE Reference No.: CVE-NO-MATCH

Severity	Product	Version	Service Pack	Platform
	Microsoft SQL Server 2005	.00.2047.	Unknown	Windows NT 5.2 (Build 3790: Service Pack 1)

Solution:
Apply the latest Microsoft SQL Server Service Pack, available from the Microsoft Support Web site. See References

Description:
Check that the registry extended stored procedures are in compliance with policy. Extended stored procedures allow SQL Server users to execute functions external to SQL Server. An extended stored procedure is a function within a Windows NT DLL that can be referenced as a stored procedure. While this feature is a powerful extension of SQL Server, it also increases the risk of SQL Server users gaining unauthorized access to the operating system. The Windows NT account used by SQL Server to log on determines the security context used by extended stored procedures.

CVE Reference No.: CVE-NO-MATCH

Severity	PROCEDURE_NAME	GRANTOR	GRANTEE
	xp_instance_regread	dbo	public
	xp_regread	dbo	public

Solution:
Remove unwanted extended stored procedures using Enterprise Manager

Description:
By default MS SQL Server runs as LocalSystem account. This account enjoys the administrative privileges on the windows platform. If the SQL Server gets compromised then the hacker will get full privileges on the windows server. This can be prevented by creating a special account and giving full control to all the SQL Server files, executables, and the registry keys. This account should be able to run as service. The account can be a domain user account or local account.

CVE Reference No.: CVE-NO-MATCH

Severity	Value	Data
	ObjectName	LocalSystem

Solution:
Therefore it is recommended to create such account

Description:
Check that SQL Mail is not enabled. Microsoft SQL Server provides the ability for login IDs to send email using the extended stored procedures. Several vulnerabilities on web sites that use SQL Server as the back end allow web users to submit queries to execute on SQL Server. SQL Mail is a method attackers use to retrieve the results of these queries. This feature should be disabled if it is not being used

CVE Reference No.: CVE-NO-MATCH

Severity	Parameter	Value
	SQL Mail	No violations found

Description:
Shows whether SQL Server is running in cluster or non-cluster mode.

CVE Reference No.: CVE-NO-MATCH

Severity
	0

Solution:

Description:
Check to ensure that the rollover option is set for traces which have a maximum trace file size set. The majority of Microsoft SQL Server security auditing is provided by the trace facility. Traces may be created using system stored procedures or with Microsoft SQL Profiler. The trace must be running in order for security event data to be collected for analysis. When a trace is created you can specify a maximum size for the trace file. In addition, you can specify the action that occurs when the maximum file size is reached. Specifying the file rollover option for the trace will cause the current trace file to close and a new one to open with no loss of data. If a maximum file size has been set and the rollover option is not set, the trace stops writing when the maximum file size is reached. This will result in a loss of data

CVE Reference No.: CVE-NO-MATCH

Severity	traceid	parameter	value
	1	Trace file rollover	true

Solution:
When creating a trace, if you are using the max file size parameter, ensure that the rollover option is enabled.

Description:
Check to ensure that the trace facility is running. The majority of Microsoft SQL Server 8.0 security auditing is provided by the trace facility. The trace must be running for security violations to be recorded for analysis. Each of the traces is checked to ensure that it is running

CVE Reference No.: CVE-NO-MATCH

Severity	traceid	parameter	value
	1	status	running

Solution:
To start a trace, in SQL Query Analyzer specify: sp_trace_setstatus , 1 where is the trace id number.

Description:
Check that the trace facility setting is in compliance with policy. Microsoft SQL Server can be configured to provide an audit trail of successful or failed logins. The majority of SQL Server security auditing is provided by the trace facility. Traces may be created using system stored procedures or with SQL Profiler. The trace must be running in order for security event data to be collected for analysis. When a trace is created, you can specify a trace stop time. The trace stop time option stops the trace from running on the specified date. In a secure environment, auditing of security events should be turned on at all times. Each of the traces is checked to ensure that the stop time value is not enabled

CVE Reference No.: CVE-NO-MATCH

Severity	traceid	parameter	value
	1	Trace stop time	N/A

Solution:
When creating a trace, do not enable the Stop Time parameter. See Microsoft SQL Server help for further details

Description:

CVE Reference No.:

Severity	Vulnerabilities	CVE Reference
	No vulnerabilities found for version: .00.2047.	N/A

Description:
Check to ensure that the latest Windows NT service pack has been installed. Windows NT provide updates that address bugs (including security issues) discovered after a version release. These updates are distributed as service packs. The server should be kept up to date with the latest service pack

CVE Reference No.: CVE-NO-MATCH

Severity
	Microsoft SQL Server 2005 - 9.00.2047.00 (Intel X86) Apr 14 2006 01:12:25 Copyright (c) 1988-2005 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 1)

Solution:
Apply the latest Windows NT Service Pack