Rule ID
SV-213977r1137658_rule
Version
V3R6
CCIs
SQL Server must prevent unauthorized and unintended information transfer via shared system resources. Permitting only SQL Server processes and authorized, administrative users to have access to the files where the database resides helps ensure that those files are not shared inappropriately and are not open to backdoor access and manipulation.
Review the permissions granted to users by the operating system/file system on the database files, database log files, and database backup files. To obtain the location of SQL Server data, transaction log, and backup files, open and execute the supplemental file "Get SQL Data and Backup Directories.sql". For each of the directories returned by the above script, verify whether the correct permissions have been applied. 1) Launch Windows Explorer. 2) Navigate to the folder. 3) Right-click the folder and click "Properties". 4) Navigate to the "Security" tab. 5) Review the listing of principals and permissions. Account Type Directory Type Permission ----------------------------------------------------------------------------------------------- Database Administrators ALL Full Control SQL Server Service SID Data; Log; Backup; Full Control SQL Server Agent Service SID Backup Full Control SYSTEM ALL Full Control CREATOR OWNER ALL Full Control For information on how to determine a "Service SID", go to: https://aka.ms/sql-service-sids Additional permission requirements, including full directory permissions and operating system rights for SQL Server, are documented at: https://aka.ms/sqlservicepermissions If any additional permissions are granted but not documented as authorized, this is a finding.
Remove any unauthorized permission grants from SQL Server data, log, and backup directories. 1) On the "Security" tab, highlight the user entry. 2) Click "Remove".