Title: The DBMS must enforce approved authorizations for logical access to the system in accordance with applicable policy.
Vulnerability ID: V-32203
IA Controls: None
Description: Strong access controls are critical to securing application data. Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) must be employed by applications, when applicable, to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the information system.
Consideration should be given to the implementation of an audited, explicit override of automated mechanisms in the event of emergencies or other serious events.
If the DBMS does not follow applicable policy when approving access it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy.
Check Text: Check DBMS settings to determine whether users are restricted from accessing objects and data they are not authorized to access. If appropriate access controls are not implemented to restrict access to authorized users and to restrict the access of those users to objects and data they are authorized to see, this is a finding.
Fix Text: Configure the DBMS settings and access controls to restrict user access to objects and data that the user is authorized to view or interact with.[divider]
It is very simple to configure adequate security within SQL Server. The SQL Server system is very focused on securing the data and does so with roles and permissions that can be set at high levels with groups and all the way down to individual cells in tables. Even though it is simple to do, there is a lot behind SQL Server security. The basics will get you by, but more in depth knowledge is worth having to ensure that all aspects of the SQL Server are properly protected. To be compliant this is telling you to basically confirm the access everyone has in the system is correct. The general guideline is to focus on the rule of least privilege. That is, give only what is necessary to do the job or task required.