DoD STIGs – V-32203

Title: The DBMS must enforce approved authorizations for logical access to the system in accordance with applicable policy.

Vulnerability ID: V-32203


IA Controls: None

Severity: medium

Description: Strong access controls are critical to securing application data. Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) must be employed by applications, when applicable, to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the information system.

Consideration should be given to the implementation of an audited, explicit override of automated mechanisms in the event of emergencies or other serious events.

If the DBMS does not follow applicable policy when approving access it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy.

Check Text: Check DBMS settings to determine whether users are restricted from accessing objects and data they are not authorized to access. If appropriate access controls are not implemented to restrict access to authorized users and to restrict the access of those users to objects and data they are authorized to see, this is a finding.

Fix Text: Configure the DBMS settings and access controls to restrict user access to objects and data that the user is authorized to view or interact with.


Interpreting V-32203:

Configuring adequate security within SQL Server is straightforward. The product is built around securing the data, and it does so with roles and permissions that can be set at a high level with groups and all the way down to individual cells in tables. Even though it is simple to do, there is a lot behind SQL Server security: the basics will get you by, but more in-depth knowledge is worth having to ensure that every aspect of the SQL Server is properly protected. For compliance, this requirement is telling you to confirm that the access everyone has in the system is correct. The general guideline is the rule of least privilege: give only what is necessary to do the job or task required.
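The check text above says to confirm that users cannot reach objects and data they are not authorized for, and the fix text says to restrict access accordingly. The T-SQL below is an added example of how that review and remediation can be done in SQL Server; it is not part of the STIG or of any vendor tooling. It assumes SQL Server 2012 or later, that you are connected to the database under review, and that the database user [CORP\svc_reporting] already exists. The schema, table, column and principal names (sales, customers, ssn, report_reader, CORP\svc_reporting) are hypothetical.

```sql
-- Added example for V-32203 (not from the STIG). Run in the database under review.
-- Names used below (sales, customers, ssn, report_reader, CORP\svc_reporting) are hypothetical.

-- 1. Role membership: every member of a fixed or user-defined database role.
--    Anyone in db_owner or db_securityadmin who is not a DBA is a likely finding.
SELECT r.name      AS role_name,
       m.name      AS member_name,
       m.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;

-- 2. Explicit GRANT/DENY entries resolved to the securable they apply to.
--    major_id < 0 are system objects; the default grants to public on those are excluded
--    so the list shows only permissions someone chose to assign.
SELECT p.name      AS grantee,
       p.type_desc AS grantee_type,
       perm.state_desc,
       perm.permission_name,
       perm.class_desc,
       CASE perm.class_desc
            WHEN 'DATABASE' THEN DB_NAME()
            WHEN 'SCHEMA'   THEN SCHEMA_NAME(perm.major_id)
            WHEN 'OBJECT_OR_COLUMN' THEN
                 OBJECT_SCHEMA_NAME(perm.major_id) + '.' + OBJECT_NAME(perm.major_id)
                 + CASE WHEN perm.minor_id > 0
                        THEN '.' + COL_NAME(perm.major_id, perm.minor_id)  -- column-level entry
                        ELSE '' END
            ELSE perm.class_desc + ':' + CAST(perm.major_id AS nvarchar(20))
       END AS securable
FROM sys.database_permissions AS perm
JOIN sys.database_principals  AS p ON p.principal_id = perm.grantee_principal_id
WHERE perm.major_id >= 0
ORDER BY p.name, perm.class_desc, securable;

-- 3. Findings to examine first: grants to public/guest (everyone inherits them),
--    and the broad CONTROL / ALTER permissions at database scope.
SELECT p.name AS grantee, perm.permission_name, perm.class_desc, perm.state_desc
FROM sys.database_permissions AS perm
JOIN sys.database_principals  AS p ON p.principal_id = perm.grantee_principal_id
WHERE perm.major_id >= 0
  AND perm.state_desc LIKE 'GRANT%'
  AND (p.name IN ('public', 'guest')
       OR (perm.class_desc = 'DATABASE'
           AND perm.permission_name IN ('CONTROL', 'ALTER', 'ALTER ANY USER', 'ALTER ANY ROLE')));

-- 4. Least-privilege remediation for one consumer: a role scoped to exactly what the
--    reporting job needs, with the sensitive column denied. A column-level DENY takes
--    precedence over the schema-level GRANT, so the account can read sales.customers
--    but never the ssn column.
CREATE ROLE report_reader;
GRANT SELECT ON SCHEMA::sales TO report_reader;
DENY  SELECT ON sales.customers (ssn) TO report_reader;
ALTER ROLE report_reader ADD MEMBER [CORP\svc_reporting];

-- 5. Verify the effective permissions as that account would see them.
--    The ssn column should be absent from the SELECT entries.
EXECUTE AS USER = 'CORP\svc_reporting';
SELECT entity_name, subentity_name, permission_name
FROM fn_my_permissions('sales.customers', 'OBJECT')
ORDER BY subentity_name, permission_name;
REVERT;
```

Steps 1 to 3 are the review that the check text asks for; step 4 is one shape the fix text can take, and step 5 confirms the outcome from the grantee's point of view rather than from the catalog. Repeat the review in each database, and run the equivalent server-level queries (sys.server_role_members, sys.server_permissions) for logins, since membership in sysadmin bypasses every database-level control shown here.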

Return to the DoD STIGs – Database Security Requirements Guide
