AppDetective™ Update 2.5.51 - 10 July 2002
NEW CHECKS
Microsoft SQL Server
Title: sysadmin role granted
Description: Lists the non-standard logins granted the sysadmin role.
Summary: Roles are used by SQL Server to group together object and statement
permissions. By grouping them together they can be granted and revoked from
users and logins more efficiently. People granted the sysadmin role can
perform any activity in SQL Server. You should review the logins granted
this role and verify that only database administrators have been granted the
role.
Title: Fixed server role granted
Description: Lists logins granted fixed server roles.
Summary: Roles are used by SQL Server to group together object and statement
permissions. By grouping permissions together they can be granted and
revoked from users and logins more efficiently. Granting a fixed server role
creates a high level of privilege. You should review the logins granted
fixed server roles and verify that they have only been granted to
appropriate logins.
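An added example, not part of the AppDetective release notes, showing how a DBA can produce the same review on SQL Server 2000 with the fixed-role flag columns of master..syslogins; the sysadmin rows correspond to the first check above and the full list to the second. The login name in the commented remediation line is a placeholder.

```sql
-- Added example (not AppDetective code): list every login holding a fixed
-- server role on SQL Server 2000, using the role flag columns of
-- master..syslogins. Run as a member of sysadmin so all rows are visible.
USE master;
GO

-- One row per login per fixed server role held. Anything beyond 'sa' (and, on a
-- default install, BUILTIN\Administrators) in the sysadmin rows needs a reason.
SELECT name AS login_name,
       CASE WHEN isntgroup = 1 THEN 'NT group'
            WHEN isntname  = 1 THEN 'NT user'
            ELSE 'SQL login' END AS login_type,
       role_name
FROM (
    SELECT name, isntgroup, isntname, 'sysadmin'      AS role_name FROM syslogins WHERE sysadmin      = 1
    UNION ALL SELECT name, isntgroup, isntname, 'securityadmin' FROM syslogins WHERE securityadmin = 1
    UNION ALL SELECT name, isntgroup, isntname, 'serveradmin'   FROM syslogins WHERE serveradmin   = 1
    UNION ALL SELECT name, isntgroup, isntname, 'setupadmin'    FROM syslogins WHERE setupadmin    = 1
    UNION ALL SELECT name, isntgroup, isntname, 'processadmin'  FROM syslogins WHERE processadmin  = 1
    UNION ALL SELECT name, isntgroup, isntname, 'diskadmin'     FROM syslogins WHERE diskadmin     = 1
    UNION ALL SELECT name, isntgroup, isntname, 'dbcreator'     FROM syslogins WHERE dbcreator     = 1
    UNION ALL SELECT name, isntgroup, isntname, 'bulkadmin'     FROM syslogins WHERE bulkadmin     = 1
) AS role_members
ORDER BY role_name, login_name;
GO

-- The supported system procedure gives the same answer one role at a time.
EXEC sp_helpsrvrolemember 'sysadmin';
GO

-- Remediation for a login that should not hold the role ('DOMAIN\someuser' is
-- a placeholder, not a real account):
-- EXEC sp_dropsrvrolemember 'DOMAIN\someuser', 'sysadmin';
```

Windows group logins deserve particular attention in the output: every member of an NT group that appears in the sysadmin rows inherits the role, so the review has to cover group membership in the domain as well as the logins listed here.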
Title: Table to store DTS passwords publicly viewable
Description: Check if the table that holds the passwords for DTS packages
saved as Meta Data Services is publicly viewable.
Summary: DTS packages can be saved to SQL Server's Meta Data Services. This
gives administrators the ability to save metadata about the package as well
as data lineage. When a DTS package is saved to Meta Data Services, the
account and password used to connect to the data source are saved in the
table msdb.dbo.RTblDMBProps. This table is publicly viewable on a default
installation of Microsoft SQL Server 2000.
Title: DTS passwords publicly viewable
Description: Check if a DTS package with a password has been saved in the
Meta Data Services repository and can be publicly viewed.
Summary: DTS packages can be saved to SQL Server's Meta Data Services. This
gives administrators the ability to save metadata about the package as well
as data lineage. When a DTS package is saved to Meta Data Services, the
account and password used to connect to the data source are saved in the
table msdb.dbo.RTblDMBProps. This table is publicly viewable on a default
installation of Microsoft SQL Server 2000.
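An added example, not part of the AppDetective release notes, covering both DTS checks above: it reads the permission rows recorded for msdb.dbo.RTblDMBProps from the SQL Server 2000 system tables, reports whether public holds a SELECT grant, and revokes that grant if so. The action and protecttype codes used are the SQL Server 2000 values for SELECT, GRANT and DENY; sp_helprotect shows the same rows in a supported form.

```sql
-- Added example (not AppDetective code): is the table that stores DTS package
-- connection passwords readable by every database user via the public role?
USE msdb;
GO

IF OBJECT_ID('dbo.RTblDMBProps') IS NULL
    PRINT 'RTblDMBProps not present: Meta Data Services tables are not installed in msdb.';
ELSE
BEGIN
    -- All explicit grants and denies on the table, with the grantee's name.
    -- action 193 = SELECT; protecttype 204 = GRANT, 205 = GRANT WITH GRANT, 206 = DENY.
    SELECT u.name        AS grantee,
           p.action      AS action_code,
           p.protecttype AS protect_type
    FROM sysprotects p
    JOIN sysusers u ON u.uid = p.uid
    WHERE p.id = OBJECT_ID('dbo.RTblDMBProps');

    -- The condition the check reports: public holds a SELECT grant.
    IF EXISTS (SELECT 1
               FROM sysprotects p
               JOIN sysusers u ON u.uid = p.uid
               WHERE p.id = OBJECT_ID('dbo.RTblDMBProps')
                 AND u.name = 'public'
                 AND p.action = 193
                 AND p.protecttype IN (204, 205))
    BEGIN
        PRINT 'FAIL: public can SELECT from msdb.dbo.RTblDMBProps (stored DTS passwords readable).';
        -- Remediation: drop the public grant. Accounts that legitimately manage
        -- packages through Meta Data Services can be granted access individually.
        REVOKE SELECT ON dbo.RTblDMBProps FROM public;
    END
    ELSE
        PRINT 'PASS: public has no SELECT grant on msdb.dbo.RTblDMBProps.';
END
GO

-- Supported view of the same permission rows:
EXEC sp_helprotect 'RTblDMBProps';
GO
```

Revoking the grant closes the exposure the two checks describe, but the stored credentials remain in the table; packages that were saved with a password should be treated as having had that password disclosed to anyone who could read msdb before the revoke.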
Title: Encoded password written by installation
Description: Verify if the version of SQL Server is known to write to a log
file an encoded version of the password used to perform the installation.
Summary: When installing Microsoft SQL Server 2000 or installing a service pack
for Microsoft SQL Server 7.0 or 2000, an encoded version of the password
used is written to the file setup.iss. This file's default permissions allow
any user able to log on interactively to the operating system to read the
file and discover the password.
Note: Team HATTER Security Alert
Title: Jet running in sandbox Mode
Description: Verify that Jet has been configured to run in a restricted
sandbox mode.
Summary: Microsoft SQL Server provides functions that allow users to query
data and execute statements on external data sources. This feature allows a
user in SQL Server to execute statements through Jet 4.0. Jet 4.0 allows a
user to call unsafe Visual Basic for Applications functions in query
statements to Microsoft Access. This feature should be disabled by placing
Jet in a restricted sandbox mode.
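An added example, not part of the AppDetective release notes, showing how the Jet sandbox setting can be read from inside SQL Server 2000. Jet 4.0 reads its sandbox mode from the SandboxMode value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines, where 3 enables the sandbox for every calling application; the example uses the undocumented extended procedure xp_regread, and the value names and meanings come from Microsoft's Jet documentation rather than from this page.

```sql
-- Added example (not AppDetective code): read the Jet 4.0 SandboxMode value
-- on the SQL Server host and report whether unsafe VBA functions are blocked
-- for all callers. Requires a login allowed to execute master..xp_regread.
USE master;
GO

DECLARE @mode INT;

EXEC master..xp_regread
    @rootkey    = 'HKEY_LOCAL_MACHINE',
    @key        = 'SOFTWARE\Microsoft\Jet\4.0\Engines',
    @value_name = 'SandboxMode',
    @value      = @mode OUTPUT;

-- Documented meanings of the value:
--   0 = sandbox off for all applications
--   1 = sandbox on for Access only
--   2 = sandbox on for everything except Access
--   3 = sandbox on for all applications (the restricted mode the check expects)
IF @mode IS NULL
    PRINT 'SandboxMode value not found: Jet 4.0 may not be installed or the key is unreadable.';
ELSE IF @mode = 3
    PRINT 'PASS: Jet 4.0 sandbox mode is enabled for all applications (SandboxMode = 3).';
ELSE
    PRINT 'FAIL: Jet 4.0 SandboxMode = ' + CAST(@mode AS VARCHAR(10))
        + '; unsafe VBA functions are callable from at least some Jet clients.';
GO
```

The remediation is a registry change on the host (setting SandboxMode to 3) followed by a restart of the services that load Jet; it is not something to do through xp_regwrite from a script, since that procedure is itself a capability worth restricting.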
Title: OLEDB ad hoc queries allowed
Description: Verify that OLEDB ad hoc queries through the OPENROWSET and
OPENDATASOURCE functions are disabled.
Summary: Microsoft SQL Server provides functions that allow users to query
data and execute statements on external data sources. This feature can be
used to mount attacks and to run unsafe Visual Basic for Applications
functions. This feature should be disabled by disabling ad hoc OLEDB
queries.
Title: Default passwords for CA Unicenter
Description: Verify that the passwords have been changed for logins created
during the installation of CA Unicenter.
Summary: Computer Associates' product Unicenter uses Microsoft SQL Server as
a backend for storing data. During the installation of CA Unicenter, several
default logins and passwords are created. If these passwords are not changed,
an attacker can use these logins to access SQL Server.