Threat Finder

Threat ID: 2771
Threat Date: 05/23/2013
Threat Name: CONTROL SERVER permission granted
CVE Reference: CVE-NO-MATCH
CCE Reference: CCE-NO-MATCH
Risk: Informational
Database Type: Microsoft SQL Server
Category: Improper Access Controls
Versions: Microsoft SQL Server 2005, 2008, 2008R2 and 2012
Summary
CONTROL SERVER permission gives complete control over SQL Server. You should review the logins and roles granted this permission and verify that only database administrators have been granted CONTROL SERVER permission.
Overview
CONTROL SERVER permission gives complete control over SQL Server. This permission should be granted only to database administrators.

You should review the list of logins and roles granted this permission and revoke the permission from any logins or roles that do not require it.

In SQL Server 2005 and later versions, the visibility of metadata in catalog views is limited to securables that the user either owns or has been granted some permission on. Audits should therefore be run only by a privileged user. Minimum permissions for a user who performs audits: "VIEW DEFINITION" on every database OR "VIEW ANY DEFINITION" on the server, "ALTER ANY LOGIN", "ALTER ANY SERVER ROLE" and "VIEW DEFINITION ON SERVER ROLE".
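
One way to carry out the review described above, as an added example (not the fix script from the vendor's products): the first query lists principals granted CONTROL SERVER, the second lists members of any role holding it. The name [example_login] is a placeholder, not a value from this page.

```sql
-- Added example. Run as an auditor with the minimum permissions listed above,
-- otherwise the catalog views silently hide rows.
USE master;

-- 1. Logins and server roles with an explicit CONTROL SERVER grant.
SELECT grantee.name        AS grantee_name,
       grantee.type_desc   AS grantee_type,       -- SQL_LOGIN, WINDOWS_GROUP, SERVER_ROLE, ...
       grantee.is_disabled AS grantee_disabled,
       perm.state_desc     AS permission_state,   -- GRANT or GRANT_WITH_GRANT_OPTION
       grantor.name        AS granted_by
FROM sys.server_permissions AS perm
JOIN sys.server_principals  AS grantee
     ON grantee.principal_id = perm.grantee_principal_id
JOIN sys.server_principals  AS grantor
     ON grantor.principal_id = perm.grantor_principal_id
WHERE perm.permission_name = N'CONTROL SERVER'
  AND perm.state IN ('G', 'W')                    -- skip DENY rows
ORDER BY grantee.type_desc, grantee.name;

-- 2. Members that inherit the permission through a server role that holds it
--    (user-defined server roles exist in SQL Server 2012).
SELECT role_p.name        AS role_name,
       member_p.name      AS member_name,
       member_p.type_desc AS member_type
FROM sys.server_permissions AS perm
JOIN sys.server_principals  AS role_p
     ON role_p.principal_id = perm.grantee_principal_id
    AND role_p.type = 'R'
JOIN sys.server_role_members AS rm
     ON rm.role_principal_id = role_p.principal_id
JOIN sys.server_principals  AS member_p
     ON member_p.principal_id = rm.member_principal_id
WHERE perm.permission_name = N'CONTROL SERVER'
  AND perm.state IN ('G', 'W')
ORDER BY role_p.name, member_p.name;

-- 3. Template for removing the permission from a principal that does not
--    need it. [example_login] is a placeholder; replace it before running.
-- REVOKE CONTROL SERVER FROM [example_login];
```

Rows showing GRANT_WITH_GRANT_OPTION deserve the closest look, because that principal can pass the permission on to others.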
References
http://msdn.microsoft.com/en-us/library/ms186308.aspx
http://msdn.microsoft.com/en-us/library/ms188659%28v=sql.105%29.aspx
http://msdn.microsoft.com/en-us/library/ms191291.aspx
VMSKey
STIGID

Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.
