
SQL Server 2012 - No SP, SP1, SP2 Workplan Page 1 of 7

Generated by Mercury on 07/19/2017

Workplan for SQL Server 2012


Releases: No SP, SP1, SP2

Generated by EY/Mercury on 07/19/2017

Workplan description:
SQL Server 2008 Technical Review

WP:

By:

Date:

WP By Date

Copyright 2017 Ernst & Young, LLP – All rights reserved.



Control Category:
[None]
Name: Test Default Accounts & Passwords - SQL Server 2008
Description:
LA-1: General system security settings are appropriate
Risk Statement:
Security and password configurations are not optimized to prevent unauthorized access.

Key financial data/programs are intentionally or unintentionally modified.

Manual Review Procedures:


PCP: Determine that the general system security settings are appropriate based on minimum
guidelines defined in our technical-specific guidance, if available.

STEP 1
Verify that the sa account has been assigned a complex password, even if Windows Authentication
mode is being used:

Query the syslogins table:

select * from sys.syslogins

All passwords in SQL Server 2008 will appear with a complex hash, even if the password is blank, so
the hash alone does not show whether a password is set. To verify that privileged accounts
(including the sa account) are assigned a password, attempt to access the privileged accounts
together with the Database Administrator.

STEP 2
Verify that the BUILTIN\Administrators login has been removed and replaced with a Windows
group specifically created for database administrators.

Start SQL Server Management Studio.

Expand Microsoft SQL Server, Security and then Logins.

Verify that the BUILTIN\Administrators login has been replaced with another Windows group.
Discuss the authorization process for adding users to this group with the administrator.

Client Evidence Request: Provide a report of all system users in the current database, showing
whether default accounts have been updated / deleted. This is typically obtained by executing the
following:

STEP 1: From the [START] menu open SQL Server Management Studio and click on [New Query]
and select the [Results to File] icon or from the command line (click on [START] - [RUN] - type CMD
in the ‘Open:’ text box) type sqlcmd -o 'filename' to launch the SQL Query utility outputting the
results to the filename entered.

STEP 2: Run the following query from within the SQL Query window or sqlcmd utility:


select * from sys.syslogins
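The two queries above list every login but leave the sa-password and BUILTIN\Administrators findings to be read off by eye. The following T-SQL is an added example, not part of the EY workplan, that produces the evidence for STEP 1 and STEP 2 directly. It assumes SQL Server 2008 or later; the catalog views need VIEW ANY DEFINITION, and password_hash (query 2) is only populated for a login holding CONTROL SERVER.

```sql
-- Added example, not part of the EY workplan: one script for the evidence asked
-- for in STEP 1 and STEP 2 (login inventory, sa password, BUILTIN\Administrators
-- replacement). Assumes SQL Server 2008 or later.

-- 1. Inventory of server logins with the flags the control cares about.
SELECT
    p.name,
    p.type_desc,                                    -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP
    p.is_disabled,
    p.create_date,
    p.modify_date,
    CASE WHEN EXISTS (SELECT 1
                      FROM sys.server_role_members AS rm
                      JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
                      WHERE rm.member_principal_id = p.principal_id
                        AND r.name = N'sysadmin')
         THEN 1 ELSE 0 END                          AS is_sysadmin,
    CASE WHEN p.sid = 0x01 THEN 1 ELSE 0 END        AS is_sa,            -- sa keeps SID 0x01 even if renamed
    CASE WHEN p.name = N'BUILTIN\Administrators'
         THEN 1 ELSE 0 END                          AS is_builtin_admins -- STEP 2 expects no such row
FROM sys.server_principals AS p
WHERE p.type IN ('S', 'U', 'G')                     -- SQL login, Windows login, Windows group
  AND p.name NOT LIKE '##%'                         -- skip internal certificate-mapped logins
ORDER BY is_sysadmin DESC, p.name;

-- 2. SQL logins whose stored hash matches the empty password. The hash itself
--    looks complex even when the password is blank, so compare explicitly;
--    an empty result set is the expected finding.
SELECT l.name, l.is_disabled
FROM sys.sql_logins AS l
WHERE PWDCOMPARE(N'', l.password_hash) = 1;

-- 3. Windows groups holding sysadmin. STEP 2 expects a purpose-built DBA group
--    here rather than BUILTIN\Administrators.
SELECT p.name, p.type_desc, p.create_date
FROM sys.server_principals AS p
JOIN sys.server_role_members AS rm ON rm.member_principal_id = p.principal_id
JOIN sys.server_principals   AS r  ON r.principal_id = rm.role_principal_id
WHERE r.name = N'sysadmin'
  AND p.type = 'G';
```

Run it from the same [New Query] window or sqlcmd session described in the evidence request; with sqlcmd -o the three result sets land in the output file and can be attached to the workpaper as-is.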


Control Category:
[None]
Name: Test Logging of Unsuccessful Login Attempts - SQL Server 2008
Description:
LA-2: Password settings are appropriate
Risk Statement:
Security and password configurations are not optimized to prevent unauthorized access.

Unauthorized access attempts are not detected and resolved by management.

Key financial data/programs are intentionally or unintentionally modified.

Manual Review Procedures:


PCP: For each relevant technical component of the logical access path, obtain evidence of the
organization’s settings for the following security configurations:

• Minimum password length
• Initial log-on uses a one time password
• Password composition (e.g., alpha/numeric characters, not words in dictionary)
• Frequency of forced password changes
• The number of unsuccessful login attempts allowed before lockout
• Ability of users to assign their own passwords
• Number of passwords that must be used prior to using a password again
• Idle session time out
• Logging of unsuccessful login attempts

Determine if failed login attempts are audited by reviewing the login auditing setting using SQL
Server Management Studio:

STEP 1: <Right-click> appropriate server instance.

STEP 2: Click [Properties].

STEP 3: Click [Security] tab.

STEP 4: Under [Login auditing], verify that [Both failed and successful logins] is checked.

If failed login attempts are audited, interview the System Administrator to determine the following:

- the frequency with which failed login attempts are reviewed,

- the procedures for addressing failed login attempts of a suspicious and recurring nature and

- if failed-login attempt reports are filed or safeguarded in some other manner.


Review the file of failed login attempt reports. Identify any failed login attempts of a suspicious
and recurring nature. Determine what actions were taken.
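The login-auditing setting and the failed-login reports reviewed above can also be pulled straight from the instance. The script below is an added example, not part of the EY workplan; it assumes SQL Server 2008 or later and a login in the securityadmin or sysadmin role (needed for xp_loginconfig, xp_instance_regread and xp_readerrorlog). The registry path and the AuditLevel values are the ones SQL Server writes when the Security tab is changed.

```sql
-- Added example, not part of the EY workplan: read the login-auditing setting
-- that the Security tab controls, then summarise failed logins from the current
-- SQL Server error log so recurring attempts stand out.

-- 1. Audit level as a word: 'none', 'success', 'failure' or 'all'.
--    The control expects 'all' ("Both failed and successful logins").
EXEC master.dbo.xp_loginconfig 'audit level';

-- Same setting from the registry: 0 = none, 1 = success, 2 = failure, 3 = both.
DECLARE @audit_level INT;
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer',
     N'AuditLevel',
     @audit_level OUTPUT;
SELECT @audit_level AS audit_level,
       CASE WHEN @audit_level = 3 THEN 'PASS' ELSE 'EXCEPTION' END AS control_result;

-- 2. Failed logins in the current error log (log 0, type 1 = SQL Server log).
--    Messages look like:
--    Login failed for user 'sa'. Reason: Password did not match ... [CLIENT: 10.0.0.5]
CREATE TABLE #errlog (LogDate DATETIME, ProcessInfo NVARCHAR(50), [Text] NVARCHAR(MAX));
INSERT INTO #errlog (LogDate, ProcessInfo, [Text])
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';

WITH parsed AS (
    SELECT
        LogDate,
        -- text between the first pair of single quotes = login name
        SUBSTRING([Text],
                  CHARINDEX('''', [Text]) + 1,
                  CHARINDEX('''', [Text], CHARINDEX('''', [Text]) + 1)
                    - CHARINDEX('''', [Text]) - 1)                       AS login_name,
        -- text after "[CLIENT: " up to the closing bracket = client address
        SUBSTRING([Text],
                  CHARINDEX('[CLIENT:', [Text]) + 9,
                  CHARINDEX(']', [Text], CHARINDEX('[CLIENT:', [Text]))
                    - CHARINDEX('[CLIENT:', [Text]) - 9)                  AS client_address
    FROM #errlog
    WHERE [Text] LIKE 'Login failed for user%'
      AND CHARINDEX('[CLIENT:', [Text]) > 0
)
SELECT
    login_name,
    client_address,
    COUNT(*)     AS attempts,
    MIN(LogDate) AS first_seen,
    MAX(LogDate) AS last_seen
FROM parsed
GROUP BY login_name, client_address
ORDER BY attempts DESC, last_seen DESC;

DROP TABLE #errlog;
```

The error log is recycled on every service restart, so query 2 only covers the current log; pass 1, 2, ... as the first xp_readerrorlog argument to read the archived logs. This is why the workplan still asks for the client's filed reports: the instance itself keeps only a short history.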

Client Evidence Request: Provide a screenshot of the auditing of failed login attempts using SQL
Server Management Studio:

STEP 1: <Right-click> appropriate server instance.

STEP 2: Click [Properties].

STEP 3: Click [Security] tab and take a screenshot.

Provide details around the following:

- the frequency with which failed login attempts are reviewed,

- the procedures for addressing failed login attempts of a suspicious and recurring nature and

- if failed-login attempt reports are filed or safeguarded in some other manner.

Provide a file of failed login attempt reports.


Control Category:
[None]
Name: Test Password Composition - SQL Server 2008
Description:
LA-2: Password settings are appropriate
Risk Statement:
Security and password configurations are not optimized to prevent unauthorized access.

Unauthorized access attempts are not detected and resolved by management.

Key financial data/programs are intentionally or unintentionally modified.

Manual Review Procedures:


PCP: For each relevant technical component of the logical access path, obtain evidence of the
organization’s settings for the following security configurations:

• Minimum password length
• Initial log-on uses a one time password
• Password composition (e.g., alpha/numeric characters, not words in dictionary)
• Frequency of forced password changes
• The number of unsuccessful login attempts allowed before lockout
• Ability of users to assign their own passwords
• Number of passwords that must be used prior to using a password again
• Idle session time out
• Logging of unsuccessful login attempts

Review the default authentication mode for user logins using SQL Server Management Studio:

STEP 1: <Right-click> appropriate server instance.

STEP 2: Click [Properties].

STEP 3: Click [Security] tab.

STEP 4: Under [Authentication], verify that [Windows Authentication mode] is checked.

If [Windows Authentication mode] is checked, review the password complexity and minimum
password length policies at Windows level:

STEP 1: [Start]\[Programs]\[Administrative Tools]\[Local Security Policy].

STEP 2: [Account Policies]\[Password policy].

STEP 3: Verify that [Password must meet complexity requirements] is [Enabled].

STEP 4: Verify that [Minimum password length] is between 6 and 8 characters.


If [SQL Server and Windows Authentication mode] is checked and SQL Server 2008 is running on
Windows Server 2003, then SQL user accounts can adopt the Windows password policy. To review:

STEP 1: select * from sys.sql_logins

STEP 2: Verify that [is_policy_checked] = 1; if so, the Windows account lockout settings apply to
the SQL account.

Client Evidence Request: There are two possible SQL Server authentication modes used to enforce
password complexity and a minimum password length:

• Windows Authentication Mode
• Mixed Mode

If Windows Authentication mode is in use, provide a report showing that Windows Authentication is
being used. This is typically obtained by taking a screenshot of the following:

STEP 1: Click on [START] – [PROGRAMS] – [MICROSOFT SQL SERVER], then click on [SQL
SERVER MANAGEMENT STUDIO] to launch the SQL Server Management tool.

STEP 2: In the left-hand pane, expand the server group, right-click on the server and select Properties.

STEP 3: On the Security Tab, under Authentication, the options are ‘Windows Authentication Mode’
or ‘SQL Server and Windows Authentication Mode’. Take a screenshot of this screen.

If Windows Authentication is in use, provide a report of the password policy, outlining complexity
requirements and minimum password length. This is typically obtained by taking a screenshot of the
following:

STEP 1: Click on [Start] - [Programs] - [Administrative Tools] - [Local Security Policy].

STEP 2: Click on [Account Policies] - [Password policy]. Take a screenshot of this screen.

If SQL Server and Windows Authentication mode is in use and SQL Server 2008 is being run on
Windows Server 2003, also provide a report of SQL logins which have Windows Password policy
applied. This is typically obtained by executing the following:

STEP 1: From the [START] menu open SQL Server Management Studio and click on [New Query]
and select the [Results to File] icon or from the command line (click on [START] - [RUN] - type CMD
in the ‘Open:’ text box) type sqlcmd -o 'filename' to launch the SQL Query utility outputting the
results to the filename entered.

STEP 2: Run the following query from within the SQL Query window or sqlcmd utility:

select * from sys.sql_logins
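select * from sys.sql_logins returns every column, and the authentication mode still has to be read from a screenshot. The script below is an added example, not part of the EY workplan, that reports both in one pass: the mode via SERVERPROPERTY and, for each SQL login, the policy flags the control tests. It assumes SQL Server 2008 or later and a login with VIEW ANY DEFINITION; the commented ALTER LOGIN at the end uses a placeholder login name.

```sql
-- Added example, not part of the EY workplan: authentication mode plus the
-- per-login password-policy flags for the password-composition control.

-- 1. Authentication mode as shown on the Security tab.
--    IsIntegratedSecurityOnly = 1 -> Windows Authentication mode
--                             = 0 -> SQL Server and Windows Authentication (mixed) mode
SELECT CASE CONVERT(INT, SERVERPROPERTY('IsIntegratedSecurityOnly'))
            WHEN 1 THEN 'Windows Authentication mode'
            ELSE 'SQL Server and Windows Authentication mode'
       END AS authentication_mode;

-- 2. Under mixed mode, which SQL logins inherit the Windows password policy.
--    is_policy_checked     = 1 : complexity, length and lockout enforced (CHECK_POLICY = ON)
--    is_expiration_checked = 1 : maximum password age enforced (CHECK_EXPIRATION = ON)
SELECT
    l.name,
    l.is_disabled,
    l.is_policy_checked,
    l.is_expiration_checked,
    LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS password_last_set,
    LOGINPROPERTY(l.name, 'IsLocked')            AS is_locked,
    LOGINPROPERTY(l.name, 'IsMustChange')        AS must_change,
    CASE WHEN l.is_policy_checked = 1 THEN 'PASS' ELSE 'EXCEPTION' END AS control_result
FROM sys.sql_logins AS l
WHERE l.name NOT LIKE '##%'                      -- skip internal certificate-mapped logins
ORDER BY control_result, l.name;

-- 3. Remediation for an EXCEPTION row, agreed with the DBA and run per login.
--    [app_user] is a placeholder, not a login from the workplan.
-- ALTER LOGIN [app_user] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
```

Query 2 is only meaningful when query 1 reports mixed mode; under Windows Authentication mode the Local Security Policy screenshot above is the evidence, since no SQL login can be used to connect.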
