MS SQL 2000 (worksheet)

CCE (Common Configuration Enumeration) entries for Microsoft SQL Server 2000. The worksheet columns are CCE ID, CCE Description, CCE Parameters, CCE Technical Mechanism, and the DISA STIG rule each entry references. Only the cell text survived extraction, not the row layout, so the contents of each column are listed separately below, in the order in which they appear.

References:
DISA STIG SQL 2000 DB, Version 8, Release 1.7, Benchmark Date: 27 August 2010
DISA STIG SQL 2000 INS, Version 8, Release 1.7, Benchmark Date: 27 August 2010

CCE ID:
CCE-20013-9, CCE-19816-8, CCE-19517-2, CCE-19448-0, CCE-19649-3, CCE-19926-5, CCE-19822-6, CCE-19220-3, CCE-19886-1, CCE-19147-8, CCE-19909-1, CCE-19687-3, CCE-19392-0, CCE-19857-2, CCE-19749-1, CCE-19781-4, CCE-19784-8, CCE-19831-7, CCE-19935-6, CCE-19971-1, CCE-19277-3, CCE-19361-5, CCE-19930-7, CCE-19289-8, CCE-19735-0, CCE-19835-8, CCE-19989-3, CCE-19398-7, CCE-19498-5, CCE-19734-3, CCE-19855-6, CCE-19788-9

CCE Description:
- Passwords for DBMS default accounts should be set appropriately.
- Required auditing parameters for database auditing should be set appropriately.
- Access to registry extended stored procedures should be configured appropriately.
- SQL Server authentication should be configured appropriately.
- Default demonstration and sample database objects and applications should be available or removed as appropriate.
- Access to DBMS software files and directories should be configured appropriately.
- Remote DBMS administration should be enabled or disabled as appropriate.
- Access to the extended stored procedure xp_cmdshell should be configured appropriately.
- The xp_cmdshell should be enabled or disabled as appropriate.
- Error log retention should be configured appropriately.
- SQL Server event forwarding should be configured appropriately.
- Named Pipes network protocol should be configured appropriately.
- Trace rollover should be configured appropriately.
- Remote access should be configured appropriately.
- C2 Audit records should be configured appropriately.
- Permissions using the WITH GRANT OPTION for a specified database should be configured appropriately.
- Object permissions assigned to PUBLIC or GUEST for a specified database should be configured appropriately.
- DBMS privileges to restore database data or other DBMS configurations, features or objects in a specified database should be configured appropriately.
- Database application permissions allowing DDL statements to modify the application schema for a specified database should be configured appropriately.
- Custom and GOTS application source code for a specified database should be encrypted or not encrypted as appropriate.
- Permissions on system tables for a specified database should be configured appropriately.
- DDL permissions for a specified database and specified account should be configured appropriately.
- The SQL Server Service for a specified instance should be configured appropriately.
- DBMS login account password complexity requirements should be configured appropriately.
- The SQL Mail XPs should be enabled or disabled as appropriate.
- The SQL Server Database Service account should be configured appropriately.
- The SQL Server Agent account should be configured appropriately.
- OLE Automation extended stored procedures should be configured appropriately.
- SQL Server registry keys and sub-keys permissions should be configured appropriately.
- Access to CmdExec and ActiveScripting jobs should be configured appropriately.
- Application object owner accounts for a specified database should be enabled or disabled as appropriate.
- Application object owner accounts for a specified database should be configured appropriately.

CCE Parameters:
- (1) set of accounts (2) database name
- (1) CREATE (2) ALTER (3) DROP
- (1) enabled/disabled (2) xp_cmdshell
- (1) database name
- (1) enable/disable
- (1) enable/disable (2) trace_id (3) trace_file (4) max_file_size (5) stop_time (6) max_rollover_files
- (2) value query (remove)
- (1) remote admin connections (2) enable/disable
- (1) enable/disable (2) c2 audit mode
- (1) local account
- (1) set of accounts (2) list of permissions
- (1) list of permissions (2) [object] (3) [public or guest] (4) database name
- (1) username (2) WITH PASSWORD [ new password ]
- (1) TraceID
- (1) database_name (2) database_snapshot_name
- (1) list of permissions (2) set of accounts (3) database name
- enable/disable
- (1) user/role
- (1) permission (2) object name (3) user name
- (1) login_name (2) enable/disable (3) default_database
- (1) [procedure name] (2) WITH ENCRYPTION (3) Custom/GOTS procedures (4) Database Name
- (1) list of permissions (2) [object] (3) [user name] (4) [database name]
- (1) set of accounts (2) list of permissions (3) database name
- (1) login name (2) on/off
- (1) user (2) xp_cmdshell
- (1) 'remote access' (2) enabled/disabled
- (1) 'login mode' (2) number
- (1) number of error logs
- (1) member/not member
- (1) granted/revoked

CCE Technical Mechanism:
- (1) EXEC SP_CONFIGURE (2) RECONFIGURE
- (1) ALTER LOGIN
- (1) ALTER PROCEDURE
- (1) EXEC SP_CONFIGURE
- (1) defined by the object's DACL
- (1) EXEC XP_LOGINCONFIG
- (1) REVOKE / GRANT
- (1) DROP DATABASE
- (1) EXEC SP_TRACE_SETSTATUS
- (1) ALTER LOGIN (2) CHECK_POLICY
- (1) REVOKE/GRANT CONTROL
- (1) GRANT OR REVOKE Command
- (1) Use the SQL command to assign permissions to the appropriate roles
- (1) net user /add
- (1) Configure the SQL Server Database Service account via the Computer Management Tool.
- (1) Configure the SQL Server Agent account via the Computer Management Tool.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer
- (1) EXEC SP_TRACE_CREATE [ @traceid = ] trace_id OUTPUT , [ @options = ] option_value , [ @tracefile = ] 'trace_file' [ , [ @maxfilesize = ] max_file_size ] [ , [ @stoptime = ] 'stop_time' ] [ , [ @filecount = ] 'max_rollover_files' ]
- (1) From the query prompt:
    USE [database name]
    SELECT DISTINCT u.name FROM sysusers u, sysobjects o WHERE u.uid = o.uid AND u.uid NOT IN ('1', '3', '4')
- (1) USE [database name]
    SELECT USER_NAME(uid), name, crdate FROM sysobjects WHERE uid NOT IN (1, 3, 4)
- (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\MSSQL.#\MSSQLServer\NumErrorLogs
  (2) HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\Instance Names\SQL\[instance name]
  or, from the SQL Server Management Studio GUI:
    1. Connect to and expand the SQL Server instance
    2. Expand Management
    3. Right-click on SQL Server Logs
    4. Select Configure
    5. Under the General page, select or deselect "Limit the number of error logs before they are recycled"
    6. Enter the number of error log files determined for the SQL Server instance
    7. Click OK
- (1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.[#]\SQLServerAgent\AlertForwardingServer
  or, from the SQL Server Management Studio GUI:
    1. Expand the instance
    2. Right-click on SQL Server Agent
    3. Select Properties
    4. Select the Advanced page
    5. Select or deselect the "Forward events to a different server" check box
    6. Click the OK button to save and close
- (1) HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSSQLServer\SQLSERVERAGENT (the SysAdminOnly value)
  or, from the SQL Server Enterprise Manager GUI:
    1. Connect/expand SQL Server
    2. Expand Management
    3. Right-click on SQL Server Agent
    4. Select Properties
    5. Select the Job System tab
    6. Select or deselect the checkbox "Only users with SysAdmin privileges can execute CmdExec and ActiveScripting job steps"
    7. Click OK
- From the SQL Server Management Studio GUI:
    1. Connect/expand SQL Server
    2. Expand Databases
    3. Expand System Databases
    4. Expand Master
    5. Expand Programmability
    6. Expand Extended Stored Procedures
    7. Expand System Extended Stored Procedures
    8. Locate and select each of the Registry extended stored procedures listed in the Check section
    9. Right-click on the extended stored procedure
    10. Select Properties
    11. Click on the Permissions page
    12. Select each user or role and select or deselect the Grant (and With Grant, if checked) permissions for all users, database roles and public, except for SYSADMINs and authorized roles when permitted
    13. Click OK
- From the SQL Server Network Utility, under Enabled protocols:
    1. Select Named Pipes
    2. Click on the appropriate option (enable or disable)
    3. Click OK (to save)
    4. Click OK (to exit)

STIG rules referenced:
- Rule ID: V0002458 Rule Title: Permissions on system tables should be restricted to authorized accounts. STIG ID: DM1749 Severity: CAT II Class: Unclass
- Rule ID: V0015651 Rule Title: Remote DBMS administration should be documented and authorized or disabled. STIG ID: DG0157 Severity: CAT II Class: Unclass
- Rule ID: V0003823 Rule Title: Custom and GOTS application source code stored in the database should be protected with encryption or encoding. STIG ID: DG0091 Severity: CAT III Class: Unclass
- Rule ID: V0003835 Rule Title: The SQL Server service should use a least-privileged local or domain user account. STIG ID: DM0924 Severity: CAT II Class: Unclass
- Rule ID: V0015170 Rule Title: SQL Server services should be assigned least privileges on the SQL Server Windows host. STIG ID: DM0919 Severity: CAT II Class: Unclass
- Rule ID: V0015608 Rule Title: Access to DBMS software files and directories should not be granted to unauthorized users. STIG ID: DG0009 Severity: CAT II Class: Unclass
- Rule ID: V0015137 Rule Title: Error log retention should be set to meet log retention policy. STIG ID: DM3930 Severity: CAT II Class: Unclass
- Rule ID: V0002463 Rule Title: DDL permissions should be granted only to authorized accounts. STIG ID: DM1760 Severity: CAT II Class: Unclass
- Rule ID: V0002426 Rule Title: C2 Audit mode should be enabled or custom audit traces defined. STIG ID: DG0510 Severity: CAT II Class: Unclass
- Rule ID: V0015124 Rule Title: The Named Pipes network protocol should be documented and approved if enabled. STIG ID: DM6015 Severity: CAT II Class: Unclass
- Rule ID: V0002488 Rule Title: SQL Server Agent CmdExec or ActiveScripting jobs should be restricted to sysadmins. STIG ID: DM3763 Severity: CAT II Class: Unclass
- Rule ID: V0003335 Rule Title: SQL Mail, SQL Mail Extended Stored Procedures (XPs) and Database Mail XPs are required and enabled. STIG ID: DM0900 Severity: CAT II Class: Unclass
- Rule ID: V0015609 Rule Title: Default demonstration and sample database objects and applications should be removed. STIG ID: DG0014 Severity: CAT II Class: Unclass
- Rule ID: V0002500 Rule Title: Trace Rollover should be enabled for audit traces that have a maximum trace file size. STIG ID: DM5267 Severity: CAT II Class: Unclass
- Rule ID: V0015152 Rule Title: DBMS login accounts require passwords to meet complexity requirements. STIG ID: DG0079 Severity: CAT II Class: Unclass
- Rule ID: V0015176 Rule Title: SQL Server event forwarding, if enabled, should be operational. STIG ID: DM6030 Severity: CAT II Class: Unclass
- Rule ID: V0015635 Rule Title: DBMS default accounts should be assigned custom passwords. STIG ID: DG0128 Severity: CAT I Class: Unclass
- Rule ID: V0015607 Rule Title: Application objects should be owned by accounts authorized for ownership. STIG ID: DG0008 Severity: CAT II Class: Unclass
- Rule ID: V0002473 Rule Title: Registry extended stored procedures should be restricted to sysadmin access. STIG ID: DM2119 Severity: CAT II Class: Unclass
- Rule ID: V0015107 Rule Title: DBMS privileges to restore database data or other DBMS configurations, features or objects should be restricted to authorized DBMS accounts. STIG ID: DG0063 Severity: CAT II Class: Unclass
- Rule ID: V0015172 Rule Title: Object permissions should not be assigned to PUBLIC or GUEST. STIG ID: DM6196
- Rule ID: V0005683 Rule Title: Application object owner accounts should be disabled when not performing installation or maintenance actions. STIG ID: DG0004 Severity: CAT II Class: Unclass
- Rule ID: V0002487 Rule Title: SQL Server authentication mode should be set to Windows authentication mode or Mixed mode. STIG ID: DM3566 Severity: CAT II Class: Unclass
- Rule ID: V0002461 Rule Title: Extended stored procedure xp_cmdshell should be restricted to authorized accounts. STIG ID: DM1758 Severity: CAT I Class: Unclass
- Rule ID: V0002472 Rule Title: OLE Automation extended stored procedures should be restricted to sysadmin access. STIG ID: DM2095 Severity: CAT II Class: Unclass
- Rule ID: V0003838 Rule Title: SQL Server registry keys should be properly secured. STIG ID: DM0927 Severity: CAT II Class: Unclass
- Rule ID: V0005685 Rule Title: Required auditing parameters for database auditing should be set. STIG ID: DG0029 Severity: CAT II Class: Unclass
- Rule ID: V0002485 Rule Title: Remote access should be disabled if not authorized. STIG ID: DM2142 Severity: CAT II Class: Unclass
- Rule ID: V0003727 Rule Title: Database applications should be restricted from using static DDL statements to modify the application schema for a specified database. STIG ID: DG0015 Severity: CAT II Class: Unclass
- Rule ID: V0002498 Rule Title: Permissions using the WITH GRANT OPTION should be granted only to DBA or application administrator accounts. STIG ID: DM5144 Severity: CAT II Class: Unclass

Last modified: 2013-02-11
Version: 5.20130214
Workbook properties: Jeff Ito (author); Sain, Joe (last saved by); Microsoft Excel.