Database Security Technical Implementation Guide

Name Database Security Technical Implementation Guide, Version 7 Release 2
Version Version 7 Release 2
Status Final
Creation Date Not Available.
Revision Date 2005-11-30
Product Category Database Management System (DBMS)
Vendor Oracle Corporation
Microsoft Corporation
IBM Corporation
Product

Oracle Database
MS SQL Server
IBM DB2 UDB

Product Version Oracle Database 8i, 9i, 10g
MS SQL Server 7.0 and 2000
IBM DB2 8.1
Generic Database
Product Role Database Server
Checklist Summary The Database Security Technical Implementation Guide (STIG) is published as a tool to assist in improving the security of Department of Defense (DOD) information systems, specifically database servers. This STIG targets conditions that undermine the integrity of security, contribute to inefficient security operations and administration, or may lead to interruption of production operations. The document is meant for use in conjunction with the appropriate Operating System (OS) STIG as well as other STIGs covering the requirements of any applications that access the database. As such, it provides the technical security policies, requirements, and implementation details for applying security concepts to database servers.

It covers database servers in general and, specifically, Oracle, Microsoft SQL Server, and DB2 database servers that store and retrieve data for local, intranet, or Internet clients. The document first provides security implementation recommendations applicable to any database server; these requirements cover integrity, access controls, auditing, network access, and the security of the underlying operating system. After the general security controls are in place, the document turns to additional security policies that should be implemented for three specific database servers: Oracle v8i / 9i, Microsoft SQL Database Server v7.0, and IBM DB2 v8.0. Once these policies are applied, the Database STIG guides the user through the implementation of specific STIG policies so that each of these database environments achieves DOD STIG compliance.
Known Issues This Database STIG presents the known security configuration items, vulnerabilities, and issues required to be addressed by DoD policy. In addition to this STIG, compliance validation tools and checklists are available to .mil and .gov customers to assist in the efforts to implement the required configuration. It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers.
Target Audience Developed for the DOD.
The most effective way to improve security in DOD database systems is to build it into the applications supported by the organization. To that end, the document is also intended to be useful to application program managers/developers in the design phase of DOD applications.
Target Operational Environment Enterprise and Specialized Security-Limited Functionality.
Checklist Installation Tools Not Available.
Rollback Capability None.
Testing Information Not Available.
NIAP/CMVP Status Not Available.
Regulatory Compliance DOD Directive 8500.
Comments, Warnings, Disclaimer, Miscellaneous Refer to Known Issues.
Disclaimer Not Available.
Product Support It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers.
Submitting Organization/Authors Defense Information Systems Agency
Point of Contact Not Available.
Sponsor Not Available.
Licensing Not Available.
Checklist Homepage http://iase.disa.mil/stigs/stig/index.html
Download Package http://iase.disa.mil/stigs/checklist/ (file: database-stig-v7r2.pdf)
Integrity SHA1 (database-stig-v7r2.pdf) = 6985d606b74a0cf3ad5823c09babf522e646360a

SHA256 (database-stig-v7r2.pdf) = fd3a0d65e95f89812956dd0d2989a14970f148ef53e396c2f9c75b4393fa0e12
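The digests above are the only integrity evidence the catalog entry gives for the download, and the download link itself is plain HTTP, so the file should be checked against them before it is opened or distributed. The script below is an added example and is not part of the NIST page or the DISA STIG; it assumes a POSIX shell with either GNU coreutils (sha1sum, sha256sum) or shasum available, and it uses a constructed sample file whose digests are the standard "abc" test vectors, not the real digests of database-stig-v7r2.pdf. To check the real download, call verify_digests with the PDF path and the two digests published on this page.

```shell
#!/bin/sh
# Added example (not from the NIST page or the DISA STIG): verify a downloaded
# checklist file against the SHA-1 and SHA-256 digests published on the catalog
# entry before trusting its contents. The sample file and digests below are
# constructed test values, not the real database-stig-v7r2.pdf digests.

# Print the hex digest of file $2 using algorithm $1 (1 or 256). Works with GNU
# coreutils (sha1sum/sha256sum) and falls back to perl/BSD shasum.
digest() {
    alg="$1"; f="$2"
    if command -v "sha${alg}sum" >/dev/null 2>&1; then
        "sha${alg}sum" "$f" | cut -d' ' -f1
    else
        shasum -a "$alg" "$f" | cut -d' ' -f1
    fi
}

# verify_digests FILE EXPECTED_SHA1 EXPECTED_SHA256
# Returns 0 only when both digests match (compared case-insensitively).
# Returns 1 on a SHA-256 mismatch, 2 when only SHA-1 mismatches, 3 if the
# file cannot be read. SHA-256 is checked first and is the digest to rely on;
# SHA-1 is compared only because the catalog entry publishes it.
verify_digests() {
    f="$1"
    want1=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    want256=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    [ -r "$f" ] || { echo "unreadable: $f" >&2; return 3; }
    got256=$(digest 256 "$f")
    got1=$(digest 1 "$f")
    if [ "$got256" != "$want256" ]; then
        echo "SHA256 MISMATCH for $f: got $got256 want $want256" >&2
        return 1
    fi
    if [ "$got1" != "$want1" ]; then
        echo "SHA1 mismatch for $f (SHA-256 matched): got $got1 want $want1" >&2
        return 2
    fi
    echo "OK: $f"
    return 0
}

# Constructed sample: the 3-byte string "abc" has well-known FIPS test-vector
# digests, so the check can be exercised offline without the real PDF.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
printf 'abc' > "$SAMPLE"
SAMPLE_SHA1=a9993e364706816aba3e25717850c26c9cd0d89d
SAMPLE_SHA256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

# Usage with the real download would be:
#   verify_digests database-stig-v7r2.pdf 6985d606b74a0cf3ad5823c09babf522e646360a fd3a0d65e95f89812956dd0d2989a14970f148ef53e396c2f9c75b4393fa0e12
verify_digests "$SAMPLE" "$SAMPLE_SHA1" "$SAMPLE_SHA256"
```

Because the digests were obtained from this NIST page rather than from the HTTP download site, a match ties the file to what NIST catalogued at the time; a SHA-256 mismatch means the file is not the catalogued release (a newer revision, a truncated download, or tampering) and should not be used until resolved.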
Change History

Version 7 Release 2 - 2005-11-30
Version 7 Release 1 - 2004-10-29
Version 7 Release 0 - 2004-07-26

Dependency/Requirement Database Security Checklist, v7 Release 1.2
References The following documents and resources were consulted:

Government Publications:
Department of Defense Directive 8500.1, "Information Assurance", 24 October 2002.

Department of Defense Instruction 8500.2, "Information Assurance (IA) Implementation", 6 February 2003.

Defense Information Systems Agency Instruction (DISAI) 630-230-19, "Automated Data Processing Information Systems Security Program," 9 July 1996.

Department of Defense Directive 5200.40, "DOD Information Technology Security and Accreditation Process (DITSCAP)," 30 December 1997.

Chairman of the Joint Chiefs of Staff (CJCS) Manual 6510.01, "Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND)," 15 March 2002.

Defense Information Systems Agency (DISA) Security Handbook, Version 3, 1 December 2000.

Defense Information Systems Agency (DISA) Naming Convention Standards, February 1996.

DoD Instruction 8520.2, "Public Key Infrastructure (PKI) and Public Key (PK) Enabling," April 1, 2004.

Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) on Enclave Security, Version 1, Release 1, 30 March 2001.

Defense Information Systems Agency (DISA) Network Infrastructure Security Technical Implementation Guide, Version 5, Release 2, 29 October 2003.

Defense Information Systems Agency (DISA) Addendum to the NSA Guide to Securing Microsoft Windows NT Networks and NSA Guides to Securing Windows 2000, Version 3, Release 1, 26 November 2002.

Defense Information Systems Agency (DISA) Secure Configuration of Windows XP Professional Security Technical Implementation Guide, Version 1, Release 8, 3 December 2002.

Defense Information Systems Agency (DISA) UNIX Security Technical Implementation Guide, Version 4, Release 4, 15 September 2003.

Defense Information Systems Agency (DISA) OS/390 Security Technical Implementation Guide, Version 4, Release 1, 4 August 2003.

DBMS Vendor Publications:
Oracle 9i, Installation Guide, Release 2 (9.2.0.1.0) for UNIX Systems: AIX-Based Systems, Compaq Tru64 UNIX, HP9000 Series HP-UX, Linux Intel, and Sun Solaris, May 2002, Part No. A96167-01.

Oracle 9i, Database Installation Guide Release 2 (9.2.0.1.0) for Windows, May 2002, Part No. A95493-01.

Oracle 9i Enterprise Edition, Installation Guide, Release 1 (9.0.1) for OS/390, May 2001, Part No. A89900-01.

Oracle 9i Net Services, Reference Guide, Release 2 (9.2), October 2002, Part No. A96581-02.

Oracle 9i, Database Administrator's Guide Release 1 (9.0.1) for Windows, June 2001, Part No. A90164-01.

Oracle 9i, Administrator's Reference, Release 2 (9.2.0.1.0) for UNIX Systems: AIX-Based Systems, Compaq Tru64 UNIX, HP 9000 Series HP-UX, Linux Intel, and Sun Solaris, May 2002, Part No. A97297-01.

Oracle 9i Enterprise Edition, System Administration Guide Release 2 (9.2.0.1.0) for OS/390, May 2002, Part No. A97313-01.

Oracle 9i, Security Overview, Release 1 (9.0.1), June 2001, Part No. A90148-01.

Hack Proofing Oracle, Howard Smith, Oracle Corporation UK Limited, Paper presented at the Oracle Open World Conference, San Francisco, CA, October 2000.

A Security Checklist for Oracle 9i, An Oracle White Paper, March 2001, Author: Rajiv Sinha.

Microsoft SQL Server 2000, SQL Server Books Online, Version 8.00.00.

IBM DB2 Universal Database, Administration Guide: Performance, Version 8.

IBM DB2 Universal Database, Administration Guide: Implementation, Version 8.

IBM DB2 Universal Database, Installation and Configuration Supplement, Version 8.

IBM DB2 Universal Database, Federated Systems Guide, Version 8.

IBM DB2 Connect, Connect User's Guide, Version 8.

NIST Identifier 1005



NIST and the checklist submitter do not guarantee or warrant the checklist's accuracy or completeness. NIST is not responsible for loss, damage, or problems that may be caused by using the checklist.

Last updated: March 9, 2006
Page created: October 28, 2004

Send comments or suggestions to checklists@nist.gov