Detections
Analytics

SQLI-22-009900 - SQL Server must prevent unauthorized and unintended information transfer via Instant File Initialization (IFI).

Information

The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse.

When IFI is in use, the deleted disk content is overwritten only as new data is written to the files. For this reason, the deleted content might be accessed by an unauthorized principal until some other data writes on that specific area of the data file.

Historically, transaction log files couldn't be initialized instantaneously. However, starting with SQL Server 2022 (16.x) (all editions), transaction log autogrowth events up to 64 MB can benefit from instant file initialization. The default auto growth size increment for new databases is 64 MB. Transaction log file autogrowth events larger than 64 MB can't benefit from instant file initialization.

Instant file initialization is allowed for transaction log growth on databases that have transparent data encryption (TDE) enabled, due to the nature of how the transaction log file is expanded, and the fact that the transaction log is written into in a serial fashion.

Solution

If IFI is not documented as being required, disable instant file initialization for the instance of SQL Server by removing the SQL Service SID and/or service account from the "Perform volume maintenance tasks" local rights assignment.

To grant an account the "Perform volume maintenance tasks" permission:

1. On the computer where the data file will be created, open the Local Security Policy application (secpol.msc).
2. In the left pane, expand "Local Policies" then select "User Rights Assignment".
3. In the right pane, double-click "Perform volume maintenance tasks".
4. Select "Add User or Group" and add the SQL Server service account.
5. Select "Apply", then close all Local Security Policy dialog boxes.
6. Restart the SQL Server service.
7. Check the SQL Server error log at startup.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/U_MS_SQL_Server_2022_Y25M06_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-4, CAT|II, CCI|CCI-001090, Rule-ID|SV-271327r1109250_rule, STIG-ID|SQLI-22-009900, Vuln-ID|V-271327

Plugin: MS_SQLDB

Control ID: 726f23587e8e09449fad706999c0ea9853584bc6aff3b59d8a6568570ca9e7b2