Kingdom: Code Quality

Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways.

Database Bad Practices: Use of Restricted Accounts

PLSQL/TSQL

Abstract

An attempt was made to use one of the following accounts to connect to the database: admin, administrator, guest, root, or sa.

Explanation

Windows Azure SQL Database supports only SQL Server Authentication. Windows Authentication (integrated security) is not supported. Users must provide credentials (login and password) every time they connect to Windows Azure SQL Database. Per Microsoft Windows Azure SQL Database General Guidelines and Limitations, the following account names are not available: admin, administrator, guest, root, sa.

References

[1] Security Guidelines and Limitations (Windows Azure SQL Database)

[2] Windows Azure SQL Database Concepts

[3] Transact-SQL Support (Windows Azure SQL Database)

[4] Development Considerations in Windows Azure SQL Database

[5] Managing Databases and Logins in Windows Azure SQL Database

[6] Configure and manage Azure AD authentication with Azure SQL

[7] How to: Connect to Windows Azure SQL Database Using sqlcmd

[8] Copying Databases in Windows Azure SQL Database

[9] Data Types (Windows Azure SQL Database)

[10] Deprecated Database Engine Features in SQL Server 2012

[11] EXECUTE AS (Transact-SQL)

[12] Security Statements

[13] System Stored Procedures (Windows Azure SQL Database)

[14] Guidelines and Limitations (Windows Azure SQL Database)

[15] General Guidelines and Limitations (Windows Azure SQL Database)

[16] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[17] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1

[18] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[19] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[20] Standards Mapping - CIS Kubernetes Benchmark partial

[21] Standards Mapping - Common Weakness Enumeration CWE ID 272

[22] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269

[23] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235

[24] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[25] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)

[26] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege

[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[28] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.3 Access Control Architectural Requirements (L2 L3), 10.2.2 Malicious Code Search (L2 L3)

[29] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2

[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2

[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2

[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2

[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control

[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control

[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls

[40] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[59] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[60] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[61] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[62] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.sql.code_quality_database_authentication_use_of_restricted_accounts