vFyٔ{6R(�)?~ܵ}\m�>m�z}�)=t^}_-̧pD'nRUh�}d܇.·��!�:"=>j\HY��'{!b6ᇂ`T�6)3�tlGd�4s/ϔɗՄʼ@3xc՛|ʷ/B�#�Bk�#ys�Uev� JwXM��-&#vp|He�`N\"D9If7�,_G4IOrub ~mES^k׮١U;J�t �����*�4i�0oE@r�8KQoPf*]"ʳ-O贵T,KG̽u)4G=c!ȕ9 /%x8� ޻_I=�☓4Edy4S�G�)pxYi] represents the subdirectory of the Program obs directory named Microsoft SQL Server. Review the security settings for each directory/file specified below. The permission to check is specified first followed by a list of dirctories/files and the account/group that should have the permission. Verify that the permission assignments are not less restrictive than listed. Verify that no permission assignments are granted the the builtin USERS group. For any or directories or files, the following groups may have Full Control assigned: Administrators (builtin group), DBAs (custom group), CREATOR OWNER (builtin), SYSTEM (builtin). Read, Execute, List folder contents 1. \90\Notification services | Notification services Full Control 2. \90\shared\msmdlocal.ini | MSSQLServerOLAPservice Read 3. \90\shared\msmdlocal.ini | SQL Server Browser 4. \90\dts\binn\MsDtsSrvr.ini.xml | MSDTSServer 5. \90\sdk | SQL Services Users Read, Execute 6. \90\tools | SQL Services Users 7. \90\Setup Bootstrap | SQL Services Users 8. \80\to< ols | SQL Services Users 9. \90\com | MSSQLServer,SQLServerAgent 10. \90\dts | SQL Services Users 11. \90\dts\binn | MSDTSServer 12. \90\shared | MSSQLServer,SQLServerAgent,FTS,MSSQLServerOLAPservice,SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser,Notification services,MSDTSServer,SQL Server Browser Read, Write 13. \90\shared\Errordumps | MSSQLServer,SQLServerAgent,FTS MSSQLServerOLAPservice,SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser,Notification services,MSDTSServer,SQL Server Browser Read, Execute, List folder contents 1. \90\Notification services | Notification services Full Control 2. \90\shared\msmdlocal.ini | MSSQLServerOLAPservice Read 3. 
\90\shared\msmdlocal.ini | SQL Server Browser 4. \90\dts\binn\MsDtsSrvr.ini.xml | MSDTSServer 5. \90\sdk | SQL Services Users Read, Execute 6. \90\tools | SQL Services Users 7. \90\Setup Bootstrap | SQL Services Users 8. \80\tools | SQL Services Users 9. \90\com | MSSQLServer,SQLServerAgent 10. \90\dts | SQL Services Users 11. \90\dts\binn | MSDTSServer 12. \90\shared | MSSQLServer,SQLServerAgent,FTS,MSSQLServerOLAPservice,SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser,Notification services,MSDTSServer,SQL Server Browser Read, Write 13. \90\shared\Errordumps | MSSQLServer,SQLServerAgent,FTS MSSQLServerOLAPservice,SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser,Notification services,MSDTSServer,SQL Server Browser O represents the directory created for the specific SQL Server instance. This directory is specified in the registry under HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL. Review the security settings for each directory/file specified below. The permission to check is specified first followed by a list of dirctories/files and the account/group that should have the permission. Verify that the permission assignments are not less restrictive than listed. Verify that no permission assignments are granted the the builtin USERS group. For any or directories or files, the following groups may have Full Control assigned: Administrators (builtin group), DBAs (custom group), CREATOR OWNER (builtin), SYSTEM (builtin). Full Control 1. \MSSQL\backup | MSSQLServer, SQLServerAgent 2. \MSSQL\data | MSSQLServer 3. \MSSQL\FTData | MSSQLServer, FTS 4. \MSSQL\jobs | SQLServerAgent 5. \MSSQL\Log (all files) | MSSQLServer, SQLServerAgent 6. \MSSQL\Log\(all files except .trc files) | FTS 7. \MSSQL\Repldata | MSSQLServer 8. \Olap\Backup | MSSQLServerOLAPservice 9. \Olap\Config | MSSQLServerOLAPservice 10. \Olap\Data | MSSQLServerOLAPservice 11. 
\Reporting Services\reportservice.asmx | SQLServer2005ReportingServicesWebServiceUser,SQL Services Users 12. \Reportingservices\Reportserver\global.asax | SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser Read 13. \MSSQL\Template Data (SQL Server Express Only) | MSSQLServer 14. \Reporting Services\reportManager\pages | SQLServer2005ReportingServicesWebServiceUser,SQL Services Users 15. \Reporting Services\reportManager\Styles | SQLServer2005ReportingServicesWebServiceUser,SQL Services Users 16. \Reporting Services\reportManager\webctrl_client\1_0 | SQLServer2005ReportingServicesWebServiceUser 17. \Reportingservices\Reportserver\global.asax | SQL Services Users Read, Execute 18. \MSSQL\binn | SQL Services Users 19. \MSSQL\FTRef | FTS 20. \MSSQL\Install | MSSQLServer, FTS 21. \OLAP | MSSQLServerOLAPservice 22. \Reporting Services\ReportServer | SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser,SQL Services Users 23. \Reporting Services\reportManager | SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser,SQL Services Users 24. \MSSQL\binn\sqlctr90.dll | Perfomance Log Users,Performance Monitor Users Read, Write 25. \Olap\Log | MSSQLServerOLAPservice 26. \Reporting Services\RSTempfiles | SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser 27. \Reportingservices\Reportserver\Reportserver.config | SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser Read, Write, Delete 28. \Reporting Services\Log obs | SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser List folder contents 29. \MSSQL\binn | Perfomance Log Users,Performance Monitor UsersT Full Control 1. \MSSQL\backup | MSSQLServer, SQLServerAgent 2. \MSSQL\data | MSSQLServer 3. \MSSQL\FTData | MSSQLServer, FTS 4. \MSSQL\jobs | SQLServerAgent 5. \MSSQL\Log (all files) | MSSQLServer, SQLServerAgent 6. \MSSQL\Log\(all files except .trc files) | FTS 7. \MSSQL\Repldata | MSSQLServer 8. 
\Olap\Backup | MSSQLServerOLAPservice 9. \Olap\Config | MSSQLServerOLAPservice 10. \Olap\Data | MSSQLServerOLAPservice 11. \Reporting Services\reportservice.asmx | SQLServer2005ReportingServicesWebServiceUser,SQL Services Users 12. \Reportingservices\Reportserver\global.asax | SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser Read 13. \MSSQL\Template Data (SQL Server Express Only) | MSSQLServer 14. \Reporting Services\reportManager\pages | SQLServer2005ReportingServicesWebServiceUser,SQL Services Users 15. \Reporting Services\reportManager\Styles | SQLServer2005ReportingServicesWebServiceUser,SQL Services Users 16. \Reporting Services\reportManager\webctrl_client\1_0 | SQLServer2005ReportingServicesWebServiceUser 17. \Reportingservices\Reportserver\global.asax | SQL Services Users Read, Execute 18. \MSSQL\binn | SQL Services Users 19. \MSSQL\FTRef | FTS 20. \MSSQL\Install | MSSQLServer, FTS 21. \OLAP | MSSQLServerOLAPservice 22. \Reporting Services\ReportServer | SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser,SQL Services Users 23. \Reporting Services\reportManager | SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser,SQL Services Users 24. \MSSQL\binn\sqlctr90.dll | Perfomance Log Users,Performance Monitor Users Read, Write 25. \Olap\Log | MSSQLServerOLAPservice 26. \Reporting Services\RSTempfiles | SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser 27. \Reportingservices\Reportserver\Reportserver.config | SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser Read, Write, Delete 28. \Reporting Services\Log obs | SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser List folder contents 29. \MSSQL\binn | Perfomance Log Users,Performance Monitor UsersVerify that file permissions are set properly for database files. 
The SA/DBA shall restrict access to all directories created by the installation of SQL Server to full control permissions granted to the SQL Server service account, the DBA OS group, the Administrators group, and the local SYSTEM accounts. The SA/DBA shall restrict access to all files created by the installation of SQL Server to full control permissions granted to the SQL Server service account, the DBA OS group, the Administrators group, and the local SYSTEM accounts.sT-SQL: Repeat the following for each database. -Get the list of files associated with the database by entering the following statement: select filename from sysfiles -For each file, do the following: a. Navigate to the file using Windows Explorer. b. Right-click on the file and click Properties. c. Select the Security tab. 1. Verify that the only permissions are the following or less: - full control - Administrators - full control - SYSTEM - full control - SQL Server service accou< nt (custom) - full control - DBA group (custom) - full control - CREATOR OWNER Management Studio: N/A$T-SQL: 1. The only permissions are the following or less: - full control - Administrators - full control - SYSTEM - full control - SQL Server service account (custom) - full control - DBA group (custom) - full control - CREATOR OWNER Enterprise Manager: 1. N/A�Verify that all database files exist on a volume separate from the SQL Server executable volume. The DBA shall have the data files on a separate volume from the executable and parameter files.eT-SQL: Repeat the following for each database. -Get the list of files associated with the database by entering the following statement: use select filename from sysfiles 1. Verify that each filename exists on a volume separate from the SQL Server executable volume. Management Studio: Repeat the following for each database. -Expand the server group. -Expand Databases. -Right-click the database and click Properties. -Select the obs page. 1. 
Under "Database files:", check each path in the "Path" column. Verify that each path exists on a volume separate from the SQL Server executable volume.�T-SQL: 1. Each filename exists on a volume separate from the SQL Server executable volume. Enterprise Manager: 1. Each path exists on a volume separate from the SQL Server executable volume.#Verify that registry permissions are set properly for the SQL Server registry values. NOTE! The information given here is not currently present in the IRM. The IRM does not currently contain SQL Server 2005 specific information. This information is provided here for guidance purposes only.|Use regedit.exe (Windows 2003) or regedt32.exe (Windows XP, Windows 2000) to review registry permissions. To review registry permissions using regedit, navigate to the registry key indicated, right-click on the key, and select Permissions. Select the users and groups permissions and view the assigned Permissions in the Permissions box. -Expand Microsoft. -Right click Microsoft SQL Server and click Permissions. 1. Verify that the only permissions are the following or less: a. full control - Administrators b. full control - SYSTEM c. full control - SQL Server service account (custom) d. full control - DBA group (custom) e. full control - CREATOR OWNER 2. Verify that permissions for subkeys match the criteria specified above. a. SQLServer2005ReportServerUser$ can have Full Control to "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\RS" and its sub-keys. b. SQLServer2005MSFTEUser$ can have Full Control to "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.<#>\MSSearch" and its sub-keys. c.SQLServer2005SQLAgentUser$ can have Full Control to "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.<#>\SQLServerAgent" and its sub-keys. d. SQLServer2005SQLServerADHelperUser$ can have Full Control to "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.<#>\SQLServerSCP" and its sub-keys. e. 
Remote Desktop Users can have Read access to "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\RS" and its sub-keys. f. If permissions other than Read are granted to the custom SQL Server Users group or the same members, then this test fails.�1. The only permissions are the following or less: a. full control - Administrators b. full control - SYSTEM c. full control - SQL Server service account (custom) d. full control - DBA group (custom) e. full control - CREATOR OWNER 2. Permissions for subkeys match the criteria specified above. In addition, a. SQLServer2005ReportServerUser$ can have Full Control to "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\RS" and its sub-keys. b. SQLServer2005MSFTEUser$ can have Full Control to "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.<#>\MSSearch" and its sub-keys. c.SQLServer2005SQLAgentUser$ can have Full Control to "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.<#>\SQLServerAgent" and its sub-keys. d. SQLServer2005SQLServerADHelperUser$ can have Full Control to "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.<#>\SQLServerSCP" and its sub-keys. e. Remote Desktop Users can have Read access to "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\RS" and its sub-keys. f. If permissions other than Read are granted to the custom SQL Server Users group or the same members, then this test fails.�Verify that user-defined stored procedures are stored in an encrypted format. Custom application and GOTS application software source code objects shall be encrypted within the database, where available as a DBMS feature, in accordance with industry (cissecurity.org) and government (csrc.nist.gov/pcig) best practice recommendations. The DBA shall ensure that custom application and GOTS source code objects are encrypted within the database when possible.xT-SQL: Repeat the following for each database. 
-Enter the following statement:
use <database>
select schema_name(o.schema_id) as 'Schema', o.name from sys.objects o, sys.sql_modules s where o.object_id=s.object_id and s.definition is not null
1. If any results are listed that are not installed as part of a COTS application, then this test fails.
Management Studio: N/A

T-SQL:
1. If any results are listed that are not installed as part of a COTS application, then this test fails.
Management Studio: N/A

Verify that system-defined extended stored procedures are restricted from user access. The DBA shall restrict use of system-defined extended stored procedures to authorized DBAs only unless fully justified and documented with the IT Security Specialist.

T-SQL: Repeat the following for each server.
-Enter the following statement:
use master
select sysobjects.name, sysusers.name, sysprotects.action from sysprotects inner join sysobjects on sysobjects.id = sysprotects.id inner join sysusers on sysusers.uid = sysprotects.uid where (sysobjects.type = 'X') and (sysobjects.uid < 5) and (sysprotects.protecttype <> 206)
1. For each row returned, verify that the value for name is not "public".
Management Studio: Repeat the following for each server.
-Expand the server.
-Expand Databases.
-Expand the master database.
-Expand Programmability.
-Expand Extended Stored Procedures.
-Expand System Extended Stored Procedures.
-For each procedure, verify the following:
-Right-click on the procedure name and click Properties.
-Select the Permissions page.
-Under "Users or roles:", see if "public" exists. If it does, verify that Deny is checked.

T-SQL:
1. For each row returned, the value for name is not "public".
Enterprise Manager:
1. If "public" exists, Deny is checked.

Verify that user-defined extended procedures do not exist. The DBA shall prevent creation and use of user-defined extended stored procedures.
The DBA shall remove all extended stored procedures that are not required from the database and host system.

T-SQL: Repeat the following for each server.
-Enter the following statement (sys.all_objects is queried here because sys.system_objects lists only Microsoft-shipped objects):
select name from sys.all_objects where type='X' and is_ms_shipped=0 order by name
1. Verify that no records are returned.
-Enter the following statement:
select name from sys.system_objects where type='X' and is_ms_shipped=1 order by name
2. Verify that all of the extended stored procedures returned are required.
Management Studio: N/A

T-SQL:
1. No records are returned.
2. All of the extended stored procedures returned are required.
Management Studio: N/A

Verify that system-defined extended stored procedures are restricted from use. The DBA shall restrict use of system-defined extended stored procedures to authorized DBAs only unless fully justified and documented with the IT Security Specialist.

T-SQL: Repeat the following for each server.
-Enter the following statement:
exec sp_configure 'show advanced options', 1
reconfigure
exec sp_configure 'OLE Automation Procedures'
1. Verify that config_value is "0". If config_value is not "0", then verify that OLE Automation Procedures are required.
Management Studio: N/A

T-SQL:
1. config_value is "0". If config_value is not "0", then OLE Automation Procedures are required.
Management Studio: N/A

T-SQL: Repeat the following for each server.
-Enter the following statement:
use master
select o.name, user_name(p.grantee_principal_id) from sys.system_objects o, sys.database_permissions p where o.object_id = p.major_id and o.name like 'xp_reg%' and p.type='EX'
1. Verify that only DBA accounts are listed in the return results. Verify that any references to PUBLIC are not returned.
NOTE: By default, the public role is granted execute access to xp_regread. If this access is required, transfer the privilege assignment to the authorized custom database role.
Management Studio: N/A

T-SQL:
1. Only DBA accounts are listed in the return results.
No references to PUBLIC are returned.
Enterprise Manager: N/A

Verify that the XP_CMDSHELL extended stored procedure is not present on the system. NOTE! The IRM states that the XP_CMDSHELL extended stored procedure must be removed from the system. This is unsafe for SQL Server 2005. Since the IRM was written for SQL Server 2000, we will deviate here and suggest that XP_CMDSHELL simply be disabled instead of deleted. Since this test deviates from the IRM, it is provided here just to help increase the security of the system being tested. From the IRM: The DBA shall remove the XP_CMDSHELL extended stored procedure from the system unless fully justified and documented in appropriate ELC documentation.

T-SQL: Repeat the following for each server.
-Enter the following statement:
exec sp_configure 'show advanced options', 1
reconfigure
exec sp_configure 'xp_cmdshell'
1. Verify that config_value is "0".
Management Studio: N/A

T-SQL:
1. The config_value is "0".
Enterprise Manager: N/A

Verify that the Guest account does not exist in all databases except master and tempdb. NOTE! SQL Server 2005 cannot conform to the IRM because the guest account cannot be dropped. It can be disabled, however. This differs from the IRM, which states that the guest account must be dropped from all databases except for the master and tempdb databases. This check tests to see if the guest account has been disabled for each database except for the master and tempdb databases. This deviates from the IRM but is provided here to help enhance security.

For each database except master and tempdb, do the following.
T-SQL:
1. Enter the following statement. Replace <database> with the name of the database being tested.
use <database>
select state_desc from sys.database_permissions where permission_name = 'CONNECT' and grantee_principal_id = 2
2. Verify that "GRANT" is not returned.
Management Studio: N/A

T-SQL:
1. "GRANT" is not returned.
Management Studio: N/A

Verify that object permissions have not been granted to the public database role or to the guest account. The DBA shall ensure that object privileges are not granted to PUBLIC or GUEST.

T-SQL: Repeat the following for each database.
-Enter the following statement. Replace <database> with the name of the database being tested.
use <database>
select user_name(p.grantee_principal_id) 'User', o.name 'Object', p.permission_name from sys.objects o, sys.database_permissions p where o.object_id = p.major_id and p.grantee_principal_id in (0,2)
1. Verify that no rows are returned.
Management Studio: N/A

T-SQL:
1. No rows are returned.
Management Studio: N/A

SC-9

Verify that user access to DBA views and tables is denied. The DBA shall ensure that access to DBA views and tables is restricted to DBAs and batch processing accounts.

T-SQL: Repeat the following for each database.
-Enter the following statement:
select SystemTableOrViewName = sysobjects.name, UserOrGroupName = sysusers.name from sysobjects inner join sysprotects on sysobjects.id = sysprotects.id inner join sysusers on sysprotects.uid = sysusers.uid where (sysobjects.type = 'S' or sysobjects.type = 'V') and (sysprotects.uid > 4) and (sysprotects.protecttype <> 206)
1. If results are returned, then verify that each UserOrGroupName is a DBA or a batch processing account.
Management Studio: N/A

T-SQL:
1. If results are returned, then each UserOrGroupName is a DBA or a batch processing account.
Management Studio: N/A

Verify that the use of CmdExec and ActiveScripting job steps is restricted to DBAs. Jobs can be used to automate administrative procedures as well as T-SQL procedures. CmdExec and ActiveScripting job steps issue or can issue operating system commands and shall be restricted to use by DBAs. Access to the host operating system poses a security risk. The DBA shall restrict use of CmdExec and ActiveScripting job steps to DBAs.

T-SQL: Repeat the following for each server.
-Enter the following statement:
use msdb
exec sp_enum_proxy_for_subsystem @subsystem_name='ActiveScripting'
exec sp_enum_proxy_for_subsystem @subsystem_name='CmdExec'
1. If no records are returned, then this check passes. If records are returned, then proceed to the next step.
-For each proxy listed, do the following.
-Enter the following statement, replacing <proxy name> with the proxy name returned above:
exec sp_enum_login_for_proxy @proxy_name='<proxy name>'
2. Review the names listed in the return set. Verify that names returned include only sysadmins. If groups are returned, then verify that only sysadmins exist in those groups.
Management Studio: N/A

T-SQL:
1. If no records are returned, then this check passes. If records are returned, proceed to the next step.
2. Names returned include only sysadmins. If groups are returned, then only sysadmins exist in those groups.
Enterprise Manager: N/A

Verify that backup files for databases are secure. To ensure backup file protection, access permissions to backup files shall be restricted to SAs. Restore permissions on databases shall be restricted to DBAs and database owners.

T-SQL: Repeat the following for each server.
-Enter the following statement:
use msdb
select physical_drive, physical_name from backupfile
-For each file listed in the query results, do the following:
a. Open Windows Explorer and browse to the file.
b. Right click on the file's container directory.
c. Select Properties.
d. Select Security tab.
1. Verify that the only permissions are the following or less:
- full control - SYSTEM
- full control - Administrators
- full control - SQL Server service account (custom)
- full control - DBA group (custom)
- full control - CREATOR OWNER
Management Studio: N/A

T-SQL:
1.
The only permissions are the following or less:
- full control - SYSTEM
- full control - Administrators
- full control - SQL Server service account (custom)
- full control - DBA group (custom)
- full control - CREATOR OWNER
Enterprise Manager: N/A

Verify that objects are owned only by authorized accounts. The DBA shall ensure that all database objects are owned by the database system, DBAs, or by a separate account created especially for application object ownership. The DBA shall ensure that application user database accounts do not own any database objects. The SecSpec shall ensure that DBA accounts do not own application objects. The DBA shall ensure that default DBMS database accounts other than the default administration account are not used as the owner of an application's objects or schema.

T-SQL: Repeat the following for each database.
-Enter the following statement:
use <database>
select sys.schemas.name as 'Schema Name', sys.database_principals.name as 'Schema Owner' from sys.schemas, sys.database_principals where sys.schemas.principal_id = sys.database_principals.principal_id
1. Verify that all schemas are owned by the database system, DBAs, or by a separate account created especially for application object ownership.
2. Verify that application user database accounts do not own any schemas.
3. Verify that DBA accounts do not own application specific schemas.
4. Verify that default DBMS database accounts other than the default administration account are not used as the owner of application specific schemas.
Management Studio: N/A

T-SQL:
1. All schemas are owned by the database system, DBAs, or by a separate account created especially for application object ownership.
2. Application user database accounts do not own any schemas.
3. DBA accounts do not own application specific schemas.
4. Default DBMS database accounts other than the default administration account are not used as the owner of application specific schemas.
Management Studio: N/A

Verify that application owner accounts are disabled/locked when not in use. The DBA shall ensure that custom application owner accounts are disabled/locked when not in use.

T-SQL: Repeat the following for each database.
-Enter the following statement, replacing <database> with the database to test:
use <database>
select distinct schema_id from sys.objects where is_ms_shipped=0
1. If no rows are returned, then this database passed the test and you should proceed to the next database.
-If rows are returned, then enter the following statement for each row returned. Replace <SID> with the SID in the row.
select suser_sname(p.sid) from sys.database_principals p, sys.server_principals s where p.principal_id=<SID> and p.sid = s.sid and s.is_disabled=0 and p.type not in ('A','R')
2. Verify that no rows are returned.
Management Studio: N/A

T-SQL:
1. If no rows are returned, then this database passed the test and you should proceed to the next database (skip test 2 for this database).
2. Verify that no rows are returned.
Enterprise Manager: N/A

Verify that when connecting to linked databases, the connection is authenticated using the current user's identification and password. Linked or remote servers shall only be configured to use Windows authentication. The capability to preserve a user's identification, and, therefore, maintain DAC integrity, is currently available only in a Windows 2000 or later environment where the connections can be protected with Kerberos and account delegation can be used. When linking SQL Server databases, the connection shall be authenticated using the current user's identification and passwords or certificates. The DBA shall configure linked servers to use the user's current authentication to access the remote database.

T-SQL: N/A
Management Studio: Repeat the following for each server.
-Expand the server.
-Expand Server Objects.
-Expand Linked Servers.
-For each linked server, do the following:
-Double-click the linked server.
-Select the Security page.
1. Verify that the "Be made using the login's current security context" radio button is selected.
2. Under "Local server login to remote server login mappings", verify that there are no mappings.

T-SQL: N/A
Enterprise Manager:
1. The "Be made using the login's current security context" radio button is selected.
2. Under "Local server login to remote server login mappings", there are no mappings.

Verify that version numbers, SQL Server-related or otherwise, are not present in database instance names. The DBA shall not include a version number, SQL Server-related or otherwise, in the SQL Server production database instance names.

T-SQL (preferred method): Repeat the following for each server.
-Enter the following statement:
use master
select serverproperty('ServerName')
1. Verify that the version number, SQL Server-related or otherwise, is not in the server name.
Management Studio: N/A - While it is possible to get the server name using Management Studio, for local servers this may not give an accurate result. Use T-SQL.

T-SQL:
1. The version number, SQL Server-related or otherwise, is not in the server name.
Enterprise Manager: N/A

Verify that all databases are located in separate database files. The DBA shall locate the system database MASTER.MDF in a separate database that resides within its own unique datafile(s). The DBA shall locate the miscellaneous system database MODEL.MDF in a separate database that resides within its own unique datafile(s). The DBA shall locate the system database MSDB.MDF in a separate database that resides within its own unique datafile(s). The DBA shall locate the system database TEMPDB.MDF in a separate database that resides within its own unique datafile(s). The DBA shall locate the application databases in separate databases that reside within their own unique datafile(s).

T-SQL: Repeat the following for each server.
-Enter the following statement:
use master
select name, filename from sysdatabases
1.
Verify that there is a database named "master" and that the filename for it is "master.mdf".
2. Verify that there is a database named "model" and that the filename for it is "model.mdf".
3. Verify that there is a database named "msdb" and that the filename for it is "msdb.mdf".
4. Verify that there is a database named "tempdb" and that the filename for it is "tempdb.mdf".
5. Verify that all databases present are located in their own separate database files.
Management Studio: N/A

T-SQL:
1. There is a database named "master" and the filename for it is "master.mdf".
2. There is a database named "model" and the filename for it is "model.mdf".
3. There is a database named "msdb" and the filename for it is "msdb.mdf".
4. There is a database named "tempdb" and the filename for it is "tempdb.mdf".
5. All databases present are located in their own separate database files.
Enterprise Manager: N/A

Verify that all databases are named correctly. Databases shall be named in accordance with IRM 2.5.7, Data Name Standards, using a name descriptive enough to identify the function of the data contained within the database.

To locate the database names, do the following (repeat for each server):
T-SQL:
-Enter the following statement:
use master
select name from sysdatabases
Management Studio:
-Expand the server.
-Expand Databases.
For each database name listed with the exception of master, tempdb, model and msdb, verify the following:
1. Verify that only alphabetic (A-Z), numeric (0-9), and special characters (e.g. hyphen, colon, underscore) which are appropriate to the language are present in the name.
2. Verify that the first character of the name is alphabetic (A-Z).
3. Verify that the name does not start with a verb.
4. Verify that the length of the name is less than 30 characters long.
5. Verify that the name is unique.
6. Verify that the name is clear and accurate to reflect a condensed version of the data description.

Either test method:
1.
Only alphabetic (A-Z), numeric (0-9), and special characters (e.g. hyphen, colon, underscore) which are appropriate to the language are present in the name.
2. The first character of the name is alphabetic (A-Z).
3. The name does not start with a verb.
4. The length of the name is less than 30 characters long.
5. The name is unique.
6. The name is clear and accurate to reflect a condensed version of the data description.

Verify that all DBMS administrator passwords are required to be changed every 60 days. The DBA shall ensure that database administrator account passwords are changed every 60 days or more frequently and shall implement scripts, profiles, or other controls as necessary to enforce this requirement.

This procedure should be performed by the system administrator. All database administrator accounts must be checked.
-Open the Group Policy Object Editor for the appropriate GPO.
-Expand Computer Configuration.
-Expand Windows Settings.
-Expand Security Settings.
-Expand Account Policies.
-Select Password Policy.
1. Verify that "Maximum password age" is set to 60 days or less (but not 0).

1. "Maximum password age" is set to 60 days or less (but not 0)

Verify that all DBMS user passwords are required to be changed every 90 days. The DBA shall ensure that database user account passwords are changed every 90 days or more frequently and shall implement scripts, profiles, or other controls as necessary to enforce this requirement.

This procedure should be performed by the system administrator. All database user accounts must be checked.
-Open the Group Policy Object Editor for the appropriate GPO.
-Expand Computer Configuration.
-Expand Windows Settings.
-Expand Security Settings.
-Expand Account Policies.
-Select Password Policy.
1. Verify that "Maximum password age" is set to 90 days or less (but not 0).

1. "Maximum password age" is set to 90 days or less (but not 0).

Verify that the password for the SA account is password protected.
The default SA password, used to connect as administrator, shall be changed from the default installation value. Leaving the default password unchanged could result in unauthorized accounts accessing the server as sa, which provides them full database administration privileges. The DBA shall password protect the SQL Server sa pseudo database account. The DBA shall change the SQL Server sa pseudo database account default password.

T-SQL: Repeat the following for each server.
-Enter the following statement:
select count(name) from syslogins where password is null and name = 'sa'
1. Verify that "0" is returned.
Management Studio: N/A

T-SQL:
1. "0" is returned.
Enterprise Manager: N/A

Verify that all DBMS account passwords are not reused within three password changes. The DBA shall ensure that database account passwords are not reused within three password changes.

Verify that all DBMS accounts are limited to three failed logons before they become locked. Where available, the DBA shall limit database account logons to three failed logons before they become locked.

This procedure should be performed by the system administrator. All database accounts must be checked.
-Open the Group Policy Object Editor for the appropriate GPO.
-Expand Computer Configuration.
-Expand Windows Settings.
-Expand Security Settings.
-Expand Account Policies.
-Select Account Lockout Policy.
1. Verify that "Account lockout threshold" is set to 3.

1. "Account lockout threshold" is set to 3.

Verify that the DBMS is not installed on a Microsoft Windows domain controller or backup domain controller. The installation of a DBMS on a host platform introduces additional vulnerabilities and resource requirements to the host. Additionally, vendor DBMS software distributions frequently offer additional functionality, such as web servers and directory server software, on the same installation media that the DBMS is provided on.
Since it is a best security practice to separate or partition services offered to different audiences, any DBMS should be installed on a host system dedicated to its support and offering as few services as possible to other clients. For this reason, a DBMS shall not be installed on a host system that also provides web services, directory services, directory naming services, etc. In particular, DBMS software shall not be installed on Microsoft Windows domain controllers or backup domain controllers under any circumstances.

-Click Start, Run then launch regedt32.exe.
-Expand HKEY_LOCAL_MACHINE.
-Expand System.
-Expand CurrentControlSet.
-Expand Control.
-Select ProductOptions.
1. Verify that ProductType does not have a value of "LANMANNT" or "LANSECNT".

1. ProductType does not have a value of "LANMANNT" or "LANSECNT".

Verify that the sample databases have been removed. Microsoft SQL Server ships with sample databases. These databases contain many default permissions that do not conform to policy. Additionally, sample items can be used as an entry point into systems. The DBA shall ensure that the sample databases are removed.

T-SQL: Repeat the following for each server.
-Enter the following statement:
use master
select name from sysdatabases
1. Verify that none of the following databases exist:
- Northwind
- pubs
- AdventureWorks
- AdventureWorksDB
- AdventureWorksAS
Management Studio: Repeat the following for each server.
-Expand the server.
-Expand Databases.
1. Verify that none of the following databases exist:
- Northwind
- pubs
- AdventureWorks
- AdventureWorksDB
- AdventureWorksAS

T-SQL:
1. None of the following databases exist:
- Northwind
- pubs
- AdventureWorks
- AdventureWorksDB
- AdventureWorksAS
Enterprise Manager:
1. None of the following databases exist:
- Northwind
- pubs
- AdventureWorks
- AdventureWorksDB
- AdventureWorksAS

Verify that statement permissions have been revoked for guest, public and all user accounts in all databases.
The DBA shall ensure that SQL Server statement privileges are not granted to PUBLIC or GUEST. Verify that statement permissions have been revoked for user accounts in all databases.

T-SQL: Repeat the following for each database.
-Enter the following statement:
use <database>
select user_name(grantee_principal_id),permission_name from sys.database_permissions where state in ('G','W')
1. Verify that no records are returned for the guest account, the public account or for any user accounts.
Management Studio: Repeat the following for each database.
-Expand the server.
-Expand Databases.
-Right-click the database and click Properties.
-Select the Permissions page.
1. Verify that no Grant or With Grant permissions are specified for the guest account, the public account or for any user accounts.

T-SQL:
1. No records are returned for the guest account, the public account or for any user accounts.
Enterprise Manager:
1. No Grant or With Grant permissions are specified for the guest account, the public account or for any user accounts.

Verify that statement permissions are not granted to any application user, application administrator, application developer, or application role. The following list of SQL Server statement privileges shall not be granted, directly or indirectly through the use of roles, to any application user, application administrator, application developer, or application role.
CREATE TABLE
CREATE VIEW
CREATE SP
CREATE DEFAULT
CREATE RULE
CREATE FUNCTION
BACKUP DB
BACKUP LOG
CREATE DATABASE

T-SQL: Repeat the following for each database.
-Enter the following statement:
use <database>
select user_name(grantee_principal_id),permission_name from sys.database_permissions where (type like 'CR%' or type like 'BA%' or type='CL') and state in ('G','W')
1. Verify that no records are returned for application users, application administrators, application developers, or a member of an application role.
Management Studio: Repeat the following for each database.
-Expand the server.
-Expand Databases.
-Right-click the database and click Properties.
-Select the Permissions page.
1. Verify that Grant or With Grant is not checked for application users, application administrators, application developers, or a member of an application role for the following permissions:
CREATE TABLE
CREATE VIEW
CREATE SP
CREATE DEFAULT
CREATE RULE
CREATE FUNCTION
BACKUP DB
BACKUP LOG
CREATE DATABASE

T-SQL:
1. No records are returned for application users, application administrators, application developers, or a member of an application role.
Management Studio:
1. Grant or With Grant is not checked for application users, application administrators, application developers, or a member of an application role for the following permissions:
CREATE TABLE
CREATE VIEW
CREATE SP
CREATE DEFAULT
CREATE RULE
CREATE FUNCTION
BACKUP DB
BACKUP LOG
CREATE DATABASE

Verify that the guest account does not have any role assignments granted. The DBA shall not grant SQL Server predefined roles to PUBLIC or GUEST.

T-SQL:
-Enter the following statement for each server and verify that no results are returned:
select suser_sname(role_principal_id) 'Role' from sys.server_role_members where member_principal_id = 2
-Enter the following statement for each database:
use <database>
select user_name(role_principal_id) 'Role' from sys.database_role_members where member_principal_id = 2
1. Verify that no results are returned.
Management Studio: N/A

T-SQL:
1. No results are returned.
Enterprise Manager: N/A

Verify that only DBAs are granted server role memberships. The DBA shall ensure that the DBA role is restricted to authorized DBA accounts in a production environment.

T-SQL: Repeat the following for each server.
-Enter the following statement, which displays all users who are granted server role memberships:
exec sp_helpsrvrolemember
1. Verify that only DBAs are granted server role memberships.
Management Studio: Repeat the following for each server.
-Expand the server.
-Expand Security.
-Expand Server Roles.
-For each server role, do the following:
-Double-click the server role.
1. Verify that only DBAs are granted membership to the server role.

T-SQL:
1. Only DBAs are granted server role memberships.
Enterprise Manager:
1. Only DBAs are granted membership to the server role.

Verify that only DBAs are granted database role memberships. The DBA shall ensure that the DBA role is restricted to authorized DBA accounts in a production environment.

T-SQL: Repeat the following for each database.
-Enter the following statement, which displays all users who are granted database role memberships:
exec sp_helprolemember
1. Verify that only DBAs are granted database role memberships (memberships beginning with "db_").
Management Studio: Repeat the following for each database.
-Expand the server.
-Expand Databases.
-Expand the database.
-Expand Security.
-Expand Roles.
-Expand Database Roles.
-For each database role that begins with "db_", do the following:
-Double-click the database role.
-Select the General page.
-Under "Members of this role:",
1. Verify that only DBAs are granted membership to the database role.

T-SQL:
1. Only DBAs are granted database role memberships (memberships beginning with "db_").
Enterprise Manager:
1. Only DBAs are granted membership to the database role.

Verify that only authorized DBAs are assigned the SYSADMIN role. The DBA shall ensure that the DBA role is restricted to authorized DBA accounts in a production environment.

T-SQL: Repeat the following for each server.
-Enter the following statement:
exec sp_helpsrvrolemember 'sysadmin'
1. Verify that only authorized logins are members of the System Administrators server role.
Management Studio: Repeat the following for each server.
-Expand the server.
-Expand Security.
-Select Server Roles.
-Right-click the System Administrators (sysadmin) server role and click Properties.
1. Verify that only authorized logins are members of the System Administrators server role.

T-SQL:
1.
Only authorized logins are members of the System Administrators server role.
Enterprise Manager:
1. Only authorized logins are members of the System Administrators server role.

Verify that the BUILTIN\Administrators group is not assigned the SYSADMIN role. The DBA shall deny the Windows BUILTIN\Administrators group the assignment to SYSADMIN role.

T-SQL: Repeat the following for each server.
-Enter the following statement:
exec sp_helpsrvrolemember 'sysadmin'
1. Verify that BUILTIN\Administrators is not a member of the System Administrators server role.
Management Studio: Repeat the following for each server.
-Expand the server.
-Expand Security.
-Select Server Roles.
-Right-click the System Administrators (sysadmin) server role and click Properties.
1. Verify that BUILTIN\Administrators is not a member of the System Administrators server role.

T-SQL:
1. BUILTIN\Administrators is not a member of the System Administrators server role.
Enterprise Manager:
1. BUILTIN\Administrators is not a member of the System Administrators server role.

Verify that users do not have administrative privileges. The DBA shall ensure that application user database accounts, application administrator accounts, application developer accounts, and application roles do not have the administration option of any object privilege. The DBA shall deny PUBLIC and GUEST the grant option of any object privilege.

T-SQL: Repeat the following for each database.
-Enter the following statement:
use <database>
select USER_NAME(p.grantee_principal_id) 'DB User', o.name 'Object', p.permission_name from sys.database_permissions p, sys.objects o where o.object_id = p.major_id and p.state='W'
1. All privileges returned have the "GRANT WITH GRANT" option enabled. Verify that all accounts returned are authorized to have "GRANT WITH GRANT" enabled. Application user database accounts, application administrator accounts, application developer accounts, and application roles should not be listed. PUBLIC and GUEST should have this option DENIED.
Management Studio: N/A

T-SQL:
1. All privileges returned have the "GRANT WITH GRANT" option enabled. All accounts returned are authorized to have "GRANT WITH GRANT" enabled. Application user database accounts, application administrator accounts, application developer accounts, and application roles are not listed. PUBLIC and GUEST have this option DENIED.
Enterprise Manager: N/A

Verify that object privileges are not assigned directly to individual application user database accounts. The DBA shall ensure that all object privileges granted to application users are granted through the use of application specific roles. The DBA shall ensure that object privileges are not assigned directly to individual application user database accounts.

T-SQL: Repeat the following for each database.
-Enter the following statement:
use <database>
select u.name, o.name, p.permission_name from sys.objects o, sys.database_principals u, sys.database_permissions p where o.object_id=p.major_id and p.grantee_principal_id=u.principal_id and p.state in ('G','W') and u.type in ('S','U')
1. Verify that there are no rows returned.
Management Studio: N/A

T-SQL:
1. No rows are returned.
Enterprise Manager: N/A

Verify that application users, application administrators, and application roles are not granted the references object privilege. The DBA shall ensure that application users, application administrators, and application roles are not granted the references object privilege.

T-SQL: Repeat the following for each database.
-Enter the following statement:
exec sp_helprotect NULL, NULL, NULL, 'o'
1. For each row where Grantee is an application administrator or an application user AND Action is "References", verify that ProtectType is not "Grant" or "Grant_WGO".
Management Studio: N/A

T-SQL:
1. For each row where Grantee is an application administrator or an application user AND Action is "References", ProtectType is not "Grant" or "Grant_WGO".
Enterprise Manager: N/A

Verify that the SQL Server service accounts have the appropriate user rights and privileges. NOTE! The information given here is not currently present in the IRM. The IRM does not currently contain SQL Server 2005 specific information. This information is provided here for guidance purposes only. Verify that the SQL Server service accounts have the appropriate user rights and privileges.

-Open the SQL Server Configuration Manager to view login accounts for the following services (some services may not exist):
- SQL Server ()
- SQL Server Agent ()
- SQL Server Analysis Services ()
- SQL Server Reporting Services ()
- SQL Server Integration Services
- SQL Server FullText Search ()
- SQL Server Browser ()
1. Verify that all of the above services use a custom account.
2. If any service uses a domain user account, verify that the service requires network or domain resources.
3. Verify that the accounts are not members of the local or domain administrators groups.
4. Verify that the accounts listed are not builtin accounts (LocalSystem, Local Service, Network Service, etc.) Exception: SQL Server Active Directory Helper or SQL Writer.
5. Verify the user rights granted to the above accounts. Note that user rights may be assigned to the service accounts via Windows groups. Only the below user rights should be assigned to the accounts.
SQL Server account:
- Log on as a Service
- Act as part of the Operating System
- Log on as a batch job
- Replace a process-level token
- Bypass traverse checking
- Adjust memory quotas for a process
- Permission to start SQL Server Active Directory Helper
- Permission to Start SQL Writer
SQL Server Agent account:
- Log on as a Service
- Act as part of the Operating System
- Log on as a batch job
- Replace a process-level token
- Bypass traverse checking
- Adjust memory quotas for a process
Analysis Server account:
- Log on as a service
Report Server account:
- Log on as a service
Integration Services account:
- Log on as a service
- Permission to write to application event log
- Bypass traverse checking
- create global objects
- Impersonate a client after authentication
Full-Text Search account:
- Log on as a Service
SQL Server Browser account:
- Log on as a Service

1. All of the above services use a custom account.
2. If any service uses a domain user account, the service requires network or domain resources.
3. The accounts are not members of the local or domain administrators groups.
4. The accounts listed are not builtin accounts (LocalSystem, Local Service, Network Service, etc.) Exception: SQL Server Active Directory Helper or SQL Writer.
5. The user rights granted to the above accounts. Note that user rights may be assigned to the service accounts via Windows groups. Only the below user rights should be assigned to the accounts.
SQL Server account:
- Log on as a Service
- Act as part of the Operating System
- Log on as a batch job
- Replace a process-level token
- Bypass traverse checking
- Adjust memory quotas for a process
- Permission to start SQL Server Active Directory Helper
- Permission to Start SQL Writer
SQL Server Agent account:
- Log on as a Service
- Act as part of the Operating System
- Log on as a batch job
- Replace a process-level token
- Bypass traverse checking
- Adjust memory quotas for a process
Analysis Server account:
- Log on as a service
Report Server account:
- Log on as a service
Integration Services account:
- Log on as a service
- Permission to write to application event log
- Bypass traverse checking
- create global objects
- Impersonate a client after authentication
Full-Text Search account:
- Log on as a Service
SQL Server Browser account:
- Log on as a Service

Verify that the BUILTIN/Administrators group is not a valid SQL Server logon. Verify that the BUILTIN/Administrators group is not a valid SQL Server logon.

T-SQL: Repeat the following for each server.
-Enter the following statement:
    use master
    select name from syslogins where (loginname = 'BUILTIN\Administrators')
1. Verify that nothing is returned.
Management Studio: Repeat the following for each server.
-Expand the server.
-Expand Security.
-Select Logins.
1. Verify that BUILTIN\Administrators is not a valid login.

T-SQL:
1. Nothing is returned.
Enterprise Manager:
1. BUILTIN\Administrators is not a valid login.

Verify that SQL Mail is disabled. The DBA shall ensure that SQL Mail is not implemented. The SQLServerAgent uses its own mail that is configured and controlled separately from the SQL Mail.

T-SQL:
-Enter the following statement:
    exec sp_configure 'show advanced options', 1
    reconfigure
    exec sp_configure 'SQL Mail XPs'
1. Verify that "0" is returned for config_value.
Management Studio: Repeat the following for each server.
-Expand the server.
-Expand Management.
-Expand Legacy.
-Right click on SQL Mail and select Properties.
1. Verify that a prompt to enable SQL Mail is displayed. Answer "No" if prompted.

T-SQL:
1. "0" is returned for config_value.
Enterprise Manager:
1. A prompt to enable SQL Mail is displayed. Answer "No" if prompted.

Verify that Database Mail is disabled. NOTE! This check is not present in the IRM. It is included here only to help secure the system. Database Mail is new to SQL Server 2005. Disabling it increases the security of the system.

T-SQL:
-Enter the following statement:
    exec sp_configure 'show advanced options', 1
    reconfigure
    exec sp_configure 'Database Mail XPs'
1. Verify that "0" is returned for config_value.
Management Studio: N/A

T-SQL:
1. "0" is returned for config_value.
Enterprise Manager: N/A

Verify that snapshot folders do not exist on Windows administrative shares. Verify that snapshot folders have the appropriate permissions assigned. NOTE! This check deviates slightly from the IRM. Since the IRM does not contain SQL Server 2005 specific information, the comparable DISA check is used instead. The DBA will ensure all access to sensitive application data stored inside the database, and in external host files, is granted only to database accounts and OS accounts in accordance with user functions as specified by the Information Owner.

T-SQL: N/A
Management Studio: Repeat the following for each publication on each server.
-Expand the server.
-Expand Replication.
-Expand Local Publications.
-Right-click the publication and click Properties.
-Click the Snapshot page.
1. Under "Location of snapshot files", verify that the directory listed is not a Windows administrative share.
-Navigate to the directory listed under "Location of snapshot files", using Windows Explorer.
-Right-click on the directory and click Properties.
-Select the Security tab.
2. Verify that the only permissions are the following or less:
- full control
  - Administrators
  - DBAs (custom group/user)
- read
  - Merge and Distribution Agents (custom group/user)
- write
  - Snapshot Agents (custom group/user)

T-SQL: N/A
Enterprise Manager:
1. Under "Location of snapshot files", the directory listed is not a Windows administrative share.
2. The only permissions are the following or less:
- full control
  - Administrators
  - DBAs (custom group/user)
- read
  - Merge and Distribution Agents (custom group/user)
- write
  - Snapshot Agents (custom group/user)

Verify that all database connections for replication agents are using Windows authentication logons. The DBA shall configure all database connections for replication agents to use Windows authentication logons.

T-SQL: N/A
Management Studio:
-Expand the server.
-Expand Replication.
-Expand Local Publications.
4. Right-click each publication, select Properties, and perform the following steps.
-Select the Agent Security page.
-Click the "Security Settings..." button.
1. Verify that the radio button "Run under the following Windows account:" is selected.
2. Verify that "Process account:" is a Windows account that is authorized to run the Snapshot Agent process.
3. Verify that the radio button "By impersonating the process account" is selected.
-Expand Local Subscriptions.
-Right-click each subscription, select Properties, and perform the following steps.
4. Verify that "Agent process account" is a Windows account that is authorized to run the Snapshot Agent process.
5. Verify that "Distributor connection" is "Impersonate agent process account (Windows Authentication)".

T-SQL: N/A
Enterprise Manager:
1. The radio button "Run under the following Windows account:" is selected.
2. "Process account:" is a Windows account that is authorized to run the Snapshot Agent process.
3. The radio button "By impersonating the process account" is selected.
4. "Agent process account" is a Windows account that is authorized to run the Snapshot Agent process.
5. "Distributor connection" is "Impersonate agent process account (Windows Authentication)".

Verify that inactive database accounts are disabled/removed. The DBA shall monitor database account expiration and inactivity and remove expired and inactive accounts in accordance with IRS requirements, which requires disabling of accounts after 45 days of inactivity and removal of accounts after 90 days of inactivity.

T-SQL: Repeat the following for each server.
-Enter the following statement:
    select name, type from sys.server_principals where type <> 'R' and is_disabled <> '1'
1. Verify that all accounts listed are actually in use.
Management Studio: N/A

T-SQL:
1. All accounts listed are actually in use.
Enterprise Manager: N/A

Verify that restore permissions on databases are restricted to DBAs and/or the database owners. The DBA shall restrict restore permissions on databases to DBAs and/or the database owners.

T-SQL:
-Enter the following statement for each server. Note that the statement checking for the "CREATE DATABASE" statement will return an error if CREATE DATABASE is not assigned.
    exec sp_helpsrvrolemember 'sysadmin'
    exec sp_helpsrvrolemember 'dbcreator'
    exec sp_helprotect 'CREATE DATABASE'
1. Verify that only users who should have access to RESTORE are returned (sa and the database owner are valid if they are returned).
-Enter the following statement for each database. Replace <database name> with the name of the database being tested.
    use <database name>
    exec sp_helprolemember 'db_owner'
2. Verify that only users who should have access to RESTORE are returned (sa and the database owner are valid if they are returned).
Management Studio: N/A

T-SQL:
1. Only users who should have access to RESTORE are returned (sa and the database owner are valid if they are returned).
2. Only users who should have access to RESTORE are returned (sa and the database owner are valid if they are returned).
Enterprise Manager: N/A

Verify that when sensitive data is sent over the network that it is encrypted. When a database connection is requested via the network to a database server, the client shall provide an individual account name and authentication credentials to access the database. The database account name and any password transmission from a client to a database server over a network shall be protected.

-Open the SQL Server Configuration Manager.
-Expand SQL Server 2005 Network Configuration.
-Right-click on Protocols for and click Properties.
-Select the Flags tab.
1. Verify that the value for ForceEncryption is "Yes".

1. The value for ForceEncryption is "Yes".

Verify that only authorized batch jobs or database scripts are being run against the database. The DBA shall review the DBMS job queues daily to ensure that no unauthorized batch jobs or database scripts are being run against the database.

T-SQL: Repeat the following for each server.
-Review jobs scheduled to start automatically at system startup. Enter the following statement:
    use master
    select name from sys.procedures
1. Verify that all jobs listed are authorized.
-Review the SQL Server job history. Enter the following statement:
    use msdb
    select distinct (j.name) from sysjobhistory h, sysjobs j where h.job_id=j.job_id
2. Verify that all jobs listed are authorized.
Management Studio: N/A

T-SQL:
1. All jobs listed are authorized.
2. All jobs listed are authorized.
Enterprise Manager: N/A

Verify that a DBA Windows OS group exists. Verify that only authorized DBA Windows accounts exist within the DBA Windows OS group. The SA/DBA shall create a DBA Windows OS group. The SA/DBA shall assign only SecSpec-authorized DBA Windows accounts to the DBA OS group.

-Open Computer Management. Click Start, Control Panel, Administrative Tools, Computer Management.
-In Computer Management, expand System Tools, expand Local Users and Groups, and select Groups.
-View the list of groups defined.
1. Verify that a DBA Windows OS group exists and that only authorized DBA accounts exist within that group.
-In Management Studio, expand the server
-expand Security
-expand Logins
2. Verify that the group exists as a login.
-Double click the group
-click the Server Roles page
3. Verify that sysadmin is checked.
4. Verify that the DBA Windows OS group exists as a SQL Server Login.

T-SQL:
1. A DBA Windows OS group exists and that only authorized DBA accounts exist within that group.
2. The group exists as a login.
3. Sysadmin is checked.
4. The DBA Windows OS group exists as a SQL Server Login.
Enterprise Manager: N/A

Verify that access to replication procedures and facilities is restricted to authorized DBAs and designated replication database accounts. The DBA shall ensure that access to replication procedures and facilities is restricted to authorized DBAs and designated replication database accounts.

T-SQL:
-Determine if replication is in use. Enter the following statement which checks to see if the replication database exists:
    select count(name) from sys.databases where name = 'distribution'
1. If 0 is returned, then replication is not in use and this check passes. If 1 is returned, continue.
-Enter the following statements:
    use distribution
    exec sp_helprolemember 'replmonitor'
2. Verify that only DBA and designated replication database accounts are returned.
-Determine the databases participating in replication. Enter the following statements:
    exec sp_helpreplicationdboption
-For each database returned, enter the following statement
    use <database name>
    exec sp_helprolemember 'db_owner'
3. Verify that only DBA and designated replication database accounts are returned.
Management Studio: N/A

T-SQL:
1. If 0 is returned, then replication is not in use and this check passes. If 1 is returned, continue.
2. Only DBA and designated replication database accounts are returned.
3. Only DBA and designated replication database accounts are returned.
Enterprise Manager: N/A

Verify that development databases do not co-reside on the same hosts as production databases. The DBA shall ensure that development databases do not co-reside on the same hosts as production databases on Unix-based and Windows operating system platforms.

To locate the database names, do the following (repeat for each server):
T-SQL:
-Enter the following statement:
    use master
    select name from sysdatabases
Management Studio:
-Expand the server.
-Expand Databases.
1. Verify that all databases listed are production databases and not development databases.

T-SQL:
1. All databases listed are production databases and not development databases.
Enterprise Manager:
1. All databases listed are production databases and not development databases.

Verify that no database links are defined between production and development databases. The DBA shall ensure that no database links are defined between production and development databases.

Repeat the following for each server.
Management Studio:
-Expand the server.
1. Verify that the server contains either production or development databases. If the server contains both production and development databases, then this server fails this check.
-Expand Server Objects.
-Select Linked Servers.
2. Verify that each linked server's function type matches the function type of the local server. For example, if the local server contains production databases, then all linked servers must contain only production databases. If the local server contains development databases, then all linked servers must contain only development databases.

1. The server contains either production or development databases, not both. If the server contains both production and development databases, then this server fails this check.
2. Each linked server's function type matches the function type of the local server.

Verify that when not in use the ODBC tracing executable is deleted from the system to ensure the function is unavailable. The DBA shall ensure that when not in use the ODBC tracing executable is deleted from the system to ensure the function is unavailable.

-Click Start -> Search.
-Search all hard drives (including subfolders) for the file Odbctrac.dll.
1. Verify that the file does not exist anywhere on the system.

1. The file does not exist anywhere on the system.

SQL05-01, SQL05-02, SQL05-03, SQL05-04, SQL05-05, SQL05-06, SQL05-07, SQL05-08, SQL05-09, SQL05-10, SQL05-11, SQL05-12, SQL05-13, SQL05-14, SQL05-15, SQL05-16, SQL05-17, SQL05-18, SQL05-19, SQL05-20, SQL05-21, SQL05-22, SQL05-23, SQL05-24, SQL05-25, SQL05-26, SQL05-27, SQL05-28, SQL05-29, SQL05-30, SQL05-31, SQL05-32, SQL05-33, SQL05-34, SQL05-35, SQL05-36, SQL05-37, SQL05-38, SQL05-39, SQL05-40, SQL05-41, SQL05-42, SQL05-43, SQL05-44, SQL05-45, SQL05-46, SQL05-47, SQL05-48, SQL05-49, SQL05-50, SQL05-51, SQL05-52, SQL05-53, SQL05-54, SQL05-55, SQL05-56, SQL05-57, SQL05-58, SQL05-59, SQL05-60, SQL05-61, SQL05-62, SQL05-63, SQL05-64, SQL05-65, SQL05-66, SQL05-67, SQL05-68, SQL05-69, SQL05-70, SQL05-71, SQL05-72, SQL05-73, SQL05-74, SQL05-75, SQL05-76, SQL05-77

Out of Scope Controls - Unselected NIST 800-53 Controls

NIST Control Name
Full name which describes the NIST ID.

Minor update to correct worksheet locking capabilities. Added back NIST control name to Test Cases Tab.

NIST Control Name
Transmission Confidentiality
Account Management
Audit Review, Analysis, and Reporting
Network Disconnect
Separation of Duties
Protection of Audit Information
Time Stamps
Least Functionality
Flaw Remediation
Audit Generation
Audit Storage Capacity
Auditable Events
Authenticator Management
Access Enforcement
Application Partitioning
Least Privilege

Please submit SCSEM feedback and suggestions to SafeguardReports@IRS.gov
Obtain SCSEM updates online at http://www.irs.gov/uac/Safeguards-Program

Updates based on Publication 1075. See SCSEM notes column for specific updates.

NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations

SC-8
Transmission Confidentiality and Integrity

3/3/14: Update to 30 minutes.

1. Interview the DB administrator and review DB configurations to determine if there is a remote session termination after no more than 30 minutes of inactivity.

1. The DB system terminates a remote session if there is a period of inactivity of no more than 30 minutes.

Verify that the OS is running the latest available and tested version and Service Pack level of Windows Server 2008, Windows Server 2003, Windows Server 2012 or Windows 7. The latest available and tested version and Service Pack level of Windows Server 2008, Windows Server 2003, Windows Server 2012 and Windows 7 operating system shall be employed.

Windows 7
1. Verify that the latest available and tested Service Pack is installed by visiting the below link and consulting with the system administrator.
http://support.microsoft.com/ph/14019
Windows Server 2008 R2
1. Verify that the latest available and tested Service Pack is installed by visiting the below link and consulting with the system administrator.
http://technet.microsoft.com/en-us/windowsserver/bb310558
Windows Server 2003
1. Verify that the latest available and tested Service Pack is installed by visiting the below link and consulting with the system administrator.
http://support.microsoft.com/kb/889100
Windows Server 2012 R2
1. Verify that the latest available and tested Service Pack is installed by visiting the below link and consulting with the system administrator.
http://technet.microsoft.com/en-us/windowsserver/hh534429

Verify that audit trails are reviewed at a minimum weekly for anomalies (i.e. standard operations, unauthorized access attempts, etc.). Exceptions and violations are properly analyzed and appropriate actions are taken.

1. Interview DBA and ask for the system documentation that states how often audit logs are reviewed.
Also, determine when the last audit logs were reviewed.
2. Examine reports that demonstrate monitoring of security violations, such as unauthorized user access.

1. The DB Administrator can provide system documentation identifying how often the auditing logs are reviewed.
2. The audit trail is reviewed weekly or more frequently at the discretion of the information system owner for indications of unusual activity related to potential unauthorized FTI access.

1. "Enforce password history" is set to 24 or more.

This procedure should be performed by the system administrator. All database accounts must be checked.
-Open the Group Policy Object Editor for the appropriate GPO.
-Expand Computer Configuration.
-Expand Windows Settings.
-Expand Security Settings.
-Expand Account Policies.
-Select Password Policy.
1. Verify that "Enforce password history" is set to 24 or more.

The current service pack is SP4 (9.00.5000) as of December 17, 2010.
T-SQL:
1. Enter the following statement:
    select serverproperty('ProductVersion')
-Verify that the result is 9.00.4035 (SP3) or higher.
Enterprise Manager:
1. Right-click the server, and then click Properties.
-Click the General tab.
-Verify that the value for "Product version:" is 9.00.4035 (SP3) or higher.

T-SQL:
1. The result is 9.00.4035 (SP3) or higher.
Enterprise Manager:
1. The value for "Product version:" is 9.00.4035 (SP3) or higher.

SA-22
Unsupported System Components

Agency Code:
Closing Date:
Shared Agencies:
DB Version:
SCSEM Version: 1.4

All SCSEM Test Results
Final Test Results (This table calculates all tests in the Test Cases tab)
Overall SCSEM Statistics
Passed
Failed
Additional Information Requested
Total Number of Tests Performed
Weighted Pass Rate
Totals
Weighted Score
Risk Rating
Weight
Possible
Actual
Device Weighted Score:

Criticality
A baseline risk category has been pre-populated next to each control to assist agencies in establishing priorities for corrective action.
The reviewer has the discretion to change the prioritization to accurately reflect the risk and the overall security posture based on environment specific testing.

Criticality
Issue Code Mapping
Critical
Significant
Moderate
Limited
Criticality Ratings
Criticality Rating (Do Not Edit)

Added baseline Criticality Score and Issue Codes, weighted test cases based on criticality, and updated Results Tab

Sections below are automatically calculated.

HCM3; HSI2; HSC1; HAC7; HAU3; HRM5 HAU10 HAC12; HAU10 HAU12 HAU11; HCM10; HCM1; HAU7 HAU4 HAU100 HAU2 HAU5; HAU100; HAU100 HAU8 HAU9; HAC13 HAU14 HRM7; HAC100; HSC100 HSC15 HAC100; HAC31; HCM9; HAC11 HAC11 HAC31; HAC10 HSI100 HAU100 HAC100 HSA100; HPW4 HPW15 HPW100; HPW6; HAC15; HAC11 HAC100 HSI100

SCSEM Release Date: March 31, 2015

Identify OS or App Version and include Service Packs and Builds
Insert unique identifier for the computer or device
Insert tester name and organization
Insert City, State and address or building

IRS Office of Safeguards SCSEM
IT Security Compliance Evaluation
Booz Allen Hamilton
usgcb, stig, pub1075

The IRS strongly recommends agencies test all SCSEM settings in a development or test environment prior to deployment in production. In some cases a security setting may impact a system's functionality and usability. Consequently, it is important to perform testing to determine the impact on system security, functionality, and usability. Ideally, the test system configuration should match the production system configuration. Prior to making changes to the production system, agencies should back up all critical data files on the system and if possible, make a full backup of the system to ensure it can be restored to its pre-SCSEM state if necessary.

Buffum, Tyler [USA]
Office of Safeguards
Internal Revenue Service

Worksheets: Dashboard, Results, Instructions, Test Cases, Change Log, Appendix

http://www.irs.gov/uac/Safeguards-Program