Workbook metadata (recovered from the XLS header): author Christa Bator. Worksheets: MQ Dashboard, Results, Instructions, Test Cases, Appendix, Change Log.

Test Cases (SQL Server)
select filename from sysfiles
(sysfiles is a SQL Server 2000 system table kept as a compatibility view; on SQL Server 2005 and later, sys.master_files in master lists the files of every database in one query.)
1. Verify that each filename exists on a volume separate from the SQL Server executable volume.
Management Studio: Repeat the following for each database.
-Expand the server group.
-Expand Databases.
-Right-click the database and click Properties.
-Select the Files page.
1. Under "Database files:", check each path in the "Path" column. Verify that each path exists on a volume separate from the SQL Server executable volume.
Expected result:
T-SQL: 1. Each filename exists on a volume separate from the SQL Server executable volume.
Management Studio: 1. Each path exists on a volume separate from the SQL Server executable volume.

Test: Verify that user-defined stored procedures are stored in an encrypted format.
Requirement: Custom application and GOTS application software source code objects shall be encrypted within the database, where available as a DBMS feature, in accordance with industry (cissecurity.org) and government (csrc.nist.gov/pcig) best practice recommendations. The DBA shall ensure that custom application and GOTS source code objects are encrypted within the database when possible.
Procedure:
T-SQL: Repeat the following for each database. Replace <database> with the name of the database being tested.
-Enter the following statement:
use <database>
select schema_name(o.schema_id) as 'Schema', o.name from sys.objects o, sys.sql_modules s where o.object_id = s.object_id and s.definition is not null
(sys.sql_modules.definition is NULL only for modules created WITH ENCRYPTION, so the query lists every module whose source text is readable.)
1. If any results are listed that are not installed as part of a COTS application, then this test fails.
Management Studio: N/A
Expected result:
T-SQL: 1. If any results are listed that are not installed as part of a COTS application, then this test fails.
Management Studio: N/A
Caveat: WITH ENCRYPTION obfuscates module text with a key derived from the object itself, not with a key the DBA controls; a sysadmin connected over the dedicated administrator connection can recover the source with publicly available scripts. It protects against casual reading only and does not replace restricting access to the database.

Test: Verify that system-defined extended stored procedures are restricted from user access.
Requirement: The DBA shall restrict use of system-defined extended stored procedures to authorized DBAs only unless fully justified and documented with the IT Security Specialist.
Expected result:
T-SQL: 1. For each row returned, the value for name is not "public".
Enterprise Manager: 1. If "public" exists, Deny is checked.

Test: Verify that object permissions have not been granted to the public database role or to the guest account.
Requirement: The DBA shall ensure that object privileges are not granted to PUBLIC or GUEST.
Procedure:
T-SQL: Repeat the following for each database. Replace <database> with the name of the database being tested.
-Enter the following statement:
use <database>
select user_name(p.grantee_principal_id) 'User', o.name 'Object', p.permission_name from sys.objects o, sys.database_permissions p where o.object_id = p.major_id and p.grantee_principal_id in (0, 2)
(In sys.database_principals, principal_id 0 is the public role and 2 is guest.)
1. Verify that no rows are returned.
Management Studio: N/A
Expected result:
T-SQL: 1. No rows are returned.
Management Studio: N/A

Test: Verify that user access to DBA views and tables is denied.
Requirement: The DBA shall ensure that access to DBA views and tables is restricted to DBAs and batch processing accounts.
Procedure:
T-SQL: Repeat the following for each database.
-Enter the following statement:
select SystemTableOrViewName = sysobjects.name, UserOrGroupName = sysusers.name from sysobjects inner join sysprotects on sysobjects.id = sysprotects.id inner join sysusers on sysprotects.uid = sysusers.uid where (sysobjects.type = 'S' or sysobjects.type = 'V') and (sysprotects.uid > 4) and (sysprotects.protecttype <> 206)
(protecttype 206 is DENY, so the query lists GRANT and GRANT WITH GRANT OPTION rows on system tables and views; sysobjects, sysprotects and sysusers are SQL Server 2000 system tables retained as compatibility views in later versions.)
1. If results are returned, then verify that each UserOrGroupName is a DBA or a batch processing account.
Management Studio: N/A
Expected result:
T-SQL: 1. If results are returned, then each UserOrGroupName is a DBA or a batch processing account.
Management Studio: N/A

Test: Verify that backup files for databases are secure.
Requirement: To ensure backup file protection, access permissions to backup files shall be restricted to SAs.
Restore permissions on databases shall be restricted to DBAs and database owners.
Procedure:
T-SQL: Repeat the following for each server.
-Enter the following statement:
use msdb
select physical_device_name from backupmediafamily
(msdb..backupfile, whose physical_drive and physical_name columns describe the data and log files contained in each backup set, does not give the location of the backup file itself; the backup device paths are in backupmediafamily.physical_device_name.)
-For each file listed in the query results, do the following:
a. Open Windows Explorer and browse to the file.
b. Right-click the file's container directory.
c. Select Properties.
d. Select the Security tab.
1. Verify that the only permissions are the following or less:
- full control - SYSTEM
- full control - Administrators
- full control - SQL Server service account (custom)
- full control - DBA group (custom)
- full control - CREATOR OWNER
Management Studio: N/A
Expected result:
T-SQL: 1. The only permissions are the following or less: full control for SYSTEM, Administrators, the SQL Server service account (custom), the DBA group (custom) and CREATOR OWNER.
Management Studio: N/A

Test: Verify that objects are owned only by authorized accounts.
Requirement: The DBA shall ensure that all database objects are owned by the database system, DBAs, or by a separate account created especially for application object ownership. The DBA shall ensure that application user database accounts do not own any database objects. The SecSpec shall ensure that DBA accounts do not own application objects. The DBA shall ensure that default DBMS database accounts other than the default administration account are not used as the owner of an application's objects or schema.
Procedure:
T-SQL: Repeat the following for each database. Replace <database> with the name of the database being tested.
-Enter the following statement:
use <database>
select sys.schemas.name as 'Schema Name', sys.database_principals.name as 'Schema Owner' from sys.schemas, sys.database_principals where sys.schemas.principal_id = sys.database_principals.principal_id
1. Verify that all schemas are owned by the database system, DBAs, or by a separate account created especially for application object ownership.
2.
Verify that application user database accounts do not own any schemas.
3. Verify that DBA accounts do not own application-specific schemas.
4. Verify that default DBMS database accounts other than the default administration account are not used as the owner of application-specific schemas.
Management Studio: N/A
Expected result:
T-SQL: 1. All schemas are owned by the database system, DBAs, or by a separate account created especially for application object ownership. 2. Application user database accounts do not own any schemas. 3. DBA accounts do not own application-specific schemas. 4. Default DBMS database accounts other than the default administration account are not used as the owner of application-specific schemas.
Management Studio: N/A

Test: Verify that application owner accounts are disabled/locked when not in use.
Requirement: The DBA shall ensure that custom application owner accounts are disabled/locked when not in use.
Procedure:
T-SQL: Repeat the following for each database. Replace <database> with the database to test.
-Enter the following statement:
use <database>
select distinct s.principal_id from sys.objects o inner join sys.schemas s on o.schema_id = s.schema_id where o.is_ms_shipped = 0
(The owner of a user object is the principal that owns the object's schema, found through sys.schemas.principal_id; a schema_id is not a principal_id and must not be used as one.)
1. If no rows are returned, then this database passed the test; proceed to the next database.
-If rows are returned, then enter the following statement for each row returned. Replace <principal_id> with the principal_id in the row.
select suser_sname(p.sid) from sys.database_principals p, sys.server_principals s where p.principal_id = <principal_id> and p.sid = s.sid and s.is_disabled = 0 and p.type not in ('A', 'R')
(Types A and R are application roles and database roles, which have no server login to disable.)
2. Verify that no rows are returned.
Management Studio: N/A
Expected result:
T-SQL: 1. If no rows are returned, then this database passed the test and you should proceed to the next database (skip test 2 for this database). 2. No rows are returned.
Management Studio: N/A

Test: Verify that when connecting to linked databases, the connection is authenticated using the current user's identification and password.
Requirement: Linked or remote servers shall only be configured to use Windows authentication.
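The schema-ownership test and the owner-account test above walk the same chain (object to schema to database principal to server login) by hand, one schema at a time. The query below is an added example, not part of the original checklist; it resolves every schema that holds a non-Microsoft object in the current database to its owner and, where that owner maps to a server login, reports whether the login is still enabled. It assumes SQL Server 2005 or later and is run after `use <database>`; the column aliases and finding strings are my own.

```sql
-- Added example (not from the checklist): schema ownership and owner-login status for every
-- non-Microsoft object in the current database. Run after: USE <database>;
SELECT
    s.name                          AS schema_name,
    dp.name                         AS schema_owner,        -- database principal that owns the schema
    dp.type_desc                    AS owner_type,          -- SQL_USER, WINDOWS_USER, DATABASE_ROLE, ...
    sp.name                         AS owner_login,         -- NULL when the owner has no server login
    sp.is_disabled                  AS login_disabled,      -- NULL when there is no server login
    COUNT(o.object_id)              AS user_object_count,
    CASE
        WHEN dp.type IN ('A', 'R')   THEN 'OK: owned by a role, no login to disable'
        WHEN sp.principal_id IS NULL THEN 'REVIEW: owner has no server login (orphaned or loginless user)'
        WHEN sp.is_disabled = 1      THEN 'OK: owning login is disabled'
        ELSE                              'FAIL: owning login is enabled'
    END                             AS finding
FROM sys.objects o
JOIN sys.schemas s                 ON s.schema_id = o.schema_id           -- object -> schema
JOIN sys.database_principals dp    ON dp.principal_id = s.principal_id    -- schema -> owner
LEFT JOIN sys.server_principals sp ON sp.sid = dp.sid                     -- owner -> login, if any
WHERE o.is_ms_shipped = 0
GROUP BY s.name, dp.name, dp.type, dp.type_desc, sp.name, sp.is_disabled, sp.principal_id
ORDER BY finding, s.name;
```

The dbo user (principal_id 1) carries the SID of the database owner's login, so objects in the dbo schema report that login, usually an enabled DBA account; judge those rows under the ownership test, not the disabled-account test.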
The capability to preserve a user's identification, and therefore maintain DAC integrity, is currently available only in a Windows 2000 or later environment where the connections can be protected with Kerberos and account delegation can be used. When linking SQL Server databases, the connection shall be authenticated using the current user's identification and password or certificates. The DBA shall configure linked servers to use the user's current authentication to access the remote database.
Procedure:
T-SQL: N/A
Management Studio: Repeat the following for each server.
-Expand the server.
-Expand Server Objects.
-Expand Linked Servers.
-For each linked server, do the following:
-Double-click the linked server.
-Select the Security page.
1. Verify that the "Be made using the login's current security context" radio button is selected.
2. Under "Local server login to remote server login mappings", verify that there are no mappings.
Expected result:
T-SQL: N/A
Management Studio: 1. The "Be made using the login's current security context" radio button is selected. 2. Under "Local server login to remote server login mappings", there are no mappings.

Test: Verify that all databases are located in separate database files.
Requirement: The DBA shall locate the system database MASTER.MDF in a separate database that resides within its own unique datafile(s). The DBA shall locate the miscellaneous system database MODEL.MDF in a separate database that resides within its own unique datafile(s). The DBA shall locate the system database MSDB.MDF in a separate database that resides within its own unique datafile(s). The DBA shall locate the system database TEMPDB.MDF in a separate database that resides within its own unique datafile(s). The DBA shall locate the application databases in separate databases that reside within their own unique datafile(s).
Procedure:
T-SQL: Repeat the following for each server.
-Enter the following statement:
use master
select name, filename from sysdatabases
1.
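The checklist marks the linked-server test as T-SQL: N/A, but the Security page is backed by two catalog views, so the same check can be scripted for every linked server on an instance. This is an added example, not from the original checklist; it assumes SQL Server 2005 or later and is run in master. The finding strings are my own wording.

```sql
-- Added example (not from the checklist): catalog-view equivalent of the Management Studio
-- linked-server Security page. In sys.linked_logins the row with local_principal_id = 0 is the
-- default mapping for all logins; uses_self_credential = 1 on that row is the radio button
-- "Be made using the login's current security context". Any row with local_principal_id <> 0
-- is an explicit local-to-remote login mapping, which the test forbids.
SELECT
    srv.name                   AS linked_server,
    srv.product,
    srv.provider,
    ll.local_principal_id,
    sp.name                    AS local_login,      -- NULL on the default (all logins) row
    ll.uses_self_credential,
    ll.remote_name,                                 -- stored remote login; NULL when passing through
    CASE
        WHEN ll.local_principal_id <> 0  THEN 'FAIL: explicit login mapping present'
        WHEN ll.uses_self_credential = 1 THEN 'OK: uses current security context'
        WHEN ll.remote_name IS NOT NULL  THEN 'FAIL: fixed remote login and stored password'
        ELSE                                  'FAIL: no security context (or "Not be made")'
    END                        AS finding
FROM sys.servers srv
LEFT JOIN sys.linked_logins ll     ON ll.server_id = srv.server_id
LEFT JOIN sys.server_principals sp ON sp.principal_id = ll.local_principal_id
WHERE srv.is_linked = 1
ORDER BY srv.name, ll.local_principal_id;
```

A linked server configured as "Not be made" has no default row in sys.linked_logins; the LEFT JOIN keeps it in the result and the ELSE branch reports it, so the output covers every linked server, not only the misconfigured ones.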
Verify that there is a database named "master" and that its primary file is "master.mdf".
2. Verify that there is a database named "model" and that its primary file is "model.mdf".
3. Verify that there is a database named "msdb" and that its primary file is "msdb.mdf".
4. Verify that there is a database named "tempdb" and that its primary file is "tempdb.mdf".
5. Verify that all databases present are located in their own separate database files.
Management Studio: N/A
Expected result:
T-SQL: 1. There is a database named "master" whose primary file is "master.mdf". 2. There is a database named "model" whose primary file is "model.mdf". 3. There is a database named "msdb" whose primary file is "msdb.mdf". 4. There is a database named "tempdb" whose primary file is "tempdb.mdf". 5. All databases present are located in their own separate database files.
Management Studio: N/A

Test: Verify that all databases are named correctly.
Requirement: Databases shall be named in accordance with IRM 2.5.7, Data Name Standards, using a name descriptive enough to identify the function of the data contained within the database.
Procedure: To locate the database names, do the following (repeat for each server):
T-SQL:
-Enter the following statement:
use master
select name from sysdatabases
Management Studio:
-Expand the server.
-Expand Databases.
For each database name listed, with the exception of master, tempdb, model and msdb, verify the following:
1. Verify that only alphabetic (A-Z), numeric (0-9), and special characters (e.g. hyphen, colon, underscore) which are appropriate to the language are present in the name.
2. Verify that the first character of the name is alphabetic (A-Z).
3. Verify that the name does not start with a verb.
4. Verify that the length of the name is less than 30 characters.
5. Verify that the name is unique.
6. Verify that the name is clear and accurate, reflecting a condensed version of the data description.
Expected result:
Either test method: 1.
Only alphabetic (A-Z), numeric (0-9), and special characters (e.g. hyphen, colon, underscore) which are appropriate to the language are present in the name. 2. The first character of the name is alphabetic (A-Z). 3. The name does not start with a verb. 4. The length of the name is less than 30 characters. 5. The name is unique. 6. The name is clear and accurate, reflecting a condensed version of the data description.

Test: Verify that all DBMS administrator passwords are required to be changed every 60 days.
Requirement: The DBA shall ensure that database administrator account passwords are changed every 60 days or more frequently and shall implement scripts, profiles, or other controls as necessary to enforce this requirement.
Procedure: This procedure should be performed by the system administrator. All database administrator accounts must be checked.
-Open the Group Policy Object Editor for the appropriate GPO.
-Expand Computer Configuration.
-Expand Windows Settings.
-Expand Security Settings.
-Expand Account Policies.
-Select Password Policy.
1. Verify that "Maximum password age" is set to 60 days or less (but not 0).
Expected result: 1. "Maximum password age" is set to 60 days or less (but not 0).

Test: Verify that all DBMS user passwords are required to be changed every 90 days.
Requirement: The DBA shall ensure that database user account passwords are changed every 90 days or more frequently and shall implement scripts, profiles, or other controls as necessary to enforce this requirement.
Procedure: This procedure should be performed by the system administrator. All database user accounts must be checked.
-Open the Group Policy Object Editor for the appropriate GPO.
-Expand Computer Configuration.
-Expand Windows Settings.
-Expand Security Settings.
-Expand Account Policies.
-Select Password Policy.
1. Verify that "Maximum password age" is set to 90 days or less (but not 0).
Expected result: 1. "Maximum password age" is set to 90 days or less (but not 0).
Note: both tests read the same GPO setting, so a single policy of 60 days or less satisfies both. Windows password policy governs Windows logins directly, but it reaches SQL Server logins only where the login has CHECK_EXPIRATION = ON (maximum age) and CHECK_POLICY = ON (complexity and lockout), options available from SQL Server 2005 on Windows Server 2003 or later; a SQL login with either option off is exempt regardless of the GPO. The per-login setting is visible in sys.sql_logins as is_expiration_checked and is_policy_checked.

Test: Verify that the password for the SA account is password protected.
The default sa password, used to connect as administrator, shall be changed from the default installation value. Leaving the default password unchanged could result in unauthorized parties accessing the server as sa, which gives them full database administration privileges. The DBA shall password protect the SQL Server sa pseudo database account and shall change its default password.

Procedure (T-SQL): Repeat the following for each server. Enter the following statement:
    select count(name) from syslogins where password is null and name = 'sa'
1. Verify that "0" is returned.
Management Studio: N/A

Expected result (T-SQL): 1. "0" is returned. Enterprise Manager: N/A

Test: Verify that all DBMS account passwords are not reused within three password changes. The DBA shall ensure that database account passwords are not reused within three password changes.

Test: Verify that all DBMS accounts are limited to three failed logons before they become locked. Where available, the DBA shall limit database account logons to three failed logons before they become locked.

Procedure: This procedure should be performed by the system administrator. All database accounts must be checked.
- Open the Group Policy Object Editor for the appropriate GPO.
- Expand Computer Configuration, Windows Settings, Security Settings, Account Policies.
- Select Account Lockout Policy.
1. Verify that "Account lockout threshold" is set to 3.

Expected result: 1. "Account lockout threshold" is set to 3.

Test: Verify that the DBMS is not installed on a Microsoft Windows domain controller or backup domain controller. The installation of a DBMS on a host platform introduces additional vulnerabilities and resource requirements to the host. Additionally, vendor DBMS software distributions frequently offer additional functionality, such as web servers and directory server software, on the same installation media as the DBMS. Since it is a best security practice to separate or partition services offered to different audiences, any DBMS should be installed on a host system dedicated to its support and offering as few services as possible to other clients. For this reason, a DBMS shall not be installed on a host system that also provides web services, directory services, directory naming services, etc. In particular, DBMS software shall not be installed on Microsoft Windows domain controllers or backup domain controllers under any circumstances.

Procedure:
- Click Start, Run, then launch regedt32.exe.
- Expand HKEY_LOCAL_MACHINE, System, CurrentControlSet, Control.
- Select ProductOptions.
1. Verify that ProductType does not have a value of "LANMANNT" or "LANSECNT".

Expected result: 1. ProductType does not have a value of "LANMANNT" or "LANSECNT".

Test: Verify that statement permissions have been revoked for guest, public and all user accounts in all databases. The DBA shall ensure that SQL Server statement privileges are not granted to PUBLIC or GUEST. Verify that statement permissions have been revoked for user accounts in all databases.

Procedure (T-SQL): Repeat the following for each database. Enter the following statement, substituting the name of the database being tested:
    use <database>
    select user_name(grantee_principal_id), permission_name
    from sys.database_permissions
    where state in ('G','W')
1. Verify that no records are returned for the guest account, the public role or any user accounts.
Management Studio: Repeat the following for each database. Expand the server, expand Databases, right-click the database and click Properties, then select the Permissions page.
1. Verify that no Grant or With Grant permissions are specified for the guest account, the public role or any user accounts.

Expected result (T-SQL): 1. No records are returned for the guest account, the public role or any user accounts. Management Studio: 1. No Grant or With Grant permissions are specified for the guest account, the public role or any user accounts.

Test: Verify that statement permissions are not granted to any application user, application administrator, application developer or application role. The following SQL Server statement privileges shall not be granted, directly or indirectly through roles, to any application user, application administrator, application developer or application role:
CREATE TABLE, CREATE VIEW, CREATE PROCEDURE (CREATE SP), CREATE DEFAULT, CREATE RULE, CREATE FUNCTION, BACKUP DATABASE, BACKUP LOG, CREATE DATABASE

Procedure (T-SQL): Repeat the following for each database. Enter the following statement (in sys.database_permissions the type codes beginning CR are the CREATE permissions, BA the BACKUP permissions, and CL is CONTROL, which implies all of them):
    use <database>
    select user_name(grantee_principal_id), permission_name
    from sys.database_permissions
    where (type like 'CR%' or type like 'BA%' or type = 'CL') and state in ('G','W')
1. Verify that no records are returned for application users, application administrators, application developers or members of an application role.
Management Studio: Repeat the following for each database. Expand the server, expand Databases, right-click the database and click Properties, then select the Permissions page.
1. Verify that Grant or With Grant is not checked for application users, application administrators, application developers or members of an application role for the permissions listed above.

Expected result (T-SQL): 1. No records are returned for application users, application administrators, application developers or members of an application role. Management Studio: 1. Grant or With Grant is not checked for application users, application administrators, application developers or members of an application role for the permissions listed above.

Test: Verify that the guest account does not have any role assignments granted. The DBA shall not grant SQL Server predefined roles to PUBLIC or GUEST.

Procedure (T-SQL): Enter the following statement for each server (at server level principal_id 2 is the public role):
    select suser_sname(role_principal_id) 'Role' from sys.server_role_members where member_principal_id = 2
Enter the following statement for each database (inside a database principal_id 2 is the guest user):
    use <database>
    select user_name(role_principal_id) 'Role' from sys.database_role_members where member_principal_id = 2
1. Verify that no results are returned.
Management Studio: N/A

Expected result (T-SQL): 1. No results are returned. Enterprise Manager: N/A

Test: Verify that only DBAs are granted server role memberships. The DBA shall ensure that the DBA role is restricted to authorized DBA accounts in a production environment.

Procedure (T-SQL): Repeat the following for each server. Enter the following statement, which displays all logins that are granted server role memberships:
    exec sp_helpsrvrolemember
1. Verify that only DBAs are granted server role memberships.
Management Studio: Repeat the following for each server. Expand the server, expand Security, expand Server Roles. For each server role, double-click the server role and 1. verify that only DBAs are granted membership to the server role.

Expected result (T-SQL): 1. Only DBAs are granted server role memberships. Enterprise Manager: 1. Only DBAs are granted membership to the server role.

Test: Verify that only DBAs are granted database role memberships.
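The guest/public role check above keys on the hard-coded principal_id 2, which means different things at the two levels (public on the server, guest inside a database), and it has to be repeated by hand per database. The following is an added example, not part of the checklist, that resolves both principals by name and walks every online database in one batch. It assumes SQL Server 2005 or later, VIEW ANY DATABASE, and permission to read each database's catalog views.

```sql
-- Added example (not from the checklist): role memberships held by the
-- built-in public and guest principals, resolved by name rather than by
-- principal_id = 2. Assumes SQL Server 2005 or later.

-- Server level: any server role that lists public as a member.
SELECT r.name AS server_role, m.name AS member
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = 'public';

-- Every online database: roles granted to guest or public, and whether
-- guest holds CONNECT. guest cannot be disabled in master, msdb and tempdb,
-- so CONNECT rows for those three databases are expected; any other
-- database returning a CONNECT row for guest is a finding for this item.
DECLARE @sql nvarchar(max);
SET @sql = N'';
SELECT @sql = @sql + N'USE ' + QUOTENAME(name) + N';
SELECT DB_NAME() AS db, r.name AS db_role, m.name AS member
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name IN (N''guest'', N''public'');
SELECT DB_NAME() AS db, p.state_desc, p.permission_name
FROM sys.database_permissions p
WHERE p.grantee_principal_id = DATABASE_PRINCIPAL_ID(N''guest'')
  AND p.permission_name = N''CONNECT'';
'
FROM sys.databases
WHERE state_desc = 'ONLINE';
EXEC sp_executesql @sql;
```

Each USE statement switches context inside the single dynamic batch, so one execution returns two result sets per database; databases that are offline or restoring are skipped rather than raising an error mid-batch.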
The DBA shall ensure that the DBA role is restricted to authorized DBA accounts in a production environment.

Procedure (T-SQL): Repeat the following for each database. Enter the following statement, which displays all users that are granted database role memberships:
    exec sp_helprolemember
1. Verify that only DBAs are members of the fixed database roles (roles whose names begin with "db_").
Management Studio: Repeat the following for each database. Expand the server, expand Databases, expand the database, expand Security, expand Roles, expand Database Roles. For each database role that begins with "db_", double-click the database role, select the General page and, under "Members of this role:", 1. verify that only DBAs are granted membership to the database role.

Expected result (T-SQL): 1. Only DBAs are members of the fixed database roles (roles beginning with "db_"). Enterprise Manager: 1. Only DBAs are granted membership to the database role.

Test: Verify that only authorized DBAs are assigned the sysadmin role. The DBA shall ensure that the DBA role is restricted to authorized DBA accounts in a production environment.

Procedure (T-SQL): Repeat the following for each server. Enter the following statement:
    exec sp_helpsrvrolemember sysadmin
1. Verify that only authorized logins are members of the System Administrators (sysadmin) server role.
Management Studio: Repeat the following for each server. Expand the server, expand Security, select Server Roles. Right-click the System Administrators (sysadmin) server role and click Properties. 1. Verify that only authorized logins are members of the System Administrators server role.

Expected result (T-SQL): 1. Only authorized logins are members of the System Administrators server role. Enterprise Manager: 1. Only authorized logins are members of the System Administrators server role.

Test: Verify that the BUILTIN\Administrators group is not assigned the sysadmin role. The DBA shall deny the Windows BUILTIN\Administrators group the assignment to the sysadmin role.

Procedure (T-SQL): Repeat the following for each server. Enter the following statement:
    exec sp_helpsrvrolemember sysadmin
1. Verify that BUILTIN\Administrators is not a member of the System Administrators server role.
Management Studio: Repeat the following for each server. Expand the server, expand Security, select Server Roles. Right-click the System Administrators (sysadmin) server role and click Properties. 1. Verify that BUILTIN\Administrators is not a member of the System Administrators server role.

Expected result (T-SQL): 1. BUILTIN\Administrators is not a member of the System Administrators server role. Enterprise Manager: 1. BUILTIN\Administrators is not a member of the System Administrators server role.

Test: Verify that users do not have administrative privileges. The DBA shall ensure that application user database accounts, application administrator accounts, application developer accounts and application roles do not have the administration option (WITH GRANT OPTION) of any object privilege. The DBA shall deny PUBLIC and GUEST the grant option of any object privilege.

Procedure (T-SQL): Repeat the following for each database. Enter the following statement. The join on major_id together with class = 1 restricts the result to object permissions; without that join the two catalog views are cross-joined and every object is listed against every WITH GRANT permission, which is what the original form of this query did.
    use <database>
    select USER_NAME(p.grantee_principal_id) 'DB User', o.name 'Object', p.permission_name
    from sys.database_permissions p
    join sys.objects o on o.object_id = p.major_id
    where p.class = 1 and p.state = 'W'
1. All privileges returned are granted WITH GRANT OPTION. Verify that every account returned is authorized to hold that option. Application user database accounts, application administrator accounts, application developer accounts and application roles should not be listed. PUBLIC and GUEST should have this option DENIED.
Management Studio: N/A

Expected result (T-SQL): 1. All privileges returned have the "GRANT WITH GRANT" option enabled, and all accounts returned are authorized to have it. Application user database accounts, application administrator accounts, application developer accounts and application roles are not listed. PUBLIC and GUEST have this option DENIED. Enterprise Manager: N/A

Test: Verify that object privileges are not assigned directly to individual application user database accounts. The DBA shall ensure that all object privileges granted to application users are granted through application-specific roles, and that object privileges are not assigned directly to individual application user database accounts.

Procedure (T-SQL): Repeat the following for each database. Enter the following statement (principal type 'S' is a SQL user and 'U' a Windows user; roles and Windows groups are deliberately excluded because grants to them are the intended path):
    use <database>
    select u.name, o.name, p.permission_name
    from sys.database_permissions p
    join sys.objects o on o.object_id = p.major_id
    join sys.database_principals u on u.principal_id = p.grantee_principal_id
    where p.class = 1 and p.state in ('G','W') and u.type in ('S','U')
1. Verify that no rows are returned.
Management Studio: N/A

Expected result (T-SQL): 1. No rows are returned. Enterprise Manager: N/A

Test: Verify that application users, application administrators and application roles are not granted the REFERENCES object privilege. The DBA shall ensure that application users, application administrators and application roles are not granted the REFERENCES object privilege.

Procedure (T-SQL): Repeat the following for each database. Enter the following statement:
    exec sp_helprotect NULL, NULL, NULL, 'o'
1. For each row where Grantee is an application administrator or an application user AND Action is "References", verify that ProtectType is not "Grant" or "Grant_WGO".
Management Studio: N/A

Expected result (T-SQL): 1. For each row where Grantee is an application administrator or an application user AND Action is "References", ProtectType is not "Grant" or "Grant_WGO". Enterprise Manager: N/A

Test: Verify that the BUILTIN\Administrators group is not a valid SQL Server login.

Procedure (T-SQL): Repeat the following for each server. Enter the following statement:
    use master
    select name from syslogins where loginname = 'BUILTIN\Administrators'
1. Verify that nothing is returned.
Management Studio: Repeat the following for each server. Expand the server, expand Security, select Logins. 1. Verify that BUILTIN\Administrators is not a login.

Expected result (T-SQL): 1. Nothing is returned. Enterprise Manager: 1. BUILTIN\Administrators is not a valid login.

Test: Verify that inactive database accounts are disabled or removed. The DBA shall monitor database account expiration and inactivity and remove expired and inactive accounts in accordance with IRS requirements, which require disabling of accounts after 45 days of inactivity and removal of accounts after 90 days of inactivity.

Procedure (T-SQL): Repeat the following for each server. Enter the following statement:
    select name, type from sys.server_principals where type <> 'R' and is_disabled <> 1
1. Verify that all accounts listed are actually in use.
Management Studio: N/A

Expected result (T-SQL): 1. All accounts listed are actually in use. Enterprise Manager: N/A

Test: Verify that restore permissions on databases are restricted to DBAs and/or the database owners. The DBA shall restrict restore permissions on databases to DBAs and/or the database owners.

Procedure (T-SQL): Enter the following statements for each server. Note that sp_helprotect 'CREATE DATABASE' returns an error if CREATE DATABASE has not been granted to anyone.
    exec sp_helpsrvrolemember 'sysadmin'
    exec sp_helpsrvrolemember 'dbcreator'
    exec sp_helprotect 'CREATE DATABASE'
1. Verify that only users who should have access to RESTORE are returned (sa and the database owner are valid if they are returned).
Enter the following statement for each database, replacing <database> with the name of the database being tested:
    use <database>
    exec sp_helprolemember 'db_owner'
2. Verify that only users who should have access to RESTORE are returned (sa and the database owner are valid if they are returned).
Management Studio: N/A

Expected result (T-SQL): 1. Only users who should have access to RESTORE are returned (sa and the database owner are valid if they are returned). 2. Only users who should have access to RESTORE are returned (sa and the database owner are valid if they are returned). Enterprise Manager: N/A

Test: Verify that when sensitive data is sent over the network it is encrypted. When a database connection is requested via the network to a database server, the client shall provide an individual account name and authentication credentials to access the database. The database account name and any password transmitted from a client to a database server over a network shall be protected.

Expected result: 1. The value for ForceEncryption is "Yes".

Test: Verify that a DBA Windows OS group exists and that only authorized DBA Windows accounts exist within it. The SA/DBA shall create a DBA Windows OS group and shall assign only SecSpec-authorized DBA Windows accounts to that group.

Procedure:
- Open Computer Management (Start, Control Panel, Administrative Tools, Computer Management).
- In Computer Management, expand System Tools, expand Local Users and Groups, and select Groups.
- View the list of groups defined.
1. Verify that a DBA Windows OS group exists and that only authorized DBA accounts are members of it.
- In Management Studio, expand the server, expand Security, expand Logins.
2. Verify that the group exists as a login.
- Double-click the group and click the Server Roles page.
3. Verify that sysadmin is checked.
4. Verify that the DBA Windows OS group exists as a SQL Server login.

Expected result: 1. A DBA Windows OS group exists and only authorized DBA accounts are members of it. 2. The group exists as a login. 3. sysadmin is checked. 4. The DBA Windows OS group exists as a SQL Server login.
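Force Encryption is set in SQL Server Configuration Manager, not in T-SQL, but its effect is observable from inside the instance: every active connection reports whether its link is encrypted. The following is an added example, not part of the checklist, that shows the live sessions so a "Yes" setting can be confirmed against real traffic; it assumes SQL Server 2005 or later and VIEW SERVER STATE. The same view also confirms the Force Encryption half of the FIPS 140-2 item later in this list, though it says nothing about which cipher suite or certificate is in use.

```sql
-- Added example (not from the checklist): which network sessions are
-- actually encrypted. Assumes SQL Server 2005 or later and VIEW SERVER STATE.
SELECT c.session_id,
       s.login_name,
       c.net_transport,       -- TCP, Named pipe, Shared memory
       c.auth_scheme,         -- KERBEROS / NTLM for Windows logins, SQL for SQL logins
       c.encrypt_option,      -- TRUE when the session is TLS-encrypted
       c.client_net_address
FROM sys.dm_exec_connections c
JOIN sys.dm_exec_sessions s ON s.session_id = c.session_id
WHERE c.net_transport <> 'Shared memory'   -- local-only transport, never on the wire
ORDER BY c.encrypt_option, c.session_id;

-- Count of unencrypted network sessions; with Force Encryption = Yes this
-- must be 0, because the server refuses clients that cannot negotiate TLS.
SELECT COUNT(*) AS unencrypted_network_sessions
FROM sys.dm_exec_connections
WHERE net_transport <> 'Shared memory' AND encrypt_option = 'FALSE';
```

SQL Server encrypts the login packet (the credentials themselves) even when Force Encryption is off, so an encrypt_option of FALSE means the account name and password were protected but every query and result set on that session crossed the network in the clear.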
Enterprise Manager: N/A

Out of Scope Controls - Unselected NIST 800-53 Controls

NIST Control Name (full name which describes the NIST ID):
- Account Management
- Audit Review, Analysis, and Reporting
- Network Disconnect
- Separation of Duties
- Protection of Audit Information
- Time Stamps
- Least Functionality
- Flaw Remediation
- Audit Generation
- Auditable Events
- Authenticator Management
- Access Enforcement
- Application Partitioning
- Least Privilege

Procedure ('Ad Hoc Distributed Queries'): Run the following command:
    SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'ad hoc distributed queries';
Expected result: Both value columns must show 0.

Test: Verify that the 'CLR Enabled' Server Configuration Option is set to 0.
Procedure: Run the following command:
    SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'clr enabled';
Expected result: Both value columns must show 0.

Test: Verify that the 'Cross DB Ownership Chaining' Server Configuration Option is set to 0. This option allows a member of the db_owner role in a database to gain access to objects owned by a login in any other database, causing an unnecessary information disclosure.
Procedure: Run the following command:
    SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'cross db ownership chaining';
Expected result: Both value columns must show 0.

Procedure ('Database Mail XPs'): Run the following command:
    SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Database Mail XPs';
Expected result: Both value columns must show 0.

Procedure ('Ole Automation Procedures'): Run the following command:
    SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Ole Automation Procedures';
Expected result: Both value columns must show 0.

Procedure ('Remote Access'): Run the following command:
    SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'remote access';
Expected result: Both value columns must show 0. ("remote access", "0", "0")

Expected result ('Remote Admin Connections'): Both value columns must show 0; on clustered installations both value columns must show 1, since the Dedicated Admin Connection is otherwise reachable only from the node itself. ("remote admin connections", "0", "0")

Expected result ('Scan For Startup Procs'): Both value columns must show 0. ("scan for startup procs", "0", "0")

Expected result ('SQL Mail XPs'): Both value columns must show 0. ("SQL Mail XPs", "0", "0")

Procedure (protocols): Open SQL Server Configuration Manager and go to SQL Server Network Configuration. Ensure that only required protocols are enabled.
Expected result: Only required protocols should be enabled.

Test: Verify that SQL Server is configured to use non-standard ports.
Procedure: Open a PowerShell window or a command prompt and run the following command:
    PowerShell:      netstat -ano | Select-String '1433.+LISTENING'
    Command prompt:  netstat -ano   (look for :1433 in the Local Address column)
Expected result: SQL Server should not be listening on port 1433.
NIST control: CM-6 Configuration Settings (NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013)

Procedure ('Hide Instance'): Verify that the SQL Server Hide Instance option is set to Yes:
1. In SQL Server Configuration Manager, expand SQL Server Network Configuration, right-click Protocols for <instance>, and then select Properties.
2. On the Flags tab, in the 'Hide Instance' box, confirm that Yes is selected, and then click Cancel to close the dialog box.
Expected result: The 'Hide Instance' box should be set to 'Yes'.

Test: Disable the 'sa' login account.
Procedure: Use the following statement to determine whether the sa account is disabled (sid 0x01 identifies the sa login regardless of its current name):
    SELECT name, is_disabled FROM sys.server_principals WHERE sid = 0x01;
Expected result: An is_disabled value of 1 indicates the account is currently disabled. ("sa", "1")

Test: Rename the 'sa' login account. The 'sa' account is a widely known and often widely used SQL Server account with sysadmin privileges.
NIST control: AC-2
Procedure:
    SELECT name FROM sys.server_principals WHERE sid = 0x01;
Expected result: The statement always returns exactly one row; a name other than 'sa' indicates the account has been renamed. A name of 'sa' indicates the account has not been renamed.

Test: Verify that the 'xp_cmdshell' option is disabled. The xp_cmdshell procedure allows an authenticated SQL Server user to execute operating-system shell commands and return the results as rows to the SQL client.
Procedure: Run the following commands to verify that 'xp_cmdshell' is disabled. Note that sp_configure only displays xp_cmdshell after 'show advanced options' has been turned on, which is itself a configuration change; querying sys.configurations WHERE name = 'xp_cmdshell' returns the same value without changing anything.
    EXECUTE sp_configure 'show advanced options', 1;
    RECONFIGURE WITH OVERRIDE;
    EXECUTE sp_configure 'xp_cmdshell';
Expected result: A run_value of 0 indicates that the xp_cmdshell option is disabled.

Test: Verify that orphaned users do not exist in SQL Server databases. A database user for which the corresponding SQL Server login is undefined or is incorrectly defined on a server instance cannot log in to the instance; it is referred to as orphaned and should be removed.
Procedure: Run the following command in each database to identify orphaned users:
    EXEC sp_change_users_login @Action = 'Report';

Test: Verify that the 'MUST_CHANGE' option is ON for all SQL authenticated logins.
Procedure:
1. Open SQL Server Management Studio.
2. Open Object Explorer and connect to the target instance.
3. Navigate to the Logins node in Object Explorer and expand it. Right-click the desired login and select Properties.
4. Verify that the "User must change password at next login" checkbox is checked.
Expected result: The "User must change password at next login" checkbox is selected.

Test: Verify that the 'CHECK_POLICY' option is ON for all SQL authenticated logins. This applies the same password complexity policy used in Windows to passwords used inside SQL Server.
Procedure: Run the following command to verify that the password complexity policy used is in sync with the Windows Server policy:
    SELECT SQLLoginName = sp.name, PasswordPolicyEnforced = CAST(sl.is_policy_checked AS BIT)
    FROM sys.server_principals sp
    JOIN sys.sql_logins AS sl ON sl.principal_id = sp.principal_id
    WHERE sp.type_desc = 'SQL_LOGIN';
Expected result: All SQL authenticated logins adhere to the Windows password complexity policy. A PasswordPolicyEnforced value of 0 indicates that the 'CHECK_POLICY' option is OFF for that login.

Test: Verify that the 'CHECK_EXPIRATION' option is ON for all SQL authenticated logins within the sysadmin role. This applies the same password expiration policy used in Windows to passwords used inside SQL Server.
Procedure: Run the following command to verify that the password expiration age is in sync with the Windows Server policy:
    SELECT SQLLoginName = sp.name, PasswordExpirationEnforced = CAST(sl.is_expiration_checked AS BIT)
    FROM sys.server_principals sp
    JOIN sys.sql_logins AS sl ON sl.principal_id = sp.principal_id
    WHERE sp.type_desc = 'SQL_LOGIN';
Expected result: The SQL authenticated logins with sysadmin membership adhere to the Windows password expiration policy. A PasswordExpirationEnforced value of 0 indicates that the 'CHECK_EXPIRATION' option is OFF for that login.

Test: Verify that the 'Maximum number of error log files' setting is greater than or equal to 12. SQL Server errorlog files must be protected from loss; the log files must be backed up before they are overwritten.
Expected result: The maximum number of error log files should be greater than or equal to 12.

Test: Verify that the 'Default Trace Enabled' Server Configuration Option is set to 1. The default trace provides audit logging of database activity including account creations, privilege elevation and execution of DBCC commands.
Expected result: Both value columns should show 1. ("default trace enabled", "1", "1")

Test: Verify that 'Login Auditing' for both failed and successful logins is enabled.
Procedure: Run the following command to verify that "Login Auditing" is enabled for successful and failed attempts:
    EXEC xp_loginconfig 'audit level';
Via Management Studio:
1. Open SQL Server Management Studio.
2. Right-click the target instance, select Properties and navigate to the Security tab.
3. Confirm that the option "Both failed and successful logins" is selected under the "Login Auditing" section, and click OK.
Expected result: A config_value of 'all' indicates a server login auditing setting of 'Both failed and successful logins'. ("audit level", "all")
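The eleven server configuration options checked one at a time above can be compared against their expected values in a single pass, and the 'Trustworthy' property is a per-database flag that sits in sys.databases rather than sys.configurations. The following is an added example, not part of the checklist; it assumes SQL Server 2008 or later (for the VALUES table constructor) and VIEW ANY DEFINITION or equivalent to read the catalog. Options that do not exist on the version under test, such as 'sql mail xps' on SQL Server 2012 and later, simply drop out of the join.

```sql
-- Added example (not from the checklist): expected versus actual for the
-- server configuration options in this checklist. Assumes SQL Server 2008+.
SELECT c.name,
       CAST(c.value        AS int) AS value_configured,
       CAST(c.value_in_use AS int) AS value_in_use,
       e.expected,
       CASE
         WHEN e.expected IS NULL
           THEN 'REVIEW: 0 expected, 1 allowed only on clustered installations'
         WHEN CAST(c.value AS int) = e.expected
          AND CAST(c.value_in_use AS int) = e.expected
           THEN 'PASS'
         ELSE 'FAIL'
       END AS result
FROM sys.configurations c
JOIN (VALUES ('ad hoc distributed queries',  0),
             ('clr enabled',                 0),
             ('cross db ownership chaining', 0),
             ('database mail xps',           0),
             ('ole automation procedures',   0),
             ('remote access',               0),
             ('remote admin connections',    NULL),   -- judged by hand, see above
             ('scan for startup procs',      0),
             ('sql mail xps',                0),
             ('xp_cmdshell',                 0),
             ('default trace enabled',       1)) AS e(name, expected)
  ON e.name = c.name
ORDER BY result, c.name;

-- TRUSTWORTHY: msdb ships with it ON and is the only expected row. Any
-- other database listed lets UNSAFE/EXTERNAL_ACCESS assemblies and
-- impersonation inside that database reach server-level resources.
SELECT name AS trustworthy_database, owner_sid
FROM sys.databases
WHERE is_trustworthy_on = 1 AND name <> 'msdb';

-- Hide Instance and Force Encryption live in SQL Server Configuration
-- Manager (the registry), not in sys.configurations, and are checked there.
```

Reading sys.configurations does not require 'show advanced options' to be on, so this check leaves the instance's configuration untouched, unlike the sp_configure sequence used for xp_cmdshell above.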
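The sa and password-policy items above (sa disabled, sa renamed, blank sa password, MUST_CHANGE, CHECK_POLICY, CHECK_EXPIRATION) all read from the same catalog view and can be answered by one statement per login. The following is an added example, not part of the checklist; it assumes SQL Server 2005 or later and CONTROL SERVER, which is required to read password_hash. PWDCOMPARE against the empty string is the supported way to detect a blank password and works where the older syslogins.password test may not.

```sql
-- Added example (not from the checklist): one row per SQL login with the
-- checks from this section. sid 0x01 is the sa login whatever it has been
-- renamed to. Assumes SQL Server 2005 or later and CONTROL SERVER.
SELECT l.name,
       CASE WHEN l.sid = 0x01 THEN 1 ELSE 0 END               AS is_sa_login,
       l.is_disabled,
       l.is_policy_checked,                                    -- CHECK_POLICY
       l.is_expiration_checked,                                -- CHECK_EXPIRATION
       CAST(LOGINPROPERTY(l.name, 'IsMustChange') AS int)     AS must_change,
       PWDCOMPARE('', l.password_hash)                         AS blank_password,
       IS_SRVROLEMEMBER('sysadmin', l.name)                    AS is_sysadmin,
       CASE
         WHEN l.sid = 0x01 AND l.name = 'sa'           THEN 'FAIL: sa not renamed'
         WHEN l.sid = 0x01 AND l.is_disabled = 0       THEN 'FAIL: sa enabled'
         WHEN PWDCOMPARE('', l.password_hash) = 1      THEN 'FAIL: blank password'
         WHEN l.is_policy_checked = 0                  THEN 'FAIL: CHECK_POLICY off'
         WHEN l.is_expiration_checked = 0
          AND IS_SRVROLEMEMBER('sysadmin', l.name) = 1 THEN 'FAIL: sysadmin login without CHECK_EXPIRATION'
         ELSE 'PASS'
       END AS result
FROM sys.sql_logins l
ORDER BY result, l.name;
```

A disabled sa still fails the rename check on purpose: the checklist treats the two as separate findings, and a renamed-but-enabled sa is the more common state to catch.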
Test (Audit Events): Interview the DBA and application developers and inquire whether they sanitize database and application user input. Always validate user input received from a database client or application by testing type, length, format and range before transmitting it to the database server.

Procedure: Check with the application teams to ensure that any database interaction is through stored procedures and not dynamic SQL. Verify that they revoke INSERT, UPDATE and DELETE privileges from users so that modifications to data must be made through stored procedures. Verify that no SQL query in the application code is produced by string concatenation.

Expected result: The DBA and application developers should indicate that they perform the following before major code promotions:
- Review T-SQL and application code for SQL injection
- Only permit minimally privileged accounts to send user input to the server
- Minimize the risk of SQL injection by using parameterized commands and stored procedures
- Reject user input containing binary data, escape sequences and comment characters
- Always validate user input and never use it directly to build SQL statements

Test: Verify that the 'CLR Assembly Permission Set' is configured to SAFE_ACCESS for all CLR assemblies. Setting CLR assembly permission sets to SAFE_ACCESS prevents assemblies from accessing external system resources such as files, the network, environment variables or the registry.
Procedure: Run the following command to verify that the 'CLR Assembly Permission Set' is configured to SAFE_ACCESS for all CLR assemblies:
    SELECT name, permission_set_desc FROM sys.assemblies WHERE is_user_defined = 1;
Expected result: All returned assemblies show SAFE_ACCESS in the permission_set_desc column.

Test: Verify that the agency has implemented an account management process for the SQL Server.

Test: Verify that the 'Ad Hoc Distributed Queries' Server Configuration Option is set to 0. Ad hoc distributed queries allow users to query data and execute statements on external data sources. This functionality should be disabled.

Test: Verify that the 'Ole Automation Procedures' Server Configuration Option is set to 0.

Test: Verify that the 'Database Mail XPs' server configuration option is set to 0. Disabling Database Mail reduces the SQL Server attack surface and eliminates a DoS attack vector and a channel to exfiltrate data from the database server to a remote host.

Test: Verify that the 'Remote Access' server configuration option is set to 0. This functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target.

Test: Verify that the 'Remote Admin Connections' server configuration option is set to 0. The Dedicated Admin Connection is a powerful database feature that allows connected users to circumvent the SQL Server abstraction layer and directly access several system tables, which can be used to conduct malicious activities. This feature should be restricted to local administration only to reduce exposure.

Test: Verify that the 'Scan For Startup Procs' server configuration option is set to 0. This option causes SQL Server to scan for and automatically run all stored procedures that are set to execute on service startup.

Test: Verify that the 'SQL Mail XPs' server configuration option is set to 0. SQL Mail is deprecated in favor of Database Mail (and is absent from SQL Server 2012 and later, where this check does not apply); disabling it reduces the SQL Server attack surface and eliminates a DoS attack vector and a channel to exfiltrate data from the database server to a remote host.

Test: Verify that the 'Trustworthy' database property is set to OFF. This provides protection from malicious CLR assemblies or extended procedures.

Test: Verify that the SQL Server DBA has disabled unnecessary SQL Server protocols. Using fewer protocols minimizes the attack surface of SQL Server and in some cases can protect it from remote attacks.

Test: Verify that the 'Hide Instance' option is set to 'Yes' for production SQL Server instances. SQL Server instances within production environments should be designated as hidden to prevent advertisement by the SQL Server Browser service.

Test: Verify that SQL Server utilizes FIPS 140-2 approved cryptography when passing authentication data for remote access sessions. Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband and wireless.
Expected result: 1. The value for ForceEncryption is "Yes". 2. The encryption on the Flags tab is FIPS 140-2 / agency approved.
NIST control: SC-8 Transmission Confidentiality and Integrity
Procedure: Perform the following to determine whether SQL Server is configured to encrypt remote connections. Open SQL Server Configuration Manager. Expand SQL Server Network Configuration. Right-click Protocols for <instance>, where <instance> is a placeholder for the SQL Server instance name, and click Properties. 1. On the Flags tab, if Force Encryption is set to YES, examine the certificate used on the Certificate tab. If it is an approved, organization-defined certificate, this is not a finding.

Test: SQL Server must ensure that remote sessions that access an organization-defined list of security functions and security-relevant information are audited. Remote access to security functions (e.g., user management, audit log management, etc.) and security-relevant information requires that the activity be audited by the organization. Any application providing remote access must support organizational requirements to audit access to organization-defined security functions and security-relevant information. SQL Server security features accessed through remote methods must be audited to ensure the access is authorized and appropriate.
Expected result: All currently defined traces for the SQL Server instance will be listed. If no traces are returned, this is a finding.
Procedure: Check to see that all required events are being audited. 1.
Open a query prompt SELECT DISTINCT traceid FROM ::FN_TRACE_GETINFO('0') SQL Server must automatically audit account modification. Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account.,Check to see that all required events are being audited. 1. Open a query prompt SELECT DISTINCT traceid FROM ::FN_TRACE_GETINFO('0') (All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding) 2. For each traceid listed, replacing # with a traceid. SELECT DISTINCT(eventid) FROM ::FN_TRACE_GETEVENTINFO('#') The required evetnids 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, and 130 should be listed. If any of the audit events or evetnids required above are not listed, this is finding. �The required evetnids 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, and 130 should be listed. If any of the audit events or evetnids required above are not listed, this is finding. `SQL Server must enforce access control policies to restrict the 'Authenticate server' permission to only authorized roles. The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and SQL Server accounts as necessary to achieve least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of SQL Server and the OS.MObtain the list of roles that are authorized for the SQL Server 'Authenticate server' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query from a query prompt: 1. 
Select * from sys.server_principals where type = 'R' and principal_id =

If any role has 'Grant', 'With Grant', or 'Deny' privileges to the 'Authenticate server' permission and the user is not authorized to have the permission, this is a finding.

SQL Server, when providing remote access capabilities, must utilize organization defined cryptography to protect the confidentiality of data passing over remote access sessions.

Perform the following to determine whether SQL Server is configured to accept remote connections. 1. SELECT value_in_use from [MASTER].sys.configurations where name = 'remote access'; If value_in_use equals 0, remote access is disabled and this check is NA. 2. From a Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc and pressing [ENTER]. 3. Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties.

1. If value_in_use equals 0, remote access is disabled and this check is NA. 2. If Force Encryption is set to NO, or an approved organizationally defined Certificate is not utilized, this is a finding.

Obtain the list of roles with that permission by running the following query: 1. Select * from sys.server_permissions where permission_name = 'Alter server state' If any rows are returned, run the following query, substituting the principal_id with those returned in the previous query. 2. Select * from sys.server_principals where type = 'R' and principal_id =

1. If any rows are returned, run the following query, substituting the principal_id with those returned in the previous query. 2.

AC-6

SQL Server must enforce access control policies to restrict 'Alter server state' permissions to only authorized roles.
The concept of least privilege must be applied to SQL Server processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. SQL Server's 'Alter server state' permission is a high server-level privilege that must only be granted, through roles, to individual administration accounts whose users require this privilege to accomplish the organizational missions and/or functions. If the 'Alter server state' permissions are granted to roles that are unauthorized to have this privilege, then this access must be removed.

SQL Server must enforce access control policies to restrict the 'Alter any event session' permission to only authorized roles. SQL Server's 'Alter any event session' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. If the 'Alter any event session' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.

Obtain the list of roles that are authorized for the SQL Server 'Alter any event session' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: 1. Select * from sys.server_permissions where permission_name = 'Alter any event session' If any rows are returned, run the following query, substituting the principal_id with those returned in the previous query. 2. Select * from sys.server_principals where type = 'R' and principal_id =
If any role has 'Grant', 'With Grant', or 'Deny' privileges to the 'Alter any event session' permission and the user is not authorized to have the permission, this is a finding.

SQL Server must enforce access control policies to restrict the 'Alter any event notification' permission to only authorized roles. SQL Server's 'Alter any event notification' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. If the 'Alter any event notification' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.

Obtain the list of roles that are authorized for the SQL Server 'Alter any event notification' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: 1. Select * from sys.server_permissions where permission_name = 'Alter any event notification' If any rows are returned, run the following query, substituting the principal_id with those returned in the previous query. 2. Select * from sys.server_principals where type = 'R' and principal_id =

1. If any rows are returned, run the following query, substituting the principal_id with those returned in the previous query. 2. If any role has 'Grant', 'With Grant', or 'Deny' privileges to the 'Alter any event notification' permission and the user is not authorized to have the permission, this is a finding.

1. If any rows are returned, run the following query, substituting the principal_id with those returned in the previous query. 2. If any role has 'Grant', 'With Grant', or 'Deny' privileges to the 'Alter any event session' permission and the user is not authorized to have the permission, this is a finding.

SQL Server must enforce access control policies to restrict the 'Alter any endpoint' permission to only authorized roles. SQL Server's 'Alter any endpoint' permission is a high server-level privilege that must only be granted to individual administration accounts through roles. If the 'Alter any endpoint' permission is granted to roles that are unauthorized to have this privilege, then this access must be removed.

Obtain the list of roles that are authorized for the SQL Server 'Alter any endpoint' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: 1. Select * from sys.server_permissions where permission_name = 'Alter any endpoint' If any rows are returned, run the following query, substituting the principal_id with those returned in the previous query. 2. Select * from sys.server_principals where type = 'R' and principal_id =
If any role has 'Grant', 'With Grant', or 'Deny' privileges to the 'Alter any endpoint' permission and the user is not authorized to have the permission, this is a finding.

1. If any rows are returned, run the following query, substituting the principal_id with those returned in the previous query. 2. If any role has 'Grant', 'With Grant', or 'Deny' privileges to the 'Alter any endpoint' permission and the user is not authorized to have the permission, this is a finding.

SQL Server must enforce access control policies to restrict the 'Alter any server role' permission to only authorized roles.

Obtain the list of roles that are authorized for the SQL Server 'Alter any server role' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: 1. Select * from sys.server_permissions where permission_name = 'Alter any server role' 2. Select * from sys.server_principals where type = 'R' and principal_id =

1. If any rows are returned, run the following query, substituting the principal_id with those returned in the previous query. 2. If any role has 'Grant', 'With Grant', or 'Deny' privileges to the 'Alter any server role' permission and the user is not authorized to have the permission, this is a finding.
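As an added example that is not part of the SCSEM, the following T-SQL folds the two-query procedure repeated for each permission above into one pass over the six server-level permissions this page reviews. It joins sys.server_permissions to sys.server_principals on grantee_principal_id (the column step 1 returns and step 2 substitutes), shows the GRANT / GRANT WITH GRANT OPTION / DENY state, and goes one step beyond the SCSEM by expanding sys.server_role_members so the reviewer can see which logins inherit each permission through those roles.

```sql
-- Added example, not part of the SCSEM: one query covering the six
-- server-level permissions this page reviews one at a time. The roles
-- returned must be compared against the organization's authorized list;
-- any role not on that list is a finding.

-- sys.server_permissions stores permission names in upper case, so the
-- names are listed that way and compared through UPPER().
DECLARE @reviewed TABLE (permission_name nvarchar(128) NOT NULL PRIMARY KEY);
INSERT INTO @reviewed (permission_name)
VALUES (N'AUTHENTICATE SERVER'),
       (N'ALTER SERVER STATE'),
       (N'ALTER ANY EVENT SESSION'),
       (N'ALTER ANY EVENT NOTIFICATION'),
       (N'ALTER ANY ENDPOINT'),
       (N'ALTER ANY SERVER ROLE');

-- Steps 1 and 2 of the procedure joined: which server roles (type 'R')
-- hold each reviewed permission, and in which state.
SELECT r.permission_name,
       pr.name         AS role_name,
       perm.state_desc AS permission_state  -- GRANT, GRANT_WITH_GRANT_OPTION or DENY
FROM sys.server_permissions AS perm
JOIN @reviewed AS r
  ON UPPER(perm.permission_name) = r.permission_name
JOIN sys.server_principals AS pr
  ON pr.principal_id = perm.grantee_principal_id
WHERE pr.type = 'R'
ORDER BY r.permission_name, pr.name;

-- Beyond the SCSEM: the logins and Windows groups that inherit each reviewed
-- permission through membership in those roles, plus direct grants to
-- individual logins (types 'S', 'U', 'G'), since a least-privilege review
-- has to see both paths. Only one level of role nesting is expanded.
SELECT r.permission_name,
       perm.state_desc   AS permission_state,
       grantee.name      AS granted_to,
       grantee.type_desc AS granted_to_type,
       member.name       AS effective_principal,
       member.type_desc  AS effective_principal_type
FROM sys.server_permissions AS perm
JOIN @reviewed AS r
  ON UPPER(perm.permission_name) = r.permission_name
JOIN sys.server_principals AS grantee
  ON grantee.principal_id = perm.grantee_principal_id
LEFT JOIN sys.server_role_members AS rm
  ON rm.role_principal_id = grantee.principal_id   -- only roles have members
LEFT JOIN sys.server_principals AS member
  ON member.principal_id = rm.member_principal_id
ORDER BY r.permission_name, grantee.name, member.name;
```

Members of fixed server roles such as sysadmin, and any principal holding CONTROL SERVER, have these permissions implicitly and do not appear in sys.server_permissions under these names; review them separately.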
Run the following command: SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Remote admin connections';

Run the following command: SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Scan for startup procs';

Run the following command: SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'SQL Mail XPs';

Run the following command: SELECT name FROM sys.databases WHERE is_trustworthy_on = 1 AND name != 'msdb' AND state = 0;

Verify that SQL Server processes or services run under custom, dedicated OS accounts. Separation of duties is a prevalent Information Technology control that is implemented at different layers of the information system, including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires that the person accountable for approving an action is not the same person who is tasked with implementing or carrying out that action. The DBMS must run under a custom, dedicated OS account. When the DBMS is running under a shared account, users with access to that account could inadvertently or maliciously make changes to the DBMS's settings, files, or permissions.

1. UNIQUE CUSTOM ACCOUNT refers to an account to which no other service listed in the services.msc window is assigned. If any service that requires a unique custom account runs under an account that any other service utilizes (regardless of service status), this is a finding.

Check OS settings to determine whether SQL Server processes are running under a dedicated OS account. If the SQL Server processes are running under shared accounts, this is a finding. 1. From a Command Prompt, type services.msc and press [ENTER]. Scroll down to the SQL Server Services. SQL Server Services begin with "SQL". Verify that all SQL related services have their own UNIQUE CUSTOM ACCOUNT.

Interview the DBA and ask them to verify that SQL Server is monitored to discover unauthorized changes to functions.

Interview the DBA and ask them to verify that SQL Server is monitored to discover unauthorized changes to triggers.

If a timed job or some other method is not implemented to check for Stored Procedures being modified, this is a finding.

If a timed job or some other method is not implemented to check for triggers being modified, this is a finding.

If a timed job or some other method is not implemented to check for Functions being modified, this is a finding.

SI-4 Information System Monitoring

Verify that SQL Server is monitored to discover unauthorized changes to functions. When dealing with change control issues, it should be noted any changes to the hardware, software, an

Verify that SQL Server is monitored to discover unauthorized changes to triggers.

Verify that SQL Server is monitored to discover unauthorized changes to stored procedures.

Server 2012 database to receive, store, process or transmit Federal Tax Information (FTI).
First Draft

DISA Microsoft SQL Server 2012 Database STIG v0.2.0 Draft (August 2013)

DISA Microsoft SQL Server 2012 Instance STIG v0.2.0 Draft (August 2013)

SQL12-01 SQL12-04 SQL12-05 SQL12-06 SQL12-07 SQL12-08 SQL12-09 SQL12-10 SQL12-11 SQL12-12 SQL12-13 SQL12-14 SQL12-15 SQL12-16 SQL12-17 SQL12-18 SQL12-19 SQL12-20 SQL12-21 SQL12-22 SQL12-23 SQL12-24 SQL12-25 SQL12-26 SQL12-27 SQL12-28 SQL12-29 SQL12-30 SQL12-31 SQL12-32 SQL12-33 SQL12-34 SQL12-37 SQL12-38 SQL12-40 SQL12-41 SQL12-42 SQL12-43 SQL12-44 SQL12-45 SQL12-46 SQL12-47 SQL12-48 SQL12-49 SQL12-50 SQL12-51 SQL12-52 SQL12-53 SQL12-54 SQL12-55 SQL12-56 SQL12-57 SQL12-59 SQL12-60 SQL12-61 SQL12-62 SQL12-63 SQL12-64 SQL12-65 SQL12-66 SQL12-67 SQL12-68 SQL12-69 SQL12-70 SQL12-74 SQL12-79 SQL12-80 SQL12-81 SQL12-82 SQL12-83 SQL12-84 SQL12-85 SQL12-86 SQL12-87 SQL12-88 SQL12-89 SQL12-90 SQL12-91 SQL12-92 SQL12-93 SQL12-94

SCSEM Subject: Microsoft SQL Server 2012

Please submit SCSEM feedback and suggestions to SafeguardReports@IRS.gov

Obtain SCSEM updates online at http://www.irs.gov/uac/Safeguards-Program

Interview the DBA and ask them to verify that SQL Server is monitored to discover unauthorized changes to stored procedures. This requirement is contingent upon the language in which the application is programmed, as many application architectures in use today incorporate their software libraries into, and make them inseparable from, their compiled distributions, rendering them static and version dependent. However, this requirement does apply to applications with software libraries accessible and configurable as in the case of interpreted languages. Accordingly, only qualified and authorized individuals shall be allowed to obtain access to SQL Server components for purposes of initiating changes, including upgrades and modifications.

IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies (January 2014)

1.
Interview the DB administrator and review DB configurations to determine if there is a session termination after no more than 30 minutes of inactivity.

1. The DB system terminates a session if there is a period of inactivity of no more than 30 minutes.

1. Personnel who review and clear audit logs are separate from personnel that perform non-audit administration.

Verify that audit trails are reviewed at a minimum weekly for anomalies (i.e. standard operations, unauthorized access attempts, etc.). Exceptions and violations are properly analyzed and appropriate actions are taken. 1. Interview the DBA and ask for the system documentation that states how often audit logs are reviewed. Also, determine when the last audit logs were reviewed. 2. Examine reports that demonstrate monitoring of security violations, such as unauthorized user access.

1. The DB Administrator can provide system documentation identifying how often the auditing logs are reviewed. 2. The audit trail is reviewed weekly or more frequently at the discretion of the information system owner for indications of unusual activity related to potential unauthorized FTI access.

1. "Enforce password history" is set to 24 or more.

This procedure should be performed by the system administrator. All database accounts must be checked. -Open the Group Policy Object Editor for the appropriate GPO. -Expand Computer Configuration. -Expand Windows Settings. -Expand Security Settings. -Expand Account Policies. -Select Password Policy. 1. Verify that "Enforce password history" is set to 24 or more.

SA-22 Unsupported System Components

SCSEM Version: 1.1

Verify that support for the installed version has not expired. Each organization responsible for the management of a database shall ensure that unsupported DBMS software is removed or upgraded to a supported version prior to a vendor dropping support. The DBA shall request upgrade, through procurement, immediately upon notification of a MS SQL Server expiration date that is within the six-month window.

-Visit the link below: http://support.microsoft.com/lifecycle/search/ 1. Search for the appropriate version of SQL Server and verify that support for it will not expire within six months. T-SQL: 1. Enter the following statement: select serverproperty('ProductVersion') -Verify that the version is supported. Enterprise Manager: 1. Right-click the server, and then click Properties. -Click the General tab. -Verify that the version is supported.

1. Support for the installed version has not expired. Note: If this is a fail then the remainder of the SCSEM does not need to be populated.

Verify that system patch levels are up-to-date to address new vulnerabilities.

1. Refer to the vendor's support website and cross reference the latest security patch update with the system's current patch level. T-SQL: Enter the following statement: SELECT SERVERPROPERTY('ProductLevel') as SP_installed, SERVERPROPERTY('ProductVersion') as Version; The first column returns the installed Service Pack level, the second is the exact build number. Note: This test requires the tester to research the current vendor supplied patch level. The most recent SQL Server patches can be found here: Hotfixes and Cumulative updates: http://blogs.msdn.com/b/sqlreleaseservices/

The latest security patches are installed.

Run the following command to verify that the 'Default Trace Enabled' configuration is enabled: SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Default trace enabled';

1. Open SQL Server Management Studio. 2. Open Object Explorer and connect to the target instance. 3. Navigate to the Management tab in Object Explorer and expand it. Right click on the SQL Server Logs file and select Configure. 4.
Verify the "Limit the number of error log files before they are recycled" checkbox is checked. 5. Verify the Maximum number of error log files is greater than or equal to 12.

Both value columns must show 0.

Verify that SQL Server uses Windows Authentication to validate attempted connections. Windows provides a more robust authentication mechanism than SQL Server authentication.

T-SQL: xp_loginconfig 'login mode'; Management Studio: N/A

T-SQL: A config_value of Windows NT Authentication indicates the Server Authentication property is set to Windows Authentication mode. Enterprise Manager: N/A

Note: Default Value is: Windows Authentication Mode

T-SQL: Repeat the following for each server. -Enter the following statement: use master select sysobjects.name, sysusers.name, sysprotects.action from sysprotects inner join sysobjects on sysobjects.id = sysprotects.id inner join sysusers on sysusers.uid = sysprotects.uid where (sysobjects.type = 'X') and (sysobjects.uid < 5) and (sysprotects.protecttype <> 206) 1. For each row returned, verify that the value for name is not "public". Management Studio: Repeat the following for each server. -Expand the server. -Expand Databases. -Expand the master database. -Expand Programmability. -Expand Extended Stored Procedures. -Expand System Extended Stored Procedures. -For each procedure, verify the following: -Right-click on the procedure name and click Properties. -Select the Permissions page. -Under "Users or roles:", see if "public" exists. If it does, verify that Deny is checked.

CIS Microsoft SQL Server 2012 Database v1.1.0 - 09-07-2014

STIG ID: SQL2-00-001600 Rule ID: SV-53789r2_rule Vuln ID: V-41307
STIG ID: SQL2-00-003400 Rule ID: SV-53774r1_rule Vuln ID: V-41292
AC-17 Remote Access
STIG ID: SQL2-00-001900 Rule ID: SV-53788r2_rule Vuln ID: V-41306
STIG ID: SQL2-00-001300 Rule ID: SV-53791r1_rule Vuln ID: V-41309

SQL12-02 SQL12-03 SQL12-35 SQL12-36 SQL12-39 SQL12-58 SQL12-71 SQL12-72

Verify that the sample databases have been removed. Microsoft SQL Server ships with sample databases. These databases contain many default permissions that do not conform to policy. Additionally, sample items can be used as an entry point into systems. The DBA shall ensure that the sample databases are removed.

T-SQL: Repeat the following for each server. -Enter the following statement: use master SELECT name from sysdatabases where name like 'AdventureWorks%' SELECT name from sysdatabases where name like 'Northwind%' 1. Verify that none of the following databases exist: - Northwind - AdventureWorks Management Studio: Repeat the following for each server. -Expand the server. -Expand Databases. 1. Verify that none of the following databases exist: - Northwind - AdventureWorks

T-SQL: 1. None of the following databases exist: - Northwind - AdventureWorks Enterprise Manager: 1. None of the following databases exist: - Northwind - AdventureWorks

From a Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc and pressing [ENTER]. Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties. 1. Verify that on the Flags tab the value for ForceEncryption is "Yes".

SQL12-73 SQL12-75 SQL12-76 SQL12-77 SQL12-78

Second Draft

SCSEM Release Date: September 8, 2014

MP-3 Media Marking

AU-5 Response To Audit Processing Failures
Title: IRS Office of Safeguards SCSEM. Subject: IT Security Compliance Evaluation. Company: Booz Allen Hamilton. Keywords: usgcb, stig, pub1075. Worksheets: Dashboard, Results, Instructions, Test Cases, Appendix, Change Log.

The IRS strongly recommends agencies test all SCSEM settings in a development or test environment prior to deployment in production. In some cases a security setting may impact a system's functionality and usability. Consequently, it is important to perform testing to determine the impact on system security, functionality, and usability. Ideally, the test system configuration should match the production system configuration. Prior to making changes to the production system, agencies should back up all critical data files on the system and, if possible, make a full backup of the system to ensure it can be restored to its pre-SCSEM state if necessary.