• jasona.work (5/5/2015)


    Bloody heck I hate dealing with DISA STIGs!

    I'm also surprised that (in my quick Googling) there aren't more discussions / blog posts / articles around the web on applying and interpreting them. And frankly, that's what it comes down to: the interpretation of the wording of the STIG.

    Some are fairly straightforward to understand ("no login should have the CONNECT SQL privilege directly granted," or "no privileges with GRANT WITH GRANT"); others, well, not so clear.

    Making it worse, of course, is that you have multiple, competing interpretations:

    1. The DBA trying to apply the STIG

    2. The security team's interpretation

    3. DISA's interpretation

    Quite often with #2 and #3 being done by non-technical people.

    Anyone want to see if we can get Steve to spin up a sub-forum just for discussing SQL STIGs?

    😉

    And unfortunately the interpretation by #1 is overruled by the interpretation made by #2 and #3. Leave it to #2 and #3 to fight it out amongst themselves.
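Added example, not part of jasona.work's post: the two "straightforward" STIG items quoted above (CONNECT SQL granted directly to a login, and any permission held WITH GRANT OPTION) can at least be enumerated from the catalog views before anyone argues about interpretation. The queries below assume SQL Server 2008 or later and a session with enough rights to read sys.server_permissions and sys.database_permissions (sysadmin, or VIEW ANY DEFINITION); the filter on principal type and the exclusion of the ## system logins are my assumptions about which principals the check is meant to cover.

```sql
-- Added example (not from the post). Assumes SQL Server 2008+ and a session
-- with sysadmin or VIEW ANY DEFINITION so the catalog views are fully visible.

-- 1. CONNECT SQL granted directly to an individual login (SQL or Windows),
--    as opposed to inherited through a server role or Windows group.
--    Principal type filter and the ##...## exclusion are assumptions.
SELECT sp.name            AS principal_name,
       sp.type_desc       AS principal_type,
       perm.state_desc,
       perm.permission_name
FROM sys.server_permissions AS perm
JOIN sys.server_principals  AS sp
  ON sp.principal_id = perm.grantee_principal_id
WHERE perm.permission_name = N'CONNECT SQL'
  AND perm.state IN ('G', 'W')          -- GRANT / GRANT WITH GRANT OPTION
  AND sp.type IN ('S', 'U')             -- SQL login / Windows login
  AND sp.name NOT LIKE N'##%'           -- certificate-based system logins
ORDER BY sp.name;

-- 2. Any server-level permission held WITH GRANT OPTION (state = 'W').
SELECT sp.name            AS principal_name,
       sp.type_desc       AS principal_type,
       perm.class_desc,
       perm.permission_name,
       perm.state_desc
FROM sys.server_permissions AS perm
JOIN sys.server_principals  AS sp
  ON sp.principal_id = perm.grantee_principal_id
WHERE perm.state = 'W'
ORDER BY sp.name, perm.permission_name;

-- 3. The same WITH GRANT OPTION check at database level. Run it in each
--    database (USE <db>; or wrap it in sp_MSforeachdb).
SELECT dp.name            AS principal_name,
       dp.type_desc       AS principal_type,
       perm.class_desc,
       perm.permission_name,
       perm.state_desc
FROM sys.database_permissions AS perm
JOIN sys.database_principals  AS dp
  ON dp.principal_id = perm.grantee_principal_id
WHERE perm.state = 'W'
ORDER BY dp.name, perm.permission_name;
```

One caveat when reading the first result set: CREATE LOGIN itself records a direct CONNECT SQL grant in sys.server_permissions for the new login, so on an untouched instance query 1 lists essentially every login. That is exactly the kind of output that ends up in front of the security team and DISA for a ruling on what "directly granted" is supposed to mean.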