Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15169 | DM0928-SQLServer9 | SV-25435r1_rule | DCFA-1 | Medium |
Description |
---|
Excessive or unneeded privileges allow for unauthorized actions. When application vulnerabilities are exploited, excessive privileges assigned to the application can lead to unnecessary risk to the host system and other services. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-04-03 |
Check Text ( C-20378r1_chk ) |
---|
Check User Rights (may be assigned using group privileges): 1. Click Start 2. Select Control Panel \ Administrative Tools (Win2K) or Select Administrative Tools (Win2K3) 3. Click Local Security Policy 4. Expand Local Policies 5. Select User Rights Assignment View the Security Settings to see user rights assigned to the service account or group. If any user rights are assigned to the service account other than the following, this is a Finding. If any services listed below do not exist, then do not include them in the review: 1. Analysis Server: Log on as a service 2. Report Server: Log on as a service 3. Integration Services: a. Log on as a service b. Permission to write to application event log c. Bypass traverse checking d. Create global objects e. Impersonate a client after authentication 4. Full-Text Search: Log on as a Service 5. SQL Server Browser: Log on as a Service If clustering is being used, assignment of "Debug Programs" user right to the account either directly or through an assigned group may be required and is authorized. Ensure this is documented in the System Security Plan. |
Fix Text (F-23511r1_fix) |
---|
Create local custom accounts for the SQL Server Analysis, Reporting, Full Text Search, and Browser service accounts. A domain account may be used where network resources are required. Please see SQL Server Books Online for information that is more detailed. Assign the service account to the SQL Server service group (created at installation for the service accounts for SQL Server 2005/2008) if available. Assign the service account or group the user privileges as listed in the Check procedures. |