Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15113 | DM6065-SQLServer9 | SV-23852r2_rule | DCFA-1 | Medium |
Description |
---|
Use of a shared account by replication agents requires that all permissions needed to support each of the separate replication agent roles (snapshot publication, distribution, log reading, merge publication, queue reading, and replication maintenance) be assigned to that one account. This grants the account excess privilege for any specific job task, and an exploit of the single account means a compromise of every replication element the shared account can access. Separation of duties through separate, dedicated accounts reduces the risk to the entire replication implementation. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Check Text ( C-22821r2_chk ) |
---|
From the query prompt, run the query below. If any proxies are not assigned unique credential identities, this is a Finding. |

```sql
-- Lists every SQL Agent proxy mapped to a replication subsystem together with
-- the Windows identity of the credential behind it. Subsystem ids 4 through 8
-- are the replication agents: Snapshot, LogReader, Distribution, Merge, QueueReader.
SELECT c.credential_identity, p.name
FROM [master].sys.credentials c, [msdb].dbo.sysproxies p, [msdb].dbo.sysproxysubsystem s
WHERE c.credential_id = p.credential_id
  AND s.proxy_id = p.proxy_id
  AND s.subsystem_id > 3
  AND s.subsystem_id < 9
ORDER BY c.credential_identity, p.name
```
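The STIG query returns the full proxy list and leaves the reviewer to spot repeated identities by eye. The following T-SQL is an added example (not part of the STIG text) that reuses the same catalog views and returns only the rows that constitute a finding. The second aggregate goes beyond the literal check: the description above expects one dedicated account per replication agent role, so an identity that backs more than one replication subsystem is also reported. An empty result set means no shared identity was found.

```sql
-- Added example: report only credential identities that are shared across
-- replication proxies (the check's criterion) or across replication roles
-- (the separation-of-duties intent in the description). Not STIG text.
SELECT c.credential_identity,
       COUNT(DISTINCT p.proxy_id)     AS proxies_using_identity,
       COUNT(DISTINCT s.subsystem_id) AS replication_roles_using_identity,
       MIN(p.name)                    AS example_proxy
FROM [master].sys.credentials c
     JOIN [msdb].dbo.sysproxies        p ON p.credential_id = c.credential_id
     JOIN [msdb].dbo.sysproxysubsystem s ON s.proxy_id      = p.proxy_id
-- 4 Snapshot, 5 LogReader, 6 Distribution, 7 Merge, 8 QueueReader
WHERE s.subsystem_id BETWEEN 4 AND 8
GROUP BY c.credential_identity
HAVING COUNT(DISTINCT p.proxy_id) > 1          -- one identity behind several proxies
    OR COUNT(DISTINCT s.subsystem_id) > 1      -- one identity serving several agent roles
ORDER BY c.credential_identity;
```

Run it from the same query prompt as the check; any row returned identifies the Windows account that needs to be split into per-role accounts under the Fix Text.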
Fix Text (F-19743r1_fix) |
---|
Create individual Windows accounts for each replication agent. Specify the Windows account created for the replication agent in the Replication Agent Security settings in SQL Server, using the steps below. |

From the SQL Server Management Studio GUI:

1. Expand the instance.
2. Expand Replication.
3. Expand Local Publications.
4. For each Local Publication:
   a. Right-click on the publication.
   b. Select Properties.
   c. Select the Agent Security page.
   d. Click the Security Settings button.
   e. Enter the dedicated Windows account for the Snapshot Agent.
   f. Select Connect to the Publisher - By impersonating the process account.
   g. Click OK.
   h. Click OK.
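The GUI procedure above is the STIG's stated fix. As an added example (not part of the STIG text), the T-SQL below shows the corresponding server-side objects: one credential and one SQL Agent proxy per replication agent role, which is what the check query inspects. Domain account names, credential and proxy names, and the secrets are placeholders to be replaced with the dedicated Windows accounts created for the site; binding each publication's agents to these accounts still follows the fix steps.

```sql
-- Added example, not STIG text. One credential and one proxy per replication
-- agent role, so every replication proxy resolves to a distinct Windows identity.
-- CONTOSO\svc_repl_* accounts and '<placeholder>' secrets are placeholders.
USE master;
GO
CREATE CREDENTIAL ReplSnapshotCred     WITH IDENTITY = N'CONTOSO\svc_repl_snapshot',     SECRET = N'<placeholder>';
CREATE CREDENTIAL ReplLogReaderCred    WITH IDENTITY = N'CONTOSO\svc_repl_logreader',    SECRET = N'<placeholder>';
CREATE CREDENTIAL ReplDistributionCred WITH IDENTITY = N'CONTOSO\svc_repl_distribution', SECRET = N'<placeholder>';
CREATE CREDENTIAL ReplMergeCred        WITH IDENTITY = N'CONTOSO\svc_repl_merge',        SECRET = N'<placeholder>';
CREATE CREDENTIAL ReplQueueReaderCred  WITH IDENTITY = N'CONTOSO\svc_repl_queuereader',  SECRET = N'<placeholder>';
GO

USE msdb;
GO
-- Each proxy is granted exactly one replication subsystem (ids as in the check query).
EXEC dbo.sp_add_proxy @proxy_name = N'ReplSnapshotProxy', @enabled = 1,
     @description = N'Dedicated account for the Snapshot Agent', @credential_name = N'ReplSnapshotCred';
EXEC dbo.sp_grant_proxy_to_subsystem @proxy_name = N'ReplSnapshotProxy', @subsystem_id = 4;     -- Snapshot

EXEC dbo.sp_add_proxy @proxy_name = N'ReplLogReaderProxy', @enabled = 1,
     @description = N'Dedicated account for the Log Reader Agent', @credential_name = N'ReplLogReaderCred';
EXEC dbo.sp_grant_proxy_to_subsystem @proxy_name = N'ReplLogReaderProxy', @subsystem_id = 5;    -- LogReader

EXEC dbo.sp_add_proxy @proxy_name = N'ReplDistributionProxy', @enabled = 1,
     @description = N'Dedicated account for the Distribution Agent', @credential_name = N'ReplDistributionCred';
EXEC dbo.sp_grant_proxy_to_subsystem @proxy_name = N'ReplDistributionProxy', @subsystem_id = 6; -- Distribution

EXEC dbo.sp_add_proxy @proxy_name = N'ReplMergeProxy', @enabled = 1,
     @description = N'Dedicated account for the Merge Agent', @credential_name = N'ReplMergeCred';
EXEC dbo.sp_grant_proxy_to_subsystem @proxy_name = N'ReplMergeProxy', @subsystem_id = 7;        -- Merge

EXEC dbo.sp_add_proxy @proxy_name = N'ReplQueueReaderProxy', @enabled = 1,
     @description = N'Dedicated account for the Queue Reader Agent', @credential_name = N'ReplQueueReaderCred';
EXEC dbo.sp_grant_proxy_to_subsystem @proxy_name = N'ReplQueueReaderProxy', @subsystem_id = 8;  -- QueueReader
GO
```

After this runs, the check query returns one row per proxy, each with its own credential_identity, and each Windows account can be granted only the permissions its single agent role needs.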