UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Only authorized users should be assigned permissions to SQL Server Agent proxies.


Overview

Finding ID Version Rule ID IA Controls Severity
V-15125 DM6045-SQLServer9 SV-23851r2_rule ECAN-1 Medium
Description
Database accounts granted access to SQL Server Agent proxies are granted permissions to create and submit specific function job steps to be executed by SQL Server Agent. Unauthorized users may use access to proxies to execute unauthorized functions against the SQL Server instance or host operating system.
STIG Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide 2015-06-16

Details

Check Text ( C-13789r2_chk )
Note: Access to ActiveScripting and CmdExec proxies is covered in check DM3763

From the query prompt:

USE msdb
EXEC SP_ENUM_PROXY_FOR_SUBSYSTEM

If no records are returned, this is Not a Finding.

For each proxy listed that is not for CmdExec or ActiveScripting subsystems (checked under DM3763):

From the query prompt:

EXEC SP_ENUM_LOGIN_FOR_PROXY @proxy_name = '[proxy name]'

Replace [proxy name] with the proxy name returned above.

Review the names listed in the return.

Verify in the System Security Plan that any accounts or groups listed are authorized to access the proxy listed. If any are not, this is a Finding.
Fix Text (F-14809r1_fix)
Note: SYSADMINs have access to all proxies by default.

For each user or group granted unauthorized access to a proxy (select based on returns from the SP_ENUM_PROXY_FOR_SUBSYSTEM results):

From the query prompt:

EXEC SP_REVOKE_LOGIN_FROM_PROXY '[login name]' @proxy_name = '[proxy name]'

Replace [proxy name] with the name of the proxy and replace [login name] with the name returned in the SP_ENUM_PROXY_FOR_SUBSYSTEM procedure.