
Only authorized users should be assigned permissions to SQL Server Agent proxies.


Overview

Finding ID: V-15125
Version: DM6045-SQLServer9
Rule ID: SV-23851r2_rule
IA Controls: ECAN-1
Severity: Medium
Description
Database accounts granted access to SQL Server Agent proxies are granted permissions to create and submit specific function job steps to be executed by SQL Server Agent. Unauthorized users may use access to proxies to execute unauthorized functions against the SQL Server instance or host operating system.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-13789r2_chk)
Note: Access to ActiveScripting and CmdExec proxies is covered in check DM3763.

From the query prompt:

USE msdb
EXEC SP_ENUM_PROXY_FOR_SUBSYSTEM

If no records are returned, this is Not a Finding.

For each proxy listed that is not for CmdExec or ActiveScripting subsystems (checked under DM3763):

From the query prompt:

EXEC SP_ENUM_LOGIN_FOR_PROXY @proxy_name = '[proxy name]'

Replace [proxy name] with the proxy name returned above.

Review the names listed in the return.

Verify in the System Security Plan that any accounts or groups listed are authorized to access the proxy listed. If any are not, this is a Finding.
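
The check above runs one procedure call per proxy. The following query is an added example, not part of the STIG text, that produces the same review list in one result set. It assumes the reviewer can read the msdb catalog tables sysproxies, sysproxysubsystem, syssubsystems and sysproxylogin and the server principal metadata; those table names and the output column aliases do not appear in the check text.

```sql
-- Added example (not STIG text): proxies outside CmdExec/ActiveScripting
-- and every principal granted access, for comparison with the
-- System Security Plan.
-- Assumption: run by an account that can read the msdb catalog tables and
-- see all server principals.
USE msdb;

SELECT
    p.name      AS proxy_name,
    p.enabled   AS proxy_enabled,
    s.subsystem AS subsystem_name,
    CASE pl.flags                       -- grant type recorded in sysproxylogin
        WHEN 0 THEN 'login'
        WHEN 1 THEN 'fixed server role'
        WHEN 2 THEN 'msdb database role'
    END         AS principal_type,
    COALESCE(sp.name, dp.name) AS principal_name,
    pl.sid      AS principal_sid
FROM dbo.sysproxies AS p
JOIN dbo.sysproxysubsystem AS ps
    ON ps.proxy_id = p.proxy_id
JOIN dbo.syssubsystems AS s
    ON s.subsystem_id = ps.subsystem_id
-- LEFT JOIN keeps proxies that have no explicit grants. Those rows show a
-- NULL principal_type; sysadmin members can still use them by default.
LEFT JOIN dbo.sysproxylogin AS pl
    ON pl.proxy_id = p.proxy_id
-- Logins and fixed server roles resolve against server principals.
LEFT JOIN sys.server_principals AS sp
    ON pl.flags IN (0, 1) AND sp.sid = pl.sid
-- msdb database roles resolve against msdb database principals.
LEFT JOIN sys.database_principals AS dp
    ON pl.flags = 2 AND dp.sid = pl.sid
-- CmdExec and ActiveScripting proxies are reviewed under DM3763.
-- UPPER() keeps the filter correct on case-sensitive collations.
WHERE UPPER(s.subsystem) NOT IN (N'CMDEXEC', N'ACTIVESCRIPTING')
ORDER BY p.name, s.subsystem, principal_name;
```

A row with a principal_sid but a NULL principal_name is a grant whose login or role no longer resolves; review it along with the named principals.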
Fix Text (F-14809r1_fix)
Note: SYSADMINs have access to all proxies by default.

For each user or group granted unauthorized access to a proxy (select based on returns from the SP_ENUM_PROXY_FOR_SUBSYSTEM results):

From the query prompt:

EXEC SP_REVOKE_LOGIN_FROM_PROXY @name = '[login name]', @proxy_name = '[proxy name]'

Replace [proxy name] with the name of the proxy and replace [login name] with the name returned in the SP_ENUM_PROXY_FOR_SUBSYSTEM procedure.