
The Integration Services service account should not be assigned excess host system privileges.


Overview

Finding ID: V-15134
Version: DM0929-SQLServer9
Rule ID: SV-25436r1_rule
IA Controls: DCFA-1
Severity: Medium
Description
Excess privileges unnecessarily increase exposure to a successful attack. If the Integration Service is compromised, the attacker can use the privileges assigned to the service account. Administrative and other unnecessary privileges assigned to the service account can be used for an attack on the host system and/or SQL Server database.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-13780r1_chk)
Check User Rights (may be assigned using group privileges):

1. Click Start
2. Select Control Panel \ Administrative Tools (Win2K) or Select Administrative Tools (Win2K3)
3. Click Local Security Policy
4. Expand Local Policies
5. Select User Rights Assignment

View the Security Settings to see user rights assigned to the service account or group.

For SQL Server Integration Services service account:

If any user rights are assigned to the service account other than the following, this is a Finding:

1. Log on as a service (SeServiceLogonRight)
2. Permission to write to application event log
3. Bypass traverse checking (SeChangeNotifyPrivilege)
4. Create global objects (SeCreateGlobalPrivilege)
5. Impersonate a client after authentication (SeImpersonatePrivilege)

If clustering is being used, assignment of "Debug Programs" user right to the account either directly or through an assigned group may be required and is authorized. Ensure this is documented in the System Security Plan.
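
The same check can be run against an exported copy of the policy instead of the Local Security Policy console. The script below is an added example, not part of the STIG: it parses the [Privilege Rights] section of a secedit export and reports any right held by the service account, or by a group it belongs to, that is outside the list above. The account name svc_ssis and the sample export are constructed; the auditor supplies the account and its groups by name or SID.

```python
# Produce the input on the host with (the exported file is UTF-16):
#   secedit /export /cfg rights.inf /areas USER_RIGHTS

# User rights the check permits. "Permission to write to application event log"
# is not a user right and never appears in the export, so it is not listed.
ALLOWED = {"SeServiceLogonRight", "SeChangeNotifyPrivilege",
           "SeCreateGlobalPrivilege", "SeImpersonatePrivilege"}
CLUSTER_EXTRA = {"SeDebugPrivilege"}  # "Debug Programs", authorized with clustering

# Constructed sample export; svc_ssis is a hypothetical service account name.
SAMPLE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = svc_ssis,*S-1-5-20
SeChangeNotifyPrivilege = *S-1-1-0,svc_ssis
SeImpersonatePrivilege = svc_ssis,*S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544,svc_ssis
SeBackupPrivilege = *S-1-5-32-544
SeTcbPrivilege = svc_ssis
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {right: set of holders} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = {h.strip().lstrip("*").lower()
                                    for h in holders.split(",") if h.strip()}
    return rights


def excess_rights(inf_text, principals, clustered=False):
    """Rights held by the account or its groups beyond the permitted set."""
    wanted = {p.strip().lstrip("*").lower() for p in principals}
    allowed = ALLOWED | (CLUSTER_EXTRA if clustered else set())
    return sorted(right for right, holders in parse_privilege_rights(inf_text).items()
                  if holders & wanted and right not in allowed)


if __name__ == "__main__":
    print(excess_rights(SAMPLE, ["svc_ssis"]))
```

Any right returned is a Finding under this check. Pass clustered=True only where the "Debug Programs" assignment is documented in the System Security Plan.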
Fix Text (F-14801r1_fix)
Assign the Network Services Account the privileges as listed in the Check procedures where authorized by the System Administrator. Confirm that removal of any user rights from the Network Services Account does not conflict with OS or Application STIG requirements or affect operation of the DBMS server.

Document any changes made in the System Security Plan.