DBMS processes or services should run under custom, dedicated OS accounts.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-15141 | DG0102-SQLServer9 | SV-24263r1_rule | DCFA-1 | Medium |
| Description |
|---|
| Shared accounts do not provide separation of duties nor allow for assignment of least privileges for use by database processes and services. Without separation and least privilege, the exploit of one service or process is more likely to be able to compromise another or all other services. |
| STIG | Date |
|---|---|
| Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Details
| Check Text ( C-23574r1_chk ) |
|---|
| Note: The SQL Server Service is covered in Check DG0101. View the service account properties for the SQL Server services. 1. Select Start / Administrative Tools / Services 2. View Properties / Log On for the following services: a. SQL Server Agent ([Instance Name]) b. SQL Server Analysis Services ([Instance Name]) c. SQL Server Browser ([Instance Name]) d. SQL Server FullText Search ([Instance Name]) e. SQL Server Reporting Services ([Instance Name]) 3. View Properties / Log on for the following services: a. SQL Server Active Directory Helper (Log On As Network Service) b. SQL Server Integration Services (Log On As Network Service) c. SQL Server VSS Writer (Log On As Local System) Not all of these services may exist. If some services do not exist, checks for these services are Not a Finding. If the listed services do not use a custom account (with exception to 3a – 3c above), this is a Finding. If any of the services uses a domain user account, then review the requirement for the domain user account. If the service does not require interaction with network or domain resources, this is a Finding. Note: Use of a local user account is recommended unless domain or network resources are accessed by the service. Review user rights assigned to the SQL Server service accounts. User rights may also be assigned to the service accounts via Windows groups and group policies: 1. Select Start / Run 2. Type: gpedit.msc (enter) 3. Under Group Policy Editor: a. Expand Local Computer Policy b. Expand Computer Configuration c. Expand Windows Settings d. Expand Security Settings e. Expand Local Properties f. Select User Rights Assignment g. Locate the Policies under each listed service h. Confirm the Security Setting for each policy contains the custom account assigned to the service i. Log on as a service 1. SQL Server Agent 2. SQL Server Analysis Services 3. SQL Server Browser 4. SQL Server FullText Search 5. SQL Server Reporting Services 6. SQL Server Active Directory Helper 7. SQL Server Integration Services 8. SQL Server VSS Writer ii. Act as part of the Operating System 1. SQL Server Agent iii. Log on as a batch job 1. SQL Server Agent iv. Bypass traverse checking 1. SQL Server Agent 2. SQL Server Integration Services v. Replace a process-level token 1. SQL Server Agent vi. Adjust memory quotas for a process 1. SQL Server Agent vii. Create global objects 1. SQL Server Integration Services viii. Impersonate a client after authentication 1. SQL Server Integration Services i. Exit Group Policy Editor If any user rights other than those listed above are assigned to the service accounts, this is a Finding. |
| Fix Text (F-25727r1_fix) |
|---|
| Create and assign custom local or domain user accounts to the SQL Server service accounts. Disable any services and service accounts not required for operation. Assign only required user rights to the custom service accounts. Document in the System Security Plan. |