
The SQL Server Agent service account should not be assigned excess user rights.


Overview

Finding ID: V-15155
Version: DM0933-SQLServer9
Rule ID: SV-25439r1_rule
IA Controls: DCFA-1
Severity: Medium
Description
Excess privileges unnecessarily increase exposure to a successful attack. If the SQL Server Agent service is compromised, the attacker can use the privileges assigned to the service account. Administrative and other unnecessary privileges assigned to the service account can be used to attack the host system and/or the SQL Server database.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-23664r1_chk)
Check User Rights (may be assigned using group privileges):

1. Click Start
2. Select Control Panel \ Administrative Tools (Win2K) or select Administrative Tools (Win2K3)
3. Click Local Security Policy
4. Expand Local Policies
5. Select User Rights Assignment

View the Security Settings to see user rights assigned to the service account or group.

For SQL Server Agent service account:

If any user rights are assigned to the service account other than the following, this is a Finding:

1. Log on as a service (SeServiceLogonRight)
2. Act as part of the operating system (SeTcbPrivilege) (Win2K only)
3. Log on as a batch job (SeBatchLogonRight)
4. Replace a process-level token (SeAssignPrimaryTokenPrivilege)
5. Bypass traverse checking (SeChangeNotifyPrivilege)
6. Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)

If clustering is being used, assignment of the "Debug Programs" user right to the account, either directly or through an assigned group, may be required and is authorized. Ensure this is documented in the System Security Plan.
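
The check above, automated as an added example (not part of the STIG or of any Microsoft tool): it parses the [Privilege Rights] section of a policy export, assumed to come from `secedit /export /cfg rights.inf /areas USER_RIGHTS`, and reports rights held by the service account or its groups that fall outside the list. The function names, the sample export and its SIDs are constructed for illustration.

```python
# Added example: audit a secedit USER_RIGHTS export against the check's allow-list.
ALLOWED = {
    "SeServiceLogonRight",            # Log on as a service
    "SeBatchLogonRight",              # Log on as a batch job
    "SeAssignPrimaryTokenPrivilege",  # Replace a process-level token
    "SeChangeNotifyPrivilege",        # Bypass traverse checking
    "SeIncreaseQuotaPrivilege",       # Adjust memory quotas for a process
}

def parse_privilege_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, members = line.partition("=")
            rights[name.strip()] = {m.strip().lstrip("*").lower()
                                    for m in members.split(",") if m.strip()}
    return rights

def excess_rights(inf_text, principals, win2k=False, clustered=False):
    """Rights held by any of `principals` (account plus its groups) that the check does not allow."""
    allowed = set(ALLOWED)
    if win2k:
        allowed.add("SeTcbPrivilege")     # Act as part of the operating system (Win2K only)
    if clustered:
        allowed.add("SeDebugPrivilege")   # Debug Programs; must be documented in the SSP
    wanted = {p.lstrip("*").lower() for p in principals}
    return sorted(right for right, members in parse_privilege_rights(inf_text).items()
                  if members & wanted and right not in allowed)

# Constructed sample export; the SIDs and the account are made up for illustration.
SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1005
SeBatchLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1005
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1005
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1005
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
Revision=1
"""
AGENT = "S-1-5-21-1111111111-2222222222-3333333333-1005"  # constructed service-account SID
if __name__ == "__main__":
    print(excess_rights(SAMPLE, [AGENT]))
```

secedit lists principals as SIDs prefixed with `*`, so pass the SID of the service account and of every group it belongs to; the exported file is UTF-16, so decode it accordingly when reading it.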
Fix Text (F-23515r1_fix)
Create a local custom account for the SQL Server Agent service account. A domain account may be used where network resources are required. See SQL Server Books Online for more detailed information.

Assign the account to the SQL Server Agent group (created at installation for SQL Server 2005), if available.

Assign to the SQL Server Agent account or group the user privileges listed in the Check procedure.