
The SQL Server services should not be assigned excessive user rights.


Overview

Finding ID: V-15169
Version: DM0928-SQLServer9
Rule ID: SV-25435r1_rule
IA Controls: DCFA-1
Severity: Medium
Description
Excessive or unneeded privileges allow for unauthorized actions. When application vulnerabilities are exploited, excessive privileges assigned to the application can lead to unnecessary risk to the host system and other services.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-20378r1_chk)
Check User Rights (may be assigned using group privileges):

1. Click Start
2. Select Control Panel \ Administrative Tools (Win2K) or select Administrative Tools (Win2K3)
3. Click Local Security Policy
4. Expand Local Policies
5. Select User Rights Assignment

View the Security Settings to see user rights assigned to the service account or group.

If any user rights are assigned to the service account other than the following, this is a Finding.

If any services listed below do not exist, then do not include them in the review:

1. Analysis Server: Log on as a service
2. Report Server: Log on as a service
3. Integration Services:
   a. Log on as a service
   b. Permission to write to application event log
   c. Bypass traverse checking
   d. Create global objects
   e. Impersonate a client after authentication
4. Full-Text Search: Log on as a service
5. SQL Server Browser: Log on as a service

If clustering is being used, assignment of "Debug Programs" user right to the account either directly or through an assigned group may be required and is authorized. Ensure this is documented in the System Security Plan.
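
The manual check above can also be run against an export of the User Rights Assignment policy. The following is an added example, not part of the STIG: the function name, the SID, the group name SQLSvcGroup and the sample export lines are constructed, and the service account's group memberships must be supplied by the reviewer.

```powershell
# Added example, not part of the STIG. SIDs, names and sample lines are constructed.
# Rights from the check text, as the constant names used in a secedit export.
# "Permission to write to application event log" is not evaluated by this script.
$logon = 'SeServiceLogonRight'                   # Log on as a service
$allowedByService = @{
    Analysis    = @($logon)
    Report      = @($logon)
    Integration = @($logon,
                    'SeChangeNotifyPrivilege',   # Bypass traverse checking
                    'SeCreateGlobalPrivilege',   # Create global objects
                    'SeImpersonatePrivilege')    # Impersonate a client after authentication
    FullText    = @($logon)
    Browser     = @($logon)
}

function Find-ExcessiveUserRight {
    param(
        [string[]]$InfLine,      # lines of the exported [Privilege Rights] section
        [string[]]$Principal,    # SIDs or names of the service account and its groups
        [string]$Service,        # key of $allowedByService
        [switch]$Clustered       # Debug Programs authorized and documented in the SSP
    )
    $allowed = @($allowedByService[$Service])
    if ($Clustered) { $allowed += 'SeDebugPrivilege' }    # Debug programs
    foreach ($line in $InfLine) {
        if ($line -match '^(Se\w+)\s*=\s*(.+)$') {
            $right = $Matches[1]
            # The export lists holders comma-separated, as *SID or as a plain name.
            $holders = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
            $hit = @($holders | Where-Object { $Principal -contains $_ })
            if (($hit.Count -gt 0) -and ($allowed -notcontains $right)) {
                [pscustomobject]@{ Right = $right; AssignedTo = ($hit -join ', ') }
            }
        }
    }
}

# Constructed sample. For a live check (elevated prompt), replace it with:
#   secedit.exe /export /cfg "$env:TEMP\ur.inf" /areas USER_RIGHTS
#   $export = Get-Content "$env:TEMP\ur.inf"
$svc = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # constructed account SID
$export = @(
    '[Privilege Rights]',
    "SeServiceLogonRight = *S-1-5-20,*$svc",
    "SeDebugPrivilege = *S-1-5-32-544,*$svc",
    "SeBackupPrivilege = *S-1-5-32-544,SQLSvcGroup"
)
Find-ExcessiveUserRight -InfLine $export -Principal $svc, 'SQLSvcGroup' -Service Analysis
```

Each row returned is a right held by the account or one of its groups beyond the list for that service; pass -Clustered only where the Debug Programs assignment is documented in the System Security Plan.
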
Fix Text (F-23511r1_fix)
Create local custom accounts for the SQL Server Analysis, Reporting, Full Text Search, and Browser service accounts. A domain account may be used where network resources are required. See SQL Server Books Online for more detailed information.

Assign the service account to the SQL Server service group (created at installation for the service accounts for SQL Server 2005/2008) if available.

Assign the service account or group the user privileges as listed in the Check procedures.