
SQL Server services should be assigned least privileges on the SQL Server Windows host.
Overview

Finding ID: V-15170
Version: DM0919-SQLServer9
Rule ID: SV-25420r1_rule
IA Controls: ECPA-1
Severity: Medium
Description
Exploits to SQL Server services may provide access to the host system resources within the security context of the service. Excess privileges assigned to the SQL Services can increase the threat to the host system.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text ( C-1362r1_chk )
View the Windows group memberships assigned to the SQL Server service accounts:

List of services:

1. SQL Server Database
2. SQL Server Agent
3. Analysis Services
4. Integration Services
5. Reporting Services
6. Notification Services
7. Full Text Search
8. SQL Server Browser
9. SQL Server Active Directory Helper
10. SQL Writer

Group Membership:

The service account and groups should be local unless the services access other domain or remote services.

1. Service-specific groups (e.g. SQLServer2005MSSQLUser$[host name]$[instance name])
2. SQL Server services Users Groups - custom name, used to replace Users group permissions to SQL Server directories and files
3. Performance Monitor - for SQL Server Database service if Replication is in use and performance is monitored
4. Windows Users group

If any services are assigned group membership to any groups other than:

1. A custom SQL Server service group
2. A custom SQL Server service users group
3. Windows Users group

this is a Finding.

User rights and file permissions are reviewed under separate checks.
Fix Text (F-14803r1_fix)
Remove unnecessary group membership from SQL Server service accounts. Review any group membership assignments other than the:

1. SQL Server service group
2. SQL Server service users group
3. Windows Users group

For the SQL Server Database service, Performance Monitor group membership is allowed only if replication and performance monitoring are operationally required.
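The check and fix above both come down to the same review: for each SQL Server service, find the Windows account it runs as, list the local groups that account belongs to, and flag any group outside the permitted set. The following PowerShell script is an added example that automates that review on the SQL Server host; it is not part of the STIG text. It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalGroup, Get-LocalGroupMember), an elevated session, and the default SQL Server 2005 service names. The custom "service users" group name and the service-name patterns are placeholders that must be adjusted to the site's actual names before the output is relied on.

```powershell
# Added example (not part of the STIG): report SQL Server service account group
# memberships that fall outside the set the check permits.
# Assumptions: PowerShell 5.1+, Microsoft.PowerShell.LocalAccounts module,
# elevated session on the SQL Server host, default SQL Server 2005 service names.

# Default service names for the ten services listed in the check (assumed defaults;
# named instances use MSSQL$<instance>, SQLAgent$<instance> and NS$<instance>).
$sqlServicePattern = '^(MSSQLSERVER$|MSSQL\$|SQLSERVERAGENT$|SQLAgent\$|MSSQLServerOLAPService$|' +
                     'MsDtsServer|ReportServer|NS\$|msftesql|SQLBrowser$|MSSQLServerADHelper$|SQLWriter$)'

# Groups the check permits for every SQL Server service account.
$alwaysAllowed = @(
    '^SQLServer2005\w+\$'          # service-specific groups, e.g. SQLServer2005MSSQLUser$HOST$INSTANCE
    '^SQL Server Service Users$'   # the site's custom service users group (placeholder name, assumption)
    '^Users$'                      # Windows Users group
)
# Permitted only for the Database service, and only when replication is monitored.
$dbServiceOnly = '^Performance Monitor Users$'

function Resolve-AccountName {
    param([string]$StartName)
    # Win32_Service stores local accounts as ".\name" or "name";
    # Get-LocalGroupMember reports members as "HOST\name", so normalise to that form.
    if ($StartName -like '.\*')    { return "$env:COMPUTERNAME\" + $StartName.Substring(2) }
    if ($StartName -notlike '*\*') { return "$env:COMPUTERNAME\$StartName" }
    return $StartName
}

function Get-SqlServiceGroupReview {
    $services = Get-CimInstance Win32_Service | Where-Object { $_.Name -match $sqlServicePattern }

    # Enumerate every local group's direct members once, then match accounts against the map.
    $membership = @{}
    foreach ($g in Get-LocalGroup) {
        $members = Get-LocalGroupMember -Group $g.Name -ErrorAction SilentlyContinue
        $membership[$g.Name] = @($members | ForEach-Object { $_.Name })
    }

    foreach ($svc in $services) {
        $account = Resolve-AccountName $svc.StartName
        foreach ($groupName in $membership.Keys) {
            if ($membership[$groupName] -notcontains $account) { continue }

            $status = 'FINDING'
            if ($alwaysAllowed | Where-Object { $groupName -match $_ }) {
                $status = 'ALLOWED'
            } elseif ($groupName -match $dbServiceOnly -and $svc.Name -match '^MSSQL(SERVER$|\$)') {
                # Performance Monitor on the Database service needs an operational justification.
                $status = 'REVIEW'
            }

            [pscustomobject]@{
                Service = $svc.Name
                Account = $account
                Group   = $groupName
                Status  = $status
            }
        }
    }
}

# Any FINDING row is a group membership the fix text says to remove.
Get-SqlServiceGroupReview | Sort-Object Status, Service | Format-Table -AutoSize
```

Get-LocalGroupMember lists direct members only, so a service account that reaches a local group through a nested domain group will not show that group here; that is consistent with the check's expectation that service accounts and groups be local, but any domain accounts the script reports should still be reviewed in Active Directory. Built-in accounts such as NETWORK SERVICE are not normally direct members of local groups and therefore produce no rows.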