Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15196 | DM6145-SQLServer9 | SV-23859r2_rule | ECAN-1 | Medium |
Description |
---|
SQL Server subsystems define a set of functionality available for assignment to a SQL Server Agent proxy. These act as privileges to perform certain job tasks. Excess privilege assignment or subsystem assignment can lead to unauthorized access to the SQL Server instance or host operating system. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Check Text (C-13815r2_chk) |
---|
From the query prompt, run: `SELECT p.name, sp.subsystem FROM [msdb].dbo.sysproxies p, [msdb].dbo.sysproxysubsystem s, [msdb].dbo.syssubsystems sp WHERE p.proxy_id = s.proxy_id AND s.subsystem_id = sp.subsystem_id ORDER BY p.name, sp.subsystem` Review the list of subsystem assignments to proxies against the authorized list in the System Security Plan document. If unauthorized subsystems are assigned to any proxy, or any assignment is not documented, this is a Finding. |
Fix Text (F-14835r1_fix) |
---|
Define and document in the System Security Plan the minimum subsystem assignments required by individual proxies. Assign to each proxy only those subsystems required to complete the SQL Server Agent job. |
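
The check and fix above can be run as one comparison. The following T-SQL is an added example, not part of the STIG text: it lists every proxy/subsystem assignment that is missing from an authorized list and generates the matching revoke statement for review. The rows in `@authorized` (`ExampleEtlProxy`, `ExampleBackupProxy`) are constructed placeholders standing in for the entries documented in the System Security Plan.

```sql
-- Added example: report proxy/subsystem assignments that are not in the
-- authorized list. Replace the constructed rows below with the assignments
-- documented in the System Security Plan.
DECLARE @authorized TABLE (
    proxy_name sysname      NOT NULL,
    subsystem  nvarchar(40) NOT NULL,
    PRIMARY KEY (proxy_name, subsystem)
);

-- Constructed sample entries (single-row INSERTs for SQL Server 2005).
INSERT INTO @authorized (proxy_name, subsystem) VALUES (N'ExampleEtlProxy',    N'SSIS');
INSERT INTO @authorized (proxy_name, subsystem) VALUES (N'ExampleBackupProxy', N'CmdExec');

SELECT
    g.proxy_name,
    g.subsystem,
    -- Statement an administrator can review and run to remove the assignment.
    N'EXEC msdb.dbo.sp_revoke_proxy_from_subsystem @proxy_name = N'''
        + REPLACE(g.proxy_name, N'''', N'''''')
        + N''', @subsystem_name = N'''
        + g.subsystem
        + N''';' AS revoke_statement
FROM (
    -- Same three msdb tables as the check query, written with explicit joins.
    SELECT p.name AS proxy_name, sp.subsystem
    FROM msdb.dbo.sysproxies AS p
    JOIN msdb.dbo.sysproxysubsystem AS s
        ON p.proxy_id = s.proxy_id
    JOIN msdb.dbo.syssubsystems AS sp
        ON s.subsystem_id = sp.subsystem_id
) AS g
LEFT JOIN @authorized AS a
    -- COLLATE avoids a collation conflict between msdb and the current database.
    ON  a.proxy_name = g.proxy_name COLLATE DATABASE_DEFAULT
    AND a.subsystem  = g.subsystem  COLLATE DATABASE_DEFAULT
WHERE a.proxy_name IS NULL          -- assigned in msdb, absent from the list
ORDER BY g.proxy_name, g.subsystem;
```

An empty result set means every assignment in msdb appears in the authorized list; any row returned is an assignment to either document or revoke.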