
Dedicated accounts should be designated for SQL Server Agent proxies.


Overview

Finding ID: V-15197
Version: DM6140-SQLServer9
Rule ID: SV-23858r2_rule
IA Controls: ECAN-1
Severity: Medium
Description
SQL Server proxies are used to execute specific job functions defined for SQL Server Agent. If proxies share a single account for multiple job functions, least privilege cannot be assigned based on the particular job function. Should a SQL Server Agent job be compromised, this can compromise the security of every job function that shares the account.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-13814r2_chk)
From the query prompt:

-- Lists every proxy/subsystem grant whose credential identity is used for
-- more than one grant. Subsystem IDs 4 through 8 (the replication agents)
-- are excluded from the count.
SELECT c.name AS [Credential],
       c.credential_identity AS [Identity],
       p.name AS [Proxy],
       b.subsystem AS [Subsystem]
FROM [master].sys.credentials c
JOIN [msdb].dbo.sysproxies p ON c.credential_id = p.credential_id
JOIN [msdb].dbo.sysproxysubsystem s ON s.proxy_id = p.proxy_id
JOIN [msdb].dbo.syssubsystems b ON s.subsystem_id = b.subsystem_id
JOIN (SELECT w.credential_identity
      FROM [master].sys.credentials w
      JOIN [msdb].dbo.sysproxies x ON w.credential_id = x.credential_id
      JOIN [msdb].dbo.sysproxysubsystem y ON x.proxy_id = y.proxy_id
      WHERE (y.subsystem_id < 4 OR y.subsystem_id > 8)
      GROUP BY w.credential_identity
      HAVING COUNT(*) > 1) d
  ON c.credential_identity = d.credential_identity
WHERE (s.subsystem_id < 4 OR s.subsystem_id > 8)
ORDER BY c.name, p.name, b.subsystem

Review the list of proxies and assigned logins.

If any Identity/Login names are listed more than once, this is a Finding.
Fix Text (F-14834r1_fix)
Create Windows accounts for each proxy defined.

Assign only the file permissions, subsystem access and other privileges required to run the SQL Server Agent job.

Document proxy accounts in the System Security Plan and authorize with the IAO.
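
The fix above expressed as T-SQL, as an added example that is not part of the STIG text: two job functions each get their own Windows account, credential and proxy, and each proxy is granted to exactly one subsystem. The domain EXAMPLE, the account, credential, proxy and login names, and the secrets are hypothetical placeholders; the Windows accounts and the job-owner login are assumed to exist already.

```sql
-- Added example; every name below is a hypothetical placeholder.
USE [master];
GO
-- One credential per dedicated Windows account (one account per job function).
CREATE CREDENTIAL [AgentCmdExecCred]
    WITH IDENTITY = N'EXAMPLE\svc_agent_cmdexec',
         SECRET   = N'<password of svc_agent_cmdexec>';
CREATE CREDENTIAL [AgentScriptCred]
    WITH IDENTITY = N'EXAMPLE\svc_agent_script',
         SECRET   = N'<password of svc_agent_script>';
GO
USE [msdb];
GO
-- One proxy per credential, granted only to the subsystem its jobs need.
EXEC dbo.sp_add_proxy
     @proxy_name      = N'CmdExecProxy',
     @credential_name = N'AgentCmdExecCred',
     @enabled         = 1,
     @description     = N'Operating system command job steps only';
EXEC dbo.sp_grant_proxy_to_subsystem
     @proxy_name     = N'CmdExecProxy',
     @subsystem_name = N'CmdExec';

EXEC dbo.sp_add_proxy
     @proxy_name      = N'ScriptProxy',
     @credential_name = N'AgentScriptCred',
     @enabled         = 1,
     @description     = N'ActiveX script job steps only';
EXEC dbo.sp_grant_proxy_to_subsystem
     @proxy_name     = N'ScriptProxy',
     @subsystem_name = N'ActiveScripting';

-- Let only the login that owns the relevant jobs use each proxy.
EXEC dbo.sp_grant_login_to_proxy
     @login_name = N'EXAMPLE\job_owner_cmdexec',
     @proxy_name = N'CmdExecProxy';
GO
-- Re-check: any row returned is an identity still shared across grants.
SELECT c.credential_identity AS [Identity], COUNT(*) AS [Grants]
FROM [master].sys.credentials c
JOIN [msdb].dbo.sysproxies p ON c.credential_id = p.credential_id
JOIN [msdb].dbo.sysproxysubsystem s ON s.proxy_id = p.proxy_id
WHERE (s.subsystem_id < 4 OR s.subsystem_id > 8)
GROUP BY c.credential_identity
HAVING COUNT(*) > 1;
```

File permissions and other operating system privileges for each account are assigned outside SQL Server and are not shown here.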