Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15197 | DM6140-SQLServer9 | SV-23858r2_rule | ECAN-1 | Medium |
Description |
---|
SQL Server proxies are used to execute specific job functions defined for SQL Server Agent. If proxies share a single account for multiple job functions, least privilege cannot be assigned based on the particular job function. This can compromise the security of the shared functions should a compromise of the SQL Server Agent job occur. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Check Text (C-13814r2_chk) |
---|
From the query prompt: `SELECT c.name AS [Credential], c.credential_identity AS [Identity], p.name AS [Proxy], b.subsystem AS [Subsystem] FROM [master].sys.credentials c JOIN [msdb].dbo.sysproxies p ON c.credential_id = p.credential_id JOIN [msdb].dbo.sysproxysubsystem s ON s.proxy_id = p.proxy_id JOIN [msdb].dbo.syssubsystems b ON s.subsystem_id = b.subsystem_id JOIN (SELECT w.credential_identity FROM [master].sys.credentials w JOIN [msdb].dbo.sysproxies x ON w.credential_id = x.credential_id JOIN [msdb].dbo.sysproxysubsystem y ON x.proxy_id = y.proxy_id WHERE (y.subsystem_id < 4 OR y.subsystem_id > 8) GROUP BY w.credential_identity HAVING COUNT(*) > 1) d ON c.credential_identity = d.credential_identity WHERE (s.subsystem_id < 4 OR s.subsystem_id > 8) ORDER BY c.name, p.name, b.subsystem` Review the list of proxies and assigned logins. If any Identity/Login names are listed more than once, this is a Finding. |
Fix Text (F-14834r1_fix) |
---|
Create Windows accounts for each proxy defined. Assign only the file permissions, subsystem access and other privileges required to run the SQL Server Agent job. Document proxy accounts in the System Security Plan and authorize with the IAO. |
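
One way to apply the fix in T-SQL, shown as an added example that is not part of the STIG text: each proxy gets its own credential mapped to its own Windows account and is granted to a single subsystem. The account names, credential and proxy names, login names and `<...>` secrets are constructed placeholders, and the Windows accounts and SQL Server logins are assumed to exist already.

```sql
-- Added example (not from the STIG): one Windows account, credential and proxy
-- per SQL Server Agent job function. All names and secrets are placeholders.
USE [master];
GO
-- One credential per Windows account; never reuse an identity across proxies.
CREATE CREDENTIAL [AgentCmdExecCred]
    WITH IDENTITY = N'CONTOSO\svc_agent_cmdexec',
         SECRET   = N'<password-for-cmdexec-account>';
CREATE CREDENTIAL [AgentScriptCred]
    WITH IDENTITY = N'CONTOSO\svc_agent_script',
         SECRET   = N'<password-for-script-account>';
GO
USE [msdb];
GO
-- Proxy for operating-system command job steps only.
EXEC dbo.sp_add_proxy
     @proxy_name = N'CmdExecProxy',
     @credential_name = N'AgentCmdExecCred',
     @enabled = 1;
EXEC dbo.sp_grant_proxy_to_subsystem
     @proxy_name = N'CmdExecProxy',
     @subsystem_name = N'CmdExec';
EXEC dbo.sp_grant_login_to_proxy
     @login_name = N'CONTOSO\JobOwnerA',   -- assumed existing login
     @proxy_name = N'CmdExecProxy';

-- Separate proxy, credential and account for ActiveX script job steps.
EXEC dbo.sp_add_proxy
     @proxy_name = N'ScriptProxy',
     @credential_name = N'AgentScriptCred',
     @enabled = 1;
EXEC dbo.sp_grant_proxy_to_subsystem
     @proxy_name = N'ScriptProxy',
     @subsystem_name = N'ActiveScripting';
EXEC dbo.sp_grant_login_to_proxy
     @login_name = N'CONTOSO\JobOwnerB',   -- assumed existing login
     @proxy_name = N'ScriptProxy';
GO
-- Re-check with the same grouping the Check Text uses: any row returned is an
-- identity that still backs more than one proxy/subsystem assignment.
SELECT w.credential_identity AS [Identity], COUNT(*) AS [Assignments]
FROM [master].sys.credentials w
JOIN dbo.sysproxies x ON w.credential_id = x.credential_id
JOIN dbo.sysproxysubsystem y ON x.proxy_id = y.proxy_id
WHERE (y.subsystem_id < 4 OR y.subsystem_id > 8)
GROUP BY w.credential_identity
HAVING COUNT(*) > 1;
```

File permissions and other operating-system privileges for each account are assigned outside SQL Server, per the Fix Text.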