
OS accounts used to execute external procedures should be assigned minimum privileges.


Overview

Finding ID: V-15620
Version: DG0101-SQLServer9
Rule ID: SV-24260r1_rule
IA Controls: DCFA-1
Severity: Medium
Description
External applications spawned by the DBMS process may be executed under OS accounts assigned unnecessary privileges that can lead to unauthorized access to OS resources. Unauthorized access to OS resources can lead to the compromise of the OS, the DBMS, and any other service provided by the host platform.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text ( C-13791r1_chk )
View the Security Settings of the SQL Server service account to see the user rights assigned to the service account or to any group it belongs to.

To view assigned user rights (rights may be granted through group membership, so check the account's groups as well):

1. Click Start
2. Select Control Panel \ Administrative Tools (Win2K) or Select Administrative Tools (Win2K3)
3. Click Local Security Policy
4. Expand Local Policies
5. Select User Rights Assignment

For SQL Server Service account:

If any user rights are assigned to the service account other than the following, this is a Finding:

1. Log on as a service (SeServiceLogonRight)
2. Act as part of the operating system (SeTcbPrivilege) (Win2K only)
3. Log on as a batch job (SeBatchLogonRight)
4. Replace a process-level token (SeAssignPrimaryTokenPrivilege)
5. Bypass traverse checking (SeChangeNotifyPrivilege)
6. Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)

The following additional permissions are applicable to SQL Server 2005 only (these are service-start permissions, not user rights, and are not visible under User Rights Assignment):
1. Permission to start the SQL Server Active Directory Helper service
2. Permission to start the SQL Writer (VSS writer) service
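The manual procedure above can be scripted. The following PowerShell script is an added example and is not part of the STIG: it resolves the account the SQL Server service runs as, collects the local groups that account belongs to, exports the local User Rights Assignment with secedit, and reports every right the account holds, marking any right outside the permitted list as a finding. It assumes an elevated PowerShell 5.1 or later session on the SQL Server host (Get-LocalGroup and Get-LocalGroupMember are not available on Windows 2000/2003), that secedit.exe is present, and that $ServiceName is the instance's service name (MSSQLSERVER for a default instance, MSSQL$<name> for a named one); $Allowed, Get-AccountSid and the output object layout are this example's own choices.

```powershell
# Added example (not part of the STIG): report the user rights held by the
# SQL Server service account, directly or via local group membership, and
# flag any right the check text does not permit.
# Assumptions: elevated PowerShell 5.1+ on the SQL Server host; secedit.exe present.
param([string]$ServiceName = 'MSSQLSERVER')

# User rights the check text permits for the SQL Server service account.
$Allowed = @(
    'SeServiceLogonRight',           # Log on as a service
    'SeTcbPrivilege',                # Act as part of the operating system (Win2K only)
    'SeBatchLogonRight',             # Log on as a batch job
    'SeAssignPrimaryTokenPrivilege', # Replace a process-level token
    'SeChangeNotifyPrivilege',       # Bypass traverse checking
    'SeIncreaseQuotaPrivilege'       # Adjust memory quotas for a process
)

function Get-AccountSid([string]$Name) {
    # The Service Control Manager reports the built-in SYSTEM account as
    # "LocalSystem", which NTAccount cannot translate, so map it explicitly.
    # A leading ".\" means the local machine.
    if ($Name -eq 'LocalSystem') { return 'S-1-5-18' }
    $Name = $Name -replace '^\.\\', "$env:COMPUTERNAME\"
    $acct = New-Object System.Security.Principal.NTAccount($Name)
    return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# 1. Identify the service account and every SID its rights can be granted through.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this host." }
$accountSid = Get-AccountSid $svc.StartName
$sids = @($accountSid)
foreach ($grp in Get-LocalGroup) {
    $members = Get-LocalGroupMember -Group $grp -ErrorAction SilentlyContinue
    if ($members.SID.Value -contains $accountSid) { $sids += $grp.SID.Value }
}

# 2. Export the effective local User Rights Assignment to a temporary .inf file.
$cfg = Join-Path $env:TEMP "userrights-$PID.inf"
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$lines = Get-Content -Path $cfg
Remove-Item $cfg -Force

# 3. Parse the [Privilege Rights] section, whose lines look like
#    SeServiceLogonRight = *S-1-5-80-...,*S-1-5-21-...
$held = @()
$inSection = $false
foreach ($line in $lines) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
    $right = $Matches[1]
    $principals = $Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($p in $principals) {
        if ($sids -contains $p) {
            $held += [pscustomobject]@{
                Right      = $right
                GrantedVia = $(if ($p -eq $accountSid) { $svc.StartName } else { (Get-LocalGroup -SID $p).Name })
                Status     = $(if ($Allowed -contains $right) { 'Permitted' } else { 'FINDING' })
            }
        }
    }
}

# 4. Report. Exit code 1 signals at least one right outside the permitted list.
"Service $ServiceName runs as $($svc.StartName) ($accountSid)"
$held | Sort-Object Status, Right | Format-Table -AutoSize
if ($held.Status -contains 'FINDING') { exit 1 } else { exit 0 }
```

Two caveats when reading the output. Only local groups are walked, so a right granted to a domain group that the service account belongs to will not be attributed to the account; review domain group memberships separately. The service-start permissions for the SQL Server Active Directory Helper and SQL Writer services are service ACLs rather than user rights, so they do not appear in the secedit export and are not covered by this script.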
Fix Text (F-25726r1_fix)
Create a local custom account for the SQL Server service accounts.

A domain account may be used where network resources are required.

Please see SQL Server Books Online for detailed information.

Assign the account to the SQL Server group (created at installation for SQL Server 2005) if available.

Assign the SQL Server account or group only the user rights listed in the Check procedures, and remove any other rights it holds directly or through group membership.