
Use of DBA accounts should be restricted to administrative activities.


Overview

Finding ID: V-15632
Version: DG0124-SQLServer9
Rule ID: SV-24312r1_rule
IA Controls: ECLP-1
Severity: Medium
Description
Use of privileged accounts for non-administrative purposes puts data at risk of unintended or unauthorized loss, modification or exposure. In particular, DBA accounts used for non-administrative application development or application maintenance can lead to misassignment of privileges, because objects created under such an account are owned by it and the owner inherits full privileges on them. It may also lead to loss or compromise of application data where the elevated privileges bypass the controls designed into and provided by the applications.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-23586r1_chk)
Review accounts assigned fixed server roles and fixed database roles with the DBA/IAO and as documented in the System Security Plan.

Review other database or application roles assigned to the accounts assigned fixed roles as documented in the System Security Plan.

If any account assigned a fixed role is also assigned application roles or other roles granting privileges on application objects, or owns application objects used for other than DBA functions, this is a Finding.
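The following T-SQL is an added worked example that enumerates what the check text asks the reviewer to look at; it is not part of the STIG's own check procedure, and its output still has to be compared with the accounts, roles and exceptions documented in the System Security Plan. It assumes the reviewer holds sufficient metadata permissions (VIEW DEFINITION in each database, or sysadmin), and it treats "application roles" in the check text as user-defined database roles (type 'R', is_fixed_role = 0) rather than SQL Server application roles (type 'A'), which are activated with a password instead of being assigned to accounts.

```sql
-- Added example, not the STIG's check text. Assumes VIEW DEFINITION (or
-- sysadmin) and that "application roles" means user-defined database roles.

-- 1. Instance level: every login that is a member of a fixed server role.
--    In SQL Server 2005 every server-level role (type 'R') is a fixed role.
SELECT r.name      AS server_role,
       m.name      AS member_login,
       m.type_desc AS member_type
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.type = 'R'
ORDER BY r.name, m.name;

-- Run steps 2-4 in each application database (USE <database>;).
-- 2. Users that hold a fixed database role, with the login they map to.
--    Members of sysadmin map to dbo in every database and act as db_owner
--    there without appearing in sys.database_role_members, so treat the
--    sysadmin members from step 1 as implicitly included in this list.
SELECT r.name AS fixed_db_role,
       u.name AS db_user,
       l.name AS mapped_login
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS u ON u.principal_id = rm.member_principal_id
LEFT JOIN sys.server_principals AS l ON l.sid = u.sid
WHERE r.is_fixed_role = 1
ORDER BY r.name, u.name;

-- 3. For those same users, any user-defined (application) roles they also
--    hold. Each row is a candidate Finding unless the SSP documents it.
SELECT u.name AS db_user,
       r.name AS application_role
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS u ON u.principal_id = rm.member_principal_id
WHERE r.type = 'R'
  AND r.is_fixed_role = 0
  AND u.principal_id IN (SELECT fm.member_principal_id
                         FROM sys.database_role_members AS fm
                         JOIN sys.database_principals   AS fr
                           ON fr.principal_id = fm.role_principal_id
                         WHERE fr.is_fixed_role = 1)
ORDER BY u.name, r.name;

-- 4. Non-system objects owned by those users, either directly
--    (sys.objects.principal_id set) or through a schema they own.
--    Objects created under a DBA account land here; this is the ownership
--    the Description warns about, since the owner holds full rights on them.
SELECT u.name      AS db_user,
       s.name      AS schema_name,
       o.name      AS object_name,
       o.type_desc AS object_type,
       CASE WHEN o.principal_id IS NOT NULL THEN 'direct' ELSE 'via schema' END
                   AS ownership
FROM sys.objects AS o
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
JOIN sys.database_principals AS u
  ON u.principal_id = COALESCE(o.principal_id, s.principal_id)
WHERE o.is_ms_shipped = 0
  AND u.principal_id IN (SELECT fm.member_principal_id
                         FROM sys.database_role_members AS fm
                         JOIN sys.database_principals   AS fr
                           ON fr.principal_id = fm.role_principal_id
                         WHERE fr.is_fixed_role = 1)
ORDER BY u.name, s.name, o.name;
```

Steps 3 and 4 only return rows for accounts that are explicitly listed as members of a fixed database role, so a DBA login that is sysadmin (and therefore dbo in every database) will not appear in them; objects in the dbo schema created by such a login are owned by dbo and have to be reviewed against the step 1 list and the SSP by hand.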
Fix Text (F-20455r1_fix)
Create separate accounts for administration activities.

Develop, document and implement policy and procedures that require separate, unprivileged or less-privileged accounts for development, testing and application users.