UCF STIG Viewer Logo

SQL Server Agent CmdExec or ActiveScripting jobs should be restricted to sysadmins.


Overview

Finding ID Version Rule ID IA Controls Severity
V-2488 DM3763-SQLServer9 SV-25451r1_rule DCFA-1 ECLP-1 Medium
Description
SQL Server Agent CmdExec and ActiveScripting subsystems allow the execution of code by the host operating system under the security context. Allow use of these features only to SYSADMINs and use only where necessary to limit risk of database exploit to the host operating system. Members of the SYSADMIN group have access to all proxies and subsystems by default. Additional assignments are not necessary and would be considered suspect.
STIG Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide 2015-06-16

Details

Check Text ( C-23822r1_chk )
From the query prompt:

USE msdb
EXEC SP_ENUM_PROXY_FOR_SUBSYSTEM @subsystem_name = 'ActiveScripting'
EXEC SP_ENUM_PROXY_FOR_SUBSYSTEM @subsystem_name = 'CmdExec'

If no records are returned, this is Not a Finding.

For each proxy listed:

EXEC SP_ENUM_LOGIN_FOR_PROXY @proxy_name = '[proxy name]'

Replace [proxy name] with the proxy names returned above.

Review the names listed in the return. If any names include users that are not SYSADMINs or list groups that contain members other than SYSADMIN, this is a Finding.
Fix Text (F-2516r1_fix)
Members of the SYSADMIN role have access to all proxies by default. For any proxies defined for Active Scripting or CmdExec subsystems, remove all additional access privileges.

Select based on returns from the SP_ENUM_PROXY_SUBSYSTEM results:

From the query prompt:

EXEC SP_REVOKE_LOGIN_FROM_PROXY '[login name]' @proxy_name = 'ActiveScripting'
EXEC SP_REVOKE_LOGIN_FROM_PROXY '[login name]' @proxy_name = 'CmdExec'

Replace [login name] with the name returned in the SP_ENUM_PROXY_FOR_SUBSYSTEM procedure.