Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3832 | DM0920-SQLServer9 | SV-25423r1_rule | ECPA-1 | Medium |
Description |
---|
The DBA job function differs from the host system administrator job function. Without a separate host OS group to assign necessary privileges on the operating system, separation of duties is not achieved and excess privileges for the job function are assigned. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Check Text (C-17013r1_chk) |
---|
For Windows 2000: 1. Right-click on My Computer. 2. Select Manage. 3. Expand Local Users. 4. Expand Groups. For Windows 2003: 1. Click Start. 2. Select All Programs. 3. Select Administrative Tools. 4. Click Computer Management. 5. Expand System Tools. 6. Expand Local Users and Groups. 7. Select Groups. View the list of groups defined. Verify that the OS DBA group specified in the System Security Plan exists. If the OS DBA Windows group specified in the System Security Plan does not exist, this is a Finding. |
Fix Text (F-23506r1_fix) |
---|
Follow the steps outlined in the Check procedure above. Create a Windows OS group to use for SQL Server DBA privilege and permission assignment as documented in the System Security Plan. |