Windows OS DBA group should contain only authorized users.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-3833 | DM0921-SQLServer9 | SV-25426r1_rule | ECPA-1 | Medium |
| Description |
|---|
| The host DBA group is assigned permissions to the DBMS system libraries and may also be used to assign DBA privileges within the database. Unauthorized DBA privilege assignment leaves the DBMS data and operations vulnerable to complete compromise. |
| STIG | Date |
|---|---|
| Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Details
| Check Text ( C-20415r1_chk ) |
|---|
| For Windows 2000: 1. Right click on My Computer 2. Select Manage 3. Expand Local Users 4. Expand Groups 5. Select the OS DBA Group 6. Right click on the OS DBA Group 7. Select Properties For Windows 2003: 1. Click Start 2. Select All Programs 3. Select Administrative Tools 4. Click Computer Management 5. Expand System Tools 6. Expand Local Users and Groups 7. Select Groups 8. Select the OS DBA Group 9. Right click on the OS DBA Group 10. Select Properties Review the list of accounts assigned to the OS DBA group. Review the list of accounts assigned to the SYSADMIN role: For SQL Server: From the query prompt: exec sp_helpsrvrolemember 'sysadmin' If any accounts assigned OS DBA group membership or SYSADMIN privileges that are not DBAs as authorized and documented in the System Security Plan, this is a Finding. If the OS DBA group is not defined, this is a Finding. |
| Fix Text (F-23508r1_fix) |
|---|
| Remove any OS DBA group membership assignments and assignments to the SYSADMIN role from accounts not authorized and documented in the System Security Plan by the IAO. Authorize and document in the System Security Plan all DBA accounts and assignments to the SYSADMIN role prior to assigning DBA group membership and privileges. |