
Windows OS DBA group should contain only authorized users.


Overview

Finding ID: V-3833
Version: DM0921-SQLServer9
Rule ID: SV-25426r1_rule
IA Controls: ECPA-1
Severity: Medium
Description
The host DBA group is assigned permissions to the DBMS system libraries and may also be used to assign DBA privileges within the database. Unauthorized DBA privilege assignment leaves the DBMS data and operations vulnerable to complete compromise.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-20415r1_chk)
For Windows 2000:

1. Right click on My Computer
2. Select Manage
3. Expand Local Users
4. Expand Groups
5. Select the OS DBA Group
6. Right click on the OS DBA Group
7. Select Properties

For Windows 2003:

1. Click Start
2. Select All Programs
3. Select Administrative Tools
4. Click Computer Management
5. Expand System Tools
6. Expand Local Users and Groups
7. Select Groups
8. Select the OS DBA Group
9. Right click on the OS DBA Group
10. Select Properties

Review the list of accounts assigned to the OS DBA group.

Review the list of accounts assigned to the SYSADMIN role:

For SQL Server:

From the query prompt:

exec sp_helpsrvrolemember 'sysadmin'

If any accounts are assigned OS DBA group membership or SYSADMIN privileges but are not DBAs authorized and documented in the System Security Plan, this is a Finding.

If the OS DBA group is not defined, this is a Finding.
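The two review steps above can be scripted once the group membership and the sp_helpsrvrolemember output have been collected. The following checker is an added example, not part of the STIG; the group name DBA, the CORP accounts, the net localgroup output and the sysadmin rows are constructed samples, and the authorized list stands in for what the System Security Plan documents.

```python
# Constructed sample: the text 'net localgroup DBA' prints on the DBMS host.
NET_LOCALGROUP_OUTPUT = """\
Alias name     DBA
Comment        Database administrators

Members

-------------------------------------------------------------------------------
CORP\\alice
CORP\\bob
CORP\\svc_backup
The command completed successfully.
"""
# Constructed sample: (ServerRole, MemberName) rows from exec sp_helpsrvrolemember 'sysadmin'.
SYSADMIN_ROWS = [("sysadmin", "sa"), ("sysadmin", "CORP\\alice"), ("sysadmin", "CORP\\jdoe")]
# Hypothetical list of authorized DBAs transcribed from the System Security Plan.
SSP_AUTHORIZED = {"CORP\\alice", "CORP\\bob", "sa"}


def parse_net_localgroup(text):
    """Member names from 'net localgroup <group>' output; None if the group is undefined."""
    if "could not be found" in text:          # net.exe message for a missing group
        return None
    lines = text.splitlines()
    start = next(i for i, line in enumerate(lines) if line.startswith("---")) + 1
    return [line.strip() for line in lines[start:]
            if line.strip() and not line.startswith("The command completed")]


def evaluate(group_output, sysadmin_rows, authorized):
    """Apply the rule: every OS DBA group member and every sysadmin role member
    must be an authorized, documented DBA; an undefined group is itself a finding."""
    auth = {a.lower() for a in authorized}    # Windows account names are case-insensitive
    findings = []
    members = parse_net_localgroup(group_output)
    if members is None:
        findings.append("OS DBA group is not defined")
    else:
        findings += [f"OS DBA group member not authorized: {m}"
                     for m in members if m.lower() not in auth]
    findings += [f"sysadmin member not authorized: {m}"
                 for _role, m in sysadmin_rows if m.lower() not in auth]
    return findings
```

A Windows group login listed as a sysadmin member (for example BUILTIN\Administrators) grants the role to every member of that group, so such entries must be expanded to individual accounts before the comparison is meaningful.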
Fix Text (F-23508r1_fix)
Remove any OS DBA group membership assignments and assignments to the SYSADMIN role from accounts not authorized and documented in the System Security Plan by the IAO.

Authorize and document in the System Security Plan all DBA accounts and assignments to the SYSADMIN role prior to assigning DBA group membership and privileges.