Only necessary privileges to the host system should be granted to DBA OS accounts.


Overview

Finding ID: V-6756
Version: DG0005-SQLServer9
Rule ID: SV-24119r1_rule
IA Controls: ECLP-1
Severity: Medium
Description
Database administration accounts are frequently granted more permissions to the local host system than are necessary. This allows inadvertent or malicious changes to the host operating system.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-1422r1_chk)
Review host system privileges assigned to the DBA accounts. If any are granted host system administrator privileges or other system privileges not required for DBMS administration, this is a Finding.

The DBA should have only the OS Users group, custom SQLServer DBA group, SQL Server service groups and custom SQL Server Users groups assigned. The custom SQL Server groups should have only the Log on Locally user right assigned.
Fix Text (F-20097r1_fix)
Revoke any host system privileges from DBA accounts not required for DBMS administration.

Revoke any OS group memberships that assign excess privileges to DBA accounts.

Remove any directly applied permissions or user rights from the DBA account.
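
One way to script the group-membership part of the check text above, as an added example that is not part of the STIG. The account name `dba_jsmith`, the custom group names `SQLDBA` and `SQLUsers`, and the `SQLServer2005*` pattern for the setup-created service groups are assumptions to replace with site values.

```powershell
# Added example: account and group names are assumptions; substitute site values.
$DbaAccounts = @('dba_jsmith')       # hypothetical local DBA OS account
$AllowedGroupPatterns = @(
    'Users',                         # OS Users group
    'SQLDBA',                        # hypothetical custom SQL Server DBA group
    'SQLServer2005*',                # assumed pattern for SQL Server 2005 service groups
    'SQLUsers'                       # hypothetical custom SQL Server Users group
)

# Return the names of the local groups a local account belongs to (WinNT ADSI provider).
function Get-LocalGroupsForUser {
    param([string]$UserName, [string]$Computer = $env:COMPUTERNAME)
    $user = [ADSI]"WinNT://$Computer/$UserName,user"
    $user.psbase.Invoke('Groups') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# Compare each membership with the allowed patterns; anything unmatched is a finding.
function Test-DbaGroupMembership {
    param([string]$Account, [string[]]$Groups, [string[]]$AllowedPatterns)
    foreach ($group in $Groups) {
        $allowed = $false
        foreach ($pattern in $AllowedPatterns) {
            if ($group -like $pattern) { $allowed = $true; break }
        }
        New-Object PSObject -Property @{
            Account = $Account
            Group   = $group
            Finding = (-not $allowed)
        }
    }
}

# Constructed sample: the Administrators membership is reported as a finding.
Test-DbaGroupMembership -Account 'sample_dba' -Groups 'Users', 'SQLDBA', 'Administrators' `
    -AllowedPatterns $AllowedGroupPatterns | Format-Table Account, Group, Finding -AutoSize

# Live check against the local host for each configured DBA account.
$results = foreach ($account in $DbaAccounts) {
    try   { $groups = @(Get-LocalGroupsForUser -UserName $account) }
    catch { Write-Warning "Could not read groups for ${account}: $_"; continue }
    Test-DbaGroupMembership -Account $account -Groups $groups -AllowedPatterns $AllowedGroupPatterns
}
$results | Sort-Object Account, Group | Format-Table Account, Group, Finding -AutoSize
```

This covers direct local group memberships of local accounts only; domain group memberships, nested groups, and user rights or permissions applied directly to the account still need to be reviewed separately.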