
SQL Server must ensure users are authenticated with an individual authenticator prior to using a group authenticator.


Overview

Finding ID: V-40923
Version: SQL2-00-018500
Rule ID: SV-53277r1_rule
IA Controls: (none listed)
Severity: Medium
Description
To ensure individual accountability and prevent unauthorized access, application users (and any processes acting on behalf of users) must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. An example of a group authenticator is the UNIX OS 'root' user account, a Windows 'administrator' account, an 'sa' account, or a 'helpdesk' account.
STIG: Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide
Date: 2014-06-23

Details

Check Text (C-47578r2_chk)
Review SQL Server users to determine whether group accounts exist.

SELECT uid, name, roles FROM sys.sysusers
WHERE uid > 16000
  AND name NOT IN
      ('db_owner', 'db_accessadmin',
       'db_securityadmin', 'db_ddladmin',
       'db_backupoperator', 'db_datareader',
       'db_datawriter', 'db_denydatareader', 'db_denydatawriter');

If accounts returned are determined to be group accounts, determine if individuals are first individually authenticated. If individuals are not individually authenticated before using the group account (e.g., by the operating system or possibly by an application making calls to the database), this is a finding.
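The check above relies on the sys.sysusers compatibility view and leaves it to the reviewer to decide which rows are group accounts. As an added example that is not part of the STIG text, the following T-SQL reads the current catalog views instead, so each principal is labelled with its type (a Windows group, where the operating system has already authenticated the individual, versus a plain SQL user that anyone holding the password can use), and then lists logins that are currently in use from more than one host, which is typical of a shared account. It assumes it is run in the database under review by a principal allowed to read the catalog views and holding VIEW SERVER STATE.

```sql
-- Added audit queries (not from the STIG). Run in the database under review.

-- 1. Classify every non-fixed principal in this database and show the login it maps to.
--    type_desc distinguishes WINDOWS_GROUP / WINDOWS_USER (individual authenticated by
--    the OS first) from SQL_USER (shared secret, no upstream individual authentication)
--    and from DATABASE_ROLE / APPLICATION_ROLE.
SELECT dp.principal_id,
       dp.name,
       dp.type_desc,
       dp.authentication_type_desc,      -- NONE, INSTANCE, DATABASE, WINDOWS, EXTERNAL
       sp.name        AS mapped_login,
       sp.is_disabled AS login_disabled
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp
       ON dp.sid = sp.sid
WHERE dp.principal_id > 4          -- skip dbo, guest, INFORMATION_SCHEMA, sys
  AND dp.is_fixed_role = 0         -- skip db_owner ... db_denydatawriter
  AND dp.type IN ('S', 'U', 'G', 'R', 'A', 'E', 'X')
ORDER BY dp.type_desc, dp.name;

-- 2. Evidence of shared use: one login connected from several client hosts at once.
--    A SQL login appearing here with many distinct hosts is a strong sign of a group
--    authenticator; a Windows login here is normal (the OS identified each person).
SELECT s.login_name,
       COUNT(DISTINCT s.host_name)    AS distinct_hosts,
       COUNT(DISTINCT s.program_name) AS distinct_programs,
       COUNT(*)                       AS sessions
FROM sys.dm_exec_sessions AS s
WHERE s.is_user_process = 1
GROUP BY s.login_name
HAVING COUNT(DISTINCT s.host_name) > 1
ORDER BY distinct_hosts DESC;
```

For a connection that has switched context (EXECUTE AS or an application role), ORIGINAL_LOGIN() still returns the login that actually authenticated, which is the value to capture in audit records when deciding whether the individual was identified first.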
Fix Text (F-46205r3_fix)
Configure SQL Server settings to require individual authentication prior to authentication for group account access.

Review SQL Server users to determine whether group accounts exist.

SELECT uid, name, roles FROM sys.sysusers
WHERE uid > 16000
  AND name NOT IN
      ('db_owner', 'db_accessadmin',
       'db_securityadmin', 'db_ddladmin',
       'db_backupoperator', 'db_datareader',
       'db_datawriter', 'db_denydatareader',
       'db_denydatawriter');

Remove group accounts and use individual userids.