Use of credentials and proxies must be restricted to necessary cases only.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-213980 | SQL6-D0-010500 | SV-213980r855964_rule | Medium |
| Description |
|---|
| In certain situations, to provide required functionality, a DBMS needs to execute internal logic (stored procedures, functions, triggers, etc.) and/or external code modules with elevated privileges. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking the functionality applications/programs, those users are indirectly provided with greater privileges than assigned by organizations. Privilege elevation must be utilized only where necessary and protected from misuse. |
| STIG | Date |
|---|---|
| MS SQL Server 2016 Instance Security Technical Implementation Guide | 2022-09-12 |
Details
| Check Text ( C-15197r313723_chk ) |
|---|
| Review the server documentation to obtain a listing of accounts used for executing external processes. Execute the following query to obtain a listing of accounts currently configured for use by external processes. SELECT C.name AS credential_name, C.credential_identity FROM sys.credentials C GO SELECT P.name AS proxy_name, C.name AS credential_name, C.credential_identity FROM sys.credentials C JOIN msdb.dbo.sysproxies P ON C.credential_id = P.credential_id WHERE P.enabled = 1 GO If any Credentials or SQL Agent Proxy accounts are returned that are not documented and authorized, this is a finding. |
| Fix Text (F-15195r313724_fix) |
|---|
| Remove any SQL Agent Proxy accounts and credentials that are not authorized. DROP CREDENTIAL GO USE [msdb] EXEC sp_delete_proxy @proxy_name = ' GO |