3.10 Ensure Windows local groups are not SQL Logins

Information

Local Windows groups should not be used as logins for SQL Server instances.

Rationale:

Allowing local Windows groups as SQL Logins provides a loophole whereby anyone with OS level administrator rights (and no SQL Server rights) could add users to the local Windows groups and thereby give themselves or others access to the SQL Server instance.

Impact:

Before dropping the local group logins, ensure that alternative AD Groups or Windows logins have been added with equivalent permissions. Otherwise, the SQL Server instance may become totally inaccessible.

Solution

For each LocalGroupName login, if needed create an equivalent AD group containing only the required user accounts.

Add the AD group or individual Windows accounts as a SQL Server login and grant it the permissions required.

Drop the LocalGroupName login using the syntax below after replacing <name>.

USE [master]
GO
DROP LOGIN [<name>]
GO

Default Value:

By default, no local groups are added as SQL logins.

See Also

https://workbench.cisecurity.org/benchmarks/7201

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: MS_SQLDB

Control ID: 7d9c2f72d68c322d3eabbb7b9aec87fcf1a95ee798bed7bfe741bb63f757a4f8