3.11 Ensure the public role in the msdb database is not granted access to SQL Agent proxies

Information

The public database role contains every user in the msdb database. SQL Agent proxies define a security context in which a job step can run.

Granting the public role access to a SQL Agent proxy would allow all users to use that proxy, which may have high privileges. This would likely violate the principle of least privilege.

Solution

- Ensure the required security principals are explicitly granted access to the proxy (use sp_grant_login_to_proxy).
- Revoke access to the <proxyname> from the public role.

    USE [msdb]
    GO
    EXEC dbo.sp_revoke_login_from_proxy @name = N'public', @proxy_name = N'<proxyname>';
    GO

Impact:

Before revoking the public role from the proxy, ensure that alternative logins or appropriate user-defined database roles have been added with equivalent permissions. Otherwise, SQL Agent job steps dependent upon this access will fail.
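The following T-SQL is an added example, not part of the benchmark text. It walks the remediation in the order the Impact note requires: find the proxies public can use, find the job steps that depend on them, grant explicit access, then revoke. The role name ProxyJobOwners is a hypothetical user-defined msdb role, and <proxyname> is the same placeholder used in the Solution.

```sql
USE [msdb];
GO

-- 1. Audit: list every proxy the public role has been granted.
--    An empty result set means the server already meets this control.
SELECT sp.name AS proxyname
FROM dbo.sysproxylogin AS spl
JOIN sys.database_principals AS dp ON dp.sid = spl.sid
JOIN dbo.sysproxies AS sp ON sp.proxy_id = spl.proxy_id
WHERE dp.principal_id = USER_ID('public');
GO

-- 2. Impact check: job steps that run under the proxy, with their owners.
--    These owners need explicit access before public is revoked,
--    otherwise the steps will fail.
SELECT j.name AS job_name,
       js.step_id,
       js.step_name,
       SUSER_SNAME(j.owner_sid) AS job_owner
FROM dbo.sysjobsteps AS js
JOIN dbo.sysjobs AS j ON j.job_id = js.job_id
JOIN dbo.sysproxies AS sp ON sp.proxy_id = js.proxy_id
WHERE sp.name = N'<proxyname>';
GO

-- 3. Grant explicit access first.
--    ProxyJobOwners is a hypothetical user-defined msdb database role
--    whose members are the owners found in step 2.
EXEC dbo.sp_grant_login_to_proxy
     @msdb_role = N'ProxyJobOwners',
     @proxy_name = N'<proxyname>';
GO

-- 4. Revoke the public role's access to the proxy.
EXEC dbo.sp_revoke_login_from_proxy
     @name = N'public',
     @proxy_name = N'<proxyname>';
GO

-- 5. Verify: list the principals still mapped to the proxy.
--    public should no longer appear; re-running step 1 should return no rows.
EXEC dbo.sp_enum_login_for_proxy @proxy_name = N'<proxyname>';
GO
```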

See Also

https://workbench.cisecurity.org/benchmarks/14058