3.12 Ensure the 'SYSADMIN' Role is Limited to Administrative or Built-in Accounts

Information

The SYSADMIN role is the highest privileged server-level role in SQL Server database engine. Moreover, by design built-in accounts by default are granted permission to this server-level role by Microsoft design so database engine works as expected. The following virtual accounts / Service SIDs are default members of SYSADMIN: NT SERVICE\SQLWriter NT SERVICE\Winmgmt NT SERVICE\MSSQLSERVER (Used by the SQL database engine service) NT SERVICE\SQLSERVERAGENT(Used by the SQL Agent service) This means that the service accounts for the SQL Database Engine and SQL Agent does not need to, and should not have , their specific service accounts added to the SYSADMIN group seperately, as it is not needed.

The built-in database sa account and service accounts are automatically created during SQL Server installation are required to be granted SYSADMIN role. DBA's can create accounts with SYSADMIN role for support and administration. Such accounts should be limited as well as protected using strict access and authorization restrictions.

Rationale:

This will greatly reduces attack surface, as only limited and specific accounts will be granted SYSADMIN role. So, attackers can't break into the database system with highly privileged accounts.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Remove any un-allowed SQL Server accounts which are granted SYSADMIN role using this query:

ALTER ROLE SYSADMIN DROP MEMBER <account>;

See Also

https://workbench.cisecurity.org/benchmarks/12777

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(2), 800-53|AC-6(5)

Plugin: MS_SQLDB

Control ID: e6a0c32c18c70d6ae7dd5b13074db83e986b7b2bc6f3650743bed516789e1c62