Information
SQL Server DBAs, if assigned excessive OS privileges, could perform actions that could endanger the information system or hide evidence of malicious activity.
This requirement is intended to limit exposure due to operating from within a privileged account or role. The check and fix are based on the assumption that Role-Based Access Control (RBAC) is in effect, as mandated by other STIG requirements. They further assume that, as mandated elsewhere, the privileged accounts discussed here are distinct from the accounts used by the same people when not performing privileged functions.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Remove any unnecessary privileges and any unauthorized members from the Group(s) representing DBAs.
Remove any unnecessary Group memberships from the user accounts representing DBAs.