SQL2-00-008900 - SQL Server processes or services must run under custom, dedicated OS or domain accounts - 'SQL Server Distributed Replay Client'

Information

Separation of duties is a prevalent Information Technology control that is implemented at different layers of the information system, including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires that the person accountable for approving an action is not the same person who is tasked with implementing or carrying out that action.

The concept of separation of duties extends to processes. The DBMS must run under a custom, dedicated OS or domain account. When the DBMS is running under a shared account, users with access to that account could inadvertently or maliciously make changes to the DBMS's settings, files, or permissions. Similarly, related services must run under dedicated accounts where this is possible. The SQL Server Browser and Writer services are exceptions: see http://msdn.microsoft.com/en-us/library/hh510203(v=sql.110).aspx and http://msdn.microsoft.com/en-us/library/ms175536(v=sql.110).aspx.

Solution

Configure the SQL Server services to use a custom, dedicated OS or domain account.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2012_V1R20_STIG.zip

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT

References: 800-53|AC-5c., 800-53|CM-6b., CAT|II, CCI|CCI-000366, CCI|CCI-002220, Rule-ID|SV-53422r4_rule, STIG-ID|SQL2-00-008900, Vuln-ID|V-41047

Plugin: Windows

Control ID: 73b58981db74bc8bbe60b0adf1ba42ea37b3cfc880a1069eb5f731231b4ba12a