SQL2-00-010000 - DBA OS or domain accounts must be granted only those host system privileges necessary for the administration of SQL Server.

Information

SQL Server DBAs, if assigned excessive OS privileges, could perform actions that endanger the information system or hide evidence of malicious activity.

This requirement is intended to limit exposure due to operating from within a privileged account or role. The check and fix are based on the assumption that Role-Based Access Control (RBAC) is in effect, as mandated by other STIG requirements. They further assume that, as mandated elsewhere, the privileged accounts discussed here are distinct from the accounts used by the same people when not performing privileged functions.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Remove any unnecessary privileges and any unauthorized members from the Group(s) representing DBAs.

Remove any unnecessary Group memberships from the user accounts representing DBAs.
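As an added example (not part of the STIG or of the Nessus audit), the following PowerShell check, run as an administrator on the SQL Server host, lists the DBA group's members, the user rights (host privileges) assigned directly to that group, and the other local groups each member belongs to, so unneeded privileges and memberships can be identified before removal. The local group name "SQLDBAs" is an assumption; substitute the group that represents DBAs in your environment.

```powershell
# Added example: audit the host privileges and memberships of the DBA group.
# Assumption: the DBA group is a local group named 'SQLDBAs' (placeholder).
# Requires an elevated session (secedit) and PowerShell 5.1+ (LocalAccounts module).
$DbaGroup = 'SQLDBAs'

# Step 1 of the Solution: who is in the DBA group? Review for unauthorized members.
Write-Host "Members of ${DbaGroup}:"
Get-LocalGroupMember -Group $DbaGroup | Select-Object Name, ObjectClass, PrincipalSource

# User rights granted directly to the group. secedit exports the effective local
# policy; the [Privilege Rights] section lists each right with '*SID' assignments.
$sid = (Get-LocalGroup -Name $DbaGroup).SID.Value
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$inRights = $false
$granted = foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') { $inRights = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inRights -and $line -match '^(?<right>\w+)\s*=\s*(?<sids>.+)$') {
        $sids = $Matches.sids -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
        if ($sids -contains $sid -or $sids -contains $DbaGroup) { $Matches.right }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
Write-Host "`nUser rights assigned directly to ${DbaGroup}:"
if ($granted) { $granted } else { 'none (rights may still be inherited through other groups)' }

# Step 2 of the Solution: which other local groups is each DBA account in?
# Membership in Administrators or other privileged groups is the usual finding.
# Domain accounts appear here only by their local group memberships; check
# domain group membership separately with Get-ADPrincipalGroupMembership.
$members = Get-LocalGroupMember -Group $DbaGroup | Where-Object ObjectClass -eq 'User'
foreach ($m in $members) {
    $groups = Get-LocalGroup | Where-Object {
        (Get-LocalGroupMember -Group $_.Name -ErrorAction SilentlyContinue).Name -contains $m.Name
    }
    Write-Host "`n$($m.Name) is a member of: $($groups.Name -join ', ')"
}
```

Any right or membership reported here that the DBA role does not need is a candidate for removal under the Solution above.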

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2012_V1R20_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-53414r4_rule, STIG-ID|SQL2-00-010000, Vuln-ID|V-41039

Plugin: Windows

Control ID: 6cff9d0ffb3f9255ea228b23573aa0cc3203a4c97f9ec839f69e9075f21cf4a4