SQL6-D0-012400 - SQL Server services must be configured to run under unique dedicated user accounts.

Information

Database management systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each process has a distinct address space so that communication between processes is controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure SQL Server services to have a documented, dedicated account.

For non-domain servers, consider using virtual service accounts (VSA). See https://msdn.microsoft.com/en-us/library/ms143504.aspx#VA_Desc for more information.

For standalone, domain-joined servers, consider using managed service accounts. See https://msdn.microsoft.com/en-us/library/ms143504.aspx#MSA for more information.

For clustered instances, consider using group managed service accounts. See https://msdn.microsoft.com/en-us/library/ms143504.aspx#GMSA or https://blogs.msdn.microsoft.com/markweberblog/2016/05/25/group-managed-service-accounts-gmsa-and-sql-server-2016/ for more information.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2016_Y24M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-39, CAT|II, CCI|CCI-002530, Rule-ID|SV-213992r961608_rule, STIG-ID|SQL6-D0-012400, STIG-Legacy|SV-93951, STIG-Legacy|V-79245, Vuln-ID|V-213992

Plugin: MS_SQLDB

Control ID: ec8f0ba362066fb635703402a972caa40cd07882ae2854a5a86ada124f187542