The SQL Server service should use a least-privileged local or domain user account.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-3835	DM0924-SQLServer9	SV-25429r1_rule	DCFA-1	Medium

Description
The Windows builtin Administrators group and LocalSystem account are assigned full privileges to the Windows operating system. These privileges are not required by the SQL Server service accounts for operation and, if assigned, could allow a successful attack of the SQL Server service to lead to a full compromise of the host system.

STIG	Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide	2015-06-16

Details

Check Text ( C-20490r1_chk )
Check for Service Account used: For Windows 2003 (Windows 2000 is similar): 1. Click Start 2. Right click on My Computer 3. Click on Manage, 4. Expand Services and Applications 5. Select Services 6. Locate the SQL Server ([instance name]) services 7. Examine the account listed in the ‘Log On As’ column If the account listed is a builtin account (LocalSystem, Local Service, Network Service, etc.), this is a Finding. Exceptions are: 1. SQL Server Active Directory Helper (Network Service) 2. SQL Server Integration Services (Network Service) 3. SQL Server VSS Writer (Local System) If the account listed is a domain user account (does not begin with ".\" or the host computer name), then confirm that the service requires access to remote systems including for the provision of email services as documented in the System Security Plan. If network resource access is not required, use of domain account is a Finding. If the account listed is a local or domain user account, then review group membership privileges. See below for Administrator group privilege check. Note any other group membership assignments for future check analysis. For Windows 2000: 1. Right click on My Computer 2. Select Manage 3. Expand Local Users 4. Expand Groups 5. Select the Administrators Group 6. Right click on the Administrators Group 7. Select Properties For Windows 2003: 1. Click Start 2. Select All Programs 3. Select Administrative Tools 4. Click Computer Management 5. Expand System Tools 6. Expand Local Users and Groups 7. Select Groups 8. Select the Administrators Group 9. Right click on the Administrators Group 10. Select Properties If the service account is listed as a member of the Administrators group, this is a Finding. Note: SQL Server Agent cannot be configured for autorestart without assignment to the Administrator Group. SQL Server Agent must be manually restarted after the service has been interrupted. If clustering is being used, assignment of "Debug Programs" user right to the account either directly or through an assigned group may be required and is authorized. Ensure this is documented in the System Security Plan.

Check Text ( C-20490r1_chk )

Check for Service Account used:

For Windows 2003 (Windows 2000 is similar):
1. Click Start
2. Right click on My Computer
3. Click on Manage,
4. Expand Services and Applications
5. Select Services
6. Locate the SQL Server ([instance name]) services
7. Examine the account listed in the ‘Log On As’ column

If the account listed is a builtin account (LocalSystem, Local Service, Network Service, etc.), this is a Finding.

Exceptions are:

1. SQL Server Active Directory Helper (Network Service)
2. SQL Server Integration Services (Network Service)
3. SQL Server VSS Writer (Local System)

If the account listed is a domain user account (does not begin with ".\" or the host computer name), then confirm that the service requires access to remote systems including for the provision of email services as documented in the System Security Plan.

If network resource access is not required, use of domain account is a Finding.

If the account listed is a local or domain user account, then review group membership privileges. See below for Administrator group privilege check. Note any other group membership assignments for future check analysis.

For Windows 2000:

1. Right click on My Computer
2. Select Manage
3. Expand Local Users
4. Expand Groups
5. Select the Administrators Group
6. Right click on the Administrators Group
7. Select Properties

For Windows 2003:

1. Click Start
2. Select All Programs
3. Select Administrative Tools
4. Click Computer Management
5. Expand System Tools
6. Expand Local Users and Groups
7. Select Groups
8. Select the Administrators Group
9. Right click on the Administrators Group
10. Select Properties

If the service account is listed as a member of the Administrators group, this is a Finding.

Note: SQL Server Agent cannot be configured for autorestart without assignment to the Administrator Group. SQL Server Agent must be manually restarted after the service has been interrupted.

If clustering is being used, assignment of "Debug Programs" user right to the account either directly or through an assigned group may be required and is authorized. Ensure this is documented in the System Security Plan.

Fix Text (F-14804r1_fix)
Create a local custom account for the SQL Server service accounts. A domain account may be used where network resources are required. Please see SQL Server Books Online for information that is more detailed. Assign the service accounts to the SQL Server groups created at installation (SQL Server 2005) if available. Assign the SQL Server accounts to the appropriate OS SQL Service group. Do not assign the SQL Server accounts to the OS DBA group. Note: Each service identified with an ([Instance Name]) should have its own, separate local user/domain user account. Do not add the SQL Server Agent user/domain account to the local or domain Administrators groups.

Fix Text (F-14804r1_fix)

Create a local custom account for the SQL Server service accounts. A domain account may be used where network resources are required.

Please see SQL Server Books Online for information that is more detailed.

Assign the service accounts to the SQL Server groups created at installation (SQL Server 2005) if available.

Assign the SQL Server accounts to the appropriate OS SQL Service group. Do not assign the SQL Server accounts to the OS DBA group.

Note: Each service identified with an ([Instance Name]) should have its own, separate local user/domain user account. Do not add the SQL Server Agent user/domain account to the local or domain Administrators groups.