3.11 Ensure the public role in the msdb database is not granted access to SQL Agent proxies

Information

The public database role contains every user in the msdb database. SQL Agent proxies define a security context in which a job step can run.

Rationale:

Granting the public role access to a SQL Agent proxy would allow every user in msdb to run job steps under that proxy, which may hold elevated privileges. This would likely break the principle of least privilege.

Solution

Ensure the required security principals are explicitly granted access to the proxy (use sp_grant_login_to_proxy).

Revoke access to the <proxyname> from the public role.

USE [msdb]
GO
EXEC dbo.sp_revoke_login_from_proxy @name = N'public', @proxy_name = N'<proxyname>';
GO

Impact:

Before revoking the public role from the proxy, ensure that alternative logins or appropriate user-defined database roles have been added with equivalent permissions. Otherwise, SQL Agent job steps dependent upon this access will fail.
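As an added example (not part of the benchmark text), the following T-SQL audits which proxies the public role can currently reach, lists the job steps that depend on a given proxy, and then performs the remediation in the order the Solution and Impact sections require. The role name AgentProxyUsers and the msdb user JobOwnerUser are assumed placeholders; <proxyname> is the page's own placeholder.

```sql
USE [msdb];
GO

-- Step 1 (audit): enumerate every proxy the public role has been granted.
-- On a compliant instance this returns no rows.
EXEC dbo.sp_enum_login_for_proxy @name = N'public';
GO

-- Step 2 (impact check): find the job steps that run under the proxy,
-- so their owners can be given explicit access before public is revoked.
SELECT j.name AS job_name, s.step_id, s.step_name, s.subsystem
FROM dbo.sysjobsteps AS s
JOIN dbo.sysjobs     AS j ON j.job_id   = s.job_id
JOIN dbo.sysproxies  AS p ON p.proxy_id = s.proxy_id
WHERE p.name = N'<proxyname>';
GO

-- Step 3 (remediate): replace the blanket grant with an explicit one.
-- AgentProxyUsers and JobOwnerUser are assumed placeholder names.
CREATE ROLE [AgentProxyUsers];
ALTER ROLE [AgentProxyUsers] ADD MEMBER [JobOwnerUser];
EXEC dbo.sp_grant_login_to_proxy
    @msdb_role  = N'AgentProxyUsers',
    @proxy_name = N'<proxyname>';

-- Only after the explicit grant exists is public removed, so dependent
-- job steps keep working.
EXEC dbo.sp_revoke_login_from_proxy
    @name       = N'public',
    @proxy_name = N'<proxyname>';
GO

-- Step 4 (verify): the proxy should now list the new role and not public.
EXEC dbo.sp_enum_login_for_proxy @proxy_name = N'<proxyname>';
GO
```

Run Step 1 again after remediation; any proxy still listed for public needs the same treatment.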

Default Value:

By default, the msdb public database role does not have access to any proxy.

References:

https://support.microsoft.com/en-us/help/2160741/best-practices-in-configuring-sql-server-agent-proxy-account

See Also

https://workbench.cisecurity.org/files/2837

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CSCv6|14.4, CSCv7|14.6

Plugin: MS_SQLDB

Control ID: 1bca9e6c3de34a625ead3ba18c40da48e7dcef489d86679d339506ce80f6f33c