3.10 Ensure Windows local groups are not SQL Logins

Information

Local Windows groups should not be used as logins for SQL Server instances.

Rationale:

Allowing local Windows groups as SQL Logins provides a loophole whereby anyone with OS level administrator rights (and no SQL Server rights) could add users to the local Windows groups and thereby give themselves or others access to the SQL Server instance.

Solution

For each LocalGroupName login identified, create an equivalent AD group (if one is needed) containing only the required user accounts.

Add the AD group or individual Windows accounts as a SQL Server login and grant it the permissions required.

Drop the LocalGroupName login using the syntax below, after replacing <name> with the name of the local group login.

USE [master]
GO
DROP LOGIN [<name>]
GO
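The steps above refer to LocalGroupName logins without showing how to find them. The following T-SQL is an added example, not part of the original audit item: it lists the WINDOWS_GROUP logins whose name is prefixed by the host's computer name (the usual form of a local group, HOST\GroupName), together with any explicit server permissions and server role memberships they hold, so each one can be reviewed and replaced before it is dropped. The prefix is derived from SERVERPROPERTY('MachineName'); groups under other prefixes (domain groups, BUILTIN) are intentionally excluded.

```sql
USE [master];
GO
-- Local Windows groups register as WINDOWS_GROUP principals named <MachineName>\<group>.
-- Build the prefix from the server itself so the same script works on any host.
DECLARE @prefix nvarchar(130) =
    CAST(SERVERPROPERTY('MachineName') AS nvarchar(128)) + N'\';

-- 1. Local-group logins and their explicit server-level permissions.
--    LEFT JOIN keeps groups that have a login but no explicit GRANT/DENY rows.
SELECT pr.[name]            AS LocalGroupName,
       pr.[principal_id]    AS PrincipalId,
       pr.[create_date]     AS CreateDate,
       pe.[permission_name] AS PermissionName,
       pe.[state_desc]      AS PermissionState
FROM sys.server_principals AS pr
LEFT JOIN sys.server_permissions AS pe
       ON pe.[grantee_principal_id] = pr.[principal_id]
WHERE pr.[type_desc] = N'WINDOWS_GROUP'
  AND pr.[name] LIKE @prefix + N'%'
ORDER BY pr.[name], pe.[permission_name];

-- 2. Fixed and user-defined server roles held by the same groups.
--    Role membership (e.g. sysadmin) is not visible in sys.server_permissions,
--    so it must be captured separately before recreating equivalent AD-group logins.
SELECT pr.[name] AS LocalGroupName,
       r.[name]  AS ServerRole
FROM sys.server_principals AS pr
JOIN sys.server_role_members AS rm
       ON rm.[member_principal_id] = pr.[principal_id]
JOIN sys.server_principals AS r
       ON r.[principal_id] = rm.[role_principal_id]
WHERE pr.[type_desc] = N'WINDOWS_GROUP'
  AND pr.[name] LIKE @prefix + N'%'
ORDER BY pr.[name], r.[name];
GO
```

An empty result from the first query means no local Windows group is a login on this instance; any row returned names a login to migrate to an AD group and then drop with DROP LOGIN.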

Impact:

Before dropping the local group logins, ensure that alternative AD Groups or Windows logins have been added with equivalent permissions. Otherwise, the SQL Server instance may become totally inaccessible.

Default Value:

By default, no local groups are added as SQL logins.

See Also

https://workbench.cisecurity.org/files/2945

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CSCv6|14.4, CSCv7|14.6

Plugin: MS_SQLDB

Control ID: 318fcae7caa3762a1528c996e648fbb4e69ec344f2b2b4c37787548742f3835f