3.10 Ensure Windows local groups are not SQL Logins

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Local Windows groups should not be used as logins for SQL Server instances.

Rationale:

Allowing local Windows groups as SQL Logins provides a loophole whereby anyone with OS level administrator rights (and no SQL Server rights) could add users to the local Windows groups and thereby give themselves or others access to the SQL Server instance.

Impact:

Before dropping the local group logins, ensure that alternative AD Groups or Windows logins have been added with equivalent permissions. Otherwise, the SQL Server instance may become totally inaccessible.

Solution

For each LocalGroupName login, create an equivalent AD group (where one is needed) containing only the required user accounts.

Add the AD group or individual Windows accounts as a SQL Server login and grant it the permissions required.

Drop the LocalGroupName login using the syntax below after replacing <name>.

USE [master]
GO
DROP LOGIN [<name>]
GO
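As an added example (not part of the benchmark text), the T-SQL below locates Windows local groups that exist as SQL Server logins, shows the server permissions and role memberships the replacement AD group or Windows accounts must receive first, and generates DROP LOGIN statements for review rather than executing them. Matching names with a BUILTIN\ prefix in addition to the machine-name prefix is an assumption of this example.

```sql
-- Added example, not from the CIS benchmark: audit local Windows group logins
-- and generate reviewable remediation statements. Run as sysadmin in SSMS/sqlcmd.
USE [master];
GO
DECLARE @machine nvarchar(128) = CAST(SERVERPROPERTY('MachineName') AS nvarchar(128));

-- 1. Local groups used as logins: Windows groups whose name carries the local
--    machine-name prefix (MACHINE\Group) or, by assumption, the BUILTIN\ prefix
--    (e.g. BUILTIN\Administrators), plus any server-level permissions granted.
SELECT pr.[name]            AS LocalGroupName,
       pr.[type_desc]       AS PrincipalType,
       pe.[permission_name] AS ServerPermission,
       pe.[state_desc]      AS PermissionState
FROM sys.server_principals AS pr
LEFT JOIN sys.server_permissions AS pe
       ON pe.[grantee_principal_id] = pr.[principal_id]
WHERE pr.[type_desc] = 'WINDOWS_GROUP'
  AND (pr.[name] LIKE @machine + N'\%' OR pr.[name] LIKE N'BUILTIN\%');

-- 2. Server role membership for the same logins: this is what the replacement
--    AD group or individual Windows accounts need before the local group is dropped.
SELECT pr.[name] AS LocalGroupName,
       r.[name]  AS ServerRole
FROM sys.server_principals AS pr
JOIN sys.server_role_members AS rm ON rm.[member_principal_id] = pr.[principal_id]
JOIN sys.server_principals  AS r  ON r.[principal_id] = rm.[role_principal_id]
WHERE pr.[type_desc] = 'WINDOWS_GROUP'
  AND (pr.[name] LIKE @machine + N'\%' OR pr.[name] LIKE N'BUILTIN\%');

-- 3. Remediation statements, generated for review only; nothing is dropped here.
--    Execute them only after step 2's permissions exist on the replacement logins.
SELECT N'DROP LOGIN ' + QUOTENAME(pr.[name]) + N';' AS DropStatement
FROM sys.server_principals AS pr
WHERE pr.[type_desc] = 'WINDOWS_GROUP'
  AND (pr.[name] LIKE @machine + N'\%' OR pr.[name] LIKE N'BUILTIN\%');
GO
```

An empty result from the first query is the compliant state described under Default Value.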

Default Value:

By default, no local groups are added as SQL logins.

See Also

https://workbench.cisecurity.org/files/3312