2.8 Ensure Dbcreator and Securityadmin roles are only used as needed

Information

In certain situations, database administrators (DBAs) may want to operate independently
from SharePoint 2016 administrators and create and manage all the databases. This is
typical in IT environments where security requirements and company policies require a
separation of administrator roles. The farm administrator provides SharePoint 2016
database requirements to the DBA, who then creates the necessary databases and sets up
the logins that are required for the farm.

Rationale:

The ability to grant access to the database engine and to configure user permissions allows
the securityadmin to assign most server permissions. You should treat the securityadmin
role as equal to the sysadmin role.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Using SQL Server Management Studio access Object Explorer.

1. Expand the server in which you want to view a fixed server role.
2. Expand the Security folder.
3. Expand the Server Roles folder.
4. Right-click the dbcreator or securityadmin role and select Properties.
5. In the dbcreator or securityadmin dialog box, on the Members page click the list of
members.
6. Remove the members from the list.

See Also

https://workbench.cisecurity.org/files/2395

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(1), CSCv6|5.1

Plugin: MS_SQLDB

Control ID: e1b8ec2c8ee6cbc18a89d24b2604dda434b3f9147384cd26bd99d607ff2cbd79