Detections
Analytics

SQL2-00-009800 - SQL Server DBA roles must not be assigned excessive or unauthorized privileges.

Information

This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control policy, such as Role-Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

Audit of privileged activity may require physical separation, employing information systems on which the user does not have privileged access.

To limit exposure and provide forensic history of activity when operating from within a privileged account or role, SQL Server does support organizational requirements that users of information system accounts, or roles, with access to an organization-defined list of security functions or security-relevant information, use non-privileged accounts, or roles, when accessing other (non-security) system functions.

SQL Server provides access logging that ensures users who are granted a privileged role (or roles) have their privileged activity logged. DBAs, if assigned excessive privileges, could perform actions that endanger the information system or hide evidence of malicious activity.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Remove permissions from DBAs and other administrative users beyond those required for administrative functions.

Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'administrator account name'> >> Properties >> User >> Securables.

Remove 'Securables' permissions from DBAs and other administrative users that are beyond what is required.

Navigate from 'Securables' to 'Server Roles'.

Remove 'Server Roles' permissions from DBAs and other administrative users that are beyond what is required.

Navigate from 'Server Roles' to 'Users mapped to the login'.

Remove 'Users mapped to the login' permissions from DBAs and other administrative users that are beyond what is required.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2012_V1R20_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-53416r2_rule, STIG-ID|SQL2-00-009800, Vuln-ID|V-41041

Plugin: MS_SQLDB

Control ID: 6d722a5758d49651ed46d7055049f05b6128452386a4bc1928759b0c86a8f85f