STIGQter: STIG Summary: MS SQL Server 2016 Instance Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

SQL Server must protect against a user falsely repudiating by ensuring the NT AUTHORITY SYSTEM account is not used for administration.

DISA Rule

SV-213934r617437_rule

Vulnerability Number

V-213934

Group Title

SRG-APP-000080-DB-000063

Rule Version

SQL6-D0-004100

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Remove permissions that were identified as not allowed in the check content.

USE Master;

REVOKE <Permission> TO [NT AUTHORITY\SYSTEM]

GO


To grant permissions to services or applications, utilize the Service SID of the service or a domain service account.

Check Contents

Execute the following queries. The first query checks for Clustering and Availability Groups being provisioned in the Database Engine. The second query lists permissions granted to the Local System account.

SELECT
SERVERPROPERTY('IsClustered') AS [IsClustered],
SERVERPROPERTY('IsHadrEnabled') AS [IsHadrEnabled]

EXECUTE AS LOGIN = 'NT AUTHORITY\SYSTEM'

SELECT * FROM fn_my_permissions(NULL, 'server')

REVERT

GO


If IsClustered returns 1, IsHadrEnabled returns 0, and any permissions have been granted to the Local System account beyond "CONNECT SQL", "VIEW SERVER STATE", and "VIEW ANY DATABASE", this is a finding.

If IsHadrEnabled returns 1 and any permissions have been granted to the Local System account beyond "CONNECT SQL", "CREATE AVAILABILITY GROUP", "ALTER ANY AVAILABILITY GROUP", "VIEW SERVER STATE", and "VIEW ANY DATABASE", this is a finding.

If both IsClustered and IsHadrEnabled return 0 and any permissions have been granted to the Local System account beyond "CONNECT SQL" and "VIEW ANY DATABASE", this is a finding.
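The three "this is a finding" rules above can be evaluated in one script. The following T-SQL is an added example written for this page, not part of the STIG text: it derives the allowed permission set from IsClustered/IsHadrEnabled, captures the Local System login's effective server permissions, and returns only the excess ones. It assumes the caller holds IMPERSONATE on the NT AUTHORITY\SYSTEM login (or CONTROL SERVER) and that the login exists.

```sql
-- Added example: automate the SQL6-D0-004100 check.
-- Any row returned is a permission granted beyond the allowed set, i.e. a finding.
USE master;

DECLARE @IsClustered   int = CONVERT(int, SERVERPROPERTY('IsClustered'));
DECLARE @IsHadrEnabled int = CONVERT(int, SERVERPROPERTY('IsHadrEnabled'));

-- Allowed set per the check text: the baseline applies in every configuration.
DECLARE @Allowed TABLE (permission_name nvarchar(128) NOT NULL);
INSERT INTO @Allowed (permission_name)
VALUES (N'CONNECT SQL'), (N'VIEW ANY DATABASE');

-- Clustered or Availability Group instances may also hold VIEW SERVER STATE.
IF @IsClustered = 1 OR @IsHadrEnabled = 1
    INSERT INTO @Allowed (permission_name) VALUES (N'VIEW SERVER STATE');

-- Availability Group instances may additionally hold the two AG permissions.
IF @IsHadrEnabled = 1
    INSERT INTO @Allowed (permission_name)
    VALUES (N'CREATE AVAILABILITY GROUP'), (N'ALTER ANY AVAILABILITY GROUP');

-- Effective server-level permissions of the Local System login.
DECLARE @Effective TABLE (permission_name nvarchar(128) NOT NULL);

IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'NT AUTHORITY\SYSTEM')
BEGIN
    EXECUTE AS LOGIN = N'NT AUTHORITY\SYSTEM';
    INSERT INTO @Effective (permission_name)
    SELECT permission_name FROM fn_my_permissions(NULL, 'SERVER');
    REVERT;
END
ELSE
    PRINT N'NT AUTHORITY\SYSTEM has no login on this instance; nothing to check.';

-- Report configuration and every permission outside the allowed set.
SELECT @IsClustered AS [IsClustered], @IsHadrEnabled AS [IsHadrEnabled];

SELECT e.permission_name AS [ExcessPermission]
FROM @Effective AS e
WHERE NOT EXISTS (SELECT 1 FROM @Allowed AS a
                  WHERE a.permission_name = e.permission_name)
ORDER BY e.permission_name;
```

An empty ExcessPermission result set means the instance passes this check; each row it does return is a candidate for the REVOKE in the Fix Recommendation.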

Vulnerability Number

V-213934

Documentable

False

Rule Version

SQL6-D0-004100

Severity Override Guidance


Check Content Reference

M

Target Key

3993

Comments