Title: DBA OS accounts must be granted only those host system privileges necessary for the administration of the DBMS.
Vulnerability ID: V-32244
STIG ID: SRG-APP-000063-DB-000021
IA Controls: None
Description: This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control policy, such as Role Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. DBAs, if assigned excessive OS privileges, could perform actions that could endanger the information system or hide evidence of malicious activity.
Check Text: Review OS privileges for DBA and other database administrative accounts. If DBA or administrative accounts have unauthorized roles or permissions beyond those needed for database administration, this is a finding.
Fix Text: Remove OS permissions from DBAs and other administrative users beyond those required for database administrative functions.[divider]
It is a common practice to give the DBA god-like rights over a SQL Server instance. This is done because usually the server is just a SQL Server. There are also times a DBA may need to reboot a server or reconfigure the services. This is usually because of a requirement, planned or not, to perform multiple duties. This STIG is here to help enforce the concept of separation of duties. The DBA’s duties are to work in the database itself and ensure its proper function. This does not require excessive rights to the server itself. Even in the case of a restart or service reconfiguration being required, it is not necessarily the DBA’s job to make those adjustments. This is not to say the job of a DBA is not easier with full access, but regarding proper security practices, it is not a best practice.
The operating system level access required by a DBA to perform their day-to-day tasks is quite minimal.
The DBA requires the following access on a Windows Server running SQL Server:
[list_check]
[li]Profile System Performance – This allows the DBA to sample the performance of computer system processes, such as SQL Server. This right is required if the System Monitor is going to be configured to collect data through WMI.[/li]
[li]Use System Monitor – This allows the DBA to use the System Monitor, which uses remote procedure calls, to collect real-time performance information in the form of counters, for server resources such as processor and memory use, and for many SQL Server resources such as locks and transactions. This is more commonly known as Perfmon, or Performance Monitor.[/li]
[/list_check]
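The Check Text above says to review the OS privileges of DBA accounts, and the list gives the two Windows rights a DBA actually needs. The following PowerShell script is an added example (not part of the STIG or of any vendor tool) that automates that review on a Windows Server hosting SQL Server: it exports the local security policy with secedit, parses the [Privilege Rights] section, and reports a finding when a DBA account holds host-level privileges or local group memberships beyond the minimal set. The account name 'CONTOSO\sqldba', the list of "excessive" privileges and groups, and the mapping of "Profile System Performance" to SeSystemProfilePrivilege and of "Use System Monitor" to the Performance Monitor Users group are assumptions you should adjust to local policy.

```powershell
# Added example: audit DBA OS privileges against the minimal set described above.
# Run elevated on the SQL Server host so secedit can export the local policy.
# Usage (placeholder account):  .\Audit-DbaOsRights.ps1 -DbaAccounts 'CONTOSO\sqldba'
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string[]]$DbaAccounts
)

# Rights the commentary says a DBA legitimately needs (assumed mapping to Windows names).
$AllowedPrivileges = @('SeSystemProfilePrivilege')      # "Profile system performance"
$AllowedGroups     = @('Performance Monitor Users')      # lets Perfmon read counters

# Host-level rights that exceed DBMS administration (assumption: tune to local policy).
$ExcessivePrivileges = @(
    'SeDebugPrivilege', 'SeTcbPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
    'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege', 'SeRemoteShutdownPrivilege',
    'SeShutdownPrivilege'
)
$ExcessiveGroups = @('Administrators', 'Backup Operators', 'Remote Desktop Users')

function Get-PrivilegeAssignments {
    # Export the User Rights Assignment policy and parse [Privilege Rights] into a hashtable:
    # privilege name -> list of SIDs (secedit writes them as *S-1-5-...) or account names.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $map = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $map[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $map
}

function Resolve-Sid([string]$Account) {
    # Translate DOMAIN\user or MACHINE\user to its SID so it can be matched against the export.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Test-GroupMembership([string]$Group, [string]$Sid) {
    # Direct members only: nested domain groups are not expanded, so review those separately.
    $members = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue
    return [bool]($members | Where-Object { $_.SID.Value -eq $Sid })
}

$privs    = Get-PrivilegeAssignments
$findings = @()

foreach ($acct in $DbaAccounts) {
    $sid = Resolve-Sid $acct

    # Informational: confirm the two rights the DBA does need are in place.
    foreach ($p in $AllowedPrivileges) {
        $has = ($privs[$p] -contains $sid) -or ($privs[$p] -contains $acct)
        Write-Host ("{0}: {1} {2}" -f $acct, $p, $(if ($has) { 'granted (expected)' } else { 'not granted directly' }))
    }
    foreach ($g in $AllowedGroups) {
        $has = Test-GroupMembership -Group $g -Sid $sid
        Write-Host ("{0}: member of '{1}': {2}" -f $acct, $g, $has)
    }

    # Findings: any excessive privilege assigned directly to the account.
    foreach ($p in $ExcessivePrivileges) {
        if (($privs[$p] -contains $sid) -or ($privs[$p] -contains $acct)) {
            $findings += [pscustomobject]@{ Account = $acct; Type = 'Privilege'; Value = $p }
        }
    }
    # Findings: membership in a local group that confers host administration.
    foreach ($g in $ExcessiveGroups) {
        if (Test-GroupMembership -Group $g -Sid $sid) {
            $findings += [pscustomobject]@{ Account = $acct; Type = 'Group'; Value = $g }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No excessive OS rights found for the listed DBA accounts (direct assignments only).'
} else {
    Write-Host 'FINDING (V-32244): DBA accounts hold OS rights beyond database administration:'
    $findings | Format-Table -AutoSize
}
```

The script only inspects direct user rights and direct local group membership; a DBA account that inherits Administrators through a nested domain group will not be flagged, so pair this with a review of the domain groups the account belongs to. When a finding is confirmed, the Fix Text applies: remove the extra right or group membership rather than adding exceptions to the check.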