STIGQter: STIG Summary: MS SQL Server 2016 Instance Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

SQL Server services must be configured to run under unique dedicated user accounts.

DISA Rule

SV-213992r617437_rule

Vulnerability Number

V-213992

Group Title

SRG-APP-000431-DB-000388

Rule Version

SQL6-D0-012400

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure SQL Server services to have a documented, dedicated account.

For non-domain servers, consider using virtual service accounts (VSA). See https://msdn.microsoft.com/en-us/library/ms143504.aspx#VA_Desc for more information.

For standalone, domain-joined servers, consider using managed service accounts. See https://msdn.microsoft.com/en-us/library/ms143504.aspx#MSA for more information.

For clustered instances, consider using group managed service accounts. See https://msdn.microsoft.com/en-us/library/ms143504.aspx#GMSA or https://blogs.msdn.microsoft.com/markweberblog/2016/05/25/group-managed-service-accounts-gmsa-and-sql-server-2016/ for more information.

Check Contents

Review the server documentation to obtain a listing of required service accounts. Review the accounts configured for all SQL Server services installed on the server.

Click Start >> Type "SQL Server Configuration Manager" >> Launch the program >> Click SQL Server Services tree node. Review the "Log On As" column for each service.

If any services are configured with the same service account or are configured with an account that is not documented and authorized, this is a finding.
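
The same review can be scripted. The PowerShell below is an added example, not part of the STIG text: it reads the "Log On As" account of each SQL Server service from `Win32_Service` and reports the two finding conditions above. The `$Authorized` map holds constructed placeholder entries standing in for the server documentation, and the service-name patterns assume default SQL Server 2016 service names.

```powershell
# Documented, authorized account per service (constructed placeholders;
# replace with the entries from the server documentation).
$Authorized = @{
    'MSSQLSERVER'    = 'NT Service\MSSQLSERVER'
    'SQLSERVERAGENT' = 'NT Service\SQLSERVERAGENT'
}

# Service-name patterns for SQL Server components (assumption: default names).
$Patterns = 'MSSQLSERVER', 'MSSQL$*', 'SQLSERVERAGENT', 'SQLAgent$*', 'SQLBrowser',
            'SQLWriter', 'MSSQLFDLauncher*', 'ReportServer*', 'MSSQLServerOLAPService',
            'MSOLAP$*', 'MsDtsServer*', 'SQLTELEMETRY*', 'MSSQLLaunchpad*'

function Get-SqlServiceAccountFinding {
    param(
        [Parameter(Mandatory)] [object[]]  $Services,   # objects with Name and StartName
        [Parameter(Mandatory)] [hashtable] $Authorized  # service name -> documented account
    )
    # Condition 1: the same account is configured on more than one service.
    $Services | Group-Object -Property StartName | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{
            Reason   = 'Account shared by multiple services'
            Account  = $_.Name
            Services = ($_.Group.Name -join ', ')
        }
    }
    # Condition 2: the account is not the documented one for that service
    # (a service missing from the documentation is reported as well).
    foreach ($svc in $Services) {
        if ($Authorized[$svc.Name] -ne $svc.StartName) {
            [pscustomobject]@{
                Reason   = 'Account not documented and authorized'
                Account  = $svc.StartName
                Services = $svc.Name
            }
        }
    }
}

# StartName is the value shown in the "Log On As" column of Configuration Manager.
$sqlServices = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $n = $_.Name; $Patterns | Where-Object { $n -like $_ } } |
    Select-Object Name, StartName

if ($sqlServices) {
    Get-SqlServiceAccountFinding -Services $sqlServices -Authorized $Authorized |
        Format-Table -AutoSize
}
```

Any row in the output corresponds to a finding under this rule; no output means every discovered service has a unique account that matches the documentation.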

Documentable

False

Severity Override Guidance

Review the server documentation to obtain a listing of required service accounts. Review the accounts configured for all SQL Server services installed on the server.

Click Start >> Type "SQL Server Configuration Manager" >> Launch the program >> Click SQL Server Services tree node. Review the "Log On As" column for each service.

If any services are configured with the same service account or are configured with an account that is not documented and authorized, this is a finding.

Check Content Reference

M

Target Key

3993
