Friday, December 06, 2002
BUILTIN\Administrators in Sysadmin Role
Issue
Local administrators should not also be database administrators. The two roles are very different
and are typically performed by different people. While BUILTIN\Administrators is a member of
sysadmin, anyone who is a local administrator on the host (including the Domain Admins group, which
is normally nested in the local Administrators group on a domain member) has full control of every
database on the instance without holding a SQL Server login of their own.
Solution
Remove BUILTIN\Administrators from the sysadmin role.
Note: There are special circumstances that require Administrators to belong to the
Sysadmin role. These circumstances are outlined in the following Microsoft Knowledge Base
articles:
- SQL Server Agent Does Not Start and Displays Error 18456 (Q237604)
- How to Prevent Windows NT Administrators from Administering a Clustered SQL Server (Q263712)
- IsAlive Check Does Not Run Under the Context of the BUILTIN\Administrators Account (Q291255)
- Microsoft Search Service May Cause 100% CPU Usage if BUILTIN\Administrators Login is Removed (Q295034)
Instructions
- Click Start, point to Programs, point to Microsoft SQL Server, and then click Enterprise Manager.
- In SQL Server Enterprise Manager, double-click SQL Server Group, and then double-click the SQL Server that you want to secure.
- Click the Security folder, click Server Roles, and then double-click System Administrators in the right pane.
- In the Server Role Properties dialog box, click BUILTIN\Administrators, and then click Remove.
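The same change scripted in PowerShell against a SQL Server 2000 instance, as an added example that is not part of the original page or of any Microsoft tool. It includes the check the Note above calls for: the SQL Server and SQL Server Agent service accounts get their own sysadmin logins before the group is dropped, so the Agent service does not fail with error 18456 as described in Q237604. The instance name, the two service account names and the connection method (the .NET SqlClient provider with Windows authentication) are assumptions.

```powershell
# Added example, not part of the original page. Removes BUILTIN\Administrators
# from the sysadmin role on a SQL Server 2000 instance after first making sure the
# service accounts keep a login of their own (the condition behind KB Q237604).
# Assumed: Windows PowerShell, the .NET SqlClient provider, a caller whose Windows
# login is already a sysadmin, and the placeholder names below.
param(
    [string]$Instance = "localhost",                                     # assumed; SERVER\INSTANCE for a named instance
    [string[]]$ServiceAccounts = @("CORP\svc-sql", "CORP\svc-sqlagent"), # placeholders for the SQL Server and Agent accounts
    [switch]$Apply                                                       # without -Apply nothing is changed
)

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$Instance;Database=master;Integrated Security=SSPI"
$conn.Open()

# Runs one T-SQL batch and returns its first result set as a DataTable.
function Invoke-Tsql([string]$Sql) {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $Sql
    $adapter = New-Object System.Data.SqlClient.SqlDataAdapter $cmd
    $table = New-Object System.Data.DataTable
    [void]$adapter.Fill($table)
    return ,$table
}

try {
    # 1. Current sysadmin membership (sp_helpsrvrolemember returns ServerRole, MemberName, MemberSID).
    $members = @(Invoke-Tsql "EXEC sp_helpsrvrolemember 'sysadmin'" | ForEach-Object { $_.MemberName })
    $members | ForEach-Object { "sysadmin member: $_" }

    if (-not ($members -contains 'BUILTIN\Administrators')) {
        "BUILTIN\Administrators is not in sysadmin; nothing to do."
        return
    }

    # 2. Each service account gets an explicit login and sysadmin membership first,
    #    so SQL Server Agent still authenticates once the group is gone.
    foreach ($acct in $ServiceAccounts) {
        $q = $acct.Replace("'", "''")    # T-SQL string literal escaping
        $n = [int](Invoke-Tsql "SELECT COUNT(*) AS n FROM master..syslogins WHERE loginname = N'$q'").Rows[0].n
        if ($n -eq 0) {
            "grant login: $acct"
            if ($Apply) { [void](Invoke-Tsql "EXEC sp_grantlogin N'$q'") }
        }
        if (-not ($members -contains $acct)) {
            "add to sysadmin: $acct"
            if ($Apply) { [void](Invoke-Tsql "EXEC sp_addsrvrolemember N'$q', 'sysadmin'") }
        }
    }

    # 3. Now the group itself can go; this is what the Enterprise Manager steps above do.
    "remove from sysadmin: BUILTIN\Administrators"
    if ($Apply) { [void](Invoke-Tsql "EXEC sp_dropsrvrolemember 'BUILTIN\Administrators', 'sysadmin'") }
}
finally {
    $conn.Close()
}
```

Run it once without -Apply: it only lists the current sysadmin members and the changes it would make. With -Apply it executes the three stored procedures in the order shown, which matters because the caller's own login may itself depend on BUILTIN\Administrators until step 2 has run.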
Additional Information
Service Accounts on SQL Server
Issue
Every service logs on under some account, and several run as LocalSystem. That is a
potential vulnerability: a bug in the service code could be exploited by a malicious user
to gain system-level access, because the service already runs with the full privileges of
the local computer. Run services that do not require full system access under a
lesser-privileged account, and make sure that account is not a member of the local
Administrators group.
Solution
Ensure that the SQL Server service accounts are not running as LocalSystem and are not
members of the local or Domain Administrators group. Run these services under a
dedicated, low-privileged domain user account.
Windows XP introduces two new service accounts: LocalService and
NetworkService. Services running under the LocalService account have minimum
privileges on the local computer, and they present anonymous credentials on the
network. Services running under the NetworkService account have minimum
privileges on the local computer, and they act as the computer on the network. For
more information, see Additional Resources.
Instructions
To ensure that services are not running as Local System Accounts in Windows 2000
- Click Start, point to Settings, and then click Control Panel.
- Double-click Administrative Tools, and then double-click Computer Management.
- Under the Services and Applications node, click Services.
- Double-click the service that was flagged in the security report.
- In the dialog box that appears, click the Log On tab.
- Under Log On As, select the This account radio button and specify the low-privileged account (the domain user account recommended above) under which the service should run.
To ensure that services are not running as Local System Accounts in Windows NT 4.0
- Click Start, point to Settings, and then click Control Panel.
- Click Services.
- Double-click the service that was flagged in the security report.
- Under Log On As in the dialog box that appears, select the This account radio button and specify the low-privileged account under which the service should run.
Note: The Services console grants the account the Log on as a service right, but it does not grant NTFS permissions on the SQL Server data, log and program folders or on the SQL Server registry keys. Grant those separately, or change the account from SQL Server Enterprise Manager (Server Properties, Security tab), which sets them for you.
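A script that audits the two conditions the scan flags, as an added example that is not part of the original page or of the scanner. It lists the SQL Server and SQL Server Agent services on the local host and reports which run as LocalSystem or under a direct member of the local Administrators group. It assumes Windows PowerShell run with local administrator rights and uses only the built-in WMI Win32_Service class and the ADSI WinNT provider; Domain Admins membership and nested group membership are not checked, since that needs a directory query.

```powershell
# Added example, not part of the original page. Audits the SQL Server and SQL
# Server Agent services on this host for the two conditions the scan flags:
# running as LocalSystem, or running under an account that is a direct member
# of the local Administrators group. Assumed: Windows PowerShell run with local
# admin rights, the built-in WMI Win32_Service class and the ADSI WinNT provider.
# Domain Admins and nested group membership are not checked here.

# SQL Server 2000 service names: MSSQLSERVER / SQLSERVERAGENT for the default
# instance, MSSQL$name / SQLAgent$name for named instances.
$services = Get-WmiObject Win32_Service | Where-Object {
    $_.Name -eq 'MSSQLSERVER' -or $_.Name -eq 'SQLSERVERAGENT' -or
    $_.Name -like 'MSSQL$*'   -or $_.Name -like 'SQLAgent$*'
}

# Direct members of the local Administrators group, normalised to DOMAIN\name or
# HOST\name. ADsPath values look like WinNT://CORP/svc-sql or WinNT://HOST/Administrator.
$group  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$admins = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    ($path -replace '^WinNT://', '') -replace '/', '\'
}

# Classifies the account a service runs under. Win32_Service reports it as
# 'LocalSystem', '.\name', 'NT AUTHORITY\NetworkService' or 'DOMAIN\name'.
function Get-ServiceAccountVerdict([string]$StartName) {
    if ($StartName -eq 'LocalSystem') { return 'FAIL: runs as LocalSystem' }
    $acct = $StartName -replace '^\.\\', "$env:COMPUTERNAME\"
    if ($admins -contains $acct) { return 'FAIL: member of local Administrators' }
    return 'OK'
}

foreach ($svc in $services) {
    '{0,-22} {1,-32} {2}' -f $svc.Name, $svc.StartName, (Get-ServiceAccountVerdict $svc.StartName)
}
```

The LocalService and NetworkService accounts described above come back as OK here, which matches the recommendation: they are not LocalSystem and are not in Administrators. A service account that is an administrator only through a nested group will also come back OK, so treat the result as a first pass, not a clean bill of health.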
Additional Resources
Scan report (score in brackets, then the issue and the scanner's result text). Every row below carries the score "Check failed (critical)", including rows whose result text describes a pass, so read the result text rather than the score.

Windows Scan Results - Vulnerabilities
- Windows Hotfixes [Check failed (critical)]: 5 hotfixes are missing or could not be confirmed.
- Password Expiration [Check failed (critical)]: Some user accounts (19 of 31) have non-expiring passwords.
- File System [Check failed (critical)]: All hard drives (6) are using the NTFS file system.
- Local Account Password Test [Check failed (critical)]: Some user accounts (1 of 31) have blank or simple passwords, or could not be analyzed.
- Guest Account [Check failed (critical)]: The Guest account is disabled on this computer.
- Autologon [Check failed (critical)]: Autologon is not configured on this computer.
- Restrict Anonymous [Check failed (critical)]: Computer is running with RestrictAnonymous = 2. This level prevents access to any resources that do not have explicit permissions set for the Anonymous account.
- Administrators [Check failed (critical)]: No more than 2 Administrators were found on this computer.

Windows Scan Results - Additional System Information
- Auditing [Check failed (critical)]: Logon Failure auditing is enabled, however Logon Success auditing should also be enabled.
- Shares [Additional information]: 8 share(s) are present on your computer.
- Services [Check failed (critical)]: Some potentially unnecessary services are installed.
- Windows Version [Additional information]: Computer is running Windows 2000 or greater.

Internet Information Services (IIS) Scan Results - Vulnerabilities
- Parent Paths [Check failed (critical)]: Parent paths are enabled in some web sites and/or virtual directories.
- Sample Applications [Check failed (critical)]: IIS sample applications are not installed.
- IIS Admin Virtual Directory [Check failed (critical)]: IISADMPWD virtual directory is not present.
- Msadc and Scripts Virtual Directories [Check failed (critical)]: The MSADC and Scripts virtual directories are not present under the default web site.
- IIS Lockdown Tool [Check failed (critical)]: The IIS Lockdown tool has been run on the machine.
- IIS Hotfixes [Check failed (critical)]: No missing hotfixes were found.

Internet Information Services (IIS) Scan Results - Additional System Information
- IIS Logging Enabled [Best practice]: Some web or FTP sites are not using the recommended logging options.
- Domain Controller Test [Best practice]: IIS is not running on a domain controller.

SQL Server Scan Results - Vulnerabilities
- Exposed sa Password [Check failed (critical)]: The 'sa' password may be exposed in clear text.
- SQL Account Password Test [Check failed (critical)]: Some SQL user accounts (1 of 5) have blank or simple passwords.
- SQL Server Security Mode [Check failed (critical)]: SQL Server authentication mode is set to SQL Server and Windows (Mixed Mode).
- SQL Server Hotfixes [Check failed (critical)]: 3 hotfixes could not be confirmed.
- Sysadmin role members [Check failed (critical)]: BUILTIN\Administrators group is part of sysadmin role.
- Sysadmins [Check failed (critical)]: More than 2 members of sysadmin role are present.
- Service Accounts [Check failed (critical)]: SQL Server and/or SQL Server Agent Services accounts are members of the local Administrators group or run as LocalSystem.
- Domain Controller Test [Check failed (critical)]: SQL Server is not running on a domain controller.
- CmdExec role [Check failed (critical)]: CmdExec is restricted to sysadmin only.
- Registry Permissions [Check failed (critical)]: The Everyone group does not have more than Read access to the SQL Server registry keys.
- Folder Permissions [Check failed (critical)]: Permissions on the SQL Server installation folders are set properly.
- Guest Account [Check failed (critical)]: The Guest account is not enabled in any of the databases.

Desktop Application Scan Results - Vulnerabilities
- IE Zones [Check failed (critical)]: Internet Explorer zones do not have secure settings for some users.
- Outlook Zones [Check failed (critical)]: No Microsoft Office products are installed.
- Macro Security [Check failed (critical)]: No Microsoft Office products are installed.