Default user service account


This metric checks whether SQL Server services are running under any of the default accounts, such as LocalSystem.

Using a default account for SQL Server services can be a security risk for two reasons. Firstly, it can give the service a higher level of permissions than it needs. Secondly, isolation is compromised when several services run under the same account: if one of the services is compromised, all the others running under the same account are vulnerable too.

The associated alert will be raised if you’ve used a default user account instead of a domain account.


Metric definition

Metric Name:
Default user service account
Description:
This metric checks whether SQL Server services are running under any of the default accounts, such as LocalSystem. Using a default account for SQL Server services can be a security risk for two reasons. Firstly, it can give the service a higher level of permissions than it needs. Secondly, isolation is compromised when several services run under the same account: if one of the services is compromised, all the others running under the same account are vulnerable too.
Enter the T-SQL query that will collect data:
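DECLARE @KeyValue VarChar(500),
        @Data Varchar(255),
        @InstanceName VarChar(200)

-- Look up the instance ID under Instance Names\SQL.
-- The value read here is not used by the check below.
SET @InstanceName = CONVERT(VarChar(200), ISNULL(SERVERPROPERTY('InstanceName'), 'MSSQLSERVER'))
SET @KeyValue = 'SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
EXEC xp_regread 'HKEY_LOCAL_MACHINE',
                @KeyValue,
                @InstanceName,
                @InstanceName OUTPUT

-- Registry key of the Database Engine service for this instance
-- (MSSQLSERVER for a default instance, MSSQL$<name> for a named one).
IF SERVERPROPERTY('InstanceName') IS NULL
  SET @KeyValue = 'SYSTEM\CurrentControlSet\Services\MSSQLSERVER\'
ELSE 
  SET @KeyValue = 'SYSTEM\CurrentControlSet\Services\MSSQL$' + CONVERT(VarChar(200), SERVERPROPERTY('InstanceName')) + '\'
-- ObjectName holds the account the service logs on as.
EXEC xp_regread 'HKEY_LOCAL_MACHINE',
                @KeyValue,
                'ObjectName',
                @Data OUTPUT

-- Substring match on the account name. It also matches any account or domain
-- name that contains 'local', 'network' or 'admini', and the comparison uses
-- the collation of the database the query runs in (master).
-- If ObjectName could not be read, @Data is NULL and the result is 0.
IF (@Data LIKE '%local%') OR (@Data LIKE '%network%') OR (@Data LIKE '%admini%')
  SELECT 1 AS IsDefaultAccount
ELSE 
  SELECT 0 AS IsDefaultAccount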
Select instances to collect from:
Select all
Choose databases to collect from:
Specify databases and type
master
Set collection frequency:
Collect data every day
Use collected or calculated values:
Leave the "Use a calculated rate of change between collections" check box turned off
Metric collection is:
Enabled
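
The query above reads the logon account of the Database Engine service only. As an added example (not part of the original metric or of SQL Monitor), the following variant checks every service reported by sys.dm_server_services, matches built-in account names exactly instead of by substring, and also counts services that share an account, which is the isolation problem the description mentions. It assumes SQL Server 2008 R2 SP1 or later and VIEW SERVER STATE permission; the list of account-name spellings is an assumption and should be adjusted to what your servers report. It returns a count rather than 0 or 1.

```sql
-- Added example, not part of the original metric.
-- Assumes SQL Server 2008 R2 SP1 or later and VIEW SERVER STATE permission.
WITH svc AS (
    SELECT servicename,
           -- Normalise case so the check does not depend on collation.
           UPPER(LTRIM(RTRIM(service_account))) AS account
    FROM sys.dm_server_services
    WHERE service_account IS NOT NULL
),
flagged AS (
    SELECT servicename,
           account,
           -- Exact names of built-in accounts (spellings are an assumption;
           -- extend the list to match what your servers report).
           CASE WHEN account IN (N'LOCALSYSTEM',
                                 N'NT AUTHORITY\SYSTEM',
                                 N'NT AUTHORITY\LOCALSERVICE',
                                 N'NT AUTHORITY\LOCAL SERVICE',
                                 N'NT AUTHORITY\NETWORKSERVICE',
                                 N'NT AUTHORITY\NETWORK SERVICE')
                  -- Mirrors the '%admini%' test in the original query.
                  OR account LIKE N'%\ADMINISTRATOR'
                THEN 1 ELSE 0 END AS IsDefaultAccount,
           -- More than one service on the same account breaks isolation.
           CASE WHEN COUNT(*) OVER (PARTITION BY account) > 1
                THEN 1 ELSE 0 END AS IsSharedAccount
    FROM svc
)
-- A custom metric must return a single numeric value.
SELECT COUNT(*) AS ServicesAtRisk
FROM flagged
WHERE IsDefaultAccount = 1 OR IsSharedAccount = 1;
```

To see which services are affected when investigating an alert, replace the final SELECT with SELECT * FROM flagged.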

Alert definition

Alert name:
Insecure user account
Description:
This alert will be raised if you’ve used a default user account instead of a domain account. Isolating services reduces the risk that one compromised service could be used to compromise others. Run separate SQL Server services under separate Windows accounts. Whenever possible, use separate, low-rights Windows or Local user accounts for each SQL Server service. For more information, see Configure Windows Service Accounts and Permissions: http://msdn.microsoft.com/en-us/library/ms143504.aspx
Raise an alert when the metric value goes:
Above the defined thresholds
Default threshold values:
Set the thresholds as follows:
High:1
Medium:
Low:
Raise an alert when the threshold is passed for:
Enter 1 collection
This alert is:
Enabled