18 December 2013

Default user service account

by Fabiano Amorim

18,632 0 Security

This metric checks whether SQL Server services are running under any of the default accounts, such as localsystem. Using a default account for SQL Server services can be a security risk.

Install metric...

Metrics install automatically if you have Redgate Monitor installed.

If you are using Redgate’s SQL Server monitoring tool, Redgate Monitor, you can instantly install and run this metric on your servers.

This metric checks whether SQL Server services are running under any of the default accounts, such as localsystem.

Using a default account for SQL Server services can be a security risk for two reasons. Firstly, it can give the service a higher level of permissions than it needs. Secondly, isolation is compromised by several services running under the same account. It means that, if one of the services is compromised, all the others running under the same account are vulnerable too.

The associated alert will be raised if you’ve used a default user account instead of a domain account.

Metric definition

Name

Default user service account

Description

This metric checks whether SQL Server services are running under any of the default accounts, such as localsystem. Using a default account for SQL Server services can be a security risk for two reasons. Firstly, it can give the service a higher level of permissions than it needs. Secondly, isolation is compromised by several services running under the same account. It means that, if one of the services is compromised, all the others running under the same account are vulnerable too.

The T-SQL query that will collect data


		
			
			
Transact-SQL
			
			DECLARE @KeyValue VarChar(500),
        @Data Varchar(255),
        @InstanceName VarChar(200)

SET @InstanceName = CONVERT(VarChar(200), ISNULL(SERVERPROPERTY('InstanceName'), 'MSSQLSERVER'))
SET @KeyValue = 'SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
EXEC xp_regread 'HKEY_LOCAL_MACHINE',
                @KeyValue,
                @InstanceName,
                @InstanceName OUTPUT

IF SERVERPROPERTY('InstanceName') IS NULL
  SET @KeyValue = 'SYSTEM\CurrentControlSet\Services\MSSQLSERVER\'
ELSE 
  SET @KeyValue = 'SYSTEM\CurrentControlSet\Services\MSSQL$' + CONVERT(VarChar(200), SERVERPROPERTY('InstanceName')) + '\'
EXEC xp_regread 'HKEY_LOCAL_MACHINE',
                @KeyValue,
                'ObjectName',
                @Data OUTPUT

IF (@Data LIKE '%local%') OR (@Data LIKE '%network%') OR (@Data LIKE '%admini%')
  SELECT 1 AS IsDefaultAccount
ELSE 
  SELECT 0 AS IsDefaultAccount
			
				
					
				
					1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
				
						DECLARE @KeyValue VarChar(500),
        @Data Varchar(255),
        @InstanceName VarChar(200)
 
SET @InstanceName = CONVERT(VarChar(200), ISNULL(SERVERPROPERTY('InstanceName'), 'MSSQLSERVER'))
SET @KeyValue = 'SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
EXEC xp_regread 'HKEY_LOCAL_MACHINE',
                @KeyValue,
                @InstanceName,
                @InstanceName OUTPUT
 
IF SERVERPROPERTY('InstanceName') IS NULL
  SET @KeyValue = 'SYSTEM\CurrentControlSet\Services\MSSQLSERVER\'
ELSE 
  SET @KeyValue = 'SYSTEM\CurrentControlSet\Services\MSSQL$' + CONVERT(VarChar(200), SERVERPROPERTY('InstanceName')) + '\'
EXEC xp_regread 'HKEY_LOCAL_MACHINE',
                @KeyValue,
                'ObjectName',
                @Data OUTPUT
 
IF (@Data LIKE '%local%') OR (@Data LIKE '%network%') OR (@Data LIKE '%admini%')
  SELECT 1 AS IsDefaultAccount
ELSE 
  SELECT 0 AS IsDefaultAccount

Instances to collect from

Select all

Databases to collect from

master

Collection frequency

86400

Use collected or calculated values

Leave the Use a calculated rate of change between collections check box unchecked

Metric collection

Enabled

Alert definition

Alert name

Insecure user account

Description

This alert will be raised if you’ve used a default user account instead of a domain account. Isolating services reduces the risk that one compromised service could be used to compromise others. Run separate SQL Server services under separate Windows accounts. Whenever possible, use separate, low-rights Windows or Local user accounts for each SQL Server service. For more information, see Configure Windows Service Accounts and Permissions. http://msdn.microsoft.com/en-us/library/ms143504.aspx

Raise an alert when the metric value goes

Above the defined threshholds

Default threshold values

High:	0
Medium:
Low:

Raise an alert when the threshold is passed for

1 collection

Alert is

Enabled

18,632 Rate

Click to rate this post!

[Total: 4 Average: 5]

Default user service account

Metric definition

Name

Description

The T-SQL query that will collect data

Instances to collect from

Databases to collect from

Collection frequency

Use collected or calculated values

Metric collection

Alert definition

Alert name

Description

Raise an alert when the metric value goes

Default threshold values

Raise an alert when the threshold is passed for

Alert is

What are custom metrics?

What is Redgate Monitor?

Featured custom metrics

Total database file size

Number of active backups and restores

Full backup to odd path

Find metrics