Check: SCOM-AC-000008
Microsoft SCOM STIG:
SCOM-AC-000008
(in version v1 r1)
Title
SCOM SQL Management must be configured to use least privileges. (Cat I impact)
Discussion
Microsoft SCOM's SQL management requires a Run as solution because the local system account will not have the required permissions to monitor SQL. If the Run As account is created with elevated database privileges on the SQL endpoint, this can be used to modify SQL databases, breach security boundaries, or otherwise compromise the endpoint.
Check Content
If the Microsoft SQL management packs for SCOM are not imported, this check is Not Applicable. Determine which SQL Servers are managed by SCOM: from the Operations Console, open the Monitoring workspace, expand the "Microsoft SQL Servers" folder in the left pane, and click the Computers icon (older versions of this management pack may be version-specific). Make note of the servers listed. Log on to SQL Server Management Studio and connect to each server managed by SCOM. Expand the Security node and select Logins. Verify that NT System\Authority, NT Service\HealthService, and the SQL Run As account have not been granted System Admin privileges (SA rights). If any of these accounts has been granted SA privileges, this is a finding.
Fix Text
Configure the NT System\Authority or SCOM Run As accounts for least privilege as described in the documentation for the SCOM SQL management pack. The documentation ships with the management pack download, and the required permissions vary with the version of the SQL management pack in use. Generally, the account used for monitoring needs only View Server State, View Any Definition, and View Any Database. Additional information on this topic, along with a management pack that can automate this process, can be found at: https://kevinholman.com/2016/08/25/sql-mp-run-as-accounts-no-longer-required/
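The following T-SQL is an added example, not part of the STIG or of the SQL management pack, that performs the Check Content audit and applies the three least-privilege grants named in the Fix Text on one managed instance. It assumes the Run As account is `DOMAIN\svc_scom_sql` (a placeholder) and uses `NT AUTHORITY\SYSTEM` as the login name for the account the check calls "NT System\Authority".

```sql
-- Added example (not from the STIG): audit and remediate SCOM monitoring principals.
-- Run on each SQL Server instance listed under Microsoft SQL Servers > Computers in SCOM.
-- DOMAIN\svc_scom_sql is a placeholder for the site's actual SCOM Run As account.
DECLARE @principals TABLE (name sysname);
INSERT INTO @principals (name) VALUES
    (N'NT AUTHORITY\SYSTEM'),          -- the "NT System\Authority" account in the check
    (N'NT SERVICE\HealthService'),     -- SCOM agent service
    (N'DOMAIN\svc_scom_sql');          -- placeholder SCOM Run As account

-- Check: 1 = member of sysadmin (finding), 0 = not a member, NULL = login does not exist.
SELECT p.name,
       IS_SRVROLEMEMBER('sysadmin', p.name) AS is_sysadmin
FROM @principals AS p;

-- Review what server-level permissions the principals actually hold.
SELECT sp.name, perm.permission_name, perm.state_desc
FROM sys.server_principals AS sp
JOIN sys.server_permissions AS perm
  ON perm.grantee_principal_id = sp.principal_id
WHERE sp.name IN (SELECT name FROM @principals)
ORDER BY sp.name, perm.permission_name;

-- Fix: grant only the rights the Fix Text names to the Run As login
-- (confirm against the guide for the installed management-pack version).
GRANT VIEW SERVER STATE   TO [DOMAIN\svc_scom_sql];
GRANT VIEW ANY DEFINITION TO [DOMAIN\svc_scom_sql];
GRANT VIEW ANY DATABASE   TO [DOMAIN\svc_scom_sql];

-- If the audit above reported a finding, remove the sysadmin membership
-- (SQL Server 2012 and later syntax):
-- ALTER SERVER ROLE sysadmin DROP MEMBER [DOMAIN\svc_scom_sql];
```

Re-run the first SELECT after remediation; every row should show `is_sysadmin` = 0.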
Additional Identifiers
Rule ID: SV-237430r643936_rule
Vulnerability ID: V-237430
Group Title: SRG-APP-000033-NDM-000212
Expert Comments
CCIs
Number | Definition
---|---
CCI-000213 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Controls
Number | Title
---|---
AC-3 | Access Enforcement