[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


How do I correct SQL Server Permissions and Roles that fail MBSA scan?

Posted on 2008-11-13
Medium Priority
Last Modified: 2012-05-05
Using MBSA version: 2.1.2104.0, a scan of a workstation running XP Home resulted in the failures listed below. What are the appropriate actions to rectify the results?

  SQL Server Scan Results

   Instance MSSMLBIZ

    Administrative Vulnerabilities
                   Issue:  SQL Server/MSDE Security Mode
                   Score:  Check passed
                   Result: SQL Server and/or MSDE authentication mode is set to Windows Only.

                   Issue:  CmdExec role
                   Score:  Check passed
                   Result: CmdExec is restricted to sysadmin only.

                   Issue:  Registry Permissions
                   Score:  Check passed
                   Result: The Everyone group does not have more than Read access to the SQL Server and/or MSDE registry keys.

                   Issue:  Folder Permissions
                   Score:  Check failed (critical)
                   Result: Permissions on the SQL Server and/or MSDE installation folders are not set properly.
                                                | Instance | Folder | User |
                                                | MSSMLBIZ | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn | BUILTIN\Users |
                                                | MSSMLBIZ | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn | NMATHIS\SQLServer2005MSSQLUser$NMATHIS$MSSMLBIZ |
                                                | MSSMLBIZ | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn | \CREATOR OWNER |
                                                | MSSMLBIZ | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data | NMATHIS\SQLServer2005MSSQLUser$NMATHIS$MSSMLBIZ |
                                                | MSSMLBIZ | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data | NMATHIS\SQLServer2005MSSQLUser$NMATHIS$MSSMLBIZ |
                                                | MSSMLBIZ | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data | \CREATOR OWNER |

                   Issue:  Sysadmin role members
                   Score:  Best practice
                   Result: BUILTIN\Administrators group should not be part of sysadmin role.

                   Issue:  Guest Account
                   Score:  Check passed
                   Result: The Guest account is not enabled in any of the databases.

                   Issue:  Sysadmins
                   Score:  Check failed (non-critical)
                   Result: More than 2 members of sysadmin role are present.

                   Issue:  Service Accounts
                   Score:  Unable to scan
                   Result: SQL Server, SQL Server Agent, MSDE and/or MSDE Agent service accounts should not be members of the local Administrators group or run as LocalSystem.
                                                | Instance | Service | Account | Issue |
                                                | MSSMLBIZ | MSSQL$MSSMLBIZ | NT AUTHORITY\NetworkService | This is a Domain Account. Baseline Security Analyzer cannot determine whether it belongs to the Domain Admins group due to the following error:  1212 The format of the specified domain name is invalid.
. |

                   Issue:  Password Policy
                   Score:  Check failed (critical)
                   Result: Enable password expiration for the SQL server accounts.

                   Issue:  SSIS Roles
                   Score:  Check passed
                   Result: The BUILTIN Admin does not belong to the SSIS roles.

                   Issue:  Sysdtslog
                   Score:  Best practice
                   Result: Do not create sysdtslogs90 in the Master or MSDB database.It is recommended to create a seperate logging database.
Question by:nicholasjwolf
  • 2

Expert Comment

ID: 22953896
The utility tells you what action to take for each failed test.

Author Comment

ID: 22955453
While I believe you are correct marques, I am reviewing these results remotely and don't have the program and remote PC available to me. Are there any resources I could be pointed to that could help me understand and correct the specific issues referenced in my question?

Accepted Solution

marques_salazar earned 2000 total points
ID: 22955591
See attached....

Featured Post


Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Can I legally transfer my OEM version of Windows to another PC?  (AKA - Can I put a new systemboard in my OEM PC?) Few of us are both IT and legal experts but we all have our own views of Microsoft's licensing rules and how they apply.  There are…
If your system is showing symptoms of browser hijacks or 'google search redirects' check out my other article (http://rdsrc.us/u3GP7A) first and run the tool TDSSKiller (http://rdsrc.us/GDBBs4) to get rid of the infection. Once done, and if the …
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
As many of you are aware about Scanpst.exe utility which is owned by Microsoft itself to repair inaccessible or damaged PST files, but the question is do you really think Scanpst.exe is capable to repair all sorts of PST related corruption issues?

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question