Nick Wolf
asked on
How do I correct SQL Server Permissions and Roles that fail MBSA scan?
Using MBSA version: 2.1.2104.0, a scan of a workstation running XP Home resulted in the failures listed below. What are the appropriate actions to rectify the results?
SQL Server Scan Results
Instance MSSMLBIZ
Administrative Vulnerabilities
Issue: SQL Server/MSDE Security Mode
Score: Check passed
Result: SQL Server and/or MSDE authentication mode is set to Windows Only.
Issue: CmdExec role
Score: Check passed
Result: CmdExec is restricted to sysadmin only.
Issue: Registry Permissions
Score: Check passed
Result: The Everyone group does not have more than Read access to the SQL Server and/or MSDE registry keys.
Issue: Folder Permissions
Score: Check failed (critical)
Result: Permissions on the SQL Server and/or MSDE installation folders are not set properly.
Detail:
| Instance | Folder | User |
| MSSMLBIZ | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn | BUILTIN\Users |
| MSSMLBIZ | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn | NMATHIS\SQLServer2005MSSQLUser$NMATHIS$MSSMLBIZ |
| MSSMLBIZ | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn | \CREATOR OWNER |
| MSSMLBIZ | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data | NMATHIS\SQLServer2005MSSQLUser$NMATHIS$MSSMLBIZ |
| MSSMLBIZ | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data | NMATHIS\SQLServer2005MSSQLUser$NMATHIS$MSSMLBIZ |
| MSSMLBIZ | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data | \CREATOR OWNER |
Issue: Sysadmin role members
Score: Best practice
Result: BUILTIN\Administrators group should not be part of sysadmin role.
Issue: Guest Account
Score: Check passed
Result: The Guest account is not enabled in any of the databases.
Issue: Sysadmins
Score: Check failed (non-critical)
Result: More than 2 members of sysadmin role are present.
Issue: Service Accounts
Score: Unable to scan
Result: SQL Server, SQL Server Agent, MSDE and/or MSDE Agent service accounts should not be members of the local Administrators group or run as LocalSystem.
Detail:
| Instance | Service | Account | Issue |
| MSSMLBIZ | MSSQL$MSSMLBIZ | NT AUTHORITY\NetworkService | This is a Domain Account. Baseline Security Analyzer cannot determine whether it belongs to the Domain Admins group due to the following error: 1212 The format of the specified domain name is invalid. |
Issue: Password Policy
Score: Check failed (critical)
Result: Enable password expiration for the SQL server accounts.
Issue: SSIS Roles
Score: Check passed
Result: The BUILTIN Admin does not belong to the SSIS roles.
Issue: Sysdtslog
Score: Best practice
Result: Do not create sysdtslogs90 in the Master or MSDB database.It is recommended to create a seperate logging database.
The utility tells you what action to take for each failed test.
ASKER
While I believe you are correct, marques, I am reviewing these results remotely and don't have the program and remote PC available to me. Are there any resources I could be pointed to that could help me understand and correct the specific issues referenced in my question?