How do I correct SQL Server Permissions and Roles that fail MBSA scan?

Posted on 2008-11-13
Last Modified: 2012-05-05
Using MBSA version: 2.1.2104.0, a scan of a workstation running XP Home resulted in the failures listed below. What are the appropriate actions to rectify the results?

  SQL Server Scan Results

   Instance MSSMLBIZ

    Administrative Vulnerabilities
                   Issue:  SQL Server/MSDE Security Mode
                   Score:  Check passed
                   Result: SQL Server and/or MSDE authentication mode is set to Windows Only.

                   Issue:  CmdExec role
                   Score:  Check passed
                   Result: CmdExec is restricted to sysadmin only.

                   Issue:  Registry Permissions
                   Score:  Check passed
                   Result: The Everyone group does not have more than Read access to the SQL Server and/or MSDE registry keys.

                   Issue:  Folder Permissions
                   Score:  Check failed (critical)
                   Result: Permissions on the SQL Server and/or MSDE installation folders are not set properly.
                                                | Instance | Folder | User |
                                                | MSSMLBIZ | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn | BUILTIN\Users |
                                                | MSSMLBIZ | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn | NMATHIS\SQLServer2005MSSQLUser$NMATHIS$MSSMLBIZ |
                                                | MSSMLBIZ | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn | \CREATOR OWNER |
                                                | MSSMLBIZ | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data | NMATHIS\SQLServer2005MSSQLUser$NMATHIS$MSSMLBIZ |
                                                | MSSMLBIZ | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data | NMATHIS\SQLServer2005MSSQLUser$NMATHIS$MSSMLBIZ |
                                                | MSSMLBIZ | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data | \CREATOR OWNER |

                   Issue:  Sysadmin role members
                   Score:  Best practice
                   Result: BUILTIN\Administrators group should not be part of sysadmin role.

                   Issue:  Guest Account
                   Score:  Check passed
                   Result: The Guest account is not enabled in any of the databases.

                   Issue:  Sysadmins
                   Score:  Check failed (non-critical)
                   Result: More than 2 members of sysadmin role are present.

                   Issue:  Service Accounts
                   Score:  Unable to scan
                   Result: SQL Server, SQL Server Agent, MSDE and/or MSDE Agent service accounts should not be members of the local Administrators group or run as LocalSystem.
                                                | Instance | Service | Account | Issue |
                                                | MSSMLBIZ | MSSQL$MSSMLBIZ | NT AUTHORITY\NetworkService | This is a Domain Account. Baseline Security Analyzer cannot determine whether it belongs to the Domain Admins group due to the following error:  1212 The format of the specified domain name is invalid.
. |

                   Issue:  Password Policy
                   Score:  Check failed (critical)
                   Result: Enable password expiration for the SQL server accounts.

                   Issue:  SSIS Roles
                   Score:  Check passed
                   Result: The BUILTIN Admin does not belong to the SSIS roles.

                   Issue:  Sysdtslog
                   Score:  Best practice
                   Result: Do not create sysdtslogs90 in the Master or MSDB database.It is recommended to create a seperate logging database.
Question by: nicholasjwolf

    Expert Comment

    The utility tells you what action to take for each failed test.

    Author Comment

    While I believe you are correct marques, I am reviewing these results remotely and don't have the program and remote PC available to me. Are there any resources I could be pointed to that could help me understand and correct the specific issues referenced in my question?

    Accepted Solution

    See attached....
