How do I correct SQL Server Permissions and Roles that fail MBSA scan?

Using MBSA version: 2.1.2104.0, a scan of a workstation running XP Home resulted in the failures listed below. What are the appropriate actions to rectify the results?

  SQL Server Scan Results

   Instance MSSMLBIZ

    Administrative Vulnerabilities
                               
                   Issue:  SQL Server/MSDE Security Mode
                   Score:  Check passed
                   Result: SQL Server and/or MSDE authentication mode is set to Windows Only.

                   Issue:  CmdExec role
                   Score:  Check passed
                   Result: CmdExec is restricted to sysadmin only.

                   Issue:  Registry Permissions
                   Score:  Check passed
                   Result: The Everyone group does not have more than Read access to the SQL Server and/or MSDE registry keys.

                   Issue:  Folder Permissions
                   Score:  Check failed (critical)
                   Result: Permissions on the SQL Server and/or MSDE installation folders are not set properly.
                   Detail:
                                                | Instance | Folder | User |
                                                | MSSMLBIZ | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn | BUILTIN\Users |
                                                | MSSMLBIZ | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn | NMATHIS\SQLServer2005MSSQLUser$NMATHIS$MSSMLBIZ |
                                                | MSSMLBIZ | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn | \CREATOR OWNER |
                                                | MSSMLBIZ | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data | NMATHIS\SQLServer2005MSSQLUser$NMATHIS$MSSMLBIZ |
                                                | MSSMLBIZ | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data | NMATHIS\SQLServer2005MSSQLUser$NMATHIS$MSSMLBIZ |
                                                | MSSMLBIZ | c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data | \CREATOR OWNER |

                   Issue:  Sysadmin role members
                   Score:  Best practice
                   Result: BUILTIN\Administrators group should not be part of sysadmin role.

                   Issue:  Guest Account
                   Score:  Check passed
                   Result: The Guest account is not enabled in any of the databases.

                   Issue:  Sysadmins
                   Score:  Check failed (non-critical)
                   Result: More than 2 members of sysadmin role are present.

                   Issue:  Service Accounts
                   Score:  Unable to scan
                   Result: SQL Server, SQL Server Agent, MSDE and/or MSDE Agent service accounts should not be members of the local Administrators group or run as LocalSystem.
                   Detail:
                                                | Instance | Service | Account | Issue |
                                                | MSSMLBIZ | MSSQL$MSSMLBIZ | NT AUTHORITY\NetworkService | This is a Domain Account. Baseline Security Analyzer cannot determine whether it belongs to the Domain Admins group due to the following error:  1212 The format of the specified domain name is invalid. |

                   Issue:  Password Policy
                   Score:  Check failed (critical)
                   Result: Enable password expiration for the SQL server accounts.

                   Issue:  SSIS Roles
                   Score:  Check passed
                   Result: The BUILTIN Admin does not belong to the SSIS roles.

                   Issue:  Sysdtslog
                   Score:  Best practice
                   Result: Do not create sysdtslogs90 in the Master or MSDB database.It is recommended to create a seperate logging database.

Asked by: nicholasjwolf

marques_salazar Commented:
The utility tells you what action to take for each failed test.

nicholasjwolf (Author) Commented:
While I believe you are correct marques, I am reviewing these results remotely and don't have the program and remote PC available to me. Are there any resources I could be pointed to that could help me understand and correct the specific issues referenced in my question?

marques_salazar Commented:
See attached....
result.txt
Question has a verified solution.
