Nessus scaning result on sql server 2005

stavrama used Ask the Experts™
Recently i ran a nessus scaning on  sql server 2005 and one of the high threats i received was the following:

"3.154 DM0630: Application object owner account disabling": [FAILED] Object ownership provides all database object permissions to the owned object. Access to the application object owner accounts requires special protection to prevent unauthorized access and use of the object ownership privileges. In addition to the high privileges to application objects assigned to this account, it is also an account that, by definition, is not accessed interactively except for application installation and maintenance. This reduced access to the account means that unauthorized access to the account could go undetected. To help protect the account, it should be disabled only when access is required. ref. DB SRRChklst SQLServer2005 V8r1-1.doc, 3-175. Database STIG STIG Requirement:(DG0004: CAT II) The DBA will ensure custom application owner accounts are disabled or locked when not in use. Checking whether any custom application owner accounts are enabled for msdb database. Remote value: "sa" Policy value: NULL

Anyone can explain what exactly i need to do in order to stop receiving it? I ve tried to search a bit but didint manage to find anythign useful. Post me if you need any aditional information

Thanx in advance for your help
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

this query will show the users that are enabled and have ownership of the master database.

basicly it will be the sa account and DISA states that accounts that have those ownerships should be disabled when not in use.

use master;select suser_sname(p.sid) from
                  sys.database_principals p, sys.server_principals s where
                  p.principal_id in (select distinct schema_id from
                  sys.objects where is_ms_shipped=0) and p.sid = s.sid and
                  s.is_disabled=0 and p.type not in ('A','R')


When i run the query the only result i get is user "sa"
This means that i dont have to disable anything and the threat shouldnt appeared?
Furthermore could you explain what do you mean by saying "DISA states" ?

Thanx a lot for your help.
The "threat" is relative. the SA is the highest authority in SQLServer and DISA (Defense Information Systems Agency) does not want principals to have ownership of the default Microsoft databases and be enabled at the same time. You can disable the SA login, or you can change ownership of the master database to a disabled user you make.

Personally, i would check if there are valid user accounst part of the admin security group (because you need to administer the box), disable the SA login and the message should go away.   (and also ask yourself why you use mixed mode security, because that enabled the SA in the first place).


Thank you very much for your help.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial