Rule ID
SV-271358r1137659_rule
Version
V1R4
CCIs
Database management systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each process has a distinct address space so that communication between processes is controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces.
Review the server documentation to obtain a listing of required service accounts. Review the accounts configured for all SQL Server services installed on the server. Run the following query in SSMS: SELECT servicename,service_account FROM sys.dm_server_services Review the returned results. If any services are configured with the same service account or with an account that is not documented and authorized, this is a finding.
Configure SQL Server services to have a documented, dedicated account. For nondomain servers, consider using virtual service accounts (VSAs). For more information, refer to: https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions? For standalone domain-joined servers, consider using managed service accounts. For more information, refer to: https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions? For clustered instances, consider using group managed service accounts. For more information, refer to: https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions? or https://learn.microsoft.com/en-us/archive/blogs/markweberblog/group-managed-service-accounts-gmsa-and-sql-server-2016