STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-237430

CAT I (High)

SCOM SQL Management must be configured to use least privileges.

Rule ID

SV-237430r960792_rule

STIG

Microsoft SCOM Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000213

Discussion

Microsoft SCOM's SQL management requires a Run As solution because the local system account will not have the permissions required to monitor SQL Server. If the Run As account is created with elevated database privileges on the SQL endpoint, those privileges can be used to modify SQL databases, breach security boundaries, or otherwise compromise the endpoint.

Check Content

If the Microsoft SQL management packs for SCOM are not imported, this check is Not Applicable.

Determine which SQL Servers are managed by SCOM:

From the Operations Console, click on the Monitoring workspace. In the left pane, expand the "Microsoft SQL Servers" folder and click on the Computers icon (note that older versions of this management pack may be version specific). Make note of the servers listed.

Log on to SQL Server Management Studio and connect to each server being managed in SCOM. Expand the Security node and select Logins.

Verify that NT AUTHORITY\SYSTEM, NT SERVICE\HealthService, and the SQL Run As account have not been granted membership in the sysadmin fixed server role (SA rights).

If any of these accounts have been granted SA privileges, this is a finding.
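The same check can be scripted rather than clicked through in Management Studio. The following T-SQL is an added example and not part of the STIG text: it lists every member of the sysadmin fixed server role and flags the three accounts the check names. The Run As account name `CONTOSO\svc_scom_sql` is a constructed placeholder; substitute the SCOM SQL Run As account actually in use.

```sql
-- Added example (not from the STIG): enumerate sysadmin members and flag the
-- accounts this check names. Run against each SQL Server instance that SCOM
-- monitors. The Run As account name below is a constructed placeholder.
DECLARE @RunAsAccount sysname = N'CONTOSO\svc_scom_sql';

SELECT  m.name          AS member_login,
        m.type_desc     AS login_type,
        m.is_disabled,
        CASE
            WHEN m.name IN (N'NT AUTHORITY\SYSTEM',
                            N'NT SERVICE\HealthService',
                            @RunAsAccount)
                THEN 'FINDING'          -- monitoring account holds sysadmin
            ELSE 'review'               -- other sysadmin members, out of scope here
        END             AS v_237430_status
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY v_237430_status, m.name;

-- Equivalent point check for a single login, handy in a compliance script:
-- returns 1 (finding), 0 (not a member) or NULL (login does not exist).
SELECT IS_SRVROLEMEMBER('sysadmin', @RunAsAccount) AS run_as_is_sysadmin;
```

A row marked FINDING corresponds to the finding condition above; the query deliberately reports all sysadmin members so reviewers can also see whether the Run As account was granted sysadmin indirectly through a Windows group login, which the Logins view in Management Studio does not make obvious.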

Fix Text

Configure the NT AUTHORITY\SYSTEM or SCOM Run As accounts for least privileges as described in the documentation for the SCOM SQL management pack. The documentation can be found with the management pack download, and the required permissions may vary depending on the version of the SQL management pack being used. Generally speaking, the account used for monitoring will need VIEW SERVER STATE, VIEW ANY DEFINITION, and VIEW ANY DATABASE.

Additional information on this topic can be found at this location along with a management pack that can automate this process: https://kevinholman.com/2016/08/25/sql-mp-run-as-accounts-no-longer-required/
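The fix text names the three server-level permissions the monitoring account generally needs. The following T-SQL is an added example, not the STIG's or the management pack's own script: it removes the Run As login from sysadmin if present and grants only those three permissions, then lists the result for the artifact trail. The login name `CONTOSO\svc_scom_sql` is a constructed placeholder, and any database-level permissions required by a particular management pack version are left to that pack's documentation, as the fix text directs.

```sql
-- Added example (not from the STIG or the management pack): least-privilege
-- configuration of the SCOM SQL Run As login on one instance.
-- CONTOSO\svc_scom_sql is a constructed placeholder for the real Run As account.
USE [master];
GO

-- Ensure the Windows login exists (no-op if it already does).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\svc_scom_sql')
    CREATE LOGIN [CONTOSO\svc_scom_sql] FROM WINDOWS;
GO

-- Remove the condition the check flags: membership in sysadmin.
IF IS_SRVROLEMEMBER('sysadmin', 'CONTOSO\svc_scom_sql') = 1
    ALTER SERVER ROLE [sysadmin] DROP MEMBER [CONTOSO\svc_scom_sql];
GO

-- Grant only the server-level permissions the fix text names.
GRANT VIEW SERVER STATE   TO [CONTOSO\svc_scom_sql];
GRANT VIEW ANY DEFINITION TO [CONTOSO\svc_scom_sql];
GRANT VIEW ANY DATABASE   TO [CONTOSO\svc_scom_sql];
GO

-- Show the resulting server-level permissions and role memberships
-- for the evidence record; sysadmin must not appear.
SELECT  pr.name            AS login_name,
        pe.permission_name,
        pe.state_desc
FROM    sys.server_permissions AS pe
JOIN    sys.server_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE   pr.name = N'CONTOSO\svc_scom_sql'
UNION ALL
SELECT  m.name, N'ROLE: ' + r.name, N'MEMBER'
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   m.name = N'CONTOSO\svc_scom_sql';
GO
```

Run the script on every instance listed under the Microsoft SQL Servers folder in the Operations Console; the final result set is the evidence that the account holds the three view permissions and no sysadmin membership.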