SQL2-00-008900 - SQL Server processes or services must run under custom, dedicated OS or domain accounts - 'SQL Server Browser'

Details

Separation of duties is a prevalent Information Technology control that is implemented at different layers of the information system, including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires that the person accountable for approving an action is not the same person who is tasked with implementing or carrying out that action.



The concept of separation of duties extends to processes. The DBMS must run under a custom, dedicated OS or domain account. When the DBMS is running under a shared account, users with access to that account could inadvertently or maliciously make changes to the DBMS's settings, files, or permissions. Similarly, related services must run under dedicated accounts where this is possible. The SQL Server Browser and Writer services are exceptions: see http://msdn.microsoft.com/en-us/library/hh510203(v=sql.110).aspx and http://msdn.microsoft.com/en-us/library/ms175536(v=sql.110).aspx.


Solution

Configure the SQL Server services to use a custom, dedicated OS or domain account.


Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Access Control, Configuration Management.This control applies to the following type of system Windows.


References


Source