V-213980
SV-213980r961359_rule
CAT II
Use of credentials and proxies must be restricted to necessary cases only.
From: MS SQL Server 2016 Instance Security Technical Implementation Guide (V3R6)
Description
<VulnDiscussion>In certain situations, to provide required functionality, a DBMS needs to execute internal logic (stored procedures, functions, triggers, etc.) and/or external code modules with elevated privileges. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking the functionality applications/programs, those users are indirectly provided with greater privileges than assigned by organizations.
Privilege elevation must be utilized only where necessary and protected from misuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Check Procedure
Review the server documentation to obtain a listing of accounts used for executing external processes. Execute the following query to obtain a listing of accounts currently configured for use by external processes.
SELECT C.name AS credential_name, C.credential_identity
FROM sys.credentials C
GO
SELECT P.name AS proxy_name, C.name AS credential_name, C.credential_identity
FROM sys.credentials C
JOIN msdb.dbo.sysproxies P ON C.credential_id = P.credential_id
WHERE P.enabled = 1
GO
If any Credentials or SQL Agent Proxy accounts are returned that are not documented and authorized, this is a finding.
Fix Text
Remove any SQL Agent Proxy accounts and credentials that are not authorized.
DROP CREDENTIAL <Credential Name>
GO
USE [msdb]
EXEC sp_delete_proxy @proxy_name = '<Proxy Name>'
GO
CCI Reference
CCI-002233- Created
- 2026-02-12 15:25:32
- Last Updated
- 2026-04-07 20:09:49