Skip to main content
CUI

STIG Rule - V-271358

Back to STIG Browser

V-271358

SV-271358r1137659_rule

CAT II

SQL Server services must be configured to run under unique dedicated user accounts.

From: Microsoft SQL Server 2022 Instance Security Technical Implementation Guide (V1R4)

Description

<VulnDiscussion>Database management systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each process has a distinct address space so that communication between processes is controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

Check Procedure

Review the server documentation to obtain a listing of required service accounts. Review the accounts configured for all SQL Server services installed on the server. Run the following query in SSMS: SELECT servicename,service_account FROM sys.dm_server_services Review the returned results. If any services are configured with the same service account or with an account that is not documented and authorized, this is a finding.

Fix Text

Configure SQL Server services to have a documented, dedicated account. For nondomain servers, consider using virtual service accounts (VSAs). For more information, refer to: https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions? For standalone domain-joined servers, consider using managed service accounts. For more information, refer to: https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions? For clustered instances, consider using group managed service accounts. For more information, refer to: https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions? or https://learn.microsoft.com/en-us/archive/blogs/markweberblog/group-managed-service-accounts-gmsa-and-sql-server-2016

CCI Reference

CCI-002530
Created
2026-04-07 20:08:24
Last Updated
2026-04-07 20:08:24
Back to Browse
CUI