SQL Server services must be configured to run under unique dedicated user accounts.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-271358 | SQLI-22-012400 | SV-271358r1109129_rule | Medium |
| Description |
| Database management systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each process has a distinct address space so that communication between processes is controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. |
| STIG | Date |
| Microsoft SQL Server 2022 Instance Security Technical Implementation Guide | 2025-05-30 |
Details
| Check Text (C-75401r1109039_chk) |
| Review the server documentation to obtain a listing of required service accounts. Review the accounts configured for all SQL Server services installed on the server. Run the following query in SSMS: SELECT servicename,service_account FROM sys.dm_server_services Review the returned results. If any services are configured with the same service account or with an account that is not documented and authorized, this is a finding. |
| Fix Text (F-75308r1109040_fix) |
| Configure SQL Server services to have a documented, dedicated account. For nondomain servers, consider using virtual service accounts (VSAs). For more information, refer to: https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions? For standalone domain-joined servers, consider using managed service accounts. For more information, refer to: https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions? For clustered instances, consider using group managed service accounts. For more information, refer to: https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions? or https://learn.microsoft.com/en-us/archive/blogs/markweberblog/group-managed-service-accounts-gmsa-and-sql-server-2016 |