
sp_Blitz: New security-related checks for SQL Server and Agent running as privileged accounts #3481

Closed
VladDBA opened this issue Mar 30, 2024 · 2 comments · Fixed by #3482 or #3496
Comments

@VladDBA (Contributor) commented Mar 30, 2024

Is your feature request related to a problem? Please describe.
In attempts to fix permission related issues, people might end up adding the SQL Server and/or SQL Server Agent service account(s) to the local Administrators group or, even worse, set them to run as Local System or NT AUTHORITY\SYSTEM.
These types of shortcuts lead to news articles such as this one.

Describe the solution you'd like
Adding the following 4 checks:

  • CheckId 258 Check if SQL Server is running as Local System or NT AUTHORITY\SYSTEM
  • CheckId 259 Check if SQL Server Agent is running as Local System or NT AUTHORITY\SYSTEM
  • CheckID 260 Check if SQL Server service account is a member of the local Administrators group - only done when sp_Blitz is executed with @CheckServerInfo = 1
  • CheckID 261 Check if SQL Server Agent service account is a member of the local Administrators group - only done when sp_Blitz is executed with @CheckServerInfo = 1

These result in Priority 1 findings letting users know that SQL Server services are running under accounts with unreasonably high privileges.
The URL used is https://www.brentozar.com/go/setup , but if you think some more practical example is good to drive the point home, I've set this up https://vladdba.com/SQLServerSvcAccount

Output example for CheckID 258 and CheckID 259: [screenshot]

Output example for CheckID 260 and CheckID 261: [screenshot]

Debug messages

Running CheckId [258].
Running CheckId [259].
[...]
Running CheckId [260].
Running CheckId [261].
CheckId [261] - found #localadmins table from CheckID 260 - no need to call xp_cmdshell again

If CheckID 260 was not skipped and ran successfully, CheckID 261 reuses the same output temp table so that it does not have to call xp_cmdshell more times than needed.

All these 4 checks are added to the checks to skip on Azure SQL MI.

Describe alternatives you've considered
Eye twitching when seeing some sp_Blitz results.

Are you ready to build the code for the feature?
Yup, pull request incoming right after I submit the issue.
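A T-SQL sketch of what checks of this kind query, added here as an illustration and not taken from the sp_Blitz pull request: it reads sys.dm_server_services for the account the engine and Agent services run under (the Local System check) and then, optionally, compares that account against the members listed by `net localgroup Administrators` obtained through xp_cmdshell (the local Administrators check), reusing one temp table for both services as the issue describes. The finding text, the `#localadmins` table name and the exact-match join are assumptions; `net localgroup` prints local accounts without a machine prefix while the DMV may show them with one, and this simplified join does not normalize that.

```sql
-- Added example, not sp_Blitz code. Requires VIEW SERVER STATE; the second
-- part additionally requires xp_cmdshell to be enabled on the instance.

-- Part 1: services running as Local System (the intent of CheckId 258/259).
-- sys.dm_server_services reports 'LocalSystem' or 'NT AUTHORITY\SYSTEM'
-- depending on how the service was configured, so both spellings are tested.
SELECT s.servicename,
       s.service_account,
       CASE
           WHEN s.service_account IN ('LocalSystem', 'NT AUTHORITY\SYSTEM')
               THEN 'Priority 1: service runs as Local System'   -- assumed label
           ELSE 'OK'
       END AS finding
FROM sys.dm_server_services AS s
WHERE s.servicename LIKE 'SQL Server%';   -- matches both the engine and the Agent service

-- Part 2: service account is a member of the local Administrators group
-- (the intent of CheckID 260/261). One xp_cmdshell call feeds one temp table
-- that is then joined against both services, mirroring the reuse described above.
IF OBJECT_ID('tempdb..#localadmins') IS NOT NULL
    DROP TABLE #localadmins;
CREATE TABLE #localadmins (line NVARCHAR(256) NULL);   -- assumed table name

INSERT INTO #localadmins (line)
EXEC master.dbo.xp_cmdshell 'net localgroup Administrators';

SELECT s.servicename,
       s.service_account,
       'Priority 1: service account is a local Administrator' AS finding   -- assumed label
FROM sys.dm_server_services AS s
JOIN #localadmins AS l
    -- net localgroup prints one member per line; trim padding before comparing.
    -- Simplification: no normalization of '.\user' vs 'MACHINE\user' vs 'user'.
    ON LTRIM(RTRIM(l.line)) = s.service_account
WHERE s.servicename LIKE 'SQL Server%'
  AND l.line IS NOT NULL;

DROP TABLE #localadmins;
```

Part 2 is only worth running when the instance already has xp_cmdshell enabled for other reasons; the first query alone catches the Local System case without it.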

@BrentOzar (Member) commented:

I'm really hesitant to add security checks, but these seem pretty straightforward. Thanks!

@BrentOzar (Member) commented:

Thanks for the pull request! Looks good, merging into the dev branch, will be in the next release with credit to you in the release notes.

BrentOzar added a commit that referenced this issue Apr 19, 2024
Updated links on new alerts, added documentation. Closes #3481.
BrentOzar added a commit that referenced this issue Apr 19, 2024