Problem with Microsoft Data Protection Manager, Microsoft SQL, NTAUTHORITY\System, and STIG V-213934

ME 311 Reputation points
2023-07-13T12:58:11.7033333+00:00

I have a requirement to implement V-213934:

https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2020-12-16/finding/V-213934

This basically means that SYSTEM can't have the 'sysadmin' role. In our current configuration, SYSTEM does have SysAdmin. I can revoke this without breaking the database and its related application (thus resolving the finding), but I discovered that in order to do database level backups with Microsoft DPM, SYSTEM needs that sysadmin role:

https://learn.microsoft.com/en-us/system-center/dpm/back-up-sql-server?view=sc-dpm-2019

If I don't give SYSTEM that sysadmin role, the backups of the specific databases simply do not happen in DPM - they will always fail. The error given is:

Error: Unable to configure protection

  • This error occurs when the Data Protection Manager server can't contact the protected server.
  • To resolve this issue, perform the following actions:
  • Ensure that you're using the latest version of the Azure Backup agent.
  • Ensure that there's connectivity (network/firewall/proxy) between your Data Protection Manager server and the protected server.
  • If you're protecting a SQL server, ensure that the Login Properties > NT AUTHORITY\SYSTEM property shows the sysadmin setting enabled.

As you can see, the error message explicitly calls out the setting I need to reconfigure.

This is unfortunately a big deal finding that needs to be remediated, so I can't just ignore it. Near as can be figured out from above, we can't actually fix the issue - the article explicitly states that SYSTEM needs 'sysadmin' and that's that. How accurate is this, though? Is there a way to sidestep this - by say, allowing some other account to have sysadmin - either during the configuration of DPM or SQL that we may have somehow missed?

Worst case scenario, we can stop having backups at the database level and just capture the DBs via the entire VM's backup (since they're on the VHDs), but that is not desirable.

Is there a solution that would allow us to have both the backups and revoking sysadmin from SYSTEM?


1 answer
XinGuo-MSFT 20,971 Reputation points
2023-07-17T09:37:40.02+00:00

Hi,

The situation you described highlights a common challenge in balancing security requirements (STIG V-213934) with the operational needs of a system (Microsoft DPM backups). Let's explore the options and potential solutions:

1. Revoking the sysadmin role from NT AUTHORITY\SYSTEM: As per the STIG requirement (V-213934), the sysadmin role should not be assigned to the NT AUTHORITY\SYSTEM account. However, as you mentioned, this prevents DPM from performing database-level backups.
2. Creating a new account with the sysadmin role: One possible approach is to create a new SQL Server login with sysadmin privileges and use this account for DPM backups instead of NT AUTHORITY\SYSTEM. This should allow you to revoke the sysadmin role from NT AUTHORITY\SYSTEM while still enabling backups through DPM. Ensure that the new account has the necessary permissions to perform backups.
3. Using a service account for backups: Instead of using NT AUTHORITY\SYSTEM or creating a new login, you can use a dedicated service account with the sysadmin role for DPM backups. This service account should only be used for backup purposes, reducing the risk associated with having the sysadmin role granted to a widely used account like NT AUTHORITY\SYSTEM.
4. Custom backup solution: If none of the above options work, you might consider building a custom backup solution that handles database backups outside of the sysadmin role context. This solution could use a combination of SQL Server permissions and other mechanisms to perform backups without relying on the sysadmin role.
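
The T-SQL below is an added example, not code from the question, the answer, or Microsoft's DPM/STIG documentation. It walks the remediation and the least-privilege alternative the answer's option 4 describes: audit the current sysadmin membership (the state the finding is about), remove NT AUTHORITY\SYSTEM from the role, and give a dedicated backup account only what BACKUP DATABASE/LOG needs via db_backupoperator instead of sysadmin. The login name CONTOSO\svc_sqlbackup is a hypothetical placeholder. Note the caveat the question already raises: the DPM article it cites requires sysadmin for SYSTEM, so a login limited to db_backupoperator serves a native BACKUP job or a custom backup, not DPM itself; options 2 and 3 in the answer (sysadmin on a different account) satisfy the letter of this finding but make that backup account a full-control credential that must be protected accordingly.

```sql
-- Added example (not from the page). Run as a sysadmin on the instance.
-- CONTOSO\svc_sqlbackup is a hypothetical domain service account.

-- 1. Audit: who holds sysadmin today? NT AUTHORITY\SYSTEM appearing here is the finding.
SELECT sp.name, sp.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals AS sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- 2. Remediate: drop SYSTEM from sysadmin (ALTER SERVER ROLE syntax, SQL Server 2012+).
--    The login itself stays; only the role membership is removed.
ALTER SERVER ROLE sysadmin DROP MEMBER [NT AUTHORITY\SYSTEM];

-- 3. Least-privilege backup principal for a native/custom backup job.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\svc_sqlbackup')
    CREATE LOGIN [CONTOSO\svc_sqlbackup] FROM WINDOWS;

-- db_backupoperator grants exactly BACKUP DATABASE, BACKUP LOG and CHECKPOINT in a
-- database, nothing else. Map the login into every online user database.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'USE ' + QUOTENAME(name) + N';
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N''CONTOSO\svc_sqlbackup'')
    CREATE USER [CONTOSO\svc_sqlbackup] FOR LOGIN [CONTOSO\svc_sqlbackup];
ALTER ROLE db_backupoperator ADD MEMBER [CONTOSO\svc_sqlbackup];
'
FROM sys.databases
WHERE database_id > 4            -- skip master/tempdb/model/msdb; handle master/msdb separately
  AND state_desc = N'ONLINE';
EXEC sys.sp_executesql @sql;

-- 4. Verify the end state: SYSTEM no longer sysadmin, backup account never sysadmin.
--    IS_SRVROLEMEMBER returns 1 = member, 0 = not a member, NULL = login not found.
SELECT IS_SRVROLEMEMBER('sysadmin', 'NT AUTHORITY\SYSTEM')    AS system_is_sysadmin,
       IS_SRVROLEMEMBER('sysadmin', 'CONTOSO\svc_sqlbackup')  AS backup_is_sysadmin;

-- 5. Smoke test as the backup account (e.g. via EXECUTE AS LOGIN or a separate session):
--    BACKUP DATABASE [YourUserDb] TO DISK = N'D:\backup\YourUserDb.bak' WITH COPY_ONLY;
--    succeeds, while e.g. ALTER SERVER ROLE or ALTER ANY LOGIN is denied.
```

Step 1 doubles as the compliance check after remediation: rerun it and the result set should no longer contain NT AUTHORITY\SYSTEM. If a service other than DPM runs under LocalSystem and genuinely needs to connect, leave the login with CONNECT SQL and nothing more; the finding is about the role, not the login's existence.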
