SCOM SQL Management must be configured to use least privileges.
An XCCDF Rule
Description
Microsoft SCOM's SQL management requires a Run As solution because the local system account will not have the required permissions to monitor SQL. If the Run As account is created with elevated database privileges on the SQL endpoint, it can be used to modify SQL databases, breach security boundaries, or otherwise compromise the endpoint.
- ID: SV-237430r643936_rule
- Severity: High
Remediation - Manual Procedure
Configure the NT AUTHORITY\SYSTEM or SCOM Run As accounts for least privileges as described in the documentation for the SCOM SQL management pack. The documentation can be found with the management pack download, and permissions may vary depending on the version of the SQL management pack being used. Generally speaking, the account used for monitoring will need to view server state, view any definition, and view any database.
Additional information on this topic can be found at this location along with a management pack that can automate this process: https://kevinholman.com/2016/08/25/sql-mp-run-as-accounts-no-longer-required/
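The following T-SQL is an added example, not part of the STIG text or the management pack. It audits a monitoring login for server-level rights beyond the three named above, then grants only those three. The login name `CONTOSO\scom-sql-mon` is a hypothetical placeholder, and the management pack documentation for your version remains the authoritative permission list.

```sql
-- Added example: audit and set server-level rights for the SCOM SQL monitoring login.
-- ASSUMPTION: CONTOSO\scom-sql-mon is a hypothetical login name; substitute your own.
USE master;

DECLARE @login sysname = N'CONTOSO\scom-sql-mon';

-- 1. Fixed server role memberships. A least-privilege monitoring login
--    should return no rows here (sysadmin in particular is a finding).
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = @login;

-- 2. Effective sysadmin check (1 = member, 0 = not a member, NULL = login not valid).
SELECT IS_SRVROLEMEMBER('sysadmin', @login) AS is_sysadmin;

-- 3. Server-level permissions granted beyond CONNECT SQL and the three
--    view permissions. Any row returned needs to be justified against the
--    management pack documentation or revoked.
SELECT sp.permission_name, sp.state_desc, sp.class_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE p.name = @login
  AND sp.state IN ('G', 'W')          -- GRANT or GRANT WITH GRANT OPTION
  AND sp.permission_name NOT IN (N'CONNECT SQL',
                                 N'VIEW SERVER STATE',
                                 N'VIEW ANY DEFINITION',
                                 N'VIEW ANY DATABASE');

-- 4. Grant only the three read-only server permissions named in the remediation.
GRANT VIEW SERVER STATE   TO [CONTOSO\scom-sql-mon];
GRANT VIEW ANY DEFINITION TO [CONTOSO\scom-sql-mon];
GRANT VIEW ANY DATABASE   TO [CONTOSO\scom-sql-mon];
```

Query 1 lists only direct role memberships; a Windows login can also inherit roles through a Windows group that has its own SQL login, which is why query 2 is included.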