Hi Gordon,
It is required on MSSQL version 2005/2008 in order to run a test that determines if SQL OLEDB is disabled. If you are running the IBM provided script on a server that's not those versions, it will skip applying the role. It will also only display the property and a list of providers where DisallowAdhocAccess is not defined (so you can remediate them or add exceptions); no changes will be made.
Test 205 - Checks that SQL OLEDB is disabled (DisallowAdhocAccess registry subkey = 1). Enabling SQL OLEDB enables desktop clients (e.g., Excel, Access) to make direct ad hoc connections, and may compromise the security of your database.
STIG Reference: DM6155
STIG Severity: CAT II
STIG Iacontrols: DCFA
If you are deploying it to those versions and don't want to allow setupadmin you can exclude this test.
------------------------------
Wendy Zemba
Sr. Consultant, Data Protection
Converge Technology Solutions
wendy.zemba@convergetp.com
Need help with your Guardium deployment? Contact me directly to discuss engagement opportunities. Currently serving North America.
------------------------------
Original Message:
Sent: Fri May 30, 2025 07:21 AM
From: Gordon Foley
Subject: Guardium VA Setup Scripts
Hi All,
A DBA has asked me a question about the rationale for certain grants in the MSSQL setup script for the vulnerability assessment.
Does anyone know why Guardium needs the server role "setupadmin", as this grants permission to add and remove linked servers, which should not be required?
Regards
Gordon
------------------------------
Gordon Foley
------------------------------