We have a stage cluster we are going through with a fine-tooth comb in order to prepare for PCI compliance. One of the audits flagged the existence of NT AUTHORITY\SYSTEM. We disabled it, but lo and behold, our cluster failed to come up. I was able to bring SQL up standalone, re-enable NT AUTHORITY\SYSTEM, shut down SQL, and bring the SQL cluster back up.
NT AUTHORITY\SYSTEM only seems to be running 'select @@servername' periodically, so I'm assuming the cluster is using this to verify the server is still up. We have stripped it of its sysadmin privileges for now and there seem to be no issues. I'd like a second opinion to see if we approached this the correct way, and why the audit would have flagged this in the first place.
"In theory, theory and practice are the same. In practice, they are not."
- Albert Einstein
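
An added example, not part of the original post: a T-SQL check of the state the post describes, confirming that the NT AUTHORITY\SYSTEM login is still enabled, is no longer in sysadmin, and showing what it still holds and what its sessions last ran. It assumes SQL Server 2008 or later (for the inline `DECLARE` initializer) and a caller with VIEW SERVER STATE.

```sql
-- Added example: audit NT AUTHORITY\SYSTEM after removing it from sysadmin.
DECLARE @login sysname = N'NT AUTHORITY\SYSTEM';

-- 1. Login state. The post's cluster failed to start with this login disabled,
--    so is_disabled should be 0 and is_sysadmin should now be 0.
SELECT sp.name,
       sp.type_desc,
       sp.is_disabled,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin
FROM sys.server_principals AS sp
WHERE sp.name = @login;

-- 2. Server roles the login is still a member of (should not list sysadmin).
SELECT r.name AS server_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @login;

-- 3. Server-level permissions granted or denied directly to the login.
SELECT pe.class_desc,
       pe.permission_name,
       pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS sp ON sp.principal_id = pe.grantee_principal_id
WHERE sp.name = @login;

-- 4. Current sessions for the login and the last statement each one ran,
--    to confirm the activity is limited to checks such as select @@servername.
SELECT s.session_id,
       s.program_name,
       s.host_name,
       s.last_request_end_time,
       t.text AS last_statement
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
CROSS APPLY sys.dm_exec_sql_text(c.most_recent_sql_handle) AS t
WHERE s.login_name = @login;
```

Saving the output of queries 1 to 3 gives the auditor a record of what the login can do after the change, and query 4 can be rerun over time to see whether anything other than the periodic check connects under it.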