Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


The Access Security Checks available on the Configure the Policy section are the following:



Always Encrypted

Determine whether always encryption is configured for specified columns on SQL Server 2016 or later.
Appropriate cryptographic modules have been used to encrypt data.

Check all databases for appropriate encryption algorithms.

Assembly host policy

Determine whether there are user defined assemblies with host policy other than SAFE.

Backup Encryption (Native)

Determine whether native backup encryption was configured on SQL Server 2014 or later.

Backup Encryption (Non-Native)

Determine whether non-native backups were configured on SQL Server 2008 or later.

Certificate private keys were never exported

Determine whether certificate private keys were not exported.

Contained database authentication type

Determine whether authentication type set to Mixed mode with contained databases exists on instance.

DAC Remote Access

Determine whether the Dedicated Administrator Connection is available remotely.

Dangerous Extended Stored Procedures (XSPs)

Determine whether permissions have been granted on dangerous Extended Stored Procedures (XSPs).

Database Master Key encrypted by Service Master Key

Check for databases where the Database Master Key is encrypted by Service Master Key. The Service Master Key is the root of SQL Server's Encryption Hierarchy. As such, there can only be one service master key per SQL Server instance. The service master key is used to protect (encrypt) other keys, mainly the database master keys. It cannot be used directly to encrypt data.

Database Master Keys Encrypted by Password

Returns Database Master Keys passwords that are stored in credentials within the database. This is simply a count of Database Master Keys, use the family_guid value for each credential to check against the backup file to identify the database the credential is associated with.

Database roles and members

Shows information about database roles and their members.

Dynamic Data Masking

Determine whether dynamic data masking is configured for specified columns on SQL Server 2016 or later.

Encryption Methods

Determine whether there are encryption keys with algorithms other than supported.

Files On Drives Not Using NTFS

Determine whether all SQL Server files are stored on drives that use NTFS.

Fixed Roles Assigned To public Or guest

Determine whether public or guest are members of any fixed database roles.

Guest User Enabled

Determine whether Guest user access is available on the SQL Server.

Linked server is running as a member of sysadmin group

Determine whether linked servers are running as a member of sysadmin group.

NTFS Folder Level Encryption

Determine whether NTFS folder level encryption is configured for Windows folders.

Operating System Version

Determine whether the Operating System version is at an acceptable level.

Public role permissions

Determine whether the public roles have permissions to user defined objects.

Remote Access

Determine whether Remote Access is enabled on the SQL Server.

Required Administrative Accounts Do Not Exist

Determine whether the required administrative accounts exist on the SQL Server.

Row-Level Security

Determine whether row-level security is configured for specified tables on SQL Server 2016 or later.

Server roles and members

Shows information about server roles and their members.

Signed Objects

Determine whether a digital signature has been added to sepcified stored procedure, function, assembly or trigger on SQL Server 2008 or later.

SQL Job permissions

Determine whether SQL Server Agent account or job proxies are members of local Administrators group.

SQL Jobs and Agent

Determine whether job steps are running on behalf of proxy account.

SQL Server Browser Running

Determine whether the SQL Server Browser is running on the SQL Server.

SQL Server database level encryption

Determine the encryption status of all databases in the instance.

Startup Stored Procedures

Determine whether there are unapproved stored procedures set to run at startup on the SQL Server.

Startup Stored Procedures Enabled

Determine whether the "Scan for startup stored procedures" configuration option has been enabled on the SQL Server.

Startup Stored Procedures permissions

Determine whether startup stored procedures can be run or are owned by accounts without sysadmin permissions.

Stored Procedures Encrypted

Determine whether user stored procedures are encrypted on the SQL Server.

Symmetric key

Determine whether master, msdb, model or tempdb have user-created symmetric keys.

Symmetric Keys Not Encrypted with a Certificate

Lists all symmetric keys in a database that are not the database master key and are encrypted by either password or another symmetric key.

Sysadmins Own Trustworthy Databases

Determine whether any trustworthy databases are owned by system administrators on SQL Server 2005 or later.

Transparent Data Encryption

Determine whether transparent data encryption is configured for any databases on SQL Server 2008 or later.

Unacceptable Database Ownership

Determine whether if a database is found with an unacceptable owner.

User Defined Extended Stored Procedures (XSPs)

Determine whether unapproved user-defined Extended Stored Procedures (XSPs) exist.