| Name | Description |
|---|
| Agent Job Execution | Determine whether only administrators can execute SQL Agent CmdExec Jobs | Only administrators should be allowed to execute SQL Agent CmdExec jobs for several key security and operational reasons: - Security Risks: CmdExec jobs can execute system-level commands, which could potentially have a significant impact on the server or database. Allowing non-administrative users to execute such jobs could lead to the unintended execution of malicious or destructive commands.
- Privilege Escalation: If a non-administrative user can execute CmdExec jobs, they may be able to run commands that elevate their privileges, such as executing system commands that they would not normally be able to access, potentially leading to a security breach.
- Data Integrity: CmdExec jobs often interact with the operating system, file systems, or external systems. If someone without proper authorization executes these jobs, they could inadvertently compromise the integrity of data, backup systems, or other critical functions.
- Audit and Accountability: By limiting CmdExec job execution to administrators, organizations can better track and control who is performing sensitive operations on the server. This accountability is crucial for auditing purposes, especially in regulated industries where compliance with standards and policies is essential.
- Prevent Accidental Misuse: Non-administrative users may not fully understand the potential risks and consequences of running certain system-level commands. Administrators, on the other hand, have the expertise to properly handle and manage such jobs, reducing the risk of accidental misuse.
- System Stability: Executing certain commands through CmdExec jobs could destabilize the server, affect performance, or interfere with other processes. Allowing only administrators to execute these jobs helps mitigate the risk of compromising system stability.
By restricting this capability to administrators, an organization can maintain tighter control over its environment and ensure that potentially dangerous commands are only run by trusted and qualified personnel.
|
| ALTER TRACE Permission Granted To Unauthorized Users | Determine whether unauthorized users have been granted the ALTER TRACE permission on SQL Server 2005 or later | The ALTER TRACE permission can be risky because it gives access to trace configurations and event logs that can reveal sensitive information, including: - Query text
- Execution plans
- User information
- Database and system activity
- Other performance and diagnostic details
This data could be exploited by an unauthorized user if they have the wrong intentions, which is why it’s typically restricted to highly trusted personnel (e.g., DBAs and security auditors).
|
| CONTROL SERVER Permission Granted To Unauthorized Users | Determine whether unauthorized users have been granted the CONTROL SERVER permission on SQL Server 2005 or later | The CONTROL SERVER permission is very powerful and grants the ability to: - Change server-level settings such as security policies, linked servers, system configurations, and agent jobs.
- Access all databases and execute any actions across all objects within SQL Server.
- Execute critical administrative tasks, including managing logins, server-wide permissions, backups, and more.
- Manage server security at the highest level, including the ability to modify or delete other users' permissions, roles, and access levels.
Granting this permission to unauthorized or untrusted users could lead to severe security risks, including: - Unauthorized access to sensitive data.
- Malicious actions such as the alteration or deletion of critical system or user data.
- Alteration of security settings, which could potentially allow further privilege escalation or data leaks.
|
| Database File Owners Not Acceptable | Determine whether SQL Server database files have unapproved owners | Database files (MDF, NDF, LDF) should be owned by the SQL Server service account to ensure proper access and security. Best practices- The SQL Server service account should own database files.
- Avoid personal or high-privilege accounts.
- Ensure correct permissions for smooth operation and security.
|
| Database File Permissions Not Acceptable | Determine whether users have unapproved access to SQL Server database files | Unapproved users should not have permissions over database files (MDF, NDF, LDF) to ensure proper access and security. Permissions should not be granted to:- Regular users or application accounts.
- Personal user accounts (e.g., DBA’s personal Windows login).
- Domain Admins (unless explicitly needed).
|
| Database Files Missing Required Administrative Permissions | Determine whether the required administrative accounts have access to all database files | Approved accounts should have permissions over database files (MDF, NDF, LDF) to ensure proper access and security. SQL Server Service Account (e.g., NT SERVICE\MSSQLSERVER for default instances or NT SERVICE\MSSQL$InstanceName for named instances) Full Control (Read, Write, Modify, Delete) on the folder containing the database files. This ensures SQL Server can manage the database files properly. Administrators Group- Full Control (for troubleshooting and backup purposes).
SQL Server System Administrators (DBAs) (Optional)- Read & Execute, List Folder Contents (only if direct file access is necessary).
- DBAs typically manage SQL Server through the database engine, not direct file access.
|
| Direct Access Permissions | Check for logins that have had server-level permissions granted directly to them. | Best practice is to avoid granting server level permissions directly to a user login. Direct access should be removed from individual logins and be replaced with a server role. |
| Ensure public role is not granted access SQL Agent proxies in msdb database | Determine whether the public role is granted access to SQL Agent proxies | The public role should never be granted access to SQL Agent proxies in the msdb database.
Granting the public role access to SQL Agent proxies can introduce serious security risks, as the public role is automatically assigned to all users in SQL Server Security Risk: Any login with access to msdb would inherit proxy access, potentially allowing unauthorized users to execute jobs using elevated privileges. Principle of Least Privilege: Only specific users should be allowed to run jobs under SQL Agent proxies. Potential Privilege Escalation: Attackers or malicious users could misuse an improperly assigned proxy to gain elevated access to the system. Grant Proxy Access Only to Specific Users or RolesUse the msdb database roles such as: - SQLAgentUserRole: Can create/modify jobs owned by the user.
- SQLAgentReaderRole: Can view job history and schedules.
- SQLAgentOperatorRole: Can manage all jobs but not create them.
Explicitly Grant Proxy Access to Trusted LoginsUse sp_grant_proxy_to_subsystem to assign the proxy to a specific principal. Avoid using the sysadmin role for job execution unless necessaryUse credential-based authentication for SQL Agent Proxies.
|
| Everyone Database File Access | Determine whether the Everyone group has access to SQL Server database files | Unapproved users should not have permissions over database files (MDF, NDF, LDF) to ensure proper access and security. Granting the Everyone group access to database files is a major security risk and violates the principle of least privilege. Security Risk - The Everyone group includes all authenticated users, meaning any user on the server could potentially read, modify, or delete database files.
Data Integrity & Confidentiality- Unauthorized access could lead to data corruption, leakage, or theft.
Compliance Violations - Many security standards (e.g., HIPAA, GDPR, PCI-DSS) require strict access control, and granting Everyone access would be a violation.
Risk of Ransomware/Attacks - Malware or attackers could encrypt, delete, or tamper with database files if permissions are too open.
|
| Everyone System Table Access | Determine whether the Everyone group has read access to system tables on the SQL Server | Granting the Everyone group access to system tables is a major security risk because system tables store sensitive metadata, such as: - Login credentials (hashed passwords, security principals)
- Database structure and configuration
- User roles and permissions
- SQL Agent jobs and history
- Linked server connections
Security Risk - Any user could view sensitive system information, potentially exposing security vulnerabilities.
Unauthorized Access - Attackers could extract data about user accounts, roles, and permissions for privilege escalation.
Data Integrity - While read access doesn't modify data, it exposes system-level details that should only be available to admins.
Compliance Violations - Security standards like HIPAA, GDPR, PCI-DSS require strict control over system data.
|
| Executable File Owners Not Acceptable | Determine whether SQL Server executable files have unapproved owners | SQL Server executable files (sqlservr.exe, sqlagent.exe, etc.) are critical system files that control the database engine and services. Allowing regular users access to these files poses serious security risks and could lead to service disruptions, data breaches, or privilege escalation attacks. Security Risk - Users with access to executable files could modify, delete, or replace them to inject malicious code.
Service Disruption - Accidental or intentional modifications could prevent SQL Server from starting or cause instability.
Privilege Escalation - Attackers could exploit file access to gain elevated privileges and control the SQL Server instance.
Compliance Violations - Security standards like HIPAA, GDPR, PCI-DSS require strict protection of database services.
The SQL Server installation directory (e.g., C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\) contains critical files that should be restricted, including: - SQL Server Engine (sqlservr.exe)
- SQL Agent (sqlagent.exe)
- Configuration Manager (sqlservermanager16.msc)
- SQLCMD & BCP Utilities (sqlcmd.exe, bcp.exe)
- DLL Files (sqlos.dll, sqlmin.dll)
|
| Executable File Permissions Not Acceptable | Determine whether users have unapproved access to SQL Server executable files | SQL Server executable files (sqlservr.exe, sqlagent.exe, etc.) should have strictly controlled permissions to prevent unauthorized access, modifications, or security risks. Recommended permissions for SQL Server executables: | Account | Permission | Reason |
|---|
| SQL Server Service Account (NT SERVICE\MSSQLSERVER for default instances or NT SERVICE\MSSQL$InstanceName for named instances) | Full Control | Required to run SQL Server services. | | Administrators Group (BUILTIN\Administrators) | Full Control | Required for maintenance and emergency recovery. | | SYSTEM Account | Full Control | Required for OS-level operations. | | Authenticated Users | No Access | Prevents unauthorized access. | | Everyone Group | No Access | Major security risk. | | Regular Users & Developers | No Access | Should not have access to executables. |
|
| Executable Files Missing Required Administrative Permissions | Determine whether the required administrative accounts have access to all executable files (any .exe or .dll file) | Recommended permissions for SQL Server executables: | Account | Permission | Reason |
|---|
| SQL Server Service Account (NT SERVICE\MSSQLSERVER for default instances or NT SERVICE\MSSQL$InstanceName for named instances) | Full Control | Required to run SQL Server services. | | Administrators Group (BUILTIN\Administrators) | Full Control | Required for maintenance and emergency recovery. | | SYSTEM Account | Full Control | Required for OS-level operations. | | Authenticated Users | No Access | Prevents unauthorized access. | | Everyone Group | No Access | Major security risk. | | Regular Users & Developers | No Access | Should not have access to executables. |
|
| Integration Services Roles Have Dangerous Security Principals | Determine whether dangerous security principals belong to any SQL Server Information Services (SSIS) database roles. | Only specific, trusted accounts should be members of SSIS-related database roles in SQL Server to maintain security and the principle of least privilege. | Database Role | Purpose | Who Should Be a Member? | Permissions |
|---|
| db_ssisadmin | Full control over SSIS packages | DBAs & SSIS Administrators (Limited group) | Full administrative control over SSIS, including execution and modification of all packages. | | db_ssisltduser | Limited access to SSIS packages | Trusted Application Service Accounts, Specific Developers (if needed) | Read and execute permissions on packages, but cannot edit system-wide settings. | | db_ssisoperator | Can execute and monitor SSIS packages | Operations Team, Job Scheduling Accounts (SQL Agent) | Can execute and view package execution history but cannot modify packages. |
Who should not be a member of any SSIS database roles?- Regular Users: No need to interact with SSIS directly.
- Public / Everyone Group: Major security risk.
- Application Logins (Unless Required): Apps should execute SSIS packages through stored procedures or service accounts.
- Developers (Unless Needed): If needed, they should only be in db_ssisltduser role.
Best Practices- Use SQL Server service accounts for running SSIS jobs instead of adding individual users.
- Grant the minimum required access to prevent privilege escalation.
- Regularly audit role membership.
- Use Proxy Accounts for SQL Agent jobs instead of granting SSIS permissions to broad groups.
|
| Integration Services Roles Permissions Not Acceptable | Determine whether unapproved roles have been granted permissions on an Integration Services stored procedure. | Only specific roles should be granted permissions on SSIS-related stored procedures to maintain security and prevent unauthorized access. | Role | When to Grant Permissions? | Permissions to Grant |
|---|
| db_ssisadmin | Full control over SSIS packages and execution. | EXECUTE (Full control on SSIS stored procedures) | | db_ssisoperator | Allowed to execute and monitor SSIS packages. | EXECUTE (Only on stored procedures related to package execution) | | db_ssisltduser | Limited access for specific SSIS users (e.g., developers needing execution rights). | EXECUTE (Only on specific stored procedures as needed) | | SQLAgentUserRole (in msdb) | If SSIS packages are executed via SQL Agent jobs. | EXECUTE (For job-related SSIS stored procedures) | | Custom Role (Optional) | If business needs require a custom security setup. | Grant only necessary EXECUTE permissions. |
|
| Integration Services Users Permissions Not Acceptable | Determine whether unapproved users have been granted permissions on an Integration Services stored procedure. | Who Should NOT Be Granted Access to an Integration Services stored procedure?- Public Role: No reason for all users to access SSIS procedures.
- db_datareader/db_datawriter: These roles manage data, not SSIS execution.
- Regular Users: They should not interact directly with SSIS procedures.
- Application Logins: Use a dedicated service account instead of granting broad access.
|
| Limit Propagation of access rights | Check for users that have GRANT_WITH_GRANT_OPTION, as they can grant those rights to other users. | Regular users should not have GRANT WITH GRANT OPTION in SQL Server unless absolutely necessary. The WITH GRANT OPTION clause allows a user not only to use a permission but also to grant it to others. This can lead to privilege escalation if not carefully controlled. Why Shouldn’t Users Have GRANT WITH GRANT OPTION?- Privilege Escalation: Users can create uncontrolled access chains by granting permissions to others.
- Security Risks: Malicious or careless users can bypass access controls by delegating privileges.
- Difficult to Track: Managing and auditing permissions becomes harder because permissions can be passed indirectly.
- Compliance Violations: Security frameworks like HIPAA, GDPR, PCI-DSS require strict access control.
|
| Public Database Role Has Permissions | Determine whether the public database role has any permissions | The public database role should not be granted any additional permissions in SQL Server. The public role is a built-in default role in every database. All database users automatically belong to public if they are not explicitly assigned to another role. The public role is meant for the most basic, minimal permissions that every user needs. - Security Risk: Any permission granted to public applies to all users, including unintended ones.
- Privilege Escalation: If users gain access to a database, they might exploit excessive permissions.
- Compliance Violations: Security standards like HIPAA, GDPR, PCI-DSS require strict access control.
- Difficult to Manage: Permissions should be explicitly granted to roles/users instead of public.
|
| Public Role Has Permissions on User Database Objects | Determine whether the public database role has been granted permissions on user database objects. | The public database role should NOT be granted permissions on user database objects. - The public role is a default role that every database user automatically belongs to.
- It is meant for minimal, essential permissions required for basic connectivity.
- Any permissions granted to public apply to ALL users, making it a potential security risk.
|
| Public Server Role Has Permissions | Determine whether the public server role has been granted permissions | The public server role should NOT be granted any additional permissions. - The public server role is a built-in, fixed role in SQL Server.
- All logins automatically belong to public when they connect to SQL Server.
- It should only have the absolute minimum permissions necessary for connectivity.
Why Shouldn’t public Have Additional Permissions?- Security Risk: Any permissions granted to public apply to all logins, including unauthorized users.
- Privilege Escalation: Attackers who gain access to SQL Server could leverage public to escalate privileges.
- Compliance Violations: Security standards like HIPAA, GDPR, and PCI-DSS require strict access control, and excessive public permissions can violate compliance.
- Harder to Audit & Manage: It is much safer and easier to grant permissions explicitly to roles or users instead of modifying public.
|
| Public Server Role only granted default Microsoft permissions | Determine that the Public Server Role only has default permissions granted by Microsoft. In keeping with the principle of least privileges, the public server role should not be used to grant permissions at the server scope as these would be inherited by all users. | The public server role should not be granted any additional permissions. - The public server role is a built-in, fixed role in SQL Server.
- All logins automatically belong to public when they connect to SQL Server.
- It should only have the absolute minimum permissions necessary for connectivity.
Best Practices- Never assign explicit permissions to public at the server level.
- Instead, use appropriate server roles (sysadmin, securityadmin, dbcreator, etc.) for permissions.
- Regularly audit the public role to ensure it has no extra permissions.
- Ensure public does NOT have VIEW ANY DATABASE, CONNECT ANY DATABASE, or CONTROL SERVER.
|
| Registry Key Owners Not Acceptable | Determine whether registry keys that can affect SQL Server security have unapproved owners | SQL Server stores its configuration settings in the Windows Registry. Important registry keys include: Instance Configuration:- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSQLSERVER\
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SQLAgent$InstanceName\
SQL Server Version & Feature Keys:- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\
Who Should NOT Own SQL Server Registry Keys?- Regular users: They should not have write access to registry keys to prevent accidental or malicious changes.
- Application accounts: Applications should access SQL Server via defined permissions, not registry modifications.
- Public or Everyone groups: This would create a major security risk.
|
| Registry Key Permissions Not Acceptable | Determine whether users have unapproved access to registry keys | Only the following users should have access to SQL Server-related registry keys: | Registry Key | Recommended Access | Reason |
|---|
| Instance Configuration (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\) | Administrators (Full Control) | Required for instance configuration and updates. | | SQL Server service account (Read/Write) | | MSSQLSERVER Services (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSQLSERVER\) | Administrators (Full Control) | Needed for SQL Server service startup. | | SQL Server service account (Read/Write) | | SQL Agent Service (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SQLAgent$InstanceName\) | Administrators (Full Control) | Required for SQL Server Agent jobs and scheduling. | | SQL Agent service account (Read/Write) | | Integration Services (SSIS) (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\SSIS\) | Administrators (Full Control) | Needed for SSIS package execution. | | SSIS service account (Read/Write) | | Reporting Services (SSRS) (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\SSRS\) | Administrators (Full Control) | Required for SSRS functionality. | | SSRS service account (Read/Write) | | Analysis Services (SSAS) (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\SSAS\) | Administrators (Full Control) | Needed for Analysis Services operations. | | SSAS service account (Read/Write) |
|
| Registry Keys Missing Required Administrative Permissions | Determine whether the required administrative accounts have access to all SQL Server registry keys | Only the following users should have access to SQL Server-related registry keys: | Registry Key | Recommended Access | Reason |
|---|
| Instance Configuration (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\) | Administrators (Full Control) | Required for instance configuration and updates. | | SQL Server service account (Read/Write) | | MSSQLSERVER Services (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSQLSERVER\) | Administrators (Full Control) | Needed for SQL Server service startup. | | SQL Server service account (Read/Write) | | SQL Agent Service (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SQLAgent$InstanceName\) | Administrators (Full Control) | Required for SQL Server Agent jobs and scheduling. | | SQL Agent service account (Read/Write) | | Integration Services (SSIS) (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\SSIS\) | Administrators (Full Control) | Needed for SSIS package execution. | | SSIS service account (Read/Write) | | Reporting Services (SSRS) (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\SSRS\) | Administrators (Full Control) | Required for SSRS functionality. | | SSRS service account (Read/Write) | | Analysis Services (SSAS) (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\SSAS\) | Administrators (Full Control) | Needed for Analysis Services operations. | | SSAS service account (Read/Write) |
|
| Sysadmins Own Databases | Determine whether any databases are owned by a system administrator | A user database in SQL Server should not be owned by a system account like sa or any built-in system owner. Best Practice- Assign Ownership to a Designated Service Account
- A dedicated SQL Server login (e.g., DBAdminUser) should own the database.
- The database owner (DBO) should not be a system account like sa for security and auditing reasons.
Why Shouldn't System Owners Own a Database?| Reason | Explanation |
|---|
| Security Risk | If an attacker gains access to sa, they can modify ALL databases. | | Auditing & Accountability | If sa owns the database, it is harder to track changes to specific users. | | Compliance Issues | Regulatory standards (HIPAA, GDPR, PCI-DSS) require least privilege access. | | Privilege Escalation Risk | Users with database ownership can execute high-privilege commands (sp_configure, DBCC, etc.). |
|