Permission Security Checks control the permissions for objects and roles.
The Permissions Security Checks available on the Configure the Policy section are the following:
Name | Description |
|---|---|
| Agent Job Execution | Determine whether only administrators can execute SQL Agent CmdExec Jobs |
| ALTER TRACE Permission Granted To Unauthorized Users | Determine whether unauthorized users have been granted the ALTER TRACE permission on SQL Server 2005 or later |
| CONTROL SERVER Permission Granted To Unauthorized Users | Determine whether unauthorized users have been granted the CONTROL SERVER permission on SQL Server 2005 or later |
| Database File Owners Not Acceptable | Determine whether SQL Server database files have unapproved owners |
| Database File Permissions Not Acceptable | Determine whether users have unapproved access to SQL Server database files |
| Database Files Missing Required Administrative Permissions | Determine whether the required administrative accounts have access to all database files |
| Direct Access Permissions | Check for logins that have had server-level permissions granted directly to them. |
| Ensure public role is not granted access SQL Agent proxies in msdb database | Determine whether the public role is granted access to SQL Agent proxies |
| Everyone Database File Access | Determine whether the Everyone group has access to SQL Server database files |
| Everyone System Table Access | Determine whether the Everyone group has read access to system tables on the SQL Server |
| Executable File Owners Not Acceptable | Determine whether SQL Server executable files have unapproved owners |
| Executable File Permissions Not Acceptable | Determine whether users have unapproved access to SQL Server executable files |
| Executable Files Missing Required Administrative Permissions | Determine whether the required administrative accounts have access to all executable files (any .exe or .dll file) |
| Integration Services Roles Have Dangerous Security Principals | Determine whether dangerous security principals belong to any SQL Server Information Services (SSIS) database roles. |
| Integration Services Roles Permissions Not Acceptable | Determine whether unapproved roles have been granted permissions on an Integration Services stored procedure. |
| Integration Services Users Permissions Not Acceptable | Determine whether unapproved users have been granted permissions on an Integration Services stored procedure. |
| Limit Propagation of access rights | Check for users that have GRANT_WITH_GRANT_OPTION, as they can grant those rights to other users. |
| Public Database Role Has Permissions | Determine whether the public database role has any permissions |
| Public Role Has Permissions on User Database Objects | Determine whether the public database role has been granted permissions on user database objects. |
| Public Server Role Has Permissions | Determine whether the public server role has been granted permissions |
| Public Server Role only granted default Microsoft permissions | Determine that the Public Server Role only has default permissions granted by Microsoft. In keeping with the principle of least privileges, the public server role should not be used to grant permissions at the server scope as these would be inherited by all users. |
| Registry Key Owners Not Acceptable | Determine whether registry keys that can affect SQL Server security have unapproved owners |
| Registry Key Permissions Not Acceptable | Determine whether users have unapproved access to registry keys |
| Registry Keys Missing Required Administrative Permissions | Determine whether the required administrative accounts have access to all SQL Server registry keys |
| Sysadmins Own Databases | Determine whether any databases are owned by a system administrator |