11/22/21, 7:39 PM DBA: SQL Audit Checklist For Internal Security Review
May 17, 2013 IT Security | SQL | Technology

DBA: SQL Audit Checklist For Internal Security Review

By David K. Sutton

Keywords: audit, checklist, DBA, icacls, review, security, server, SQL, SQL 2008, SQL query, Windows, Windows 2008

To stay on top of security you need to regularly review your server configurations. It’s helpful to build a checklist to be used as part of an internal security audit review.

Below is just such a checklist, specifically tailored to audit a SQL 2008 Server running on Windows Server 2008. Most of what’s in this checklist will work for other versions of SQL and Windows, but certain paths and SQL queries may vary.

Refer to SQL Server Security Best Practices for more information on securing your SQL server.

SQL AUDIT CHECKLIST configur [...]
SQL
Technology
This SQL audit checklist should be filled out on a regular HOW TO EDIT
Television GOOGLE
VMware
interval (example: quarterly) for each of your SQL CHROME
Windows servers. SQL queries and Windows commands are CUSTOM SPELL
CHECK
Windows Server 2012 included for convenience. You can also provide screen DICTIONARY
WordPress January 6th,
captures where appropriate. Each audit checklist should
2016
be saved with a custom file name, something like:
SEARCH So, you've
accidentally added
servername-year-month-day-audit-checklist a misspelled word
Type your query, hit e to Google Chrome's
custom dictionary,
SQL Server Audited:

Audited By:

Audit Date:

1. Default Database “Data” location.

2. Default Database “Log” location.

(Both are shown in Management Studio under Server Properties, Database Settings, “Database default locations”.)

3. List all databases along with brief description.

SQL Query:

EXEC sp_databases

4. Backup schedule and type (daily/full) as well as backup server name.

5. Confirm “Login auditing” is configured for “Failed logins only” in the Security page of the SQL Server properties. This is the installation default; “Both failed and successful logins” is also acceptable if someone actually reviews the extra volume, while “None” is a finding.

6. If this is a production SQL server, confirm there are no test databases (all test databases should be hosted on a test server).

7. Confirm “sample” SQL databases (AdventureWorks, etc.) do not exist on production SQL server.

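Items 1 through 3, 6 and 7 can be answered from the catalog views in one pass instead of reading them off the Server Properties dialog. The script below is an added example and is not part of the original post; it assumes sysadmin rights on the instance. xp_instance_regread is an undocumented but long-standing extended procedure (SQL Server 2012 and later expose the same values through SERVERPROPERTY('InstanceDefaultDataPath') and SERVERPROPERTY('InstanceDefaultLogPath')). The “test” and “dev” name patterns used to flag test databases are an assumption; substitute your own naming convention.

```sql
-- Items 1 and 2: the instance-wide default data and log directories.
-- NULL means the default was never changed in Server Properties, in which
-- case new files go to the directory that holds master's data file.
DECLARE @default_data NVARCHAR(512), @default_log NVARCHAR(512);

EXEC master.dbo.xp_instance_regread
     @rootkey    = N'HKEY_LOCAL_MACHINE',
     @key        = N'Software\Microsoft\MSSQLServer\MSSQLServer',
     @value_name = N'DefaultData',
     @value      = @default_data OUTPUT;

EXEC master.dbo.xp_instance_regread
     @rootkey    = N'HKEY_LOCAL_MACHINE',
     @key        = N'Software\Microsoft\MSSQLServer\MSSQLServer',
     @value_name = N'DefaultLog',
     @value      = @default_log OUTPUT;

SELECT @default_data AS default_data_location,
       @default_log  AS default_log_location;

-- Items 3, 6 and 7: every user database with its owner, state, recovery
-- model and the physical path of each file. Sample/test databases and files
-- placed outside the default directories show up in the finding column.
-- The '%test%' / '%dev%' patterns are an assumed naming convention.
SELECT d.name                    AS database_name,
       d.state_desc,
       d.recovery_model_desc,
       SUSER_SNAME(d.owner_sid)  AS owner_login,
       f.type_desc               AS file_type,     -- ROWS or LOG
       f.physical_name,
       CASE
           WHEN d.name LIKE 'AdventureWorks%'
             OR d.name IN ('Northwind', 'pubs')
                THEN 'sample database (item 7)'
           WHEN d.name LIKE '%test%' OR d.name LIKE '%dev%'
                THEN 'possible test database (item 6), assumed naming pattern'
           WHEN @default_data IS NOT NULL AND f.type_desc = 'ROWS'
            AND LEFT(f.physical_name, LEN(@default_data)) <> @default_data
                THEN 'data file outside default location'
           WHEN @default_log IS NOT NULL AND f.type_desc = 'LOG'
            AND LEFT(f.physical_name, LEN(@default_log)) <> @default_log
                THEN 'log file outside default location'
           ELSE ''
       END                       AS finding
FROM sys.databases    AS d
JOIN sys.master_files AS f ON f.database_id = d.database_id
WHERE d.database_id > 4          -- skip master, tempdb, model and msdb
ORDER BY d.name, f.type, f.file_id;
```

Paste the two result sets into the audit file; the finding column is there so that a reviewer does not have to eyeball forty paths to spot the one database sitting on a drive the backup job never touches.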
8. List all “SQL Authentication” users along with purpose.

SQL Query:

-- sys.sql_logins also exposes password_hash; select named columns so it never ends up in the audit record
SELECT name, is_disabled, is_policy_checked, is_expiration_checked, create_date, modify_date
FROM sys.sql_logins

9. List all “Windows Authentication” users along with purpose.

SQL Query:

USE master
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE type_desc IN ('WINDOWS_LOGIN', 'WINDOWS_GROUP')

For each WINDOWS_GROUP login, SQL Server does not store who is in the group; pull the group’s current membership from Active Directory (or from the local computer for local groups) and attach it to the audit, since those are the accounts that actually hold the access.

10. Confirm SQL Server Security is set to “Windows
Authentication”. If configured for both Windows and SQL
authentication, explain why this is necessary.

11. If SQL Logins are used, confirm “Enforce password policy” and “Enforce password expiration” are enabled on each login. List exceptions below with reason. For “service” SQL logins that are not subject to password expiration (used for backend SQL authentication by applications), a routine password change procedure should be implemented.

12. Make sure SA account is disabled. If not disabled, make sure it is renamed and has a strong password. Change password at each audit. Or provide reason for keeping SA account.
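Items 5, 8 and 10 through 12 can be verified in one script rather than by clicking through the Server Properties and Login Properties dialogs. This is an added example, not part of the original post; it assumes sysadmin rights. xp_loginconfig is a deprecated but still present extended procedure. The sa login is identified by its fixed sid 0x01, so a renamed sa is still caught.

```sql
-- Item 10: authentication mode. 1 = Windows Authentication only.
SELECT CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS INT)
            WHEN 1 THEN 'Windows Authentication'
            ELSE 'SQL Server and Windows Authentication (mixed); justify in the audit'
       END AS authentication_mode;

-- Item 5: login auditing level. Expect 'failure' (failed logins only);
-- 'all' is acceptable, 'none' is a finding.
EXEC master.dbo.xp_loginconfig 'audit level';

-- Items 8, 11 and 12: every SQL login with the policy flags the checklist
-- asks about. sid 0x01 is the built-in sa account whatever it is called now.
SELECT name,
       CASE WHEN sid = 0x01 THEN 1 ELSE 0 END       AS is_sa,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       LOGINPROPERTY(name, 'PasswordLastSetTime')   AS password_last_set,
       CASE
           WHEN sid = 0x01 AND is_disabled = 0 AND name = 'sa'
                THEN 'sa enabled and not renamed'
           WHEN sid = 0x01 AND is_disabled = 0
                THEN 'sa enabled: rotate password at this audit or document why it is kept'
           WHEN is_disabled = 0 AND is_policy_checked = 0
                THEN 'password policy not enforced'
           WHEN is_disabled = 0 AND is_expiration_checked = 0
                THEN 'password expiration not enforced; must be a documented service login'
           ELSE ''
       END AS finding
FROM sys.sql_logins
ORDER BY is_sa DESC, name;
```

password_last_set is what lets you check the “routine password change procedure” for service logins from item 11: a service login whose password was last set before the previous audit has not been rotated, whatever the procedure document says.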

13. List members of “Local Administrators” group along with purpose.

SQL Query:

BEGIN
CREATE TABLE #temp_localadmin (output VARCHAR(8000))
INSERT INTO #temp_localadmin
EXEC xp_cmdshell 'net localgroup administrators'
-- Drop the NULL rows xp_cmdshell emits for blank lines and the header/footer text of "net localgroup".
-- Filtering on '%\%' (a backslash) instead would hide local members such as the built-in Administrator, which have no DOMAIN\ prefix.
SELECT output AS local_administrator
FROM #temp_localadmin
WHERE output IS NOT NULL
  AND output NOT LIKE 'Alias name%'
  AND output NOT LIKE 'Comment%'
  AND output <> 'Members'
  AND output NOT LIKE '----%'
  AND output NOT LIKE 'The command completed%'
DROP TABLE #temp_localadmin
END

Note that this query depends on xp_cmdshell, which is disabled by default and should stay disabled on a production server. If you would rather not enable it even temporarily, run net localgroup administrators from an elevated command prompt on the server and paste the output into the audit instead.
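Because the query for item 13 silently depends on xp_cmdshell, record its state as part of the same audit step. The following is an added check and is not part of the original post: an enabled xp_cmdshell on a production server is itself a finding, and if it was switched on only to capture the administrators list it should be switched off again before the audit is closed.

```sql
-- Current state of xp_cmdshell (value_in_use = 1 means enabled).
-- 'show advanced options' is listed because it must be 1 to change xp_cmdshell.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- Disable xp_cmdshell again once the local administrators list has been
-- captured, then hide the advanced options as they were by default.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Run the first SELECT before and after the item 13 query and keep both results; the “after” row is the evidence that the audit did not leave the server more exposed than it found it.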

14. List db_owner database role members along with purpose. Database roles are scoped to a single database, so run this (and items 15, 16 and 20) in each user database, for example after USE dbname.

SQL Query:

EXEC sp_helprolemember db_owner

15. List db_securityadmin database role members along


with purpose.

SQL Query:

EXEC sp_helprolemember db_securityadmin

16. List db_accessadmin database role members along


with purpose.

SQL Query:

EXEC sp_helprolemember db_accessadmin

17. List sysadmin server role members along with


purpose.

SQL Query:

EXEC sp_helpsrvrolemember sysadmin

18. List serveradmin server role members along with


purpose.

SQL Query:

EXEC sp_helpsrvrolemember serveradmin

19. List securityadmin server role members along with


purpose.

SQL Query:

EXEC sp_helpsrvrolemember securityadmin

20. If custom application roles have been created, list those roles and membership, along with purpose. sp_helprolemember with the role name lists the members of a custom database role, as in items 14 to 16; sp_helprotect with @username set to the role name lists the permissions granted to it. (A true application role, created with CREATE APPLICATION ROLE, has no members and is activated by password, so for those list the role and its permissions only.)

SQL Query (substitute the role name):

EXEC sp_helprotect @username = 'application_rolename'
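The sp_helprolemember calls in items 14 through 16 and 20 report only the database you are currently in, and the sp_helpsrvrolemember calls in items 17 through 19 give one result set per role. The script below gathers all of it in two result sets and is an added example, not part of the original post. It assumes sysadmin rights and uses sp_MSforeachdb, an undocumented procedure that replaces “?” with each database name; it has been known to skip databases under load, so reconcile its output against the database list from item 3.

```sql
-- Members of the privileged fixed database roles (items 14 to 16) and of
-- every custom, non-fixed role (item 20) from each online database.
CREATE TABLE #role_members (
    database_name SYSNAME,
    role_name     SYSNAME,
    is_fixed_role BIT,
    member_name   SYSNAME,
    member_type   NVARCHAR(60)
);

EXEC sp_MSforeachdb N'
IF DATABASEPROPERTYEX(''?'', ''Status'') = ''ONLINE''
BEGIN
    INSERT INTO #role_members (database_name, role_name, is_fixed_role, member_name, member_type)
    SELECT ''?'', r.name, r.is_fixed_role, m.name, m.type_desc
    FROM [?].sys.database_role_members AS rm
    JOIN [?].sys.database_principals  AS r ON r.principal_id = rm.role_principal_id
    JOIN [?].sys.database_principals  AS m ON m.principal_id = rm.member_principal_id
    WHERE r.name IN (''db_owner'', ''db_securityadmin'', ''db_accessadmin'')
       OR r.is_fixed_role = 0;
END';

-- The dbo user is always listed under db_owner; the login behind it is the
-- database owner (owner_sid in sys.databases), not a separate grant.
SELECT database_name, role_name, is_fixed_role, member_name, member_type
FROM #role_members
ORDER BY database_name, role_name, member_name;

DROP TABLE #role_members;

-- Items 17 to 19: fixed server role members. type_desc shows whether the
-- member is a Windows group, whose real membership lives in Active Directory.
SELECT r.name AS server_role, m.name AS member_login, m.type_desc, m.is_disabled
FROM sys.server_role_members AS srm
JOIN sys.server_principals  AS r ON r.principal_id = srm.role_principal_id
JOIN sys.server_principals  AS m ON m.principal_id = srm.member_principal_id
WHERE r.name IN ('sysadmin', 'serveradmin', 'securityadmin')
ORDER BY r.name, m.name;
```

Keep the per-item sp_helprolemember and sp_helpsrvrolemember output if your audit template expects it; this script is for the reviewer who wants every privileged membership on one page so that a login that is sysadmin on the server and also db_owner on three databases is seen as one person, not four rows in four places.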

21. List permissions for the “C:\Program Files\Microsoft SQL Server” directory.

Windows Command:

icacls "C:\Program Files\Microsoft SQL Server"

22. List permissions for the “C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn” directory. (MSSQL10_50 is the instance directory for SQL Server 2008 R2; a plain SQL Server 2008 default instance uses MSSQL10.MSSQLSERVER, and a named instance replaces MSSQLSERVER with the instance name.)

Windows Command:

icacls "C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn"

23. List permissions for the “C:\Program Files\Microsoft SQL Server\80\Tools\Binn” directory.

Windows Command:

icacls "C:\Program Files\Microsoft SQL Server\80\Tools\Binn"

24. List permissions for the “C:\Program Files\Microsoft SQL Server\80\COM” directory.

Windows Command:

icacls "C:\Program Files\Microsoft SQL Server\80\COM"

In the icacls output, (F) is full control, (M) modify, (RX) read and execute, (OI) and (CI) mean the entry is inherited by files and subfolders, and (I) marks an entry inherited from the parent. For these directories only SYSTEM, the local Administrators group and the SQL Server service account (or its per-service SID, NT SERVICE\MSSQLSERVER) should hold (F) or (M); Users, Authenticated Users or Everyone with anything beyond (RX) is a finding, because it lets a non-administrator replace binaries that run as the service account. The 80\ directories hold the SQL Server 2000 backward-compatibility components and may not be present; record “not installed” rather than leaving the item blank.
/ photo by Daniel Kulinski
