5. Retrieve all logins and their status, and make sure of the following:
1. The login ‘sa’ is disabled.
2. Each login belongs to a specific person, and the login's role is consistent with their job
description.
3. All logins are granted based on documented approvals.
4. Any login belonging to a terminated employee is disabled.
Use the following statement:
SELECT name AS LoginName,
type_desc AS LoginType,
is_disabled AS Status
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G') -- S: SQL Login, U: Windows Login, G: Windows Group
Note: status 1 indicates that the login is disabled, while status 0 indicates that the login is enabled.
5. Password policy is enforced for all logins.
For SQL Server authentication, use the following statement to retrieve logins for which the
password policy is NOT enforced (the flag is 0):
SELECT name AS LoginName,
type_desc AS LoginType,
is_policy_checked AS IsPasswordPolicyEnforced
FROM sys.sql_logins
WHERE is_policy_checked = 0;
For Windows authentication, check the password policy in the local security policy.
Use the following command in CMD:
Net accounts
6. List the logins with their mapped database(s), and make sure that there is a documented
approval for each login that specifies its mapped database(s).¹
Use the following statement:
SELECT SP.name AS UserName,
SP.type_desc AS UserType,
SR.name AS ServerRole, -- server role the login is a member of (NULL if none)
SD.name AS DatabaseName -- database owned by this login (NULL if none)
FROM sys.server_principals SP
LEFT JOIN sys.server_role_members SRM ON SP.principal_id = SRM.member_principal_id
LEFT JOIN sys.server_principals SR ON SRM.role_principal_id = SR.principal_id
LEFT JOIN sys.databases SD ON SD.owner_sid = SP.sid
WHERE SP.type IN ('U', 'S', 'G') -- S: SQL Login, U: Windows Login, G: Windows Group
ORDER BY SP.name;
¹ The ‘sa’ login is mapped by default to the system databases.
Make sure that roles are consistent with job descriptions, and evaluate segregation of duties (SoD).
Make sure the roles are granted based on documented approvals.
Make sure the “Public” role is granted only to users who need it.
7. Inquire about logins with ANY permissions:
Use the following statement:
SELECT SP.name AS LoginName,
SP.type_desc AS LoginType,
P.permission_name AS Permission
FROM sys.server_permissions P
JOIN sys.server_principals SP ON P.grantee_principal_id = SP.principal_id
WHERE P.permission_name LIKE '%any%';
An ANY permission shouldn’t be granted unless there is a justification with a clearly
stated and documented approval.
Make sure the “public” role is not granted any “ANY” permission (except for VIEW). Use
the following statement to retrieve the permissions granted to the “public” role in the current database:
SELECT p.class_desc AS [Securable Class],
OBJECT_NAME(p.major_id) AS [Securable],
p.permission_name AS [Permission],
p.state_desc AS [Permission State],
u.name AS [Grantee]
FROM sys.database_permissions AS p
INNER JOIN sys.database_principals AS u ON p.grantee_principal_id = u.principal_id
WHERE u.name = 'public';
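The checks in steps 5 to 7 can be run as one findings query instead of several separate ones. The following T-SQL is an added example, not part of the original checklist; it assumes SQL Server 2012 or later, a login holding VIEW SERVER STATE and VIEW ANY DEFINITION (or sysadmin), and a constructed list of terminated-employee logins standing in for the HR offboarding list.

```sql
-- Added example (not from the original checklist): one findings list for steps 5-7.
-- Assumes SQL Server 2012+ and VIEW SERVER STATE / VIEW ANY DEFINITION on the instance.
-- Constructed sample: login names taken from the HR offboarding list (sub-check 4).
DECLARE @Terminated TABLE (LoginName sysname NOT NULL);
INSERT INTO @Terminated (LoginName) VALUES (N'CONTOSO\jdoe'), (N'app_legacy');

SELECT 'sa login is enabled' AS Finding, name AS Principal, CAST(NULL AS nvarchar(256)) AS Detail
FROM sys.server_principals
WHERE sid = 0x01 AND is_disabled = 0          -- SID 0x01 is sa even if the login was renamed
UNION ALL
SELECT 'Terminated employee login still enabled', name, type_desc
FROM sys.server_principals
WHERE is_disabled = 0 AND name IN (SELECT LoginName FROM @Terminated)
UNION ALL
SELECT 'Password policy not enforced', name,
       CASE WHEN is_expiration_checked = 0 THEN N'expiration check also off' ELSE NULL END
FROM sys.sql_logins
WHERE is_policy_checked = 0
UNION ALL
SELECT 'ANY-scope server permission', SP.name, P.permission_name + N' (' + P.state_desc + N')'
FROM sys.server_permissions AS P
JOIN sys.server_principals AS SP ON SP.principal_id = P.grantee_principal_id
WHERE P.permission_name LIKE '%ANY%'
  AND P.permission_name NOT LIKE 'VIEW ANY%'  -- VIEW ANY * is the exception the checklist allows
UNION ALL
SELECT 'Fixed server role membership', M.name, R.name
FROM sys.server_role_members AS SRM
JOIN sys.server_principals AS R ON R.principal_id = SRM.role_principal_id
JOIN sys.server_principals AS M ON M.principal_id = SRM.member_principal_id
WHERE R.is_fixed_role = 1 AND M.sid <> 0x01   -- compare with documented approvals and SoD
UNION ALL
SELECT 'public granted ANY permission in ' + DB_NAME(), u.name, p.permission_name
FROM sys.database_permissions AS p              -- database scope: run in each database reviewed
JOIN sys.database_principals AS u ON u.principal_id = p.grantee_principal_id
WHERE u.name = 'public' AND p.permission_name LIKE '%ANY%' AND p.permission_name NOT LIKE 'VIEW%'
ORDER BY Finding, Principal;
```

An empty result set means none of the listed conditions was found on the instance; each returned row is one item to trace back to a documented approval.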
USE tempdb;
-- Assumes the global temp table ##DBLogin (DBLogin_Database, DBLogin_Name, DBLogin_Type,
-- DBLogin_Owner) has already been populated by the earlier part of this script.
-- Do some guess-work for the owner's login type (comment out if you prefer to have NULL
-- instead of guess-work)
UPDATE A SET A.DBLogin_Type = (SELECT TOP(1) B.DBLogin_Type FROM ##DBLogin B
    WHERE B.DBLogin_Name = A.DBLogin_Name AND B.DBLogin_Type IS NOT NULL)
FROM ##DBLogin A
WHERE (A.DBLogin_Type IS NULL) AND (A.DBLogin_Owner = 1);
-- Names containing a backslash (DOMAIN\user) are treated as Windows logins, the rest as SQL logins
UPDATE ##DBLogin SET DBLogin_Type = 'WINDOWS_USER'
WHERE (DBLogin_Type IS NULL) AND (DBLogin_Owner = 1) AND (DBLogin_Name LIKE '%_\_%');
UPDATE ##DBLogin SET DBLogin_Type = 'SQL_USER'
WHERE (DBLogin_Type IS NULL) AND (DBLogin_Owner = 1) AND (DBLogin_Name NOT LIKE '%_\_%');
SELECT DBLogin_Database, DBLogin_Name, MAX(DBLogin_Type) AS DBLogin_Type,
CAST(MAX(DBLogin_Owner) AS BIT) AS DBLogin_Owner
FROM ##DBLogin
GROUP BY DBLogin_Database, DBLogin_Name
ORDER BY DBLogin_Database, DBLogin_Owner DESC, DBLogin_Name, DBLogin_Type;