Microsoft SQL Server Security check: Back-end queries to use

-

SQL Server, owned by Microsoft is one of the leading data platforms used as a production database to store very sensitive data. We should all know by now that data is an organization’s most valuable asset. This makes it a necessity to efficiently secure the SQL Server database.
This quick post will highlight some important back-end script that can be used to quickly check the status of your SQL Server database.
A comprehensive checklist is been developed and will be posted soon.
Enjoy......

Minimum Requirements:

  1. Access to an SQL Server database
  2. DB Roles required: db_reader


To check if guest account is still active
SELECT name, hasdbaccess
FROM sys.sysusers
WHERE name = 'guest'
Note:
hasdbaccess should be '0'
Guest account should NEVER be active in a production database


To check if the builtin administrator account has been removed.
SELECT r.name  as SrvRole, u.name  as LoginName  
FROM sys.server_role_members m JOIN
  sys.server_principals r ON m.role_principal_id = r.principal_id  JOIN
  sys.server_principals u ON m.member_principal_id = u.principal_id 
WHERE u.name = 'BUILTIN\Administrators'
Note:
Built in Administrator account should be disabled when the database is moved to production

To check whether the password policy is turn on or off
SELECT name  FROM sys.sql_logins 
 WHERE  is_policy_checked=0 OR is_expiration_checked = 0
Note:
A serious organisation should have a standards password policy in place.


To Check that Production and Sample databases are segregated
SELECT name FROM master.sys.databases 
 WHERE lower(name) LIKE '%test%' OR lower(name) LIKE '%dev%'
 OR lower(name) LIKE '%adventure%'
 OR lower(name) LIKE '%uat%'
 OR lower(name) LIKE 'pub%'
 OR lower(name) LIKE '%northwind%'
Note:
Sample databases like Pub, AdventureWorks and Northwind should not exist in a production database.


To check whether the "sa" password exists and if it does, Identify if the password policy is turned on for the "sa" login
SELECT p.name, CASE WHEN p.name = 'sa' THEN 'NO' ELSE 'YES' END as Renamed,
  s.is_policy_checked, s.is_expiration_checked, p.is_disabled
FROM sys.server_principals AS p
 LEFT OUTER JOIN sys.sql_logins AS s ON s.principal_id = p.principal_id
WHERE p.sid = 0x01


This will check different server configuration settings
SELECT name, value_in_use FROM sys.configurations
 WHERE configuration_id IN (16391, 102, 400, 1562, 16386, 16385, 16390, 16393)
Note:
Configuration_id 16393 is to check if "Contained Databases Authentication" option is enabled on SQL Server 2012.
There are known security threats associated with contained databases.


To check for SQL Server Authentication mode
SELECT SERVERPROPERTY ('IsIntegratedSecurityOnly')
Note:
- If this returns 0 the server uses both Windows and SQL Server security.
- If the value is 1 it is only setup for Windows Authentication.


To check for SQLServer version
SELECT @@VERSION


To check for SQLServer version (Alternative)
SELECT SERVERPROPERTY('ProductVersion') AS ProductVersion,
 SERVERPROPERTY('ProductLevel') AS ProductLevel


To find logins mapped to the "dbo" user in each database
EXEC master.sys.sp_MSforeachdb '
PRINT ''?''
EXEC [?].dbo.sp_helpuser ''dbo'''
Notes:
The dbo which also means database owner, is a user account that has permissions to perform all activities in the database. Members of the sysadmin fixed server role are automatically mapped to dbo account

To get the list of the users
EXEC sys.sp_helpuser


To get the list of database permissions
EXEC sys.sp_helprotect


To get the list of roles membership
EXEC sys.sp_helprolemember


To get the list of database application roles
SELECT name FROM sys.database_principals WHERE type = 'A'


To Check data and log files drives for the current database
SELECT name, type_desc, physical_name, 
 LEFT(physical_name, CHARINDEX( '\', physical_name,0)) AS DriveLetter
FROM sys.database_files


To get the list of linked server and the logins used for linked servers
SELECT * FROM sys.servers


Microsoft SQL Server Logo is the copyright of its respective owner

Comments

Post a Comment

Popular posts from this blog

Auditing Virtualization

-
Image
Virtualization is the process of creating virtual, representation of an entity, such as virtual applications, servers, storage and networks. It is the single most effective way to reduce IT expenses by reducing hardware footprint while boosting efficiency and agility for all size businesses. However good as it is, virtualization can create a single point of failure if poor implementation introduced a security flaw to the system. In this post I will be sharing with you how to audit virtualization.
Read more

How to Identify if the capacity of your FLASH storage device is genuine or counterfeit

-
Image
Have you at some time purchased a flash drive  or memory card that always stored corrupt data? You paid for a 64gig memory card and all you stored in it is simply just got corrupted. I have been a victim several times even with reputable retailers. These counterfeit flash storages are low capacity in nature, devices that have been maliciously altered so that they appear to have much more capacity than its original. An example is the 64 gig memory card I purchased which ended up having actual capacity of 2gig. So I actually paid for 2gig. Now I didn't get to know this on time because I actually copied a video file inside it as a test which checked out fine. The video file size was 1.5gb. I was able to play the video with no issue of corruption. Thus I "Assumed" the flash was genuine. Boy was I wrong. Later in the week I decided to do a major backup of my mobile phone since I was purchasing another one. After the backup, I formatted ...
Read more

Address Resolution Protocol (ARP): Understanding the basics

-
Image
Address resolution Protocol or ARP for short is basically used to resolve an IP address to a MAC address. A MAC address is a unique identifier for any device. And since we are talking networking today, The mac address we will be concentration on is that of a network device. Its important to note that, no two device can have the same mac address. Whenever a network device needs to communicate with another network device in a Local Area Network, it needs the MAC address of that device. This is where ARP comes to play. Lets take a look at the scenario bellow to clearly understand this concept: 1. There are 2 computers say A and B on the network. 2. They have both been assigned an IP address as seen below:        A: 192.168.0.1        B: 192.168.0.2 3. Computer A needs to communicate with computer B. 4. It looks at a list for the IP address to see if it has a corresponding MAC address. This list is called an ARP Cache. 5. If the en...
Read more