The security model offered by Microsoft SQL Server is highly configurable and very robust when all security best practices are followed.
Why should you care about it?
The least-privileged user account (LUA) approach is an essential part of a defense-in-depth strategy for countering security threats.
LUA says that a user must be granted only those privileges that are required to perform their task: nothing more, nothing less.
It is a best practice that can prevent many future issues, such as somebody accidentally renaming or dropping an object.
You can learn more about SQL Server database engine permissions in the Microsoft documentation.
How can I find users with elevated permissions in SQL Server?
Run the query below to list all the users that are sysadmins or have been granted CONTROL SERVER.

    USE master
    GO
    SELECT DISTINCT
        p.name AS [loginname],
        p.type,
        p.type_desc,
        p.is_disabled,
        s.sysadmin,
        CONVERT(VARCHAR(10), p.create_date, 101) AS [created],
        CONVERT(VARCHAR(10), p.modify_date, 101) AS [UPDATE]
    FROM sys.server_principals p
    JOIN sys.syslogins s ON p.sid = s.sid
    -- LEFT JOIN so that a sysadmin with no explicit server permission rows is still listed
    LEFT JOIN sys.server_permissions sp ON p.principal_id = sp.grantee_principal_id
    WHERE p.type_desc IN ('SQL_LOGIN', 'WINDOWS_LOGIN', 'WINDOWS_GROUP')
        -- Logins that are not process logins
        AND p.name NOT LIKE '##%'
        AND (s.sysadmin = 1 OR sp.permission_name = 'CONTROL SERVER')
    ORDER BY p.name
Run the query below to list all the users mapped to the db_owner role.

    -- Runs the role-membership query once in every database on the instance
    EXEC sp_MSforeachdb '
        use [?]
        select db_name() as [database_name],
               r.[name] as [role],
               p.[name] as [member]
        from sys.database_role_members m
        join sys.database_principals r on m.role_principal_id = r.principal_id
        join sys.database_principals p on m.member_principal_id = p.principal_id
        where r.name = ''db_owner'''
How to Reduce User Permissions
Assign lower permissions to the listed users if they don't need these privileges.
Remove the user from the sysadmin server role when possible.
Use db_datareader and db_datawriter roles to give people the right to read and write to any table in the database.
Among several options, you can edit roles for an existing user using SQL Server Management Studio:
- Go into Security, Logins, and right-click on a login
- Go to Server roles and you can see their server-level roles.
- Go to User Mapping and you can see their roles for each database.
- Uncheck the roles they do not need. Make sure the users still have enough access to run their queries.
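
The same role changes can be scripted in T-SQL instead of clicking through Management Studio. This is an added example, not part of the original page: the database SalesDb and the login app_reporting are hypothetical placeholders, and it assumes SQL Server 2012 or later for the ALTER ROLE ... ADD/DROP MEMBER syntax.

```sql
-- Constructed example: SalesDb and app_reporting are hypothetical placeholders.
USE [SalesDb];
GO
DECLARE @login sysname = N'app_reporting';  -- login taken from the audit output
DECLARE @user sysname, @sql nvarchar(max);

-- Resolve the database user by SID; user and login names can differ.
SELECT @user = dp.name
FROM sys.database_principals AS dp
JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE sp.name = @login;

IF @user IS NULL OR @user = N'dbo'
BEGIN
    RAISERROR(N'No removable database user found for login %s.', 16, 1, @login);
    RETURN;
END;

-- Add the narrower roles first so the user keeps read/write access throughout.
SET @sql = N'ALTER ROLE db_datareader ADD MEMBER ' + QUOTENAME(@user) + N';'
         + N'ALTER ROLE db_datawriter ADD MEMBER ' + QUOTENAME(@user) + N';';
EXEC sys.sp_executesql @sql;

-- Drop direct db_owner membership, if any.
IF EXISTS (SELECT 1 FROM sys.database_role_members AS m
           JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
           JOIN sys.database_principals AS p ON p.principal_id = m.member_principal_id
           WHERE r.name = N'db_owner' AND p.name = @user)
BEGIN
    SET @sql = N'ALTER ROLE db_owner DROP MEMBER ' + QUOTENAME(@user) + N';';
    EXEC sys.sp_executesql @sql;
END;

-- Drop direct sysadmin membership, if any.
IF EXISTS (SELECT 1 FROM sys.server_role_members AS m
           JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
           JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
           WHERE r.name = N'sysadmin' AND p.name = @login)
BEGIN
    SET @sql = N'ALTER SERVER ROLE sysadmin DROP MEMBER ' + QUOTENAME(@login) + N';';
    EXEC sys.sp_executesql @sql;
END;

-- Verify: list the database roles the user holds now.
SELECT r.name AS [role], p.name AS [member]
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = @user;
```

The script only removes direct memberships; a login that inherits sysadmin or db_owner through a Windows group has to be handled at the group level.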