The security model offered by Microsoft SQL Server is highly configurable and very robust when all security best practices are followed.
Why should you care about it?
The least-privileged user account (LUA) approach is an essential part of a defense-in-depth strategy for countering security threats.
LUA says that a user must be granted only the privileges required to perform their task: nothing more, nothing less.
It is a best practice that can prevent many future issues, such as somebody accidentally renaming or dropping an object.
You can learn more about SQL Server Database Engine permissions in the Microsoft documentation.
How can I find users with elevated permissions in SQL Server?
Sysadmin users
Run the query below to list all the users that are sysadmins or have GRANT CONTROL SERVER.
USE master
GO
-- Logins that are sysadmin members or hold the CONTROL SERVER permission
SELECT DISTINCT p.name AS [loginname]
    ,p.type
    ,p.type_desc
    ,p.is_disabled
    ,s.sysadmin
    ,CONVERT(VARCHAR(10), p.create_date, 101) AS [created]
    ,CONVERT(VARCHAR(10), p.modify_date, 101) AS [update]
FROM sys.server_principals p
JOIN sys.syslogins s ON p.sid = s.sid
JOIN sys.server_permissions sp ON p.principal_id = sp.grantee_principal_id
WHERE p.type_desc IN (
        'SQL_LOGIN'
        ,'WINDOWS_LOGIN'
        ,'WINDOWS_GROUP'
        )
    -- Logins that are not process logins
    AND p.name NOT LIKE '##%'
    AND (
        s.sysadmin = 1
        OR sp.permission_name = 'CONTROL SERVER'
        )
ORDER BY p.name
Database owners
Run the query below to list all the users mapped to the db_owner role.
-- Runs the role-membership query once in every database; [?] is replaced by each database name
EXEC sp_MSforeachdb ' use [?]
select db_name() as [database_name], r.[name] as [role], p.[name] as [member]
from sys.database_role_members m
join sys.database_principals r on m.role_principal_id = r.principal_id
join sys.database_principals p on m.member_principal_id = p.principal_id
where r.name = ''db_owner'''
How to reduce user permissions
Assign a lower permission level to the listed users if they don’t need these privileges.
Remove the user from the sysadmin server role when possible.
Use db_datareader and db_datawriter roles to give people the right to read and write to any table in the database.
Among several options, you can edit roles for an existing user using SQL Server Management Studio:
- First, go to Security, Logins, and right-click on a Login.
- In the User Mapping tab, remove (uncheck) the login from the roles for each database. Make sure the users still have the access they need to run their queries.
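The same reduction can be scripted in T-SQL instead of clicking through Management Studio. The script below is an added example, not part of the original article: the login [ExampleLogin] and the database [ExampleDb] are placeholders, and it assumes SQL Server 2012 or later and a database user with the same name as the login.

```sql
-- Added example. [ExampleLogin] and [ExampleDb] are placeholders (assumptions).
USE master;
GO
-- 1. Drop the login from sysadmin only if it is a direct member of that role.
IF EXISTS (
    SELECT 1
    FROM sys.server_role_members rm
    JOIN sys.server_principals r ON rm.role_principal_id = r.principal_id
    JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id
    WHERE r.name = N'sysadmin'
      AND m.name = N'ExampleLogin'
)
    ALTER SERVER ROLE sysadmin DROP MEMBER [ExampleLogin];
GO

USE [ExampleDb];
GO
-- 2. Swap db_owner for read/write roles. The narrower roles are granted first,
--    and TRY/CATCH skips the db_owner removal if either grant fails, so the
--    user is never left without access to the tables.
BEGIN TRY
    ALTER ROLE db_datareader ADD MEMBER [ExampleLogin];
    ALTER ROLE db_datawriter ADD MEMBER [ExampleLogin];
    ALTER ROLE db_owner DROP MEMBER [ExampleLogin];
END TRY
BEGIN CATCH
    THROW;  -- surface the original error to the caller
END CATCH;
GO

-- 3. Verify: list the database roles the user still holds in this database.
SELECT DB_NAME() AS [database_name], r.name AS [role], p.name AS [member]
FROM sys.database_role_members m
JOIN sys.database_principals r ON m.role_principal_id = r.principal_id
JOIN sys.database_principals p ON m.member_principal_id = p.principal_id
WHERE p.name = N'ExampleLogin'
ORDER BY r.name;
```

After running it, rerun the sysadmin and db_owner queries above to confirm the account no longer appears in either result.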