
Why Should You Care About Users With Elevated Permissions In SQL Server?

Written by
Mark Varnas

The security model offered by Microsoft SQL Server is highly configurable and very robust when all security best practices are followed.

Why should you care about it?

The least-privileged user account (LUA) approach is an essential part of a defense-in-depth strategy for countering security threats.

LUA says that a user must be granted only the privileges required to perform their task – nothing more, nothing less.

It is a best practice that can avoid many future issues like somebody renaming or dropping an object accidentally.

You can learn more about SQL Server Database Engine permissions in the Microsoft documentation.

How can I find users with elevated permissions in SQL Server?

Sysadmin users

Run the query below to list all the logins that are members of the sysadmin role or have been granted CONTROL SERVER.

USE master
GO

SELECT DISTINCT p.name AS [loginname]
	,p.type
	,p.type_desc
	,p.is_disabled
	,s.sysadmin
	,CONVERT(VARCHAR(10), p.create_date, 101) AS [created]
	,CONVERT(VARCHAR(10), p.modify_date, 101) AS [update]
FROM sys.server_principals p
-- sys.syslogins is a compatibility view; its sysadmin column is 1 for role members
JOIN sys.syslogins s ON p.sid = s.sid
-- Every login has at least CONNECT SQL here, so the inner join drops nothing
JOIN sys.server_permissions sp ON p.principal_id = sp.grantee_principal_id
WHERE p.type_desc IN (
		'SQL_LOGIN'
		,'WINDOWS_LOGIN'
		,'WINDOWS_GROUP'
		)
	-- Logins that are not process logins
	AND p.name NOT LIKE '##%'
	AND (s.sysadmin = 1 OR sp.permission_name = 'CONTROL SERVER')
ORDER BY p.name
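The same audit can be written against the documented catalog views sys.server_role_members and sys.server_permissions instead of the compatibility view sys.syslogins. The query below is an added example and is not part of the original article; it also reports securityadmin membership, because Microsoft's documentation says that role should be treated as equivalent to sysadmin, and it shows the reason each login appears rather than a single sysadmin flag.

```sql
-- Added example (not from the original article): list logins that are
-- members of sysadmin or securityadmin, or hold CONTROL SERVER directly,
-- using only documented catalog views.
USE master;
GO

SELECT  p.name AS login_name,
        p.type_desc,
        p.is_disabled,
        src.how_elevated,
        CONVERT(VARCHAR(10), p.create_date, 101) AS created,
        CONVERT(VARCHAR(10), p.modify_date, 101) AS updated
FROM sys.server_principals AS p
JOIN (
        -- Members of the sysadmin and securityadmin fixed server roles
        SELECT rm.member_principal_id AS principal_id,
               'member of ' + r.name  AS how_elevated
        FROM sys.server_role_members AS rm
        JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
        WHERE r.name IN ('sysadmin', 'securityadmin')
        UNION ALL
        -- Logins granted CONTROL SERVER directly (state G = GRANT, W = GRANT WITH GRANT OPTION)
        SELECT sp.grantee_principal_id,
               'granted ' + sp.permission_name
        FROM sys.server_permissions AS sp
        WHERE sp.permission_name = 'CONTROL SERVER'
          AND sp.state IN ('G', 'W')
     ) AS src ON src.principal_id = p.principal_id
WHERE p.type IN ('S', 'U', 'G')   -- SQL login, Windows login, Windows group
  AND p.name NOT LIKE '##%'       -- skip the internal certificate-based logins
ORDER BY p.name, src.how_elevated;
```

A Windows group in this list grants the elevated role to every member of the group, and that membership lives in Active Directory rather than in the SQL Server catalog. To see who is actually inside such a group from the SQL side, run EXEC xp_logininfo with the group name and the 'members' option, and audit those accounts the same way.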

Database owners

Run the query below to list, for every database on the instance, all the users that are members of the db_owner role.

EXEC sp_msForEachDb '
    USE [?];
    SELECT DB_NAME() AS [database_name], r.[name] AS [role], p.[name] AS [member]
    FROM sys.database_role_members m
    JOIN sys.database_principals r ON m.role_principal_id = r.principal_id
    JOIN sys.database_principals p ON m.member_principal_id = p.principal_id
    WHERE r.name = ''db_owner''';

How to reduce user permissions

Grant the listed users lower permissions if they don't need these privileges.

Remove the user from the sysadmin server role when possible.

Use db_datareader and db_datawriter roles to give people the right to read and write to any table in the database.

Among several options, you can edit roles for an existing user using SQL Server Management Studio:

  1. Firstly, go into Security, Logins, and right-click on a Login.
  2. In the User Mapping tab, remove (uncheck) the login from the roles for each database. Make sure the users have some kind of access to do their queries.
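The same reduction can be scripted in T-SQL, which is easier to review and repeat than clicking through SSMS. The script below is an added example, not code from the original article; [SomeLogin] and [SomeDatabase] are placeholders for a login and database returned by the audit queries above, and the script assumes a SQL Server 2012 or later instance where ALTER SERVER ROLE and ALTER ROLE are available.

```sql
-- Added example (not from the original article): demote a login from sysadmin,
-- replace its db_owner membership in one database with db_datareader and
-- db_datawriter, and verify the result. [SomeLogin] and [SomeDatabase] are
-- placeholders; substitute the real names before running.
USE master;
GO

-- Starting point: 1 = member of sysadmin, 0 = not a member, NULL = login not found
SELECT IS_SRVROLEMEMBER('sysadmin', 'SomeLogin') AS is_sysadmin_before;

-- Remove the server-wide administrative rights
IF IS_SRVROLEMEMBER('sysadmin', 'SomeLogin') = 1
    ALTER SERVER ROLE sysadmin DROP MEMBER [SomeLogin];
GO

USE [SomeDatabase];
GO

-- A sysadmin never needed a database user; create one now so access can be
-- granted explicitly instead of implicitly through the server role
IF DATABASE_PRINCIPAL_ID('SomeLogin') IS NULL
    CREATE USER [SomeLogin] FOR LOGIN [SomeLogin];
GO

-- Drop the blanket ownership role, then grant only read and write access
IF IS_ROLEMEMBER('db_owner', 'SomeLogin') = 1
    ALTER ROLE db_owner DROP MEMBER [SomeLogin];
ALTER ROLE db_datareader ADD MEMBER [SomeLogin];
ALTER ROLE db_datawriter ADD MEMBER [SomeLogin];
GO

-- Verify the result for this database (expect 0, 1, 1)
SELECT  IS_ROLEMEMBER('db_owner',      'SomeLogin') AS is_db_owner,
        IS_ROLEMEMBER('db_datareader', 'SomeLogin') AS is_reader,
        IS_ROLEMEMBER('db_datawriter', 'SomeLogin') AS is_writer;
```

Two caveats when using this. The login that owns the database (the dbo user) has full control without being a member of db_owner, so it will not show up in the db_owner audit and cannot be demoted this way; change the owner with ALTER AUTHORIZATION ON DATABASE::[SomeDatabase] TO [another login] instead. And db_datawriter grants INSERT, UPDATE and DELETE on every table, so if the user only needs to write to a few tables, per-table GRANT statements are the tighter choice the LUA principle asks for.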


Article by
Mark Varnas
Founder | CEO | SQL Veteran
Hey, I'm Mark, one of the guys behind Red9. I make a living performance tuning SQL Servers and making them more stable.
