It’s been a while since we made some improvements to the public version of sp_CheckSecurity, but internally we’ve been busy fine-tuning checks and adding even more to discover potential vulnerabilities in your SQL Server instances.
Today we’re announcing a new version that includes additions, corrections, and a few other adjustments that should be helpful. Here’s what’s new!
Simplified the Importance (vulnerability) levels. To standardize the output with our other tools like sp_CheckBackup and sp_CheckTempdb, we renamed “Vulnerabilities” to “Importance” and have reduced the levels from 4 to 3 like the other sp_Checks.
Added @Mode (and removed @ShowHighOnly). Again, we did this to standardize the parameters among our sp_Checks. In any of them, @Mode = 0 will return just the issues that have been discovered. And you can still get the results previously returned by @ShowHighOnly = 1 by using @Mode = 1 instead.
Added @Override to complete checks if the instance has more than 50 databases. In the previous version we noted there could be some performance issues if there were a lot of databases. Although 50 is a bit arbitrary, we wanted to have a threshold to warn you that executing sp_CheckSecurity might be resource intensive.
Added a lot more checks. New checks (and links to relevant content pages) have been added for:
- SQL Server service using built-in elevated account
- service account in sysadmin role
- databases owned by members of the sysadmin role
- renamed sa login
- C2 audit mode enabled
- Common Criteria Compliance enabled
- Contained Database Authentication enabled
- contained databases
- Remote Access is enabled
- databases owned by Windows logins
- Hide Instance is enabled
- Extended Protection is enabled
- Force Encryption is enabled
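Several of the conditions in this list can be looked up by hand in the system catalog views. The following T-SQL is an added example, not code from sp_CheckSecurity, and the procedure's own queries may differ; it assumes a login that is allowed to view server-level metadata.

```sql
-- Added illustration: manual look-ups for a few of the conditions listed above.
-- Not taken from sp_CheckSecurity; its own queries and output may differ.

-- 1. Instance-level settings named in the list (value_in_use = 1 means enabled).
SELECT c.name,
       CONVERT(int, c.value_in_use) AS value_in_use
FROM sys.configurations AS c
WHERE c.name IN (N'c2 audit mode',
                 N'common criteria compliance enabled',
                 N'contained database authentication',
                 N'remote access')
ORDER BY c.name;

-- 2. Renamed sa login: the built-in login keeps SID 0x01 whatever it is called.
SELECT sp.name AS current_name,
       sp.is_disabled
FROM sys.server_principals AS sp
WHERE sp.sid = 0x01
  AND sp.name <> N'sa';

-- 3. Contained databases (containment 0 = NONE, 1 = PARTIAL).
SELECT d.name,
       d.containment_desc
FROM sys.databases AS d
WHERE d.containment <> 0;

-- 4. User databases owned by a sysadmin member or by a Windows login.
--    Owners with no row in sys.server_principals (for example, access granted
--    only through a Windows group) are not returned by this join.
SELECT d.name                                 AS database_name,
       sp.name                                AS owner_name,
       sp.type_desc                           AS owner_type,
       IS_SRVROLEMEMBER(N'sysadmin', sp.name) AS owner_is_sysadmin
FROM sys.databases AS d
JOIN sys.server_principals AS sp
  ON sp.sid = d.owner_sid
WHERE d.database_id > 4                       -- skip master, tempdb, model, msdb
  AND (sp.type = 'U'                          -- 'U' = Windows login
       OR IS_SRVROLEMEMBER(N'sysadmin', sp.name) = 1)
ORDER BY d.name;
```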
Updated version checks to account for recent security updates. Microsoft has released quite a few recent GDR updates that address security vulnerabilities (for supported versions only, of course), so we have updated the checks to see if those have been applied to your instances.
Improved linked server checks. The linked server checks now include the security context instead of recommending you go look for yourself.
Improved performance of database backup certificate checks. We fixed a nasty little bug that may have caused excessive runtimes if you are using encrypted backups.
Grouped configurations with naming convention “Configuration:”. Since we’re checking several configurations, we grouped them by name in the results so you can review them all faster.
Other minor fixes like typos and formatting. Because nobody’s perfect. We’re trying to do better.
We hope you are finding sp_CheckSecurity (and sp_CheckBackup and sp_CheckTempdb) useful. You can download the latest version at the sp_CheckSecurity GitHub Repository.
And please let us know if there are any issues or enhancements you want us to know about by using the Issues page at the GitHub repository.