sp_check: SQL Server Database Checks

3 - Potential (Review Recommended)

SQL Login Audit does not include failed logins

Issue: The default audit of SQL Server logins does not include writing failed logins to the SQL Server Log.

Problem: If you encounter a brute-force hacking event against a particular login, you would have no record of the failed login attempts.

Learn More...

SQL Server service accounts

Issue: There is no issue. This is simply the name of the account used by the SQL Server service.

Problem: This probably isn't a problem, but did you know this was the account used to run this service? If not, you probably want to note it and any permissions it is assigned in case you need to restore this instance and all it's databases on another server.

Learn More...

Database owner is unknown

Issue: The owner of the database is unknown, meaning you likely restored this database on an instance where the owner login does not exist.

Problem: This isn't so much a problem as a mess that should be cleaned up, as you don't know what kind of permissions will be assigned if you restore a backup of this database on an instance where the login does exist.

Learn More...

Database owner is not sa

Issue: The owner of the database is something other than the sa login.

Problem: The owner of a database has additional permissions, such as full access to a database including the ability to CREATE, ALTER, or DROP any object within the database. Additionally, this could be problematic if the database is restored to an instance where the login exists.

Learn More...

SQL Server Audit

Issue: One or more SQL Audits have been detected to be running on your SQL Server instance.

Problem: Because SQL Audits can use excessive resources if set up to do things like track every query, you should review any running SQL Audits and determine if they are necessary and what is in their output files. Additionally, check to make sure the audits have the correct folder permissions where they are being written and that there is no chance they can consume all available drive space.

Learn More...

Endpoint ownership

Issue: One or more endpoints have been determined to be owned by a user login.

Problem: By default endpoints are set to be owned by whoever created them, so they can often be owned by user login. However, if the login that owns the endpoint becomes disabled in Windows, then the any high availability solutions you are using such as Availability Groups or Mirroring will cease communicating properly.

Learn More...

Linked server

Issue: One or more linked servers has been detected on your SQL Server instance.

Problem: Depending on the permission used by the linked server, users may have elevated permissions. If a linked server is set up using the sa login then we will classify it as level 1, "High - action required" since this means any user able to access the linked server will have permissions to do anything on the linked server - and you probably don't want that.

However, since there is no easy way to check permissions on a linked server, we generally classify this finding as level 3, "Potential- review recommended" since linked servers may still be set up to connect using a different login with elevated permissions.

Learn More...

Database backup certificate expiration date

Issue: The certificate used for database backups has expired.

Problem: If you encrypt your database backups, you need the associated certificate to be able to restore a backup of a database that has TDE enabled. If the certificate used to encrypt your backups is expired then you will not be able to either backup your database or restore previously encrypted backups.

Learn More...

Missing database backup certificate backup

Issue: The certificate used for database backups has not been backed up recently.

Problem: If you encrypt your database backups, you need the associated certificate to be able to restore a backup of a database that has TDE enabled. If you have never backed up your certificate, then you are currently not able to restore the backups of at least one user database on a different instance.

Learn More...

TDE certificate expiration date

Issue: The TDE certificate has not been backed up recently.

Problem: You need the TDE certificate to be able to restore a backup of a database that has TDE enabled. If you have made a backup of the certificate but the expiration date has passed then we classify this finding as level 3, "Potential- review recommended" since even expired certificates can be used to restore backups of encrypted databases.

Learn More...

About sp_checks

This page contains a list of SQL Server configuration checks performed by Straight Path's suite of sp_check tools. For more details about our free tools, select one from the following list: