sp_check: SQL Server Database Checks

3 - Potential (Review Recommended)

xp_cmdshell enabled

Issue: You have the instance configuration 'xp_cmdshell' set to enabled.

Problem: Enabling the xp_cmdshell configuration allows for the spawning of a Windows command shell and passes a string for execution. Because this is a frequent target for malicious software, it is recommended to only have xp_cmdshell enabled if needed.

However, considering that by default xp_cmdshell can only be executed by members of the sysadmin role - who can also enable or disable this configuration at will - we recommend that more attention be given to the members of the sysadmin role than whether or not xp_cmdshell is enabled.

Learn More...

CLR enabled

Issue: You have the instance configuration 'clr enabled' set to enabled.

Problem: It is possible to do things in an assembly with a PERMISSION_SET value of UNSAFE that cannot be done in regular T-SQL, similarly to extended stored procedures, xp_cmdshell, and the OLE Automatic procedures.

Learn More...

Password vulnerabilities

Issue: One or more logins have been identified as having a password that is very easy to guess. Common password issues include being blank, the same as the login, or the word "password".

Problem: You don't want database users randomly guessing passwords and using someone else's login. Doing this can not only give them elevated permissions, but by impersonating another account they could cover their track for whatever misdoings they undertake.

Learn More...

Invalid Windows login

Issue: One or more logins have been verified as invalid Windows accounts.

Problem: Having random permissions for invalid accounts makes for messy permissions. Clean up the mess.

Learn More...

CONTROL SERVER permissions

Issue: Only approved groups and users should be granted the CONTROL SERVER on your SQL Server instance.

Problem: The CONTROL SERVER permission is one of the most powerful in SQL Server, as it includes nearly all permissions granted to the sysadmin role. Anyone with the CONTROL SERVER permission can not only drop and create objects in any database, but can also create backups of your data, change any other users permissions, or use a Windows shell to execute any kind of script. They can even impersonate other users.

Learn More...

securityadmin role members

Issue: Only approved groups and users should be included in the securityadmin role on your SQL Server instance.

Problem: Members of the securityadmin role can add, change, or remove the permissions of any user not in the sysadmin role.

Learn More...

sysadmin role members

Issue: Only approved groups and users should be included in the sysadmin role on your SQL Server instance.

Problem: The sysadmin role is the most powerful in SQL Server, as it includes all permissions. Anyone in the sysadmin role can not only drop and create objects in any database, but can also create backups of your data, change any other users permissions, or use a Windows shell to execute any kind of script.

Learn More...

Local Administrators group

Issue: Only approved groups and users should be included in the local Administrators role on the server of your SQL Server instance.

Problem: The local Administrators role in Windows is the most powerful on your server, as members of this role can do anything on your server - including adding themselves as members of the all-powerful sysadmin role in SQL Server. Anyone in the sysadmin role can not only drop and create objects in any database, but can also create backups of your data, change any other users permissions, or use a Windows shell to execute any kind of script.

Learn More...

Remote dedicated admin connections

Issue: There is no issue. This is simply indicates if the 'remote admin connections' configuration is enabled.

Problem: If you didn't know, SQL Server reserves one CPU thread for a member of the sysadmin group to use for a connection.

Learn More...

Enabled sa login

Issue: The sa login on your SQL Server instance is enabled.

Problem: The sa login is a common attack point for SQL Server instances, as hackers know that by default every instance has an sa login and that login is in the all-powerful sysadmin role. Using password libraries to guess the password, someone with bad intentions could gain access using the sa login and do anything they want with your instance including changing other permissions or using a Windows shell to deploy malicious software.

Learn More...
Previous 14567 Next

About sp_checks

This page contains a list of SQL Server configuration checks performed by Straight Path's suite of sp_check tools. For more details about our free tools, select one from the following list: