sp_check: SQL Server Database Checks

4 - Low (Action Recommended)

Invalid Windows login

Issue: One or more logins have been verified as invalid Windows accounts.

Problem: Having random permissions for invalid accounts makes for messy permissions. Clean up the mess.

Learn More...

CONTROL SERVER permissions

Issue: Only approved groups and users should be granted the CONTROL SERVER on your SQL Server instance.

Problem: The CONTROL SERVER permission is one of the most powerful in SQL Server, as it includes nearly all permissions granted to the sysadmin role. Anyone with the CONTROL SERVER permission can not only drop and create objects in any database, but can also create backups of your data, change any other users permissions, or use a Windows shell to execute any kind of script. They can even impersonate other users.

Learn More...

securityadmin role members

Issue: Only approved groups and users should be included in the securityadmin role on your SQL Server instance.

Problem: Members of the securityadmin role can add, change, or remove the permissions of any user not in the sysadmin role.

Learn More...

sysadmin role members

Issue: Only approved groups and users should be included in the sysadmin role on your SQL Server instance.

Problem: The sysadmin role is the most powerful in SQL Server, as it includes all permissions. Anyone in the sysadmin role can not only drop and create objects in any database, but can also create backups of your data, change any other users permissions, or use a Windows shell to execute any kind of script.

Learn More...

Local Administrators group

Issue: Only approved groups and users should be included in the local Administrators role on the server of your SQL Server instance.

Problem: The local Administrators role in Windows is the most powerful on your server, as members of this role can do anything on your server - including adding themselves as members of the all-powerful sysadmin role in SQL Server. Anyone in the sysadmin role can not only drop and create objects in any database, but can also create backups of your data, change any other users permissions, or use a Windows shell to execute any kind of script.

Learn More...

Remote dedicated admin connections

Issue: There is no issue. This is simply indicates if the 'remote admin connections' configuration is enabled.

Problem: If you didn't know, SQL Server reserves one CPU thread for a member of the sysadmin group to use for a connection.

Learn More...

Enabled sa login

Issue: The sa login on your SQL Server instance is enabled.

Problem: The sa login is a common attack point for SQL Server instances, as hackers know that by default every instance has an sa login and that login is in the all-powerful sysadmin role. Using password libraries to guess the password, someone with bad intentions could gain access using the sa login and do anything they want with your instance including changing other permissions or using a Windows shell to deploy malicious software.

Learn More...

Security update available

Issue: Occasionally Microsoft issue a General Distribution Release (GDR) in between Cumulative Updates (CU), typically to address newly discovered vulnerabilities.

Problem: If your instance has not had the most recent GDR applied, the instance may be compromised by a known vulnerability.

Learn More...

Unsupported versions and builds

Issue: The SQL Server version instance is one that is no longer supported by Microsoft.

Problem: Currently, SQL Server versions 2012 and earlier are no longer supported by Microsoft, which means there will be no further updates to address any known or recently discovered vulnerabilities.

Learn More...

About sp_checks

This page contains a list of SQL Server configuration checks performed by Straight Path's suite of sp_check tools. For more details about our free tools, select one from the following list: