sp_check: SQL Server Database Checks

CONTROL SERVER permissions

What's the issue?

Only approved groups and users should be granted the CONTROL SERVER permission on your SQL Server instance.

Why is this a problem?

The CONTROL SERVER permission is one of the most powerful in SQL Server, as it includes nearly all permissions granted to the sysadmin role. Anyone with the CONTROL SERVER permission can not only drop and create objects in any database, but can also create backups of your data, change any other user's permissions, or use a Windows shell to execute any kind of script. They can even impersonate other users.

What should you do about this?

Routinely review the list of users who have CONTROL SERVER permissions to ensure that only the select few users who require these elevated permissions have them. You may not even need any users to have CONTROL SERVER permissions, as most users requiring these permissions are typically included as members of the sysadmin role.
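
One way to produce the list for that review, as an added example that is not sp_check's own code: the query reads the catalog views sys.server_permissions, sys.server_principals and sys.server_role_members, and also follows membership in any server role that was granted the permission.

```sql
-- Added example (not part of sp_check): every server principal that holds
-- CONTROL SERVER, either by direct grant or through a server role.
-- Members of the fixed sysadmin role are not listed here; review them separately.
WITH grantees AS (
    -- Anchor: explicit GRANT (G) or GRANT WITH GRANT OPTION (W)
    SELECT p.grantee_principal_id AS principal_id,
           CAST(NULL AS int)      AS via_role_id   -- NULL = granted directly
    FROM sys.server_permissions AS p
    WHERE p.class = 100            -- server-level securable
      AND p.type  = 'CL'           -- CONTROL SERVER
      AND p.state IN ('G', 'W')
    UNION ALL
    -- Recursive step: members of any principal already in the list
    -- (covers user-defined server roles, including nested ones)
    SELECT rm.member_principal_id,
           g.principal_id
    FROM grantees AS g
    JOIN sys.server_role_members AS rm
      ON rm.role_principal_id = g.principal_id
)
SELECT sp.name                                  AS principal_name,
       sp.type_desc,                            -- SQL_LOGIN, WINDOWS_GROUP, SERVER_ROLE, ...
       sp.is_disabled,
       COALESCE(r.name, N'(direct grant)')      AS inherited_from
FROM grantees AS g
JOIN sys.server_principals AS sp
  ON sp.principal_id = g.principal_id
LEFT JOIN sys.server_principals AS r
  ON r.principal_id = g.via_role_id
ORDER BY sp.name, inherited_from;
```

A WINDOWS_GROUP row means every member of that group holds the permission; group membership lives in Active Directory and does not appear in these views.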

What do the Vulnerability Levels mean?

0 - Information only. This is stuff you should know about your instances like version and service account used, but if you don't know it…well, now you do.

1 - High vulnerability requiring action. These are the issues that could most likely lead to your company being front page news for all the wrong reasons. If your instances have any results at this level then we recommend cancelling that 3-martini lunch and instead huddling with your team to figure out when to address these issues.

2 - High vulnerability to review. These include settings and assigned permissions you should review soon, if not immediately. These findings may not necessarily indicate a clear vulnerability, but we've found unexpected vulnerabilities in these categories at many, many clients.

3 - Potential vulnerability to review. These are configurations or assigned permissions you may be using that could lead to problems for users. Or maybe they're just required for your applications. Either way, we recommend reviewing these to make sure these are correct.

4 - Low vulnerability with recommended action. These are typically security inconsistencies that should be addressed. They aren't likely to cause problems, but you should clean up the mess.