sp_check: SQL Server Database Checks

Cross-database ownership chaining

What's the issue?

The instance-level configuration 'cross db ownership chaining' is enabled.

Why is this a problem?

Cross-database ownership chaining allows objects created in one database to access objects in other databases. When it is enabled at the instance level, database owners and members of the db_ddladmin and db_owner roles in any database can create objects that use objects in other databases, which can give other users access to objects on which they have not been granted permissions.

What should you do about this?

If you have databases that require cross-database ownership chaining, the recommended practice is to turn off the cross db ownership chaining option for the instance using sp_configure; then turn on cross-database ownership chaining for individual databases that require it using the ALTER DATABASE statement.
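The following T-SQL is an added example, not part of the original sp_check documentation. It shows the review and the change described above; the database names SalesDB and ReportingDB are placeholders for the databases that actually require chaining.

```sql
-- 1. Confirm the instance-level setting (value_in_use = 1 means enabled).
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'cross db ownership chaining';

-- 2. Review the per-database setting and owner for user databases.
--    An ownership chain only holds across databases when the object
--    owners map to the same login, so the owner is part of the review.
SELECT name,
       is_db_chaining_on,
       SUSER_SNAME(owner_sid) AS owner_name
FROM sys.databases
WHERE database_id > 4          -- skip master, tempdb, model, msdb
ORDER BY name;

-- 3. Turn the option off for the instance. Takes effect without a restart.
EXEC sp_configure N'cross db ownership chaining', 0;
RECONFIGURE;

-- 4. Turn chaining on only for the databases that require it.
--    Both the calling database and the target database need it enabled.
--    SalesDB and ReportingDB are placeholder names.
ALTER DATABASE [SalesDB]     SET DB_CHAINING ON;
ALTER DATABASE [ReportingDB] SET DB_CHAINING ON;

-- 5. Verify the result.
SELECT name, is_db_chaining_on
FROM sys.databases
WHERE is_db_chaining_on = 1
  AND database_id > 4;
```

Test applications that read across databases after step 3, since any cross-database access that relied on the instance-wide setting will start failing permission checks until the databases involved are enabled in step 4.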

What do the Vulnerability Levels mean?

0 - Information only. This is stuff you should know about your instances like version and service account used, but if you don't know it…well, now you do.

1 - High vulnerability requiring action. These are the issues that could most likely lead to your company being front page news for all the wrong reasons. If your instances have any results at this level then we recommend cancelling that 3-martini lunch and instead huddling with your team to figure out when to address these issues.

2 - High vulnerability to review. These include settings and assigned permissions you should review soon, if not immediately. These findings may not necessarily indicate a clear vulnerability, but we've found unexpected vulnerabilities in these categories at many, many clients.

3 - Potential vulnerability to review. These are configurations or assigned permissions you may be using that could lead to problems for users. Or maybe they're just required for your applications. Either way, we recommend reviewing these to make sure these are correct.

4 - Low vulnerability with recommended action. These are typically security inconsistencies that should be addressed. They aren't likely to cause problems, but you should clean up the mess.