sp_check: SQL Server Database Checks

Orphaned users

What's the issue?

One or more users in user databases has been found to not have an associated login at the instance level.

Why is this a problem?

Orphan user permissions are unable to be assigned to a current login. This typically happens when SQL Server logins are used to assign user permissions to a database, and then either the login is dropped from the instance or the database is copied to an instance where the login does not exist.

What should you do about this?

Review any orphaned users and determine whether or not these permissions are required. If they are not required, the user should be dropped from the database.

If the permission are required and a login exists on the SQL Server instance, the permission can be fixed by executing the following T-SQL, replacing LoginName with the name of the login.

EXEC sp_change_users_login 'UPDATE_ONE','LoginName','LoginName'

What do the Vulnerability Levels mean?

0 - Information only. This is stuff you should know about your instances like version and service account used, but if you don't know it…well, now you do.

1 - High vulnerability requiring action. These are the issues that could most likely lead to your company being front page news for all the wrong reasons. If your instances have any results at this level then we recommend cancelling that 3-martini lunch and instead huddling with your team to figure out when to address these issues.

2 - High vulnerability to review. These include settings and assigned permissions you should review soon, if not immediately. These findings may not necessarily indicate a clear vulnerability, but we've found unexpected vulnerabilities in these categories at many, many clients.

3 - Potential vulnerability to review. These are configurations or assigned permissions you may be using that could lead to problems for users. Or maybe they're just required for your applications. Either way, we recommend reviewing these to make sure these are correct.

4 – Low vulnerability with recommended action. These are typically security inconsistencies that should be addressed. They aren't likely to cause problems, but you should clean up the mess.