SQL vulnerability assessment rules reference - Microsoft Defender for Cloud

VA1017

Execute permissions on xp_cmdshell from all users (except dbo) should be revoked

High

The xp_cmdshell extended stored procedure spawns a Windows command shell, passing in a string for execution. This rule checks that no users (other than users with the CONTROL SERVER permission like members of the sysadmin server role) have permission to execute the xp_cmdshell extended stored procedure.

SQL Server 2012+

Execute permissions on xp_cmdshell from all users (except dbo) should be revoked for SQL Servers

48fad5ca-f530-41bb-9454-c6002bd1085c

VA1020

Database user GUEST should not be a member of any role

High

The guest user permits access to a database for any logins that are not mapped to a specific database user. This rule checks that no database roles are assigned to the Guest user.

SQL Server 2012+

SQL Database

Database user GUEST should not be a member of any role in SQL databases

24b8d8dd-4e2e-4cdf-9fb0-b480401a54e0

VA1042

Database ownership chaining should be disabled for all databases except for master, msdb, and tempdb

High

Cross-database ownership chaining is an extension of ownership chaining that crosses the database boundary. This rule checks that this option is disabled for all databases except for master, msdb, and tempdb. For master, msdb, and tempdb, cross-database ownership chaining is enabled by default.

SQL Server 2012+

SQL Managed Instance

Database ownership chaining should be disabled for all databases except for 'master', 'msdb' and 'tempdb' on SQL Servers

4ce5114e-d749-4569-b4e0-24853b1422a4

VA1043

Principal GUEST should not have access to any user database

Medium

The guest user permits access to a database for any logins that are not mapped to a specific database user. This rule checks that the guest user cannot connect to any database.

SQL Server 2012+

SQL Managed Instance

Principal GUEST should not have access to any user SQL database

9a330556-d9f3-43e5-bade-ca4170e10374

VA1046

CHECK_POLICY should be enabled for all SQL logins

Low

The CHECK_POLICY option enables verifying SQL logins against the domain password policy. This rule checks that the CHECK_POLICY option is enabled for all SQL logins.

SQL Server 2012+

SQL Managed Instance

CHECK_POLICY should be enabled for all SQL logins for SQL Servers

045516fd-3ec2-4d3f-a519-30f971f1e45f

VA1047

Password expiration check should be enabled for all SQL logins

Low

Password expiration policies are used to manage the lifespan of a password. When SQL Server enforces password expiration policy, users are reminded to change old passwords, and accounts that have expired passwords are disabled. This rule checks that password expiration policy is enabled for all SQL logins.

SQL Server 2012+

SQL Managed Instance

Password expiration check should be enabled for all SQL logins on SQL Servers

a14a9bb7-237c-4dae-9b36-e8b63d47539c

VA1048

Database principals should not be mapped to the sa account

High

A database principal that is mapped to the sa account can be exploited by an attacker to elevate permissions to sysadmin. This rule checks that no database principals are mapped to the sa account.

SQL Server 2012+

SQL Managed Instance

Database principals should not be mapped to the sa account in SQL databases

3cd5e6e8-71bb-40c4-8a08-204959e91a23

VA1052

Remove BUILTIN\Administrators as a server login

Low

The BUILTIN\Administrators group contains the Windows Local Administrators group. In older versions of Microsoft SQL Server, this group has administrator rights by default. This rule checks that this group is removed from SQL Server.

SQL Server 2012+

BUILTIN\Administrators should be removed as a server login for SQL Servers

2b31ae5a-28ce-42a7-b80c-6430056978b3

VA1053

Account with default name sa should be renamed or disabled

Low

sa is a well-known account with principal ID 1. This rule verifies that the sa account is either renamed or disabled.

SQL Server 2012+

SQL Managed Instance

Account with default name 'sa' should be renamed and disabled on SQL Servers

f9be60bc-423f-4462-adb4-e1be62a9ff39

VA1054

Excessive permissions should not be granted to PUBLIC role on objects or columns

Low

Every SQL Server login belongs to the public server role. When a server principal has not been granted or denied specific permissions on a securable object, the user inherits the permissions granted to public on that object. This rule displays a list of all securable objects or columns that are accessible to all users through the PUBLIC role.

SQL Server 2012+

SQL Database

Excessive permissions should not be granted to PUBLIC role on objects or columns in SQL databases

6aed60ee-9f8a-47f1-a9d1-0305e0ed03ed

VA1058

sa login should be disabled

High

sa is a well-known account with principal ID 1. This rule verifies that the sa account is disabled.

SQL Server 2012+

SQL Managed Instance

'sa' login should be disabled for SQL Servers

b1ce48d9-cd89-4d75-84a0-d0dc5505a898

VA1059

xp_cmdshell should be disabled

High

xp_cmdshell spawns a Windows command shell and passes it a string for execution. This rule checks that xp_cmdshell is disabled.

SQL Server 2012+

SQL Managed Instance

xp_cmdshell should be disabled for SQL Servers

eadae6a8-e9f4-4173-8c12-6f64703f9d01

VA1067

Database Mail XPs should be disabled when it is not in use

Medium

This rule checks that Database Mail is disabled when no database mail profile is configured. Database Mail can be used for sending e-mail messages from the SQL Server Database Engine and is disabled by default. If you are not using this feature, it is recommended to disable it to reduce the surface area.

SQL Server 2012+

Database Mail XPs should be disabled when it is not in use on SQL Servers

be5465f2-79a8-45aa-bf95-f6106bed0a57

VA1068

Server permissions shouldn't be granted directly to principals

Low

Server level permissions are associated with a server level object to regulate which users can gain access to the object. This rule checks that there are no server level permissions granted directly to logins.

SQL Server 2012+

SQL Managed Instance

Server permissions shouldn't be granted directly to principals for SQL Servers

8f04b48b-b199-45d8-9e5e-c07705a3be2e

VA1070

Database users shouldn't share the same name as a server login

Low

Database users might share the same name as a server login. This rule validates that there are no such users.

SQL Server 2012+

SQL Managed Instance

Database users shouldn't share the same name as a server login for Model SQL database

da61956e-b092-4acd-8b89-a78ddc6e6a46

VA1072

Authentication mode should be Windows Authentication

Medium

There are two possible authentication modes: Windows Authentication mode and mixed mode. Mixed mode means that SQL Server enables both Windows authentication and SQL Server authentication. This rule checks that the authentication mode is set to Windows Authentication.

SQL Server 2012+

Authentication mode should be Windows Authentication for SQL Servers

a89c44c5-0c04-4098-bd15-c617443995b6
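The server-level checks in VA1042, VA1046, VA1047, VA1053, VA1058, VA1059, VA1067 and VA1072 above can be approximated with queries against the server catalog views, as in the following T-SQL. This is an added example, not the assessment's own rule logic; it assumes a login that is allowed to read these catalog views.

```sql
-- Added example: server-level audit queries mirroring VA1042, VA1046/VA1047,
-- VA1053/VA1058, VA1059, VA1067 and VA1072. Not the product's rule logic.
-- Each query returns rows only where the corresponding rule would fail.

-- VA1042: cross-database ownership chaining must be off outside master/msdb/tempdb
SELECT name AS database_name
FROM sys.databases
WHERE is_db_chaining_on = 1
  AND name NOT IN ('master', 'msdb', 'tempdb');

-- VA1046 / VA1047: every SQL login should enforce password policy and expiration
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_policy_checked = 0
   OR is_expiration_checked = 0;

-- VA1053 / VA1058: the account with principal ID 1 (sa by default) should be
-- renamed and disabled; a row with is_disabled = 0 or name = 'sa' is a finding
SELECT name, is_disabled,
       CASE WHEN name = 'sa' THEN 'still named sa' ELSE 'renamed' END AS rename_state
FROM sys.server_principals
WHERE principal_id = 1;

-- VA1059 / VA1067: surface-area options should be off (value_in_use = 0)
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Database Mail XPs')
  AND CAST(value_in_use AS int) <> 0;

-- VA1072: 1 = Windows Authentication only, 0 = mixed mode
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- Remediation for a VA1059 finding, run by a member of sysadmin:
-- EXEC sp_configure 'xp_cmdshell', 0;
-- RECONFIGURE;
```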

VA1094

Database permissions shouldn't be granted directly to principals

Low

Permissions are rules associated with a securable object to regulate which users can gain access to the object. This rule checks that there are no DB permissions granted directly to users.

SQL Server 2012+

SQL Managed Instance

Database permissions shouldn't be granted directly to principals for SQL Servers

f644db73-c0ef-4e1c-846a-5ccf9280b4c1

VA1095

Excessive permissions should not be granted to PUBLIC role

Medium

Every SQL Server login belongs to the public server role. When a server principal has not been granted or denied specific permissions on a securable object, the user inherits the permissions granted to public on that object. This displays a list of all permissions that are granted to the PUBLIC role.

SQL Server 2012+

SQL Managed Instance

SQL Database

Excessive permissions should not be granted to PUBLIC role in SQL databases

3f2a3bd7-5f36-4d4e-a0a9-f19933ec5bd9

VA1096

Principal GUEST should not be granted permissions in the database

Low

Each database includes a user called GUEST. Permissions granted to GUEST are inherited by users who have access to the database but who do not have a user account in the database. This rule checks that all permissions have been revoked from the GUEST user.

SQL Server 2012+

SQL Managed Instance

SQL Database

Principal GUEST should not be granted permissions in SQL databases

6cbd7126-7091-43f5-8f30-e59cf1a7b6b6

VA1097

Principal GUEST should not be granted permissions on objects or columns

Low

Each database includes a user called GUEST. Permissions granted to GUEST are inherited by users who have access to the database but who do not have a user account in the database. This rule checks that all permissions have been revoked from the GUEST user.

SQL Server 2012+

SQL Managed Instance

SQL Database

Principal GUEST should not be granted permissions on objects or columns in SQL databases

063d0390-42cf-4bb5-82a0-72071e1a612f

VA1099

GUEST user should not be granted permissions on database securables

Low

Each database includes a user called GUEST. Permissions granted to GUEST are inherited by users who have access to the database but who do not have a user account in the database. This rule checks that all permissions have been revoked from the GUEST user.

SQL Server 2012+

SQL Managed Instance

SQL Database

GUEST user should not be granted permissions on SQL database securables

2115ef5d-2c98-484b-ac79-2883371be4a6
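The guest-user checks VA1020, VA1043, VA1096, VA1097 and VA1099 above all reduce to queries against sys.database_role_members and sys.database_permissions in each user database. The following T-SQL is an added example, not the assessment's own rule implementation; it assumes it is run inside a user database by a principal that can read that database's catalog views.

```sql
-- Added example: audit the GUEST database user for VA1020 (role membership),
-- VA1043 (CONNECT) and VA1096/VA1097/VA1099 (other grants). Run in each user
-- database; every query should return no rows on a compliant database.
DECLARE @guest_id int = USER_ID('guest');

-- VA1020: guest must not be a member of any database role
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r
  ON r.principal_id = rm.role_principal_id
WHERE rm.member_principal_id = @guest_id;

-- VA1043: guest must not hold CONNECT in a user database
-- (state 'G' = GRANT, 'W' = GRANT WITH GRANT OPTION)
SELECT p.state_desc, p.permission_name
FROM sys.database_permissions AS p
WHERE p.grantee_principal_id = @guest_id
  AND p.class = 0                       -- DATABASE scope
  AND p.permission_name = 'CONNECT'
  AND p.state IN ('G', 'W');

-- VA1096 / VA1097 / VA1099: any other grant to guest, with the securable named
SELECT p.state_desc,
       p.permission_name,
       p.class_desc,
       CASE p.class
            WHEN 0 THEN DB_NAME()                                   -- DATABASE
            WHEN 1 THEN QUOTENAME(OBJECT_SCHEMA_NAME(p.major_id))
                        + '.' + QUOTENAME(OBJECT_NAME(p.major_id))  -- OBJECT_OR_COLUMN
            WHEN 3 THEN SCHEMA_NAME(p.major_id)                     -- SCHEMA
            ELSE CONVERT(nvarchar(20), p.major_id)
       END AS securable,
       COL_NAME(p.major_id, p.minor_id) AS column_name              -- NULL unless column-level
FROM sys.database_permissions AS p
WHERE p.grantee_principal_id = @guest_id
  AND p.state IN ('G', 'W')
  AND NOT (p.class = 0 AND p.permission_name = 'CONNECT');

-- Remediation for a VA1043 finding in a user database:
-- REVOKE CONNECT FROM guest;
```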

VA1246

Application roles should not be used

Low

An application role is a database principal that enables an application to run with its own user-like permissions. Application roles restrict access to specific data to users connecting through a particular application. Application roles are password-based (and applications typically hardcode the password) rather than permission-based, which exposes the database to application role impersonation by password guessing. This rule checks that no application roles are defined in the database.

SQL Server 2012+

SQL Managed Instance

SQL Database

Application roles should not be used in SQL databases

123285d4-ef1f-4543-a3ae-3f8656563b38

VA1248

User-defined database roles should not be members of fixed roles

Medium

To make permissions in your databases easier to manage, SQL Server provides several roles, which are security principals that group other principals. They are like groups in the Microsoft Windows operating system. Database accounts and other SQL Server roles can be added to database-level roles. Each member of a fixed database role can add other users to that same role. This rule checks that no user-defined roles are members of fixed roles.

SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse

User-defined database roles should not be members of fixed roles in SQL databases

31c5a284-c8cd-47c3-9242-2429ed5adf7c

VA1267

Contained users should use Windows Authentication

Medium

Contained users are users that exist within the database and do not require a login mapping. This rule checks that contained users use Windows Authentication.

SQL Server 2012+

SQL Managed Instance

Contained users should use Windows Authentication in SQL Server databases

25cdb02c-6bd8-4444-8318-9df003edc170

VA1280

Server Permissions granted to public should be minimized

Medium

Every SQL Server login belongs to the public server role. When a server principal has not been granted or denied specific permissions on a securable object, the user inherits the permissions granted to public on that object. This rule checks that server permissions granted to public are minimized.

SQL Server 2012+

SQL Managed Instance

Server Permissions granted to public should be minimized for SQL Servers

b58b2914-1aec-4469-ae64-21e0078b1729

VA1282

Orphan roles should be removed

Low

Orphan roles are user-defined roles that have no members. Eliminate orphaned roles as they are not needed on the system. This rule checks whether there are any orphan roles.

SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse

Orphan database roles should be removed from SQL databases

7f5bd587-ba14-49ce-801a-f2613ccc3584

VA2020

Minimal set of principals should be granted ALTER or ALTER ANY USER database-scoped permissions

High

Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). This rule checks that only a minimal set of principals are granted ALTER or ALTER ANY USER database-scoped permissions.

SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse

Minimal set of principals should be granted ALTER or ALTER ANY USER database-scoped permissions in SQL databases

08c9b451-08a5-418d-9d2c-fc75197aab44

VA2033

Minimal set of principals should be granted database-scoped EXECUTE permission on objects or columns

Low

This rule checks which principals are granted EXECUTE permission on objects or columns to ensure this permission is granted to a minimal set of principals. Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users, database roles, or application roles). The EXECUTE permission applies to both stored procedures and scalar functions, which can be used in computed columns.

SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse

Minimal set of principals should be granted EXECUTE permission on objects or columns in SQL databases

3bee4ca7-e768-497f-ac60-032225a93ff2

VA2103

Unnecessary execute permissions on extended stored procedures should be revoked

Medium

Extended stored procedures are DLLs that an instance of SQL Server can dynamically load and run. SQL Server is packaged with many extended stored procedures that allow for interaction with the system DLLs. This rule checks that unnecessary execute permissions on extended stored procedures have been revoked.

SQL Server 2012+

SQL Managed Instance

Unnecessary execute permissions on extended stored procedures should be revoked for SQL Servers

0262e851-d99b-4299-bacc-136c92941541

VA2107

Minimal set of principals should be members of fixed Azure SQL DB master database roles

High

SQL Database provides two restricted administrative roles in the master database to which user accounts can be added that grant permissions to either create databases or manage logins. This rule checks that a minimal set of principals are members of these administrative roles.

SQL Database

Azure Synapse

Minimal set of principals should be members of fixed Azure SQL Database master database roles

a4ca5495-f5ad-4d4d-807b-e8f62541ee34

VA2108

Minimal set of principals should be members of fixed high impact database roles

High

SQL Server provides roles to help manage the permissions. Roles are security principals that group other principals. Database-level roles are database-wide in their permission scope. This rule checks that a minimal set of principals are members of the fixed database roles.

SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse

Minimal set of principals should be members of fixed high impact database roles in SQL databases

7a0a58ed-8927-4e8d-80c3-59279fa44aa0

VA2109

Minimal set of principals should be members of fixed low impact database roles

Low

SQL Server provides roles to help manage the permissions. Roles are security principals that group other principals. Database-level roles are database-wide in their permission scope. This rule checks that a minimal set of principals are members of the fixed database roles.

SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse

Minimal set of principals should be members of fixed low impact database roles in SQL databases

267df805-7fa4-415f-8b2e-08deefdb5e1b

VA2110

Execute permissions to access the registry should be revoked

High

Registry extended stored procedures allow Microsoft SQL Server to read, write, and enumerate values and keys in the registry. They are used by Enterprise Manager to configure the server. This rule checks that the permissions to execute registry extended stored procedures have been revoked from all users (other than dbo).

SQL Server 2012+

SQL Managed Instance

Execute permissions to access the registry should be restricted for SQL Servers

b66a88e5-8c46-47f2-9107-5ed84da7270f

VA2113

Data Transformation Services (DTS) permissions should only be granted to SSIS roles

Medium

Data Transformation Services (DTS) is a set of objects and utilities that allow the automation of extract, transform, and load operations to or from a database. The objects are DTS packages and their components, and the utilities are called DTS tools. This rule checks that only the SSIS roles are granted permissions to use the DTS system stored procedures and that the permissions for the PUBLIC role to use the DTS system stored procedures have been revoked.

SQL Server 2012+

SQL Managed Instance

Data Transformation Services (DTS) permissions should only be granted to SSIS roles in MSDB SQL database

0d9a8166-01b2-434c-9791-c589b119eea8

VA2114

Minimal set of principals should be members of high impact fixed server roles

High

SQL Server provides roles to help manage permissions. Roles are security principals that group other principals. Server-level roles are server-wide in their permission scope. This rule checks that a minimal set of principals are members of the fixed server roles.

SQL Server 2012+

SQL Managed Instance

Minimal set of principals should be members of fixed server roles for SQL Servers

d8cfa23e-9485-44a4-831e-757c71e48988

VA2129

Changes to signed modules should be authorized

High

You can sign a stored procedure, function, or trigger with a certificate or an asymmetric key. This is designed for scenarios when permissions cannot be inherited through ownership chaining or when the ownership chain is broken, such as dynamic SQL. This rule checks for changes made to signed modules, which could be an indication of malicious use.

SQL Server 2012+

SQL Database

SQL Managed Instance

Changes to signed modules should be authorized for SQL databases

e058e189-97da-4c3b-8361-e7097a93131c

VA2130

Track all users with access to the database

Low

This check tracks all users with access to a database. Make sure that these users are authorized according to their current role in the organization.

SQL Database

Azure Synapse

Track all users with access to the database for SQL Databases

eeed5c32-daff-489c-8307-76035ee85274

VA2201

SQL logins with commonly used names should be disabled

High

This rule checks the accounts with database owner permission for commonly used names. Assigning commonly used names to accounts with database owner permission increases the likelihood of successful brute force attacks.

SQL Server 2012+

SQL logins with commonly used names should be disabled for SQL Servers

467115f4-5145-43a9-93a8-7dbfaa1eedc4