Guest database users


Job details

Name: Guest database users
Platform: Sqlserver
Category: Security
Premium package: Security and compliance package
Description: Checks that the CONNECT permission is revoked from the guest user in every non-system database.
Long description: Checks that the CONNECT permission is revoked from the guest user in every non-system database, so that a login cannot access database information unless it has been explicitly mapped to a database user. While guest holds CONNECT, any login on the instance can enter that database as guest and read whatever guest (and the public role) can read.
Version: 1.2
Default schedule: 12 1 1 *
Requires engine install: Yes
Compatibility tag: .[type='instance' & databasetype='sqlserver']/instance[maj_version > '2005' & hasengine='YES' & eng_inst_priv = 0 & (engine_edition = 'Microsoft SQL Server' | engine_edition = 'Azure SQL Managed Instance')]

Parameters

Name: return status
Default value: 1
Description: Return status value (ALARM - 2, WARNING - 1, or OK - 0) reported when the CONNECT permission for guest is not revoked in all non-system databases.

Name: revoke CONNECT
Default value: NO
Description: If set to "YES", the job revokes the CONNECT permission from the guest user in every non-system database by running "REVOKE CONNECT FROM guest". The default "NO" only reports the finding.

Name: history threshold
Default value: 365
Description: The maximum number of days to keep statistics for in the historic tables.

Job Summary

SELECT dp.name, p.permission_name, p.state_desc FROM [DatabaseName].sys.database_permissions AS p JOIN [DatabaseName].sys.database_principals AS dp ON dp.principal_id = p.grantee_principal_id WHERE p.grantee_principal_id = DATABASE_PRINCIPAL_ID('guest')
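The summary query above looks at one database. The script below is an added T-SQL example (not dbWatch's own job code) that does what the job describes across the whole instance: it enumerates every online non-system database, records where guest still holds CONNECT, returns a status in the same ALARM/WARNING/OK scheme as the "return status" parameter, and, when the @revoke switch is set (mirroring the "revoke CONNECT" parameter), runs REVOKE CONNECT FROM guest in each affected database. The variable names, the temporary table and the @revoke/@return_status switches are this example's own assumptions. master, msdb and tempdb are skipped because SQL Server requires guest to keep CONNECT there; model is skipped to match the job's "non-system database" wording.

```sql
-- Added example, not dbWatch's job code: audit (and optionally revoke) guest CONNECT
-- in every non-system database. Run as a login that can read every database
-- (for the revoke step, one that is db_owner-equivalent in each database).
SET NOCOUNT ON;

DECLARE @revoke        bit = 0;   -- assumption: 0 = report only, 1 = remediate ("revoke CONNECT" parameter)
DECLARE @return_status int = 1;   -- assumption: 2 = ALARM, 1 = WARNING, 0 = OK ("return status" parameter)
DECLARE @sql           nvarchar(max) = N'';

-- Findings from every database are collected here before reporting.
CREATE TABLE #guest_connect (
    database_name   sysname,
    permission_name nvarchar(128),
    state_desc      nvarchar(60)
);

-- Build one batch that switches into each non-system, online database and
-- inserts a row whenever guest holds CONNECT (state G = GRANT, W = GRANT WITH GRANT OPTION).
SELECT @sql = @sql + N'
USE ' + QUOTENAME(d.name) + N';
INSERT INTO #guest_connect (database_name, permission_name, state_desc)
SELECT DB_NAME(), p.permission_name, p.state_desc
FROM sys.database_permissions AS p
WHERE p.grantee_principal_id = DATABASE_PRINCIPAL_ID(''guest'')
  AND p.permission_name = ''CONNECT''
  AND p.state IN (''G'', ''W'');'
FROM sys.databases AS d
WHERE d.database_id > 4            -- skip master, tempdb, model, msdb
  AND d.state_desc = 'ONLINE';      -- offline / restoring databases cannot be inspected

EXEC sys.sp_executesql @sql;

-- Report: every row is a database that any login on the instance can enter as guest.
SELECT database_name, permission_name, state_desc
FROM #guest_connect
ORDER BY database_name;

-- Job-style status: OK (0) when nothing was found, otherwise the configured return status.
SELECT CASE WHEN EXISTS (SELECT 1 FROM #guest_connect) THEN @return_status ELSE 0 END AS job_status;

-- Optional remediation, the same statement the job runs when "revoke CONNECT" is YES.
IF @revoke = 1
BEGIN
    SET @sql = N'';
    SELECT @sql = @sql + N'USE ' + QUOTENAME(g.database_name) + N'; REVOKE CONNECT FROM guest;' + NCHAR(10)
    FROM #guest_connect AS g
    JOIN sys.databases AS d ON d.name = g.database_name
    WHERE d.is_read_only = 0;       -- a read-only database rejects the REVOKE; leave it for the report
    EXEC sys.sp_executesql @sql;
END;

DROP TABLE #guest_connect;
```

The audit step is read-only and can be run on a schedule like the job itself; keep @revoke at 0 on a first pass and review the report, since revoking CONNECT from guest breaks any application that silently relied on guest access instead of a mapped user. The script uses USE inside the dynamic batch, which works on SQL Server and Azure SQL Managed Instance (the job's two supported editions) but not on single Azure SQL Database.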

Details of Implementation

Tables Description
dbw_guest_database_user_info: Stores the current permission settings
dbw_guest_database_user_histr: Logs historical data of the permission checks

Monitoring and Reporting

Operational Details

Overall, this dbWatch job helps maintain the security posture of the instance by checking, and optionally revoking, the CONNECT permission of the guest user in every non-system database, and by recording each check so that the state of guest access can be reported over time.