{"id":3440,"date":"2013-12-27T17:20:29","date_gmt":"2013-12-27T16:20:29","guid":{"rendered":"http:\/\/andreas-wolter.com\/sicherheitspruefungs-script-umfrage-sql-server-datenbankbesitzer\/"},"modified":"2026-01-27T20:35:45","modified_gmt":"2026-01-28T01:35:45","slug":"security-check-script-survey-sql-server-security","status":"publish","type":"post","link":"https:\/\/andreas-wolter.com\/en\/security-check-script-survey-sql-server-security\/","title":{"rendered":"Security-Check-Script &#038; Survey: SQL Server Security &#8211; Database-Owners, critical Permissions and role membership"},"content":{"rendered":"\n<div  class='av-special-heading av-hvc0dc-e966cbc599fb82a34284be4d8fa6183b av-special-heading-h3 blockquote modern-quote  avia-builder-el-0  el_before_av_textblock  avia-builder-el-first '><h3 class='av-special-heading-tag'  itemprop=\"headline\"  >Security-Check-Script <span class='special_amp'>&amp;<\/span> Survey:<\/h3><div class='av-subheading av-subheading_below'><p>SQL Server Security &#8211; Database-Owners, critical Permissions and role membership<\/p>\n<\/div><div class=\"special-heading-border\"><div class=\"special-heading-inner-border\"><\/div><\/div><\/div>\r\n\r\n<section  class='av_textblock_section av-fj3dzk-3374f32098790e72a376c0202cefacf8 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>With this survey I would like to find out, across a broader range of installations, which accounts are typically used as database owners. I will publish the aggregated results here afterwards, together with some recommendations for hardening.<\/p>\n<p>Of particular interest are the server-wide permissions of the owner account itself and, where that account is a member of a (custom) <em>Server Role<\/em>, the critical permissions granted to that role.<!--more--><\/p>\n<p>Those who have followed my presentations on \u201cSecurity in SQL Server\u201d in recent years, and in particular the \u201c<a href=\"http:\/\/www.insidesql.org\/blogs\/andreaswolter\/2013\/07\/security-session-sql-server-attack-ed\" target=\"_blank\" rel=\"noopener\">SQL Server Attacked<\/a>\u201d series launched in the summer of 2013, may remember that I also demonstrated there how to break out of a database and obtain full system rights (\u201celevation of privilege\u201d) through a combination of <em>database owner<\/em>, <em>configuration<\/em> and <em>impersonation<\/em>.<\/p>\n<p>Here I am providing a T-SQL script which<\/p>\n<ul>\n<li>Identifies the <strong>database owner<\/strong> of every database<\/li>\n<li>Detects <strong>invalid or missing database owners<\/strong> (an owner SID that no longer matches any login)<\/li>\n<li>Indicates whether the owner directly holds <strong>security-critical server-wide permissions<\/strong><\/li>\n<li>Indicates <strong>membership in high-privilege Server Roles<\/strong>, including user-defined Server Roles (available since SQL Server 2012)<\/li>\n<li>Indicates the <strong>critical database settings<\/strong> \u201cTRUSTWORTHY\u201d and \u201cDB_CHAINING\u201d (cross-database ownership chaining)<\/li>\n<\/ul>\n<p>Here you can find the script:<\/p>\n<p><a href=\"https:\/\/andreas-wolter.com\/downloads\/1312_database_owner_permissions_roles.sql.txt\">https:\/\/andreas-wolter.com\/downloads\/1312_database_owner_permissions_roles.sql.txt<\/a> (remove the .txt extension after downloading.)<\/p>\n<ul>\n<li>It should work on every SQL Server version since 2005 (tested: 
2008 through 2014).<\/li>\n<\/ul>\n<p>For the purpose of the <strong>survey<\/strong>, please send the anonymized results (preferably in Excel format) to <a href=\"mailto:survey@SarpedonQualityLab.com\">survey@SarpedonQualityLab.com<\/a>, or post them here in the comments.<\/p>\n<p>For <strong>anonymization<\/strong>, simply leave out the last three columns of the result set: they are of no use for the data collection and are only meant for your internal use.<\/p>\n<p>Here you can see a sample result:<\/p>\n<\/div><\/section>\r\n\r\n<div  class='avia-image-container av-dmzm3k-d1816940954879c6dd1d5b08b464a0ab av-styling- avia-align-center  avia-builder-el-2  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-3433 avia-img-lazy-loading-not-3433 avia_image ' src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1312_Database_Ownership_Permissions_Sample_Result.png\" alt='Sample result of the database owner, permissions and role membership script' title='1312_Database_Ownership_Permissions_Sample_Result'  height=\"424\" width=\"1576\"  itemprop=\"thumbnailUrl\" \/><\/div><\/div><\/div>\r\n\r\n<section  class='av_textblock_section av-chwhn4-62cf1287c4be0d17489a7c266ef7c190 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>The script does not permanently store any data on the system and removes its temporary intermediate results itself.<\/p>\n<p>I hope you find the report useful and that you can share the (anonymized) results with the community. <strong>I will not store or use any email address; I will only use the anonymized query results.<\/strong><\/p>\n<p>Thank you in advance for your participation and your support of the community! 
I promise to publish the results, with details on good and bad practices, in the coming months.<\/p>\n<p><br class=\"clear\" \/>Andreas<\/p>\n<\/div><\/section>\r\n\r\n","protected":false},"excerpt":{"rendered":"With this survey I would like to find out, across a broader range of installations, which accounts are typically used as database owners. I will publish the aggregated results here afterwards, together with some recommendations for hardening. Of particular interest are the server-wide permissions of the owner account itself and, [&hellip;]","protected":false},"author":4,"featured_media":3436,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[121,57,133],"tags":[220,237,27,238,232,187,189],"class_list":["post-3440","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripts-en","category-security-en","category-surveysumfragen","tag-database-owner-en","tag-script-en","tag-security-en","tag-security-check-en","tag-sicherheit-en","tag-survey-en","tag-umfrage-en"],"_links":{"self":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/3440","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/comments?post=3440"}],"version-history":[{"count":5,"href":"https:\/\/andreas-wolter.com\/en\
/wp-json\/wp\/v2\/posts\/3440\/revisions"}],"predecessor-version":[{"id":3441,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/3440\/revisions\/3441"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media\/3436"}],"wp:attachment":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media?parent=3440"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/categories?post=3440"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/tags?post=3440"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
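Added example, written by the editor of this page; it is not the script the post links to and not the author's own method. It shows, in one T-SQL query against the system catalog views, the checks the post's bullet list describes: the owner login of every database, owners whose SID no longer matches any login, critical server-level permissions held by the owner directly or through any server role it belongs to (nested user-defined roles included), server role membership, and the TRUSTWORTHY and DB_CHAINING settings. The query assumes SQL Server 2012 or later (user-defined server roles and the is_fixed_role column do not exist earlier, whereas the post's script also covers 2005 and 2008). The set of permissions treated as "critical", the table variable @critical, all column aliases, and the combined trustworthy_with_privileged_owner flag are this editor's assumptions; the post does not list which permissions its script flags.

```sql
-- Editor's example, not the post's script. Requires SQL Server 2012 or later.
-- Assumption: the permission list below is this editor's choice of "critical".
SET NOCOUNT ON;

DECLARE @critical TABLE (permission_name nvarchar(128) PRIMARY KEY);
INSERT INTO @critical (permission_name) VALUES
    (N'CONTROL SERVER'),         (N'ALTER ANY LOGIN'),      (N'ALTER ANY SERVER ROLE'),
    (N'ALTER ANY DATABASE'),     (N'ALTER SETTINGS'),       (N'ALTER ANY CREDENTIAL'),
    (N'ALTER ANY LINKED SERVER'),(N'ALTER ANY ENDPOINT'),   (N'IMPERSONATE ANY LOGIN'),
    (N'EXTERNAL ACCESS ASSEMBLY'),(N'UNSAFE ASSEMBLY');

;WITH role_tree AS (
    -- each login (or Windows group) plus, recursively, every server role it belongs to,
    -- so that a permission granted to a nested user-defined role is attributed to the login
    SELECT p.principal_id AS login_id, p.principal_id AS via_id, 0 AS depth
    FROM sys.server_principals AS p
    WHERE p.type <> 'R'                               -- principals that are not roles
    UNION ALL
    SELECT t.login_id, rm.role_principal_id, t.depth + 1
    FROM role_tree AS t
    JOIN sys.server_role_members AS rm ON rm.member_principal_id = t.via_id
    WHERE t.depth < 16                                -- guard against deep nesting
),
login_roles AS (
    SELECT DISTINCT t.login_id, r.name AS role_name, r.is_fixed_role
    FROM role_tree AS t
    JOIN sys.server_principals AS r ON r.principal_id = t.via_id AND r.type = 'R'
),
login_perms AS (
    -- critical server-scoped permissions, held directly or through any role in the tree
    SELECT DISTINCT t.login_id, sp.permission_name, g.name AS grantee,
           CASE WHEN g.principal_id = t.login_id THEN 1 ELSE 0 END AS is_direct
    FROM role_tree AS t
    JOIN sys.server_permissions AS sp ON sp.grantee_principal_id = t.via_id
    JOIN sys.server_principals AS g  ON g.principal_id = sp.grantee_principal_id
    JOIN @critical AS c              ON c.permission_name = sp.permission_name
    WHERE sp.class = 100                              -- 100 = SERVER scope
      AND sp.state IN ('G', 'W')                      -- GRANT / GRANT WITH GRANT OPTION
)
SELECT  d.name AS database_name,
        l.name AS owner_login,
        CASE WHEN l.principal_id IS NULL THEN 'MISSING: owner_sid matches no login'
             WHEN l.is_disabled = 1      THEN 'disabled login'
             ELSE 'ok' END AS owner_status,
        ISNULL(STUFF((SELECT ', ' + lp.permission_name
                             + CASE WHEN lp.is_direct = 1 THEN '' ELSE ' (via ' + lp.grantee + ')' END
                      FROM login_perms AS lp
                      WHERE lp.login_id = l.principal_id
                      ORDER BY lp.is_direct DESC, lp.permission_name
                      FOR XML PATH(''), TYPE).value('.', 'nvarchar(max)'), 1, 2, ''), '')
            AS critical_server_permissions,
        ISNULL(STUFF((SELECT ', ' + lr.role_name
                             + CASE WHEN lr.is_fixed_role = 1 THEN '' ELSE ' (user-defined)' END
                      FROM login_roles AS lr
                      WHERE lr.login_id = l.principal_id
                      ORDER BY lr.is_fixed_role DESC, lr.role_name
                      FOR XML PATH(''), TYPE).value('.', 'nvarchar(max)'), 1, 2, ''), '')
            AS server_roles,
        d.is_trustworthy_on,
        d.is_db_chaining_on,
        -- the server-wide option enables chaining for every database regardless of the per-database flag
        (SELECT CAST(c.value_in_use AS int) FROM sys.configurations AS c
         WHERE c.name = 'cross db ownership chaining') AS server_wide_db_chaining_on,
        -- editor's combined flag: TRUSTWORTHY together with an owner that is sysadmin (or holds
        -- CONTROL SERVER) is the documented precondition for db_owner members to act server-wide
        CASE WHEN d.is_trustworthy_on = 1
              AND (EXISTS (SELECT 1 FROM login_roles AS lr
                           WHERE lr.login_id = l.principal_id AND lr.role_name = 'sysadmin')
                OR EXISTS (SELECT 1 FROM login_perms AS lp
                           WHERE lp.login_id = l.principal_id AND lp.permission_name = 'CONTROL SERVER'))
             THEN 1 ELSE 0 END AS trustworthy_with_privileged_owner
FROM sys.databases AS d
LEFT JOIN sys.server_principals AS l ON l.sid = d.owner_sid
ORDER BY trustworthy_with_privileged_owner DESC, owner_status, d.name;
```

Run it as a login that holds VIEW ANY DEFINITION (or is sysadmin): the catalog views only return the principals and permissions the caller is allowed to see, so under a low-privileged login existing owners would wrongly show up as missing and permission columns would be empty. The query writes nothing to the instance; the table variable disappears with the batch, so no cleanup is needed. Because sysadmin membership is not materialised in sys.server_permissions, the server_roles column, not the permissions column, is what reveals a sysadmin owner.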