7/31/2019 CIRATS_Health Check Deviations

http://slidepdf.com/reader/full/ciratshealth-check-deviations 1/12

CIRATS

Remediation: Health Check deviations on the report performed by SCS team.

Risk: Medium - Requires one SQL instance restart

Deviation to be corrected:

1-) Alter SQL Server Log Retentition Period to 99 versions*It does not need Server or Instance Reboot.*

7/31/2019 CIRATS_Health Check Deviations

http://slidepdf.com/reader/full/ciratshealth-check-deviations 2/12

2-) Remove permissions of BUILTIN/administrators

*Just System Administrators Role (SA)**It does not need Server or Instance Reboot.*

7/31/2019 CIRATS_Health Check Deviations

http://slidepdf.com/reader/full/ciratshealth-check-deviations 3/12

3-) (SQL Server 2000) Delete Windows User SQLDebugger

*Applicable just in SQL Server 2000*It DOES need to be done on each node of the cluster.*

*It does not need Server or Instance Reboot.*

7/31/2019 CIRATS_Health Check Deviations

http://slidepdf.com/reader/full/ciratshealth-check-deviations 4/12

 

4-) (SQL Server 2000) Delete Guest from User databases* In SQL Server 2000 the Guest User can be deleted from User Databases. *

- 4.1 Run the below query to identify which Databases have the Guest User is activated:

print 'The Guest Has access to the following databases'

EXEC sp_MSForEachDB 'Use ?;if (Select count(*) from sysusers Where name = ''guest'' and hasdbaccess = 1) = 1

print db_Name()'

- 4.2 If Guest exists in User databases, delete the Guest User from each of them.*The Guest user is located inside the User databases and don’t inside the SQL(Instance) users.*

*Guest User deletion is not allowed to System databases (Master,Msdb,TempDB, Model).*

7/31/2019 CIRATS_Health Check Deviations

http://slidepdf.com/reader/full/ciratshealth-check-deviations 5/12

 

5-) (SQL Server 2005) Disable Guest from User databases* In SQL Server 2005 the Guest User just can be disabled from User Databases. *

- 5.1 Run the below query to identify which Databases have the Guest User is activated:

print 'The Guest Has access to the following databases'

EXEC sp_MSForEachDB 'Use ?;if (Select count(*) from sysusers Where name = ''guest'' and hasdbaccess = 1) = 1

print db_Name()'

- 5.2 If Guest exists in User databases, Disable(Right-Click->Disable) the Guest User

from each of them.*The Guest user is located inside the User databases and don’t inside the SQL(Instance) users.**Guest User deletion is not allowed to System databases (Master,Msdb,TempDB, Model).*

7/31/2019 CIRATS_Health Check Deviations

http://slidepdf.com/reader/full/ciratshealth-check-deviations 6/12

 

6-) Disable Cross database ownership chaining*It does not need Server or Instance Reboot.*

-6.1 Execute the below query to check the actual configuration:

(SQL 2000 and SQL Server 2005)sp_configure 'Cross DB Ownership Chaining'

Result should be:

IF it’s different execute the next step.

-6.2 To correct the values ( It MUST be blank):

(SQL Server 2005) (SQL Server 2000)

Right-Click -> Properties on the Instance Name

7/31/2019 CIRATS_Health Check Deviations

http://slidepdf.com/reader/full/ciratshealth-check-deviations 7/12

 

7-)Alter Users databases from Master to TempDB*It does not need Server or Instance Reboot.*

Execute the below query to check the actual configuration:

SELECT name, dbname FROM master .. syslogins WHERE dbname = 'master'

Wrong possible result:

Changing Default database for the user in SQL Server 2005 by windows:

No SQL Server 2005 apenas os usuários abaixo devem permanecer no DB Master:

7/31/2019 CIRATS_Health Check Deviations

http://slidepdf.com/reader/full/ciratshealth-check-deviations 8/12

 

Changing Default database for the user in SQL Server 2005 by Script:

EXEC sp_defaultdb 'Domaim\user', 'tempdb'

ou

EXEC sp_defaultdb 'user', 'tempdb'

Exemplo:

8-) Alter login attempt log to "All" (Instance Properties)

*It DOES need Server or Instance Reboot.*

SQL Server 2000 Instance Properties -> Select ALL.

SQL Server 2005 Instance Properties -> Both as below:

7/31/2019 CIRATS_Health Check Deviations

http://slidepdf.com/reader/full/ciratshealth-check-deviations 9/12

 

9-) Alter login authentication to Mixed*It DOES need Server or Instance Reboot.*

SQL Server 2000 Instance Properties -> Select SQL and Windows Authentication.

SQL Server 2005 Instance Properties -> Both as below:

7/31/2019 CIRATS_Health Check Deviations

http://slidepdf.com/reader/full/ciratshealth-check-deviations 10/12

 

10-) (If applicable, because there are some, without domain service account) Alter startup account to instance default.s service account

*It DOES need Server or Instance Reboot.*

Research the Service account in Password Vault(https://passwordvault.intra.aexp.com/passwordvault) with the specific instance name. 

11-) (If applicable/exist) Delete IBMBR SQL logins: Taskcheck , DRextract andEMERSA from the instance.

12-) (SQL 2000) Delete sample databases: Pubs and Northwind.

7/31/2019 CIRATS_Health Check Deviations

http://slidepdf.com/reader/full/ciratshealth-check-deviations 11/12

 

7/31/2019 CIRATS_Health Check Deviations

http://slidepdf.com/reader/full/ciratshealth-check-deviations 12/12