SQL SERVER – Identifying Guest User using Policy Based Management

If you are following my recent blog posts, you may have noticed that I’ve written a lot about Guest User in SQL Server. Here are all the blog posts which I have written on Policy Based Management subject.

One of the requests I received was whether we could create a policy that would prevent users unable guest user in user databases. Well, here is a quick tutorial to answer this. Let us see how quickly we can do it.

Requirements

  1. Check if the guest user is disabled in all the user-created databases.
  2. Exclude master, tempdb and msdb database for guest user validation.

We will create the following conditions based on the above two requirements:

  1. If the name of the user is ‘guest’
  2. If the user has connect (@hasDBAccess) permission in the database
  3. Check in All user databases, except: master, tempDB and msdb

Once we create two conditions, we will create a policy which will validate the conditions.

Condition 1: Is the User Guest?

Expand the Database >> Management >> Policy Management >> Conditions

SQL SERVER - Identifying Guest User using Policy Based Management pbm1

Right click on the Conditions, and click on “New Condition…”. First we will create a condition where we will validate if the user name is ‘guest’, and if it’s so, then we will further validate if it has DB access.

SQL SERVER - Identifying Guest User using Policy Based Management pbm2

Check the image for the necessary configuration for condition:
Facet: User
Expression:
@Name = ‘guest’

Condition 2: Does the User have DBAccess?

Expand the Database >> Management >> Policy Management >> Conditions

Solarwinds

Right click on Conditions and click on “New Condition…”. Now we will validate if the user has DB access.

SQL SERVER - Identifying Guest User using Policy Based Management pbm2-2

Check the image for necessary configuration for condition:
Facet: User
Expression:
@hasDBAccess = False

Condition 3: Exclude Databases

Expand the Database >> Management >> Policy Management >> Conditions

Write click on Conditions and click on “New Condition…” Now we will create condition where we will validate if database name is master, tempdb or msdb and if database name is any of them, we will not validate our first one condition with them.

SQL SERVER - Identifying Guest User using Policy Based Management pbm2-3

Check the image for necessary configuration for condition:
Facet: Database
Expression:
@Name != ‘msdb’
AND @Name != ‘tempdb’
AND @Name != ‘master’

The next step will be creating a policy which will enforce these conditions.

Creating a Policy

Right click on Policies and click “New Policy…”

Here, we justify what condition we want to validate against what the target is.

SQL SERVER - Identifying Guest User using Policy Based Management pbm4

Condition: Has User DBAccess
Target Database: Every Database except (master, tempdb and MSDB)
Target User: Every User in Target Database with name ‘guest’

SQL SERVER - Identifying Guest User using Policy Based Management pbm5

Now we have options for two evaluation modes: 1) On Demand and 2) On Schedule

We will select On Demand in this example; however, you can change the mode to On Schedule through the drop down menu, and select the interval of the evaluation of the policy.

Evaluate the Policies

We have selected OnDemand as our policy evaluation mode. We will now evaluate by means of executing Evaluate policy. Click on Evaluate and it will give the following result:

SQL SERVER - Identifying Guest User using Policy Based Management pbm6

The result demonstrates that one of the databases has a policy violation. Username guest is enabled in AdventureWorks database. You can disable the guest user by running the following code in AdventureWorks database.

SQL SERVER - Identifying Guest User using Policy Based Management pbm7

USE AdventureWorks;</p>
<p style="text-align: justify;">REVOKE CONNECT FROM guest;

Once you run above query, you can already evaluate the policy again. Notice that the policy violation is fixed now.

SQL SERVER - Identifying Guest User using Policy Based Management pbm9

You can change the method of the evaluation policy to On Schedule and validate policy on interval. You can check the history of the policy and detect the violation.

SQL SERVER - Identifying Guest User using Policy Based Management pbm10

SQL SERVER - Identifying Guest User using Policy Based Management pbm11

Quiz

I have created three conditions to check if the guest user has database access or not. Now I want to ask you: Is it possible to do the same with 2 conditions? If yes, HOW? If no, WHY NOT?

Reference: Pinal Dave (https://blog.sqlauthority.com)

Solarwinds
, , ,
Previous Post
SQL SERVER – Standards Support, Protocol, Data Portability – 3 Important SQL Server Documentations for Downloads
Next Post
SQL SERVER – Detecting Leap Year in T-SQL using SQL Server 2012 – IIF, EOMONTH and CONCAT Function

Related Posts

8 Comments. Leave new

  • Hi Pinal Sir,

    I guess the only databases that should ever have the guest account enabled are databases the ‘master’,’msdb’ and ‘tempdb’ databases.These enables users access to create job’s,temporary objects,and connect to SQL server. so only the guest user have permissions by default in the ‘model’ database because ‘model’ is template for the all databases so this guest user will include all new databases.

    So I think this is the best way to clear the guest user….!!!!

    If i’m not wrong that above code should be like with…(!=) instead of (=), screen shot is Ok sir.

    Facet: Database
    Expression:
    @Name != ‘msdb’
    AND @Name != ‘tempdb’
    AND @Name != ‘master’

    Thanks.

    Reply
  • Subramanya Sharma
    February 27, 2012 10:25 am

    We can merge condition 1 and 2 as one condition. As the facets of the conditions are same, we can combine using the And operator. By this we can implement the same thing in two conditions.

    Reply
  • Hello Sir,

    This is very Good post. I learnt about using policy based management after reading this post. This looks very strong feature indeed. Thanks for this gyaan.

    Following is the answer of your question, according to me.

    First Condition should be like this..

    1) First Condition

    Facet: User
    Expression:
    @Name = ‘guest’
    AND @hasDBAccess = False

    2) Second Condition

    Facet: Database
    Expression:
    @Name != ‘msdb’
    AND @Name != ‘tempdb’
    AND @Name != ‘master’

    Thanks,
    Ashish

    Reply
  • dineshvishe1Dinesh
    January 2, 2013 10:22 am

    I am sys admin of server still Error come like’ can not create the trigger ‘syspolicy_server_trigger’,because you do not have permission’.what permission required?

    Reply
  • Brent McCracken
    January 16, 2013 5:44 am

    This is already covered by one of the Microsoft Best Practice Policies – Guest Permissions

    Reply
  • is there any way we can use sql server policy to prevent execution of specific stored procedure that has update or delete queries

    Reply

Leave a Reply

Menu