Check: DM1709-SQLServer9
Database SQL Server 9: DM1709-SQLServer9 (in version v8 r1.9)
Title
The guest user account should be disabled. (Cat II impact)
Discussion
The guest user ID in a database allows access by all Windows login IDs without requiring an individual database account. This allows unauthorized access to the database.
Check Content
From the query prompt:
    SELECT name
    FROM [master].sys.databases
    WHERE name NOT IN ('master', 'tempdb')
    AND state = 0
Repeat for each database:
From the query prompt:
    USE [database name]
    SELECT COUNT(grantee_principal_id)
    FROM sys.database_permissions
    WHERE grantee_principal_id = 2
    AND state = 'G'
    AND permission_name = 'CONNECT'
If any value other than a 0 is returned, this is a Finding.
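The per-database check above can be run across the whole instance in one pass. The script below is an added example, not part of the STIG text; it assumes a login that can access every online database (for example a sysadmin), and the temporary table name #guest_connect and its column names are chosen here for illustration.

```sql
-- Added example: applies the check's predicate to every online database
-- except master and tempdb and lists the result per database.
SET NOCOUNT ON;

CREATE TABLE #guest_connect (        -- hypothetical working table
    database_name sysname NOT NULL,
    grant_count   int     NOT NULL
);

DECLARE @db  sysname;
DECLARE @sql nvarchar(max);

DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM [master].sys.databases
    WHERE name NOT IN ('master', 'tempdb')
      AND state = 0;                 -- same filter as the check

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME keeps database names with spaces or brackets from
    -- breaking (or altering) the dynamic statement.
    SET @sql = N'SELECT @name, COUNT(grantee_principal_id)
                 FROM ' + QUOTENAME(@db) + N'.sys.database_permissions
                 WHERE grantee_principal_id = 2
                   AND state = ''G''
                   AND permission_name = ''CONNECT'';';

    INSERT INTO #guest_connect (database_name, grant_count)
    EXEC sp_executesql @sql, N'@name sysname', @name = @db;

    FETCH NEXT FROM db_cursor INTO @db;
END

CLOSE db_cursor;
DEALLOCATE db_cursor;

-- Any non-zero count is a Finding under this check.
SELECT database_name, grant_count,
       CASE WHEN grant_count = 0 THEN 'OK' ELSE 'Finding' END AS result
FROM #guest_connect
ORDER BY database_name;

DROP TABLE #guest_connect;
```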
Fix Text
Revoke the guest user's CONNECT permission in all databases except master and tempdb.
From the query prompt:
    SELECT name
    FROM [master].sys.databases
    WHERE name NOT IN ('master', 'tempdb')
    AND state = 0
Repeat for each database:
From the query prompt:
    USE [database name]
    REVOKE CONNECT FROM guest
Additional Identifiers
Rule ID: SV-23779r2_rule
Vulnerability ID: V-2451
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |