Revoke CONNECT Permission On The 'guest' User

Description

After successfully authenticating to SQL Server, the authenticated login is mapped to a user in the target database. If no such mapping exists, SQL Server checks whether the guest user exists in that database. If the guest user exists and holds CONNECT, the logged-in login is granted access to the database as guest. If the guest user does not exist or does not hold the CONNECT permission, SQL Server denies access to the database.

The guest user should not hold the CONNECT permission in any database other than master, tempdb, or msdb.
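The following T-SQL is an added example, not part of the SecureCloudDB rule or the vendor's documentation. It walks every online database except master, msdb and tempdb, reports where the guest user holds CONNECT (state G or W in sys.database_permissions), and generates the matching REVOKE statement without executing it. It assumes the executing login can read the catalog views in each database; the @findings table name and the cursor name are arbitrary choices.

```sql
-- Added example: audit guest CONNECT across user databases on a SQL Server instance.
-- It only reports and prints remediation; nothing is revoked automatically.
SET NOCOUNT ON;

DECLARE @db  sysname;
DECLARE @sql nvarchar(max);
DECLARE @findings TABLE (
    database_name   sysname,
    permission_name nvarchar(128),
    state_desc      nvarchar(60)
);

-- master, msdb and tempdb legitimately keep CONNECT for guest, so skip them.
DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE name NOT IN (N'master', N'msdb', N'tempdb')
      AND state_desc = N'ONLINE';

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- class = 0 restricts the join to database-level permissions, which is where CONNECT lives.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        SELECT DB_NAME(), p.permission_name, p.state_desc
        FROM sys.database_permissions AS p
        JOIN sys.database_principals AS u
          ON u.principal_id = p.grantee_principal_id
        WHERE p.class = 0
          AND u.name = N''guest''
          AND p.permission_name = N''CONNECT''
          AND p.state IN (''G'', ''W'');';   -- G = GRANT, W = GRANT WITH GRANT OPTION

    INSERT INTO @findings EXEC sp_executesql @sql;
    FETCH NEXT FROM db_cursor INTO @db;
END
CLOSE db_cursor;
DEALLOCATE db_cursor;

-- One row per non-compliant database, with the statement that fixes it.
SELECT database_name,
       permission_name,
       state_desc,
       N'USE ' + QUOTENAME(database_name) + N'; REVOKE CONNECT FROM guest;' AS remediation
FROM @findings
ORDER BY database_name;
```

An empty result set means the instance satisfies the rule. The generated REVOKE statements are meant to be reviewed and then run per database; the guest user itself is not dropped, since it cannot be removed from any database.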

Rationale

All users with access to a database must be explicitly granted access. If the guest account can connect to a database, any login on the instance can reach that database without an explicit user mapping, which may leak information to users of other databases.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                      Value
secureclouddb/provider   aws
secureclouddb/service    rds
secureclouddb/engine     sqlserver

Default Rule

const { isEmptyArray } = module

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true when no database other than
 *   master, msdb, or tempdb grants CONNECT to its guest user
 */
function validate(databaseSettings) {
    // System databases in which guest legitimately keeps CONNECT
    const databasesToIgnore = ['master', 'msdb', 'tempdb']

    const success = isEmptyArray(databaseSettings.users) ||
                    isEmptyArray(databaseSettings.users.filter(user =>
                        user.sqlserver.name === "guest" &&
                        user.sqlserver.source === "sys.database_principals" &&
                        !databasesToIgnore.includes(user.sqlserver.parentDatabase) &&
                        isConnectPermissionGranted(user.sqlserver.permissions)))
    return {
        success,
    }
}

/**
 * @param {Array<{name: string, state: string}>} permissions - permissions held by a database user
 * @returns {boolean} true if CONNECT is granted ('G') or granted with grant option ('W')
 */
function isConnectPermissionGranted(permissions) {
    // The state check belongs inside the filter callback, where `permission` is in scope,
    // and the result must be a plain boolean: an object such as { success } is always truthy
    return !isEmptyArray(permissions) &&
           !isEmptyArray(permissions.filter(permission =>
               permission.name === 'CONNECT' &&
               (permission.state === 'G' || permission.state === 'W')))
}

validate(databaseSettings)