Revoke Database Roles To Guest User

Description

The guest user is present in all newly created databases, because guest must be a part of the model database for it to function properly. The guest account is sometimes used to access data between databases and, unlike other users, does not have to be mapped to a login. A best practice is to revoke CONNECT permissions for the guest user, and to not map this user to any database-level roles.

For more information, see Database-Level Roles.
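
The following T-SQL is an added example, not part of the original page or the rule itself. It checks by hand the condition described above and then applies the best practice. It assumes it is run inside the user database being audited, with rights to read the catalog views and to change role membership.

```sql
-- Added example: run in the context of the database being audited.

-- 1. Database-level roles that guest is a member of
--    (membership in public is implicit and is not listed here).
SELECT r.name AS role_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'guest';

-- 2. Whether guest currently holds CONNECT on the database.
SELECT pe.state_desc, pe.permission_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS p ON p.principal_id = pe.grantee_principal_id
WHERE p.name = N'guest'
  AND pe.class = 0                      -- 0 = database-level permission
  AND pe.permission_name = N'CONNECT';

-- 3. Build one ALTER ROLE statement per membership found in step 1,
--    print the batch for review, then execute it.
DECLARE @sql nvarchar(max) = N'';

SELECT @sql += N'ALTER ROLE ' + QUOTENAME(r.name)
             + N' DROP MEMBER [guest];' + NCHAR(10)
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'guest';

PRINT @sql;
EXEC sys.sp_executesql @sql;

-- 4. Disable guest in this database by revoking CONNECT.
--    This cannot be done in master or tempdb, where guest must stay enabled.
REVOKE CONNECT FROM guest;
```

After step 3 the query in step 1 should return no rows, which is the state the rule reports as passing.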

Rationale

If the guest user has database-level roles, this could allow an unauthenticated attacker to gain access to your database.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                       With Value
secureclouddb/provider    aws
secureclouddb/service     rds
secureclouddb/engine      sqlserver

Default Rule

// isEmptyArray comes from the `module` object available to the rule
const {isEmptyArray} = module

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true if guest user does not have roles assigned
 */
function validate(databaseSettings) {
    // Pass when there are no users at all, or when no 'guest' principal
    // from sys.database_principals has a non-empty roles list.
    const success = isEmptyArray(databaseSettings.users) ||
        isEmptyArray(
            databaseSettings.users.filter(user =>
                user.sqlserver &&
                user.sqlserver.source === 'sys.database_principals' &&
                user.sqlserver.name === 'guest' &&
                !isEmptyArray(user.sqlserver.roles)))

    return {
        success
    }
}

validate(databaseSettings)