3.8 Ensure only the default permissions specified by Microsoft are granted to the public server role

Information

public is a special fixed server role containing all logins. Unlike other fixed server roles, permissions can be changed for the public role. In keeping with the principle of least privileges, the public server role should not be used to grant permissions at the server scope as these would be inherited by all users.

Rationale:

Every SQL Server login belongs to the public role and cannot be removed from this role. Therefore, any permissions granted to this role will be available to all logins unless they have been explicitly denied to specific logins or user-defined server roles.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Add the extraneous permissions found in the Audit query results to the specific logins to user-defined server roles which require the access.

Revoke the <permission_name> from the public role as shown below

USE [master]
GO
REVOKE <permission_name> FROM public;
GO

Impact:

When the extraneous permissions are revoked from the public server role, access may be lost unless the permissions are granted to the explicit logins or to user-defined server roles containing the logins which require the access.

Default Value:

By default, the public server role is granted VIEW ANY DATABASE permission and the CONNECT permission on the default endpoints (TSQL Local Machine, TSQL Named Pipes, TSQL Default TCP, TSQL Default VIA). The VIEW ANY DATABASE permission allows all logins to see database metadata, unless explicitly denied.

References:

https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles

https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles#permissions-of-fixed-server-roles

See Also

https://workbench.cisecurity.org/files/2837