3.3 Ensure 'Orphaned Users' are Dropped From SQL Server Databases

Information

A database user for which the corresponding SQL Server login is undefined or is incorrectly defined on a server instance cannot log in to the instance and is referred to as orphaned and should be removed.

Rationale:

Orphan users should be removed to avoid potential misuse of those broken users in any way.

Solution

If the orphaned user cannot or should not be matched to an existing or new login using the Microsoft documented process referenced below, run the following T-SQL query in the appropriate database to remove an orphan user:

USE [<database_name>];
GO
DROP USER <username>;

See Also

https://workbench.cisecurity.org/benchmarks/7202

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(3), CSCv7|16.8

Plugin: MS_SQLDB

Control ID: 8468f13d959e2bd58d696cb33cea8ee7a17e910b939536a88469c12524564fe9