3.8 Ensure only the default permissions specified by Microsoft are granted to the public server role

Information

public is a special fixed server role containing all logins. Unlike other fixed server roles, permissions can be changed for the public role. In keeping with the principle of least privileges, the public server role should not be used to grant permissions at the server scope as these would be inherited by all users.

Every SQL Server login belongs to the public role and cannot be removed from this role. Therefore, any permissions granted to this role will be available to all logins unless they have been explicitly denied to specific logins or user-defined server roles.

Solution

- Add the extraneous permissions found in the Audit query results to the specific logins to user-defined server roles which require the access.
- Revoke the

<permission_name>

from the public role as shown below USE [master]GOREVOKE <permission_name> FROM public;GO

Impact:

When the extraneous permissions are revoked from the public server role, access may be lost unless the permissions are granted to the explicit logins or to user-defined server roles containing the logins which require the access.

See Also

https://workbench.cisecurity.org/benchmarks/14058

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: MS_SQLDB

Control ID: 1c4d0520cd78721d0b89718f55e4706e89d16bd5f7b528a03d88963fec299f00