3.2 Ensure CONNECT permissions on the 'guest' user are Revoked within all SQL Server databases

Information

Remove the right of the guest user to connect to SQL Server databases, except for master, msdb, tempdb, and, on AWS RDS instances, rdsadmin.

Rationale:

A login assumes the identity of the guest user when it has access to the SQL Server instance, does not have access to a database through its own mapped user, and that database has a guest user account. Revoking the CONNECT permission from the guest user ensures that a login cannot read database information without having been explicitly granted access.

Impact:

When CONNECT permission to the guest user is revoked, a SQL Server instance login must be mapped to a database user explicitly in order to have access to the database.

Solution

The following code snippet revokes CONNECT permissions from the guest user in a database. Replace <database_name> as appropriate:

USE <database_name>;
GO
REVOKE CONNECT FROM guest;
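As an added audit example (not part of the benchmark text above), the following T-SQL walks every online database on the instance, skips the databases in which the permission must stay in place, and reports each database where guest still holds CONNECT together with the exact REVOKE batch to run there. The @results table and the db_cursor name are my own; the catalog views and sp_executesql are standard SQL Server objects.

```sql
-- Added audit example: list every database where guest still holds CONNECT
-- and emit the matching REVOKE statement. Databases that must keep the
-- permission (master, msdb, tempdb and, on AWS RDS, rdsadmin) are skipped.
DECLARE @db  sysname;
DECLARE @sql nvarchar(max);

-- Collects one row per database in which the control is not yet met.
DECLARE @results TABLE (
    database_name    sysname,
    permission_state nvarchar(60),
    revoke_statement nvarchar(max)
);

DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE name NOT IN (N'master', N'msdb', N'tempdb', N'rdsadmin')
      AND state_desc = N'ONLINE';          -- offline/restoring DBs cannot be queried

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- USE inside the dynamic batch scopes the catalog views to that database;
    -- the session's own database context is restored when the batch ends.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        SELECT DB_NAME(),
               dp.state_desc,
               N''USE '' + QUOTENAME(DB_NAME()) + N''; REVOKE CONNECT FROM guest;''
        FROM sys.database_permissions AS dp
        JOIN sys.database_principals AS pr
          ON pr.principal_id = dp.grantee_principal_id
        WHERE pr.name = N''guest''
          AND dp.class_desc = N''DATABASE''
          AND dp.permission_name = N''CONNECT''
          AND dp.state IN (''G'', ''W'');';   -- GRANT or GRANT WITH GRANT OPTION

    INSERT INTO @results (database_name, permission_state, revoke_statement)
    EXEC sys.sp_executesql @sql;

    FETCH NEXT FROM db_cursor INTO @db;
END;
CLOSE db_cursor;
DEALLOCATE db_cursor;

-- Any row returned here is a finding; run its revoke_statement to remediate.
SELECT database_name, permission_state, revoke_statement
FROM @results ORDER BY database_name;
```

An empty result set means the control is met on every eligible database; the script only reports and does not itself revoke anything.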

Default Value:

The guest user cannot have the CONNECT permission revoked in master, msdb, tempdb, and, on AWS RDS instances, rdsadmin; however, this permission should be revoked in all other databases on the SQL Server instance.

See Also

https://workbench.cisecurity.org/benchmarks/12777

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: MS_SQLDB

Control ID: 72d0aadd6050beb771ec1b556646fff20418961c8f8daefdf0f49320e4854195