Security Audit Db_DataReader

Sandy Skaar, 2011-04-14 (first published: 2011-03-29)

This script uses undocumented stored procedure sp_MsForEachDb. If you prefer, you can substitute the ? in the script, un-comment the code and run it under a USE <database> context for each database you wish to audit.

You may also wish to add to the list of DbRoles for inclusion by adding roles to the /*, ''<other role>''*/ in the script and delete tne /* and */ comment marks.

I recommend running this in a development environment until you know the affect it will have on your system.

Note: You may have to adjust the sizes of the columns as needed for your database names, owners, etc.

--Find db_dbreader roles with permissions other than Select or Connect for each database --Author: HawkeyeDB --Date: 3/29/2011 --Revision: First --Purpose: Find db_dbreader roles with permissions other than Select or Connect for each database --Recommendations: Run this in a non-production environment first, the script uses dynamic SQL and an -- undocumented stored procedure --Find db_dbreader roles with permissions other than Select or Connect for each database --Author: HawkeyeDB --Date: 3/29/2011 --Revision: First --Purpose: Find db_dbreader roles with permissions other than Select or Connect for each database --Recommendations: Run this in a non-production environment first, the script uses dynamic SQL and an -- undocumented stored procedure EXEC sp_MSforeachdb @command1='USE [?] DECLARE @Roles varchar(200) SET @Roles = ''db_datareader, Init_Role, Viewer'' DECLARE @sqlcmd1 nvarchar(500) CREATE TABLE #temp_helprotect(Owner varchar(50), Object varchar(500), Grantee varchar(50), Grantor varchar(50), ProtectType varchar(50), Action varchar(50), RefColumn varchar(1000)); SET @sqlcmd1 = ''EXEC [?]..sp_helprotect''; INSERT INTO #temp_helprotect EXECUTE(@sqlcmd1); DECLARE @sqlcmd2 nvarchar(200); CREATE TABLE #temp_rolemember(DbRole varchar(50), MemberName varchar(100), MemberSID nvarchar(1000)); SET @sqlcmd2 = ''EXEC [?]..sp_helprolemember''; INSERT INTO #temp_rolemember EXECUTE(@sqlcmd2); SELECT DbRole, MemberName INTO #dbreaders FROM #temp_rolemember WHERE MemberName NOT IN(Select MemberName FROM #temp_rolemember WHERE RTRIM(LTRIM(DbRole)) NOT IN(''db_datareader'', ''Init_role'', ''Viewer'')) SELECT DISTINCT A.MemberName, B.Grantee, B.Object, B.Grantor, B.ProtectType, B.Action, C.name FROM #dbreaders A, #temp_helprotect B, sys.sysdatabases C, #temp_rolemember D WHERE A.MemberName = D.MemberName AND A.MemberName LIKE ''%'' + B.Grantee + ''%'' AND Action Not In(''Select'', ''Connect'') AND C.dbid = DB_ID() ORDER BY A.MemberName, B.Grantee; DROP TABLE #temp_rolemember; DROP TABLE #dbreaders; DROP TABLE #temp_helprotect;'

Fixed Database Roles

by Andy Warren

SQLServerCentral.com

Security

This article covers four of the fixed database roles (db_datareader, db_datawriter, db_denydatareader, and db_denydatawriter). If you're new to SQL security (and maybe even if you're not) this article is worth reading.