3.2 Ensure CONNECT permissions on the 'guest user' is Revoked within all SQL Server databases excluding the master, msdb and tempdb

Information

Remove the right of the guest user to connect to SQL Server databases, except for master, msdb, and tempdb.

Rationale:

A login assumes the identity of the guest user when a login has access to SQL Server but does not have access to a database through its own account and the database has a guest user account. Revoking the CONNECT permission for the guest user will ensure that a login is not able to access database information without explicit access to do so.

Solution

The following code snippet revokes CONNECT permissions from the guest user in a database. Replace <database_name> as appropriate:

USE <database_name>;
GO
REVOKE CONNECT FROM guest;

Impact:

When CONNECT permission to the guest user is revoked, a SQL Server instance login must be mapped to a database user explicitly in order to have access to the database.

Default Value:

The guest user account is added to each new database but without CONNECT permission by default.

References:

https://docs.microsoft.com/en-us/sql/relational-databases/policy-based-management/guest-permissions-on-user-databases

Notes:

The guest account cannot have the CONNECT permission revoked in master, msdb and tempdb, but this permission should be revoked in all other databases on the SQL Server instance.

See Also

https://workbench.cisecurity.org/files/2837

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CSCv6|16, CSCv7|14.6

Plugin: MS_SQLDB

Control ID: da42321de4421d4bdac1666dc4baa1557b78efa04e55d592b2f4c941b8846981