
Commit 1e5b058

authored
Added new security related checks
- CheckID 258: check if SQL Server is running as `Local System` or `NT AUTHORITY\SYSTEM`. - CheckID 259: check if SQL Server Agent is running as `Local System` or `NT AUTHORITY\SYSTEM`. - CheckID 260: check if the SQL Server service account is a member of the local Administrators group - only done when sp_Blitz is executed with `@CheckServerInfo = 1`. - CheckID 261: check if the SQL Server Agent service account is a member of the local Administrators group - only done when sp_Blitz is executed with `@CheckServerInfo = 1`.
1 parent 0dd8c89 commit 1e5b058

1 file changed

Lines changed: 200 additions & 0 deletions


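--- a/sp_Blitz.sql
+++ b/sp_Blitz.sql
@@ -880,6 +880,10 @@ AS
 INSERT INTO #SkipChecks (CheckID, DatabaseName) VALUES (80, 'tempdb'); /* Max file size set */
 INSERT INTO #SkipChecks (CheckID) VALUES (224); /* CheckID 224 - Performance - SSRS/SSAS/SSIS Installed */
 INSERT INTO #SkipChecks (CheckID) VALUES (92); /* CheckID 92 - drive space */
+INSERT INTO #SkipChecks (CheckID) VALUES (258);/* CheckID 258 - Security - SQL Server service is running as LocalSystem or NT AUTHORITY\SYSTEM */
+INSERT INTO #SkipChecks (CheckID) VALUES (259);/* CheckID 259 - Security - SQL Server Agent service is running as LocalSystem or NT AUTHORITY\SYSTEM */
+INSERT INTO #SkipChecks (CheckID) VALUES (260); /* CheckID 260 - Security - SQL Server service account is member of Administrators */
+INSERT INTO #SkipChecks (CheckID) VALUES (261); /*CheckID 261 - Security - SQL Server Agent service account is member of Administrators */
 INSERT INTO #BlitzResults
 ( CheckID ,
 Priority ,
@@ -4991,6 +4995,78 @@ IF @ProductVersionMajor >= 10
 
 END;
 END;
+/* CheckID 258 - Security - SQL Server Service is running as LocalSystem or NT AUTHORITY\SYSTEM */
+IF @ProductVersionMajor >= 10
+AND NOT EXISTS ( SELECT 1
+FROM #SkipChecks
+WHERE DatabaseName IS NULL AND CheckID = 258 )
+BEGIN
+IF EXISTS ( SELECT 1
+FROM sys.all_objects
+WHERE [name] = 'dm_server_services' )
+BEGIN
+IF @Debug IN (1, 2) RAISERROR('Running CheckId [%d].', 0, 1, 258) WITH NOWAIT;
+
+INSERT INTO [#BlitzResults]
+( [CheckID] ,
+[Priority] ,
+[FindingsGroup] ,
+[Finding] ,
+[URL] ,
+[Details] )
+
+SELECT
+258 AS [CheckID] ,
+1 AS [Priority] ,
+'Security' AS [FindingsGroup] ,
+'SQL Server is running under the '+ [service_account] +' account' AS [Finding] ,
+'https://www.brentozar.com/go/setup' AS [URL] ,
+'SQL Server''s service account is '+ [service_account]
++' - meaning that anyone who can use xp_cmdshell can do absolutely anything on the host.' AS [Details]
+FROM
+[sys].[dm_server_services]
+WHERE ([service_account] = 'LocalSystem'
+OR LOWER([service_account]) = 'nt authority\system')
+AND [servicename] LIKE 'SQL Server%'
+AND [servicename] NOT LIKE 'SQL Server Agent%';
+END;
+END;
+
+/* CheckID 259 - Security - SQL Server Agent Service is running as LocalSystem or NT AUTHORITY\SYSTEM */
+IF @ProductVersionMajor >= 10
+AND NOT EXISTS ( SELECT 1
+FROM #SkipChecks
+WHERE DatabaseName IS NULL AND CheckID = 259 )
+BEGIN
+IF EXISTS ( SELECT 1
+FROM sys.all_objects
+WHERE [name] = 'dm_server_services' )
+BEGIN
+IF @Debug IN (1, 2) RAISERROR('Running CheckId [%d].', 0, 1, 259) WITH NOWAIT;
+
+INSERT INTO [#BlitzResults]
+( [CheckID] ,
+[Priority] ,
+[FindingsGroup] ,
+[Finding] ,
+[URL] ,
+[Details] )
+
+SELECT
+259 AS [CheckID] ,
+1 AS [Priority] ,
+'Security' AS [FindingsGroup] ,
+'SQL Server Agent is running under the '+ [service_account] +' account' AS [Finding] ,
+'https://www.brentozar.com/go/setup' AS [URL] ,
+'SQL Server Agent''s service account is '+ [service_account]
++' - meaning that anyone who can create and run jobs can do absolutely anything on the host.' AS [Details]
+FROM
+[sys].[dm_server_services]
+WHERE ([service_account] = 'LocalSystem'
+OR LOWER([service_account]) = 'nt authority\system')
+AND [servicename] LIKE 'SQL Server Agent%';
+END;
+END;
 
 /*This checks to see if the Full Text thingy is offline*/
 IF @ProductVersionMajor >= 10
@@ -9555,6 +9631,130 @@ IF @ProductVersionMajor >= 10 AND NOT EXISTS ( SELECT 1
 
 END;
 
+/* CheckID 260 - Security - SQL Server service account is member of Administrators */
+IF NOT EXISTS ( SELECT 1
+FROM #SkipChecks
+WHERE DatabaseName IS NULL AND CheckID = 260 ) AND @ProductVersionMajor >= 10
+BEGIN
+
+IF (SELECT value_in_use FROM sys.configurations WHERE [name] = 'xp_cmdshell') = 1
+AND EXISTS ( SELECT 1 FROM sys.all_objects WHERE [name] = 'dm_server_services' )
+BEGIN
+IF @Debug IN (1, 2) RAISERROR('Running CheckId [%d].', 0, 1, 260) WITH NOWAIT;
+IF OBJECT_ID('tempdb..#localadmins') IS NOT NULL DROP TABLE #localadmins;
+CREATE TABLE #localadmins (cmdshell_output NVARCHAR(1000));
+
+INSERT INTO #localadmins
+EXEC /**/xp_cmdshell/**/ N'net localgroup administrators' /* added comments around command since some firewalls block this string TL 20210221 */
+
+IF EXISTS (SELECT 1
+FROM #localadmins
+WHERE LOWER(cmdshell_output) = ( SELECT LOWER([service_account])
+FROM [sys].[dm_server_services]
+WHERE [servicename] LIKE 'SQL Server%'
+AND [servicename] NOT LIKE 'SQL Server Agent%'
+AND [servicename] NOT LIKE 'SQL Server Launchpad%'))
+BEGIN
+INSERT INTO #BlitzResults
+( CheckID ,
+Priority ,
+FindingsGroup ,
+Finding ,
+URL ,
+Details
+)
+SELECT
+260 AS CheckID
+,1 AS Priority
+,'Security' AS FindingsGroup
+,'SQL Server''s service account is a local admin' AS Finding
+,'https://www.brentozar.com/go/setup' AS URL
+,'SQL Server''s service account is a member of the local Administrators group - meaning that anyone who can use xp_cmdshell can do anything on the host.' as Details
+
+END;
+
+END;
+END;
+
+/* CheckID 261 - Security - SQL Server Agent service account is member of Administrators */
+IF NOT EXISTS ( SELECT 1
+FROM #SkipChecks
+WHERE DatabaseName IS NULL AND CheckID = 261 ) AND @ProductVersionMajor >= 10
+BEGIN
+
+IF (SELECT value_in_use FROM sys.configurations WHERE [name] = 'xp_cmdshell') = 1
+AND EXISTS ( SELECT 1 FROM sys.all_objects WHERE [name] = 'dm_server_services' )
+BEGIN
+IF @Debug IN (1, 2) RAISERROR('Running CheckId [%d].', 0, 1, 261) WITH NOWAIT;
+/*If this table exists and CheckId 260 was not skipped, then we're piggybacking off of 260's results */
+IF OBJECT_ID('tempdb..#localadmins') IS NOT NULL
+AND NOT EXISTS ( SELECT 1
+FROM #SkipChecks
+WHERE DatabaseName IS NULL AND CheckID = 260 )
+BEGIN
+IF @Debug IN (1, 2) RAISERROR('CheckId [%d] - found #localadmins table from CheckID 260 - no need to call xp_cmdshell again', 0, 1, 261) WITH NOWAIT;
+
+IF EXISTS (SELECT 1
+FROM #localadmins
+WHERE LOWER(cmdshell_output) = ( SELECT LOWER([service_account])
+FROM [sys].[dm_server_services]
+WHERE [servicename] LIKE 'SQL Server Agent%'
+AND [servicename] NOT LIKE 'SQL Server Launchpad%'))
+BEGIN
+INSERT INTO #BlitzResults
+( CheckID ,
+Priority ,
+FindingsGroup ,
+Finding ,
+URL ,
+Details
+)
+SELECT
+261 AS CheckID
+,1 AS Priority
+,'Security' AS FindingsGroup
+,'SQL Server Agent''s service account is a local admin' AS Finding
+,'https://www.brentozar.com/go/setup' AS URL
+,'SQL Server Agent''s service account is a member of the local Administrators group - meaning that anyone who can create and run jobs can do anything on the host.' as Details
+
+END;
+END; /*piggyback*/
+ELSE /*can't piggyback*/
+BEGIN
+/*had to use a different table name because SQL Server/SSMS complains when parsing that the table still exists when it gets to the create part*/
+IF OBJECT_ID('tempdb..#localadminsag') IS NOT NULL DROP TABLE #localadminsag;
+CREATE TABLE #localadminsag (cmdshell_output NVARCHAR(1000));
+INSERT INTO #localadmins
+EXEC /**/xp_cmdshell/**/ N'net localgroup administrators' /* added comments around command since some firewalls block this string TL 20210221 */
+
+IF EXISTS (SELECT 1
+FROM #localadmins
+WHERE LOWER(cmdshell_output) = ( SELECT LOWER([service_account])
+FROM [sys].[dm_server_services]
+WHERE [servicename] LIKE 'SQL Server Agent%'
+AND [servicename] NOT LIKE 'SQL Server Launchpad%'))
+BEGIN
+INSERT INTO #BlitzResults
+( CheckID ,
+Priority ,
+FindingsGroup ,
+Finding ,
+URL ,
+Details
+)
+SELECT
+261 AS CheckID
+,1 AS Priority
+,'Security' AS FindingsGroup
+,'SQL Server Agent''s service account is a local admin' AS Finding
+,'https://www.brentozar.com/go/setup' AS URL
+,'SQL Server Agent''s service account is a member of the local Administrators group - meaning that anyone who can create and run jobs can do anything on the host.' as Details
+
+END;
+
+END;/*can't piggyback*/
+END;
+END; /* CheckID 261 */
 
 END; /* IF @CheckServerInfo = 1 */
 END; /* IF ( ( SERVERPROPERTY('ServerName') NOT IN ( SELECT ServerName */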
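Review bot: In the CheckID 261 "can't piggyback" branch of the third hunk, `#localadminsag` is created but never used — the xp_cmdshell output is still inserted into `#localadmins` and the EXISTS test still reads `FROM #localadmins`, which in this branch typically does not exist (CheckID 260 skipped or its table never created), so the check fails with an invalid object name instead of producing a finding. Change the two references to `INSERT INTO #localadminsag` and `FROM #localadminsag`. The scalar subquery form used in both 260 and 261 (`= ( SELECT LOWER([service_account]) FROM [sys].[dm_server_services] ... )`) raises a "more than 1 value" error rather than a finding if more than one service row matches, so `IN ( ... )` would be safer there. CheckID 258 excludes only `'SQL Server Agent%'` while 260 additionally excludes `'SQL Server Launchpad%'`; if that exclusion is intentional it presumably belongs in 258 as well. The enclosing `IF @CheckServerInfo = 1` block starts outside the hunk.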
