cirats_health check deviations
7/31/2019 CIRATS_Health Check Deviations
http://slidepdf.com/reader/full/ciratshealth-check-deviations 1/12
CIRATS
Remediation: Health Check deviations on the report performed by SCS team.
Risk: Medium - Requires one SQL instance restart
Deviation to be corrected:
1-) Alter SQL Server Log Retention Period to 99 versions
*It does not need Server or Instance Reboot.*
2-) Remove permissions of BUILTIN\Administrators
*Just System Administrators Role (SA)*
*It does not need Server or Instance Reboot.*
3-) (SQL Server 2000) Delete Windows User SQLDebugger
*Applicable just in SQL Server 2000.*
*It DOES need to be done on each node of the cluster.*
*It does not need Server or Instance Reboot.*
4-) (SQL Server 2000) Delete Guest from User databases
*In SQL Server 2000 the Guest User can be deleted from User Databases.*
- 4.1 Run the query below to identify which databases have the Guest user activated:
-- Prints the name of every database where guest has access.
-- [?] is bracketed so that database names with spaces or hyphens do not break the USE.
print 'The Guest Has access to the following databases'
EXEC sp_MSForEachDB 'Use [?]; if (Select count(*) from sysusers Where name = ''guest'' and hasdbaccess = 1) = 1 print db_Name()'
- 4.2 If Guest exists in User databases, delete the Guest User from each of them.
*The Guest user is located inside the User databases, not among the SQL (Instance) users.*
*Deleting the Guest User is not allowed in System databases (Master, Msdb, TempDB, Model).*
5-) (SQL Server 2005) Disable Guest from User databases
*In SQL Server 2005 the Guest User can only be disabled in User Databases.*
- 5.1 Run the query below to identify which databases have the Guest user activated:
-- Prints the name of every database where guest has access.
-- [?] is bracketed so that database names with spaces or hyphens do not break the USE.
print 'The Guest Has access to the following databases'
EXEC sp_MSForEachDB 'Use [?]; if (Select count(*) from sysusers Where name = ''guest'' and hasdbaccess = 1) = 1 print db_Name()'
- 5.2 If Guest exists in User databases, disable (Right-Click -> Disable) the Guest User in each of them.
*The Guest user is located inside the User databases, not among the SQL (Instance) users.*
*Deleting the Guest User is not allowed in System databases (Master, Msdb, TempDB, Model).*
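A scripted alternative to the right-click steps in 4.2 and 5.2, added here as an example and not part of the original procedure. It repeats the 4.1/5.1 check per database, skips the four system databases, and only prints the statement to run; `sp_revokedbaccess` (SQL Server 2000) and `REVOKE CONNECT` (SQL Server 2005) are the standard calls, the temp table and cursor names are illustrative.

```sql
-- Added example: list user databases where guest can connect and print the fix.
-- Nothing is changed here; review the printed statements and run them yourself.
SET NOCOUNT ON;

DECLARE @db sysname, @sql nvarchar(4000), @is2000 bit;

-- ProductVersion starts with '8.' on SQL Server 2000.
SET @is2000 = CASE WHEN CAST(SERVERPROPERTY('ProductVersion') AS varchar(20)) LIKE '8.%'
                   THEN 1 ELSE 0 END;

CREATE TABLE #guest_dbs (dbname sysname NOT NULL);

DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM master..sysdatabases
    WHERE name NOT IN ('master', 'msdb', 'tempdb', 'model')  -- guest stays in system databases
      AND DATABASEPROPERTYEX(name, 'Status') = 'ONLINE';      -- offline databases cannot be queried

OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Same test as the query in 4.1/5.1, with the database name safely quoted.
    SET @sql = N'IF EXISTS (SELECT 1 FROM ' + QUOTENAME(@db) + N'..sysusers '
             + N'WHERE name = ''guest'' AND hasdbaccess = 1) '
             + N'INSERT INTO #guest_dbs VALUES (@d)';
    EXEC sp_executesql @sql, N'@d sysname', @d = @db;
    FETCH NEXT FROM db_cur INTO @db;
END
CLOSE db_cur;
DEALLOCATE db_cur;

-- One remediation statement per affected database, chosen by server version.
SELECT dbname,
       CASE WHEN @is2000 = 1
            THEN 'USE ' + QUOTENAME(dbname) + '; EXEC sp_revokedbaccess ''guest'';'
            ELSE 'USE ' + QUOTENAME(dbname) + '; REVOKE CONNECT FROM guest;'
       END AS remediation
FROM #guest_dbs
ORDER BY dbname;

DROP TABLE #guest_dbs;
```

An empty result set means no user database grants access to guest and the deviation is already closed.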
6-) Disable Cross database ownership chaining
*It does not need Server or Instance Reboot.*
- 6.1 Execute the query below to check the current configuration (SQL Server 2000 and SQL Server 2005):
EXEC sp_configure 'Cross DB Ownership Chaining'
Result should be:
If it is different, execute the next step.
- 6.2 To correct the values (it MUST be blank):
(SQL Server 2005) (SQL Server 2000)
Right-Click -> Properties on the Instance Name
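The same change as 6.2 made by script, as an added example that is not part of the original procedure. It goes one step beyond the instance property: in SQL Server 2005 chaining can also be switched on per database, so the second batch lists user databases where it is still enabled and prints the statement to turn it off.

```sql
-- Added example: disable cross-database ownership chaining by script.

-- Instance-wide option. 0 = disabled, which matches the unchecked box in 6.2.
EXEC sp_configure 'Cross DB Ownership Chaining', 0;
RECONFIGURE;   -- applies immediately, no instance restart
GO

-- Confirm: config_value and run_value should both be 0.
EXEC sp_configure 'Cross DB Ownership Chaining';
GO

-- SQL Server 2005 only: per-database setting, which can stay ON
-- even when the instance-wide option is 0.
-- database_id 1-4 are master, tempdb, model and msdb and are skipped.
SELECT name,
       'ALTER DATABASE ' + QUOTENAME(name) + ' SET DB_CHAINING OFF;' AS remediation
FROM sys.databases
WHERE is_db_chaining_on = 1
  AND database_id > 4
ORDER BY name;
GO
```

Before running a printed `ALTER DATABASE` statement, confirm with the application owner that nothing relies on chaining between those databases.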
7-) Alter users' default database from Master to TempDB
*It does not need Server or Instance Reboot.*
Execute the query below to check the current configuration:
SELECT name, dbname FROM master..syslogins WHERE dbname = 'master'
Possible wrong result:
Changing the default database for the user in SQL Server 2005 by windows:
In SQL Server 2005, only the users below should remain in the Master DB:
Changing the default database for the user in SQL Server 2005 by script:
EXEC sp_defaultdb 'Domain\user', 'tempdb'
or
EXEC sp_defaultdb 'user', 'tempdb'
Example:
8-) Alter login attempt log to "All" (Instance Properties)
*It DOES need Server or Instance Reboot.*
SQL Server 2000 Instance Properties -> Select ALL.
SQL Server 2005 Instance Properties -> Both as below:
9-) Alter login authentication to Mixed
*It DOES need Server or Instance Reboot.*
SQL Server 2000 Instance Properties -> Select SQL and Windows Authentication.
SQL Server 2005 Instance Properties -> Both as below:
10-) (If applicable, because there are some without a domain service account) Alter startup account to instance default's service account
*It DOES need Server or Instance Reboot.*
Look up the service account in Password Vault (https://passwordvault.intra.aexp.com/passwordvault) using the specific instance name.
11-) (If applicable/exist) Delete IBMBR SQL logins: Taskcheck, DRextract and EMERSA from the instance.
12-) (SQL 2000) Delete sample databases: Pubs and Northwind.