@@ -107,123 +107,172 @@ The following are sample scripts for creating a login and provisioning it with t
107
107
```sql
108
108
-- Create a login to run the assessment
109
109
use master;
110
-
DECLARE @SID NVARCHAR(MAX) = N'';
111
-
CREATE LOGIN [MYDOMAIN\MYACCOUNT] FROM WINDOWS;
112
-
SELECT @SID = N'0x'+CONVERT(NVARCHAR, sid, 2) FROMsys.sysloginswhere name ='MYDOMAIN\MYACCOUNT'
113
-
IF (ISNULL(@SID,'') !='')
114
-
PRINT N'Created login [MYDOMAIN\MYACCOUNT] with SID = '+ @SID
115
-
ELSE
116
-
PRINT N'Login creation failed'
110
+
DECLARE @SID NVARCHAR(MAX) = N'';
111
+
CREATE LOGIN [MYDOMAIN\MYACCOUNT] FROM WINDOWS;
112
+
SELECT @SID = N'0x'+CONVERT(NVARCHAR, sid, 2) FROMsys.sysloginswhere name ='MYDOMAIN\MYACCOUNT'
113
+
IF (ISNULL(@SID,'') !='')
114
+
PRINT N'Created login [MYDOMAIN\MYACCOUNT] with SID = '+ @SID
115
+
ELSE
116
+
PRINT N'Login creation failed'
117
117
GO
118
-
119
-
-- Create user in every database other than tempdb and model and provide minimal read-only permissions.
120
-
use master;
121
-
EXECUTE sp_MSforeachdb 'USE [?]; IF (''?'' NOT IN (''tempdb'',''model'')) BEGIN TRY CREATE USER [MYDOMAIN\MYACCOUNT] FOR LOGIN [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH'
122
-
EXECUTE sp_MSforeachdb 'USE [?]; IF (''?'' NOT IN (''tempdb'',''model'')) BEGIN TRY GRANT SELECT ON sys.sql_expression_dependencies TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH'
123
-
EXECUTE sp_MSforeachdb 'USE [?]; IF (''?'' NOT IN (''tempdb'',''model'')) BEGIN TRY GRANT VIEW DATABASE STATE TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH'
118
+
119
+
-- Create user in every database other than tempdb, model and secondary AG databases(with connection_type = ALL) and provide minimal read-only permissions.
120
+
USE master;
121
+
EXECUTE sp_MSforeachdb '
122
+
USE [?];
123
+
IF (''?'' NOT IN (''tempdb'',''model''))
124
+
BEGIN
125
+
DECLARE @is_secondary_replica BIT = 0;
126
+
IF CAST(PARSENAME(CAST(SERVERPROPERTY(''ProductVersion'') AS VARCHAR), 4) AS INT) >= 11
127
+
BEGIN
128
+
DECLARE @innersql NVARCHAR(MAX);
129
+
SET @innersql = N''
130
+
SELECT @is_secondary_replica = IIF(
131
+
EXISTS (
132
+
SELECT 1
133
+
FROM sys.availability_replicas a
134
+
INNER JOIN sys.dm_hadr_database_replica_states b
135
+
ON a.replica_id = b.replica_id
136
+
WHERE b.is_local = 1
137
+
AND b.is_primary_replica = 0
138
+
AND a.secondary_role_allow_connections = 2
139
+
AND b.database_id = DB_ID()
140
+
), 1, 0
141
+
);
142
+
'';
143
+
EXEC sp_executesql @innersql, N''@is_secondary_replica BIT OUTPUT'', @is_secondary_replica OUTPUT;
144
+
END
145
+
IF (@is_secondary_replica = 0)
146
+
BEGIN
147
+
CREATE USER [MYDOMAIN\MYACCOUNT] FOR LOGIN [MYDOMAIN\MYACCOUNT];
148
+
GRANT SELECT ON sys.sql_expression_dependencies TO [MYDOMAIN\MYACCOUNT];
149
+
GRANT VIEW DATABASE STATE TO [MYDOMAIN\MYACCOUNT];
150
+
END
151
+
END'
124
152
GO
125
-
153
+
126
154
-- Provide server level read-only permissions
127
155
use master;
128
-
BEGIN TRY GRANTSELECTONsys.sql_expression_dependencies TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
129
-
BEGIN TRY GRANT EXECUTE ON OBJECT::sys.xp_regenumkeys TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
130
-
BEGIN TRY GRANT VIEW DATABASE STATE TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
131
-
BEGIN TRY GRANT VIEW SERVER STATE TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
132
-
BEGIN TRY GRANT VIEW ANY DEFINITION TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
133
-
GO
134
-
135
-
-- Required from SQL 2014 onwards for database connectivity.
136
-
use master;
137
-
BEGIN TRY GRANT CONNECT ANY DATABASE TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
156
+
GRANTSELECTONsys.sql_expression_dependencies TO [MYDOMAIN\MYACCOUNT];
157
+
GRANT EXECUTE ON OBJECT::sys.xp_regenumkeys TO [MYDOMAIN\MYACCOUNT];
158
+
GRANT EXECUTE ON OBJECT::sys.xp_instance_regread TO [MYDOMAIN\MYACCOUNT];
159
+
GRANT VIEW DATABASE STATE TO [MYDOMAIN\MYACCOUNT];
160
+
GRANT VIEW SERVER STATE TO [MYDOMAIN\MYACCOUNT];
161
+
GRANT VIEW ANY DEFINITION TO [MYDOMAIN\MYACCOUNT];
138
162
GO
139
-
163
+
140
164
-- Provide msdb specific permissions
141
165
use msdb;
142
-
BEGIN TRY GRANT EXECUTE ON [msdb].[dbo].[agent_datetime] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
143
-
BEGIN TRY GRANTSELECTON [msdb].[dbo].[sysjobsteps] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
144
-
BEGIN TRY GRANTSELECTON [msdb].[dbo].[syssubsystems] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
145
-
BEGIN TRY GRANTSELECTON [msdb].[dbo].[sysjobhistory] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
146
-
BEGIN TRY GRANTSELECTON [msdb].[dbo].[syscategories] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
147
-
BEGIN TRY GRANTSELECTON [msdb].[dbo].[sysjobs] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
148
-
BEGIN TRY GRANTSELECTON [msdb].[dbo].[sysmaintplan_plans] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
149
-
BEGIN TRY GRANTSELECTON [msdb].[dbo].[syscollector_collection_sets] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
150
-
BEGIN TRY GRANTSELECTON [msdb].[dbo].[sysmail_profile] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
151
-
BEGIN TRY GRANTSELECTON [msdb].[dbo].[sysmail_profileaccount] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
152
-
BEGIN TRY GRANTSELECTON [msdb].[dbo].[sysmail_account] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
166
+
GRANT EXECUTE ON [msdb].[dbo].[agent_datetime] TO [MYDOMAIN\MYACCOUNT];
167
+
GRANTSELECTON [msdb].[dbo].[sysjobsteps] TO [MYDOMAIN\MYACCOUNT];
168
+
GRANTSELECTON [msdb].[dbo].[syssubsystems] TO [MYDOMAIN\MYACCOUNT];
169
+
GRANTSELECTON [msdb].[dbo].[sysjobhistory] TO [MYDOMAIN\MYACCOUNT];
170
+
GRANTSELECTON [msdb].[dbo].[syscategories] TO [MYDOMAIN\MYACCOUNT];
171
+
GRANTSELECTON [msdb].[dbo].[sysjobs] TO [MYDOMAIN\MYACCOUNT];
172
+
GRANTSELECTON [msdb].[dbo].[sysmaintplan_plans] TO [MYDOMAIN\MYACCOUNT];
173
+
GRANTSELECTON [msdb].[dbo].[syscollector_collection_sets] TO [MYDOMAIN\MYACCOUNT];
174
+
GRANTSELECTON [msdb].[dbo].[sysmail_profile] TO [MYDOMAIN\MYACCOUNT];
175
+
GRANTSELECTON [msdb].[dbo].[sysmail_profileaccount] TO [MYDOMAIN\MYACCOUNT];
176
+
GRANTSELECTON [msdb].[dbo].[sysmail_account] TO [MYDOMAIN\MYACCOUNT];
153
177
GO
154
-
178
+
155
179
-- Clean up
156
180
--use master;
157
-
-- EXECUTE sp_MSforeachdb 'USE [?]; BEGIN TRY DROP USER [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;'
158
-
--BEGIN TRY DROP LOGIN [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
181
+
-- EXECUTE sp_MSforeachdb 'USE [?]; DROP USER [MYDOMAIN\MYACCOUNT]'
182
+
-- DROP LOGIN [MYDOMAIN\MYACCOUNT];
159
183
--GO
160
-
```
184
+
```
161
185
162
186
#### SQL Server Authentication
163
187
164
188
```sql
165
-
-- Create a login to run the assessment
189
+
--- Create a login to run the assessment
166
190
use master;
167
-
-- NOTE: SQL instances that host replicas of Always On Availability Groups must use the same SID with SQL login.
168
-
-- After the account is created in one of the member instances, copy the SID output from the script and include
169
-
-- this value when executing against the remaining replicas.
170
-
-- When the SID needs to be specified, add the value to the @SID variable definition below.
SELECT @SID = N'0x'+CONVERT(NVARCHAR, sid, 2) FROMsys.sysloginswhere name ='evaluator'
185
-
IF (ISNULL(@SID,'') !='')
186
-
PRINT N'Created login [evaluator] with SID = '''+ @SID +'''. If this instance hosts any Always On Availability Group replica, use this SID value when executing the script against the instances hosting the other replicas'
187
-
ELSE
188
-
PRINT N'Login creation failed'
189
-
GO
190
-
191
-
-- Create user in every database other than tempdb and model and provide minimal read-only permissions.
192
-
use master;
193
-
EXECUTE sp_MSforeachdb 'USE [?]; IF (''?'' NOT IN (''tempdb'',''model'')) BEGIN TRY CREATE USER [evaluator] FOR LOGIN [evaluator]END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH'
194
-
EXECUTE sp_MSforeachdb 'USE [?]; IF (''?'' NOT IN (''tempdb'',''model'')) BEGIN TRY GRANT SELECT ON sys.sql_expression_dependencies TO [evaluator]END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH'
195
-
EXECUTE sp_MSforeachdb 'USE [?]; IF (''?'' NOT IN (''tempdb'',''model'')) BEGIN TRY GRANT VIEW DATABASE STATE TO [evaluator]END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH'
207
+
END
208
+
SELECT @SID = N'0x'+CONVERT(NVARCHAR(100), sid, 2) FROMsys.sysloginswhere name ='evaluator'
209
+
IF (ISNULL(@SID,'') !='')
210
+
PRINT N'Created login [evaluator] with SID = '''+ @SID +'''. If this instance hosts any Always On Availability Group replica, use this SID value when executing the script against the instances hosting the other replicas'
211
+
ELSE
212
+
PRINT N'Login creation failed'
196
213
GO
197
-
198
-
-- Provide server level read-only permissions
199
-
use master;
200
-
BEGIN TRY GRANTSELECTONsys.sql_expression_dependencies TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
201
-
BEGIN TRY GRANT EXECUTE ON OBJECT::sys.xp_regenumkeys TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
202
-
BEGIN TRY GRANT VIEW DATABASE STATE TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
203
-
BEGIN TRY GRANT VIEW SERVER STATE TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
204
-
BEGIN TRY GRANT VIEW ANY DEFINITION TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
214
+
215
+
-- Create user in every database other than tempdb, model and secondary AG databases(with connection_type = ALL) and provide minimal read-only permissions.
216
+
USE master;
217
+
EXECUTE sp_MSforeachdb '
218
+
USE [?];
219
+
IF (''?'' NOT IN (''tempdb'',''model''))
220
+
BEGIN
221
+
DECLARE @is_secondary_replica BIT = 0;
222
+
IF CAST(PARSENAME(CAST(SERVERPROPERTY(''ProductVersion'') AS VARCHAR), 4) AS INT) >= 11
223
+
BEGIN
224
+
DECLARE @innersql NVARCHAR(MAX);
225
+
SET @innersql = N''
226
+
SELECT @is_secondary_replica = IIF(
227
+
EXISTS (
228
+
SELECT 1
229
+
FROM sys.availability_replicas a
230
+
INNER JOIN sys.dm_hadr_database_replica_states b
231
+
ON a.replica_id = b.replica_id
232
+
WHERE b.is_local = 1
233
+
AND b.is_primary_replica = 0
234
+
AND a.secondary_role_allow_connections = 2
235
+
AND b.database_id = DB_ID()
236
+
), 1, 0
237
+
);
238
+
'';
239
+
EXEC sp_executesql @innersql, N''@is_secondary_replica BIT OUTPUT'', @is_secondary_replica OUTPUT;
240
+
END
241
+
242
+
IF (@is_secondary_replica = 0)
243
+
BEGIN
244
+
CREATE USER [evaluator] FOR LOGIN [evaluator];
245
+
GRANT SELECT ON sys.sql_expression_dependencies TO [evaluator];
246
+
GRANT VIEW DATABASE STATE TO [evaluator];
247
+
END
248
+
END'
205
249
GO
206
-
207
-
-- Required from SQL 2014 onwards for database connectivity.
208
-
use master;
209
-
BEGIN TRY GRANT CONNECT ANY DATABASE TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
250
+
251
+
-- Provide server level read-only permissions
252
+
USE master;
253
+
GRANTSELECTONsys.sql_expression_dependencies TO [evaluator];
254
+
GRANT EXECUTE ON OBJECT::sys.xp_regenumkeys TO [evaluator];
255
+
GRANT EXECUTE ON OBJECT::sys.xp_instance_regread TO [evaluator];
256
+
GRANT VIEW DATABASE STATE TO [evaluator];
257
+
GRANT VIEW SERVER STATE TO [evaluator];
258
+
GRANT VIEW ANY DEFINITION TO [evaluator];
210
259
GO
211
-
260
+
212
261
-- Provide msdb specific permissions
213
-
use msdb;
214
-
BEGIN TRY GRANT EXECUTE ON [msdb].[dbo].[agent_datetime] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
215
-
BEGIN TRY GRANTSELECTON [msdb].[dbo].[sysjobsteps] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
216
-
BEGIN TRY GRANTSELECTON [msdb].[dbo].[syssubsystems] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
217
-
BEGIN TRY GRANTSELECTON [msdb].[dbo].[sysjobhistory] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
218
-
BEGIN TRY GRANTSELECTON [msdb].[dbo].[syscategories] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
219
-
BEGIN TRY GRANTSELECTON [msdb].[dbo].[sysjobs] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
220
-
BEGIN TRY GRANTSELECTON [msdb].[dbo].[sysmaintplan_plans] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
221
-
BEGIN TRY GRANTSELECTON [msdb].[dbo].[syscollector_collection_sets] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
222
-
BEGIN TRY GRANTSELECTON [msdb].[dbo].[sysmail_profile] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
223
-
BEGIN TRY GRANTSELECTON [msdb].[dbo].[sysmail_profileaccount] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
224
-
BEGIN TRY GRANTSELECTON [msdb].[dbo].[sysmail_account] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
262
+
USE msdb;
263
+
GRANT EXECUTE ON [msdb].[dbo].[agent_datetime] TO [evaluator];
264
+
GRANTSELECTON [msdb].[dbo].[sysjobsteps] TO [evaluator];
265
+
GRANTSELECTON [msdb].[dbo].[syssubsystems] TO [evaluator];
266
+
GRANTSELECTON [msdb].[dbo].[sysjobhistory] TO [evaluator];
267
+
GRANTSELECTON [msdb].[dbo].[syscategories] TO [evaluator];
268
+
GRANTSELECTON [msdb].[dbo].[sysjobs] TO [evaluator];
269
+
GRANTSELECTON [msdb].[dbo].[sysmaintplan_plans] TO [evaluator];
270
+
GRANTSELECTON [msdb].[dbo].[syscollector_collection_sets] TO [evaluator];
271
+
GRANTSELECTON [msdb].[dbo].[sysmail_profile] TO [evaluator];
272
+
GRANTSELECTON [msdb].[dbo].[sysmail_profileaccount] TO [evaluator];
273
+
GRANTSELECTON [msdb].[dbo].[sysmail_account] TO [evaluator];
225
274
GO
226
-
275
+
227
276
-- Clean up
228
277
--use master;
229
278
-- EXECUTE sp_MSforeachdb 'USE [?]; BEGIN TRY DROP USER [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;'
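Review bot: In the Windows-authentication block the added line `SELECT @SID = N'0x'+CONVERT(NVARCHAR, sid, 2) FROM sys.syslogins WHERE name ='MYDOMAIN\MYACCOUNT'` converts the SID with an unsized NVARCHAR, which CAST/CONVERT defaults to 30 characters, so a 28-byte domain SID (56 hex characters) is printed truncated; the SQL-authentication block in the same hunk already uses `CONVERT(NVARCHAR(100), sid, 2)`, and the Windows block should match it (the missing spaces in `FROMsys.sysloginswhere` look like a rendering artefact of this page rather than the file's text). The `GRANT EXECUTE ON OBJECT::sys.xp_instance_regread` lines are new server-level grants that let the assessment account read instance registry values, and nothing in the hunk says why; a one-line comment such as `-- xp_instance_regread: required by <assessment check placeholder>; review before granting on shared instances` would keep the script's least-privilege intent auditable. Removing the BEGIN TRY/CATCH wrappers also changes failure behaviour inside the sp_MSforeachdb loop: the new IIF check only skips secondary databases with secondary_role_allow_connections = 2, so a `USE [?]` against a secondary set to 0 or 1 will presumably surface as an error mid-iteration instead of a printed message (unless sp_MSforeachdb already skips databases the caller cannot access), which is worth stating in the comment above the EXECUTE sp_MSforeachdb call.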