SQL Server Guest Account
Check Description
This check determines whether the Microsoft® SQL Server™ Guest account has access to databases (excluding master, tempdb, and msdb). All databases to which the account has access are listed in the security report.
Note
- If you get the "No permissions to access database" error message, you might not have permissions to the master database.
In SQL Server, a user logon account must be authorized to access a database and its objects in one of the following ways:
- The logon account can be specified as a database user.
- The logon account can use a Guest account in the database.
- A Windows group logon can be mapped to a database role. Individual Windows accounts that are members of that group can then connect to the database.
Members of the db_owner or db_accessadmin database roles, or the Sysadmin fixed server role, create the database user account roles. An account can include several parameters: the SQL Server logon ID, database user name (optional), and up to one role name (optional). The database user name does not have to be the same as the user's logon ID. If a database user name is not provided, the user's logon ID and database user name are identical. After the database user is created, it can be assigned to as many roles as necessary. If a role name is not provided, the database user is only a member of the public role.
Members of the db_owner, db_accessadmin, or Sysadmin roles can also create a Guest account. The Guest account allows any valid SQL Server logon account to access a database, even without a database user account. By default, the Guest account inherits any privileges that have been assigned to the public role. However, these privileges can be changed to be greater or less than those of the public role.
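The following T-SQL is an added example, not part of the original check or of the tool that performs it. It reproduces the audit by hand: it lists every online database other than master, tempdb, and msdb in which guest holds CONNECT, and flags databases the auditing logon cannot open. It assumes SQL Server 2005 or later (the sys.* catalog views), and the temp table name is constructed for the example.

```sql
-- Added example. Assumes SQL Server 2005 or later (sys.* catalog views).
SET NOCOUNT ON;

CREATE TABLE #guest_access (           -- constructed temp table name
    database_name sysname       NOT NULL,
    finding       nvarchar(100) NOT NULL
);

DECLARE @db sysname, @sql nvarchar(max);

DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE name NOT IN (N'master', N'tempdb', N'msdb')   -- excluded by the check
      AND state_desc = N'ONLINE';

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;

WHILE @@FETCH_STATUS = 0
BEGIN
    IF HAS_DBACCESS(@db) = 1
    BEGIN
        -- guest can be used only while it holds CONNECT at database scope.
        SET @sql = N'SELECT @name, N''guest: '' + p.state_desc
            FROM ' + QUOTENAME(@db) + N'.sys.database_principals AS dp
            JOIN ' + QUOTENAME(@db) + N'.sys.database_permissions AS p
              ON p.grantee_principal_id = dp.principal_id
            WHERE dp.name = N''guest''
              AND p.class = 0                        -- database-level permission
              AND p.permission_name = N''CONNECT''
              AND p.state IN (''G'', ''W'');';       -- GRANT, GRANT WITH GRANT OPTION

        INSERT INTO #guest_access (database_name, finding)
            EXEC sp_executesql @sql, N'@name sysname', @name = @db;
    END
    ELSE
        -- The auditing logon cannot open this database, so it cannot be assessed.
        INSERT INTO #guest_access VALUES (@db, N'not checked: no access');

    FETCH NEXT FROM db_cursor INTO @db;
END

CLOSE db_cursor;
DEALLOCATE db_cursor;

SELECT database_name, finding FROM #guest_access ORDER BY database_name;
DROP TABLE #guest_access;
```

On those versions, running `REVOKE CONNECT FROM guest;` inside a listed database removes the access. A database that does not appear in the output has guest disabled.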
Additional Information
- SQL Server Security Strategies
- Establishing Application Security and Application Roles
©2002-2004 Microsoft Corporation. All rights reserved.