Rules

A list of the available rules.


NoAlterAppRole

Checks for any SQL statements that alter an application role.

ID: S012

This rule checks for the following statements:

  • ALTER APPLICATION ROLE
  • sp_approlepassword

NoAlterAuthExceptObject

Checks for any SQL statements that alter an authorization on anything other than an object.

ID: S022

This rule checks for the following statements:

  • ALTER AUTHORIZATION ON *

Exceptions:

  • ALTER AUTHORIZATION ON OBJECT

NoAlterDatabaseAll

Checks for any SQL statements that alter any database configuration.

ID: S019

This rule checks for the following statements:

  • ALTER DATABASE
  • DBCC SHRINKDATABASE
  • DBCC SHRINKFILE

NoAlterDatabaseFiles

Checks for any SQL statements that alter a database file.

ID: S020

This rule checks for the following statements:

  • ALTER DATABASE ADD FILE
  • ALTER DATABASE ADD LOG FILE
  • ALTER DATABASE ADD FILEGROUP
  • ALTER DATABASE REMOVE FILE
  • ALTER DATABASE REMOVE LOG FILE
  • ALTER DATABASE REMOVE FILEGROUP
  • ALTER DATABASE MODIFY FILE
  • ALTER DATABASE MODIFY LOG FILE
  • ALTER DATABASE MODIFY FILEGROUP
  • DBCC SHRINKDATABASE
  • DBCC SHRINKFILE

NoAlterDatabaseRole

Checks for any SQL statements that alter a database role.

ID: S009

This rule checks for the following statements:

  • ALTER ROLE
  • sp_addrolemember
  • sp_droprolemember

NoAlterLogin

Checks for any SQL statements that alter a login.

ID: S003

This rule checks for the following statements:

  • ALTER LOGIN
  • sp_denylogin
  • sp_change_users_login
  • sp_password
  • sp_defaultdb
  • sp_defaultlanguage

NoAlterServerConfiguration

Checks for any SQL statements that alter the server configuration.

ID: S021

This rule checks for the following statements:

  • ALTER SERVER CONFIGURATION
  • sp_configure

NoAlterServerRole

Checks for any SQL statements that alter a server role.

ID: S006

This rule checks for the following statements:

  • ALTER SERVER ROLE
  • sp_addsrvrolemember
  • sp_dropsrvrolemember

NoAlterUser

Checks for any SQL statements that alter a user.

ID: S016

This rule checks for the following statements:

  • ALTER USER
  • sp_change_users_login
  • sp_migrate_user_to_contained

NoBackup

Checks for any SQL statements that create a backup.

ID: S023

This rule checks for the following statements:

  • BACKUP

NoCreateAppRole

Checks for any SQL statements that create an application role.

ID: S010

This rule checks for the following statements:

  • CREATE APPLICATION ROLE
  • sp_addapprole

NoCreateDatabase

Checks for any SQL statements that create a database.

ID: S017

This rule checks for the following statements:

  • CREATE DATABASE
  • sp_attach_db
  • sp_attach_single_file_db
  • DBCC CLONEDATABASE

NoCreateDatabaseRole

Checks for any SQL statements that create a database role.

ID: S007

This rule checks for the following statements:

  • CREATE ROLE
  • sp_addrole

NoCreateLogin

Checks for any SQL statements that create a login.

ID: S001

This rule checks for the following statements:

  • CREATE LOGIN
  • sp_grantlogin
  • sp_addlogin
  • sp_addremotelogin

NoCreateServerRole

Checks for any SQL statements that create a server role.

ID: S004

This rule checks for the following statements:

  • CREATE SERVER ROLE

NoCreateUser

Checks for any SQL statements that create a user.

ID: S014

This rule checks for the following statements:

  • CREATE USER
  • sp_adduser
  • sp_grantdbaccess

NoDropAppRole

Checks for any SQL statements that drop an application role.

ID: S011

This rule checks for the following statements:

  • DROP APPLICATION ROLE
  • sp_dropapprole

NoDropDatabase

Checks for any SQL statements that drop a database.

ID: S018

This rule checks for the following statements:

  • DROP DATABASE
  • sp_detach_db
  • sp_dbremove

NoDropDatabaseRole

Checks for any SQL statements that drop a database role.

ID: S008

This rule checks for the following statements:

  • DROP ROLE
  • sp_droprole

NoDropLogin

Checks for any SQL statements that drop a login.

ID: S002

This rule checks for the following statements:

  • DROP LOGIN
  • sp_droplogin
  • sp_dropremotelogin
  • sp_revokelogin

NoDropServerRole

Checks for any SQL statements that drop a server role.

ID: S005

This rule checks for the following statements:

  • DROP SERVER ROLE

NoDropUser

Checks for any SQL statements that drop a user.

ID: S015

This rule checks for the following statements:

  • DROP USER
  • sp_dropuser
  • sp_revokedbaccess

NoDynamicSQL

Checks for any SQL statements that execute dynamic SQL.

ID: S013

This rule checks for the following statements:

  • EXEC (string)
  • sp_executesql
  • sp_prepexec
  • sp_execute
  • sp_cursorprepexec
  • sp_cursorexecute

NoGrantExceptObject

Checks for any SQL statements that grant permissions on anything other than objects (table, procedure, etc.).

This rule limits grants to data-access permissions at the object level. Besides restricting grants to objects, it also blocks grants of permissions that could alter or drop the referenced objects, such as ALTER and TAKE OWNERSHIP.

ID: S024

This rule checks for the following statements:

  • GRANT *

Exceptions:

  • GRANT DELETE ON OBJECT::*
  • GRANT EXECUTE ON OBJECT::*
  • GRANT INSERT ON OBJECT::*
  • GRANT RECEIVE ON OBJECT::*
  • GRANT SELECT ON OBJECT::*
  • GRANT UPDATE ON OBJECT::*
  • GRANT VIEW DEFINITION ON OBJECT::*
  • GRANT VIEW CHANGE TRACKING ON OBJECT::*
  • GRANT REFERENCES () ON OBJECT::
  • GRANT UNMASK ON OBJECT::*