Rules
A list of the available rules.
NoAlterAppRole
Checks for any SQL statements that alter an application role.
ID: S012
This rule checks for the following statements:
- ALTER APPLICATION ROLE
- sp_approlepassword
NoAlterAuthExceptObject
Checks for any SQL statements that alter authorization on anything other than an object (for example a schema, database or server-level securable).
ID: S022
This rule checks for the following statements:
- ALTER AUTHORIZATION ON *
Exceptions:
- ALTER AUTHORIZATION ON OBJECT
NoAlterDatabaseAll
Checks for any SQL statements that alter any database configuration.
ID: S019
This rule checks for the following statements:
- ALTER DATABASE
- DBCC SHRINKDATABASE
- DBCC SHRINKFILE
NoAlterDatabaseFiles
Checks for any SQL statements that alter a database file.
ID: S020
This rule checks for the following statements:
- ALTER DATABASE ADD FILE
- ALTER DATABASE ADD LOG FILE
- ALTER DATABASE ADD FILEGROUP
- ALTER DATABASE REMOVE FILE
- ALTER DATABASE REMOVE LOG FILE
- ALTER DATABASE REMOVE FILEGROUP
- ALTER DATABASE MODIFY FILE
- ALTER DATABASE MODIFY LOG FILE
- ALTER DATABASE MODIFY FILEGROUP
- DBCC SHRINKDATABASE
- DBCC SHRINKFILE
NoAlterDatabaseRole
Checks for any SQL statements that alter a database role.
ID: S009
This rule checks for the following statements:
- ALTER ROLE
- sp_addrolemember
- sp_droprolemember
NoAlterLogin
Checks for any SQL statements that alter a login.
ID: S003
This rule checks for the following statements:
- ALTER LOGIN
- sp_denylogin
- sp_change_users_login
- sp_password
- sp_defaultdb
- sp_defaultlanguage
NoAlterServerConfiguration
Checks for any SQL statements that alter the server configuration.
ID: S021
This rule checks for the following statements:
- ALTER SERVER CONFIGURATION
- sp_configure
NoAlterServerRole
Checks for any SQL statements that alter a server role.
ID: S006
This rule checks for the following statements:
- ALTER SERVER ROLE
- sp_addsrvrolemember
- sp_dropsrvrolemember
NoAlterUser
Checks for any SQL statements that alter a user.
ID: S016
This rule checks for the following statements:
- ALTER USER
- sp_change_users_login
- sp_migrate_user_to_contained
NoBackup
Checks for any SQL statements that create a backup.
ID: S023
This rule checks for the following statements:
- BACKUP
NoCreateAppRole
Checks for any SQL statements that create an application role.
ID: S010
This rule checks for the following statements:
- CREATE APPLICATION ROLE
- sp_addapprole
NoCreateDatabase
Checks for any SQL statements that create a database.
ID: S017
This rule checks for the following statements:
- CREATE DATABASE
- sp_attach_db
- sp_attach_single_file_db
- DBCC CLONEDATABASE
NoCreateDatabaseRole
Checks for any SQL statements that create a database role.
ID: S007
This rule checks for the following statements:
- CREATE ROLE
- sp_addrole
NoCreateLogin
Checks for any SQL statements that create a login.
ID: S001
This rule checks for the following statements:
- CREATE LOGIN
- sp_grantlogin
- sp_addlogin
- sp_addremotelogin
NoCreateServerRole
Checks for any SQL statements that create a server role.
ID: S004
This rule checks for the following statements:
- CREATE SERVER ROLE
NoCreateUser
Checks for any SQL statements that create a user.
ID: S014
This rule checks for the following statements:
- CREATE USER
- sp_adduser
- sp_grantdbaccess
NoDropAppRole
Checks for any SQL statements that drop an application role.
ID: S011
This rule checks for the following statements:
- DROP APPLICATION ROLE
- sp_dropapprole
NoDropDatabase
Checks for any SQL statements that drop a database.
ID: S018
This rule checks for the following statements:
- DROP DATABASE
- sp_detach_db
- sp_dbremove
NoDropDatabaseRole
Checks for any SQL statements that drop a database role.
ID: S008
This rule checks for the following statements:
- DROP ROLE
- sp_droprole
NoDropLogin
Checks for any SQL statements that drop a login.
ID: S002
This rule checks for the following statements:
- DROP LOGIN
- sp_droplogin
- sp_dropremotelogin
- sp_revokelogin
NoDropServerRole
Checks for any SQL statements that drop a server role.
ID: S005
This rule checks for the following statements:
- DROP SERVER ROLE
NoDropUser
Checks for any SQL statements that drop a user.
ID: S015
This rule checks for the following statements:
- DROP USER
- sp_dropuser
- sp_revokedbaccess
NoDynamicSQL
Checks for any SQL statements that execute dynamic SQL, that is, statement text assembled and run at run time. Parameterised forms such as sp_executesql are reported as well, since the rule forbids dynamic execution altogether rather than only unsafe string concatenation.
ID: S013
This rule checks for the following statements:
- EXEC (string)
- sp_executesql
- sp_prepexec
- sp_execute
- sp_cursorprepexec
- sp_cursorexecute
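The following T-SQL is an added example and is not part of the rule documentation or of the tool itself. It shows the same lookup procedure written twice: once in the dynamic form this rule reports (including the parameterised sp_executesql call), and once statically so that it passes. The table dbo.Customers and the parameters @CustomerName and @Region are hypothetical names chosen for the illustration.

```sql
-- Added example (not from the rule documentation). dbo.Customers,
-- @CustomerName and @Region are hypothetical names.

-- 1. Reported by NoDynamicSQL: the statement text is built at run time.
--    Concatenating @CustomerName into the string is also a textbook SQL
--    injection sink. The @Region filter is passed as a parameter, which
--    removes the injection risk but is still dynamic execution, so the
--    sp_executesql call is reported just like EXEC (@sql) would be.
CREATE OR ALTER PROCEDURE dbo.FindCustomers_Dynamic
    @CustomerName nvarchar(100) = NULL,
    @Region       nvarchar(50)  = NULL
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, CustomerName, Region FROM dbo.Customers WHERE 1 = 1';

    IF @CustomerName IS NOT NULL
        SET @sql += N' AND CustomerName = N''' + @CustomerName + N'''';  -- injectable
    IF @Region IS NOT NULL
        SET @sql += N' AND Region = @Region';                            -- parameterised, still dynamic

    EXEC sp_executesql @sql, N'@Region nvarchar(50)', @Region = @Region;
    -- EXEC (@sql); would be reported the same way.
END;
GO

-- 2. Passes NoDynamicSQL: the optional filters are expressed in static
--    T-SQL. No string is executed, so there is no injection sink and the
--    procedure text is what actually runs.
CREATE OR ALTER PROCEDURE dbo.FindCustomers_Static
    @CustomerName nvarchar(100) = NULL,
    @Region       nvarchar(50)  = NULL
AS
BEGIN
    SET NOCOUNT ON;

    SELECT CustomerId, CustomerName, Region
    FROM dbo.Customers
    WHERE (@CustomerName IS NULL OR CustomerName = @CustomerName)
      AND (@Region       IS NULL OR Region       = @Region)
    OPTION (RECOMPILE);  -- lets the optimiser fold the NULL checks per call
END;
GO
```

The static version is the usual way to keep "optional filter" procedures free of dynamic SQL; OPTION (RECOMPILE) avoids the plan-quality penalty that the `@p IS NULL OR col = @p` pattern otherwise carries.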
NoGrantExceptObject
Checks for any SQL statements that grant permissions on anything other than an object (a table, procedure, view, etc.).
This rule restricts grants to data-level permissions on individual objects. Beyond requiring the OBJECT scope, it also withholds object-level permissions that would let the grantee change, take over or drop the referenced object, such as ALTER, CONTROL and TAKE OWNERSHIP.
ID: S024
This rule checks for the following statements:
- GRANT *
Exceptions:
- GRANT DELETE ON OBJECT::*
- GRANT EXECUTE ON OBJECT::*
- GRANT INSERT ON OBJECT::*
- GRANT RECEIVE ON OBJECT::*
- GRANT SELECT ON OBJECT::*
- GRANT UPDATE ON OBJECT::*
- GRANT VIEW DEFINITION ON OBJECT::*
- GRANT VIEW CHANGE TRACKING ON OBJECT::*
- GRANT REFERENCES (*) ON OBJECT::*
- GRANT UNMASK ON OBJECT::*
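The following T-SQL is an added example and is not part of the rule documentation or of the tool itself. It sets up a least-privilege principal with grants that pass this rule, lists the grant forms that are reported, and then demonstrates why the object-level ALTER permission is kept out of the exception list. The table dbo.Orders, the procedure dbo.GetOrder and the user app_reader are hypothetical names; run it as a database owner in a scratch database.

```sql
-- Added example (not from the rule documentation). dbo.Orders, dbo.GetOrder
-- and app_reader are hypothetical names. Run as db_owner in a scratch database.
CREATE TABLE dbo.Orders
(
    OrderId    int           NOT NULL PRIMARY KEY,
    CustomerId int           NOT NULL,
    Notes      nvarchar(200) NULL
);
GO
CREATE PROCEDURE dbo.GetOrder @OrderId int
AS
    SELECT OrderId, CustomerId, Notes FROM dbo.Orders WHERE OrderId = @OrderId;
GO

-- A loginless user so the effect can be tested with EXECUTE AS below.
-- (CREATE USER is itself reported by NoCreateUser, S014.)
CREATE USER app_reader WITHOUT LOGIN;

-- Pass: the permission is in the exception list and the securable is
-- addressed explicitly as OBJECT::, the form the exception list names.
GRANT SELECT          ON OBJECT::dbo.Orders   TO app_reader;
GRANT EXECUTE         ON OBJECT::dbo.GetOrder TO app_reader;
GRANT VIEW DEFINITION ON OBJECT::dbo.Orders   TO app_reader;

-- Reported: the securable is not an object (schema- and database-scoped).
GRANT SELECT       ON SCHEMA::dbo TO app_reader;
GRANT CREATE TABLE TO app_reader;

-- Reported: object-scoped, but the permission is not an exception because
-- it lets the grantee change, take over or drop the object.
GRANT ALTER          ON OBJECT::dbo.Orders TO app_reader;
GRANT TAKE OWNERSHIP ON OBJECT::dbo.Orders TO app_reader;
GRANT CONTROL        ON OBJECT::dbo.Orders TO app_reader;

-- What the reported ALTER grant hands out. With only the SELECT grant the
-- statement below fails with a permission error; with ALTER on the object
-- it succeeds and the column and its data are gone (assuming no constraint
-- or index depends on Notes). TAKE OWNERSHIP goes further: the grantee can
-- run ALTER AUTHORIZATION ON OBJECT::dbo.Orders TO app_reader and, as the
-- new owner, drop the table outright.
EXECUTE AS USER = 'app_reader';
ALTER TABLE dbo.Orders DROP COLUMN Notes;
REVERT;
```

Two points worth noting when writing scripts against this rule. The exception list names only the explicit `OBJECT::` form, so write object grants that way rather than relying on the implicit default securable class. And note how S022 (NoAlterAuthExceptObject) and S024 fit together: S022 still permits ALTER AUTHORIZATION ON OBJECT in a script, while S024 keeps TAKE OWNERSHIP out of the permissions a script may hand to other principals.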