Blitz Result: Security Admins List
Like sysadmins, don’t think of these security accounts as just plain security admins.
Think of them as users who can get you fired.
“But you said that about sysadmins!” Yep. But the sysadmins aren’t alone.
Anyone in the security admin role can temporarily grant additional permissions to themselves (or others), do something they’re not supposed to, and then remove the permissions to hide their tracks. Surprise: security admins are essentially the equivalent of sysadmins.
This part of our SQL Server sp_Blitz script lists all of the users in the security admin role. If any of these names don’t seem familiar to you, you have a problem.
To Fix the Problem
Validate the logins with this right using the steps below.
Validate Permissions for SQL Server Security Admins and Reduce Where Needed
You probably don’t want to remove users willy-nilly, but you’ll definitely want to make sure everyone with this permission is approved.
- Copy the list of logins with this permission
- Verify that the logins should have those rights with business owners
- Remove or reduce permissions for any login that doesn’t need this right. For applications, be careful and test this before you make the change.
- If any of these logins use SQL Server Authentication, verify whether passwords are being rotated regularly. Consider changing to Windows authentication.
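
One way to pull the list for the review steps above, as an added example (not code from sp_Blitz itself). It assumes the role in question is the fixed server role `securityadmin`; `ExampleLogin` and `EXAMPLEDOMAIN\ExampleGroup` are placeholder names.

```sql
-- Added example: list every member of the securityadmin fixed server role,
-- with the details needed for the review. The SELECT is read-only.
SELECT
    m.name       AS login_name,
    m.type_desc  AS login_type,       -- SQL_LOGIN, WINDOWS_LOGIN or WINDOWS_GROUP
    m.is_disabled,
    m.create_date,
    m.modify_date,
    sl.is_policy_checked,             -- NULL for Windows principals
    sl.is_expiration_checked,         -- NULL for Windows principals
    -- LOGINPROPERTY returns sql_variant; NULL for Windows principals
    CAST(LOGINPROPERTY(m.name, 'PasswordLastSetTime') AS datetime)
        AS password_last_set,
    DATEDIFF(DAY,
             CAST(LOGINPROPERTY(m.name, 'PasswordLastSetTime') AS datetime),
             GETDATE()) AS password_age_days
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r
    ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m
    ON m.principal_id = rm.member_principal_id
LEFT JOIN sys.sql_logins     AS sl        -- only SQL Server Authentication logins
    ON sl.principal_id = m.principal_id
WHERE r.name = N'securityadmin'
ORDER BY m.type_desc, m.name;

-- A WINDOWS_GROUP row grants the right to everyone in that group, so expand
-- it before taking the list to the business owners (placeholder group name):
-- EXEC xp_logininfo N'EXAMPLEDOMAIN\ExampleGroup', 'members';

-- After sign-off and testing, remove a login that does not need the right
-- (placeholder login name):
-- ALTER SERVER ROLE [securityadmin] DROP MEMBER [ExampleLogin];
```

A SQL login with a large `password_age_days` and `is_expiration_checked = 0` is the case the last step is asking about: nothing is forcing that password to rotate.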