Your SQL Server Is Handing Attackers a Map — By Default

Source: CQURE Academy

Author: Daniel

URL: https://cqureacademy.com/blog/your-sql-server-is-handing-attackers-a-map-by-default/

ONE SENTENCE SUMMARY:

SQL Server grants the public server role VIEW ANY DATABASE by default, enabling database enumeration and exposing misconfigurations such as guest CONNECT access and TRUSTWORTHY-based escalation.

MAIN POINTS:

  1. Newly created logins can list all databases without any explicit permissions.
  2. This default visibility exists because the public server role is granted the server-level permission VIEW ANY DATABASE.
  3. Enumerating database names reveals sensitive business context before any data access.
  4. Attackers can probe for databases with guest CONNECT accidentally enabled.
  5. Enabling guest CONNECT in one database gives every login on the server access to that database.
  6. Scripted checks can identify databases where guest is effectively active.
  7. REVOKE CONNECT FROM guest is recommended outside master, tempdb, and msdb.
  8. Filtering for is_trustworthy_on highlights potential privilege escalation targets.
  9. TRUSTWORTHY ON plus sa ownership enables db_owner to reach sysadmin via EXECUTE AS OWNER.
  10. Revoking VIEW ANY DATABASE has manageable operational impacts on tools and SSMS visibility.

TAKEAWAYS:

  1. Remove public’s database enumeration power, then explicitly grant it to needed accounts only.
  2. Audit every database for accidental guest CONNECT grants and disable where unnecessary.
  3. Treat db_owner requests as high risk, granting least privilege instead.
  4. Identify and remediate TRUSTWORTHY ON databases, especially those owned by sysadmin accounts.
  5. Accept msdb’s TRUSTWORTHY requirement but harden by restricting code, permissions, and monitoring DDL.
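The checks and remediations listed under MAIN POINTS and TAKEAWAYS, as an added T-SQL audit script that is not from the CQURE post: it reads only metadata and prints the REVOKE / ALTER DATABASE statements for review rather than executing them. It assumes a sysadmin session on the instance and the catalog views sys.server_permissions, sys.database_permissions and sys.databases.

```sql
-- Added example (not the CQURE post's own code). Run as sysadmin; read-only.
SET NOCOUNT ON;

-- 1. Is VIEW ANY DATABASE still granted to the public server role?
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = N'VIEW ANY DATABASE' AND pr.name = N'public';
-- Remediation (not executed here):
--   REVOKE VIEW ANY DATABASE FROM public;
--   GRANT VIEW ANY DATABASE TO [needed_login];   -- per account, as required

-- 2. Which user databases have guest CONNECT granted?
--    sys.database_permissions is per database, so visit each one with
--    dynamic SQL; master, tempdb and msdb are skipped because guest is
--    expected to be enabled there.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'USE ' + QUOTENAME(name) + N';
SELECT DB_NAME() AS database_name, N''REVOKE CONNECT FROM guest;'' AS remediation
FROM sys.database_permissions AS p
JOIN sys.database_principals AS u ON u.principal_id = p.grantee_principal_id
WHERE u.name = N''guest'' AND p.permission_name = N''CONNECT'' AND p.state = ''G'';
'
FROM sys.databases
WHERE name NOT IN (N'master', N'tempdb', N'msdb') AND state_desc = N'ONLINE';
EXEC sys.sp_executesql @sql;

-- 3. TRUSTWORTHY ON databases and their owner. A sysadmin-owned one is the
--    escalation path described above (db_owner -> sysadmin via EXECUTE AS OWNER).
--    msdb is excluded because it legitimately requires TRUSTWORTHY ON.
SELECT d.name AS database_name,
       SUSER_SNAME(d.owner_sid) AS owner_login,
       IS_SRVROLEMEMBER(N'sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin,
       N'ALTER DATABASE ' + QUOTENAME(d.name) + N' SET TRUSTWORTHY OFF;' AS remediation
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1 AND d.name <> N'msdb';
```

Each section returns one result set; review the remediation column before running any of the printed statements, since revoking VIEW ANY DATABASE affects what monitoring tools and SSMS can see.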