Is your feature request related to a problem? Please describe.
In attempts to fix permission-related issues, people might end up adding the SQL Server and/or SQL Server Agent service account(s) to the local Administrators group or, even worse, set them to run as Local System or NT AUTHORITY\SYSTEM.
These types of shortcuts lead to news articles such as this one.
Describe the solution you'd like
Adding the following 4 checks:
CheckId 258 Check if SQL Server is running as Local System or NT AUTHORITY\SYSTEM
CheckId 259 Check if SQL Server Agent is running as Local System or NT AUTHORITY\SYSTEM
CheckID 260 Check if SQL Server service account is a member of the local Administrators group - only done when sp_Blitz is executed with @CheckServerInfo = 1
CheckID 261 Check if SQL Server Agent service account is a member of the local Administrators group - only done when sp_Blitz is executed with @CheckServerInfo = 1
These result in Priority 1 findings letting users know that SQL Server services are running under accounts with unreasonably high privileges.
The URL used is https://www.brentozar.com/go/setup, but if you think some more practical example is good to drive the point home, I've set this up: https://vladdba.com/SQLServerSvcAccount
Output example for CheckID 258 and CheckID 259.
Output example for CheckID 260 and CheckID 261.
Debug messages
Running CheckId [258].
Running CheckId [259].
[...]
Running CheckId [260].
Running CheckId [261].
CheckId [261] - found #localadmins table from CheckID 260 - no need to call xp_cmdshell again
If CheckID 260 was not skipped and ran successfully, CheckID 261 reuses the same output temp table to not have to call xp_cmdshell more times than needed.
All these 4 checks are added to the checks to skip on Azure SQL MI.
Describe alternatives you've considered
Eye twitching when seeing some sp_Blitz results.
Are you ready to build the code for the feature?
Yup, pull request incoming right after I submit the issue.
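
The four checks described in this issue, sketched as a stand-alone T-SQL audit (an added example, not code from the issue, the pull request or sp_Blitz). It assumes `sys.dm_server_services` reports Local System as `LocalSystem` or `NT AUTHORITY\SYSTEM`, an English-language Windows group name, and that `xp_cmdshell` is already enabled; otherwise the group check is skipped.

```sql
-- Added example: not the sp_Blitz implementation.
SET NOCOUNT ON;

-- Same idea as CheckID 258/259: engine or Agent running as Local System.
-- Assumption: the DMV shows that account as 'LocalSystem' or 'NT AUTHORITY\SYSTEM'.
SELECT servicename, service_account,
       N'Runs as Local System' AS finding
FROM sys.dm_server_services
WHERE (servicename LIKE N'SQL Server (%' OR servicename LIKE N'SQL Server Agent (%')
  AND UPPER(service_account) IN (N'LOCALSYSTEM', N'NT AUTHORITY\SYSTEM');

-- Same idea as CheckID 260/261: service account listed in local Administrators.
-- Runs only for sysadmins when xp_cmdshell is already enabled; never enables it.
IF IS_SRVROLEMEMBER(N'sysadmin') = 1
   AND EXISTS (SELECT 1 FROM sys.configurations
               WHERE name = N'xp_cmdshell' AND CAST(value_in_use AS INT) = 1)
BEGIN
    -- One xp_cmdshell call; both service accounts are matched against its output.
    -- Assumption: English Windows, where the group is named "Administrators".
    CREATE TABLE #localadmins (member NVARCHAR(255) NULL);
    INSERT INTO #localadmins (member)
    EXEC xp_cmdshell N'net localgroup Administrators';

    -- Limitation: only direct members whose name matches the DMV value are found
    -- (for example domain accounts); nested group membership is not resolved.
    SELECT s.servicename, s.service_account,
           N'Member of local Administrators' AS finding
    FROM sys.dm_server_services AS s
    JOIN #localadmins AS a
      ON UPPER(LTRIM(RTRIM(a.member))) = UPPER(s.service_account)
    WHERE s.servicename LIKE N'SQL Server (%'
       OR s.servicename LIKE N'SQL Server Agent (%';

    DROP TABLE #localadmins;
END
ELSE
    PRINT N'Skipped local Administrators check: needs sysadmin and xp_cmdshell enabled.';
```

Any row returned by either query is a service account with more privilege than the database engine needs; an empty result from the second query does not rule out membership through a nested group.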