- Threat ID
- Threat Date
- Threat Name: CONTROL SERVER permission granted
- CVE Reference
- CCE Reference
- Database Type: Microsoft SQL Server
- Improper Access Controls
- Microsoft SQL Server 2005, 2008, 2008R2 and 2012
- CONTROL SERVER permission gives complete control over SQL Server. You should review the logins and roles granted this permission and verify that only database administrators have been granted CONTROL SERVER permission.
- CONTROL SERVER permission gives complete control over SQL Server. This permission should be granted only to database administrators.
You should review the list of logins and roles granted this permission and revoke the permission from any logins or roles that do not require it.
In SQL Server 2005 and later versions, the visibility of metadata in catalog views is limited to securables that the user either owns or has been granted some permission on. Audits should therefore be run only by privileged users. Minimum permissions for a user who can perform audits: "VIEW DEFINITION" on every database OR "VIEW ANY DEFINITION" on the server, "ALTER ANY LOGIN", "ALTER ANY SERVER ROLE" and "VIEW DEFINITION ON SERVER ROLE".
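An audit query for the review described above, as an added example that is not part of the original entry or of the vendor's fix script. It uses the standard catalog views sys.server_permissions, sys.server_principals and sys.server_role_members; the principal name in the commented REVOKE is a placeholder.

```sql
-- Added example. Run as a login with the audit permissions listed above;
-- an under-privileged login sees only part of the metadata and the result
-- will look cleaner than it is.

-- 1. Logins and server roles granted CONTROL SERVER directly.
SELECT
    pr.name        AS principal_name,
    pr.type_desc   AS principal_type,
    pr.is_disabled AS is_disabled,
    pe.state_desc  AS grant_state,   -- GRANT or GRANT_WITH_GRANT_OPTION
    gr.name        AS granted_by
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr
    ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.server_principals AS gr
    ON gr.principal_id = pe.grantor_principal_id
WHERE pe.class = 100                           -- server-level securable
  AND pe.permission_name = N'CONTROL SERVER'
  AND pe.state IN ('G', 'W')                   -- granted, with or without grant option
ORDER BY pr.type_desc, pr.name;

-- 2. Members of any server role that holds CONTROL SERVER.
--    These principals inherit the permission without a direct grant.
SELECT
    r.name      AS role_name,
    m.name      AS member_name,
    m.type_desc AS member_type
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS r
    ON r.principal_id = pe.grantee_principal_id
   AND r.type = 'R'                            -- server role
JOIN sys.server_role_members AS rm
    ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals AS m
    ON m.principal_id = rm.member_principal_id
WHERE pe.class = 100
  AND pe.permission_name = N'CONTROL SERVER'
  AND pe.state IN ('G', 'W')
ORDER BY r.name, m.name;

-- 3. Remediation for a principal that does not require the permission.
--    [placeholder_principal] is a placeholder, not a real name.
--    CASCADE is needed when the grant was made WITH GRANT OPTION.
-- REVOKE CONTROL SERVER FROM [placeholder_principal] CASCADE;
```

Compare the rows returned against the list of approved database administrators; any other login, or any role with non-administrator members, is a finding.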
Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.