
CIRATS Remediation: Health Check deviations on the report performed by SCS team.

Risk: Medium - Requires one SQL instance restart

Deviations to be corrected:

1-) Alter SQL Server Log Retention Period to 99 versions
*It does not need Server or Instance Reboot.*

2-) Remove permissions of BUILTIN\Administrators
*Only the System Administrators Role (SA).*
*It does not need Server or Instance Reboot.*

3-) (SQL Server 2000) Delete Windows User SQLDebugger
*Applicable only in SQL Server 2000.*
*It DOES need to be done on each node of the cluster.*
*It does not need Server or Instance Reboot.*

4-) (SQL Server 2000) Delete Guest from User databases
*In SQL Server 2000 the Guest User can be deleted from User Databases.*
- 4.1 Run the query below to identify the databases in which the Guest User is activated:

    print 'The Guest Has access to the following databases'
    EXEC sp_MSForEachDB 'Use [?]; if (Select count(*) from sysusers Where name = ''guest'' and hasdbaccess = 1) = 1 print db_Name()'

- 4.2 If Guest exists in User databases, delete the Guest User from each of them.
*The Guest user is located inside the User databases, not among the SQL (Instance) users.*
*Guest User deletion is not allowed in System databases (Master, Msdb, TempDB, Model).*

5-) (SQL Server 2005) Disable Guest from User databases
*In SQL Server 2005 the Guest User can only be disabled in User Databases.*
- 5.1 Run the query below to identify the databases in which the Guest User is activated:

    print 'The Guest Has access to the following databases'
    EXEC sp_MSForEachDB 'Use [?]; if (Select count(*) from sysusers Where name = ''guest'' and hasdbaccess = 1) = 1 print db_Name()'

- 5.2 If Guest exists in User databases, Disable (Right-Click -> Disable) the Guest User in each of them.
*The Guest user is located inside the User databases, not among the SQL (Instance) users.*
*Guest User deletion is not allowed in System databases (Master, Msdb, TempDB, Model).*

6-) Disable Cross database ownership chaining
*It does not need Server or Instance Reboot.*
- 6.1 Execute the query below to check the current configuration (SQL Server 2000 and SQL Server 2005):

    sp_configure 'Cross DB Ownership Chaining'

Result should be:

If it is different, execute the next step.
- 6.2 To correct the values (it MUST be blank): (SQL Server 2005) (SQL Server 2000)

Right-Click -> Properties on the Instance Name

7-) Alter users' default database from Master to TempDB
*It does not need Server or Instance Reboot.*
Execute the query below to check the current configuration:

    SELECT name, dbname FROM master..syslogins WHERE dbname = 'master'

Wrong possible result:

Changing Default database for the user in SQL Server 2005 by windows:

In SQL Server 2005 only the users below should remain in the Master DB:

Changing Default database for the user in SQL Server 2005 by Script:

    EXEC sp_defaultdb 'Domain\user', 'tempdb'

or

    EXEC sp_defaultdb 'user', 'tempdb'

Example:

8-) Alter login attempt log to "All" (Instance Properties)
*It DOES need Server or Instance Reboot.*
SQL Server 2000: Instance Properties -> Select ALL.
SQL Server 2005: Instance Properties -> Both as below:

9-) Alter login authentication to Mixed
*It DOES need Server or Instance Reboot.*
SQL Server 2000: Instance Properties -> Select SQL and Windows Authentication.
SQL Server 2005: Instance Properties -> Both as below:

10-) (If applicable, because some instances have no domain service account) Alter the startup account to the instance's default service account
*It DOES need Server or Instance Reboot.*
Look up the Service account in Password Vault (https://passwordvault.intra.aexp.com/passwordvault) using the specific instance name.

11-) (If applicable/exist) Delete IBMBR SQL logins: Taskcheck, DRextract and EMERSA from the instance.

12-) (SQL 2000) Delete sample databases: Pubs and Northwind.
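
The checks behind steps 2, 4/5, 7, 11 and 12 can be gathered into one read-only pass before and after remediation. The script below is an added example, not part of the original procedure; the temporary table #findings and its columns are assumptions made for the example, and it relies on the same compatibility views (syslogins, sysusers, sysdatabases) and the sp_MSForEachDB procedure used in the steps above.

```sql
-- Added example: read-only audit for steps 2, 4/5, 7, 11 and 12.
-- Makes no changes. On a case-sensitive instance the name comparisons
-- below are case-sensitive as well.
SET NOCOUNT ON;

CREATE TABLE #findings (            -- hypothetical working table
    step   varchar(5)   NOT NULL,
    item   sysname      NOT NULL,
    detail varchar(120) NOT NULL
);

-- Step 2: BUILTIN\Administrators still present as a login.
INSERT #findings
SELECT '2', name,
       CASE sysadmin WHEN 1 THEN 'login exists, member of sysadmin'
                     ELSE 'login exists, not sysadmin' END
FROM master..syslogins
WHERE name = 'BUILTIN\Administrators';

-- Steps 4/5: guest has access to a user database.
-- System databases are skipped, as the procedure excludes them.
EXEC sp_MSForEachDB '
    USE [?];
    IF DB_NAME() NOT IN (''master'', ''msdb'', ''tempdb'', ''model'')
       AND EXISTS (SELECT 1 FROM sysusers
                   WHERE name = ''guest'' AND hasdbaccess = 1)
        INSERT #findings VALUES (''4/5'', DB_NAME(), ''guest has database access'')';

-- Step 7: logins whose default database is master.
-- Compare the output with the logins that are allowed to stay on master.
INSERT #findings
SELECT '7', name, 'default database is master'
FROM master..syslogins
WHERE dbname = 'master';

-- Step 11: IBMBR logins that should be removed.
INSERT #findings
SELECT '11', name, 'login still exists'
FROM master..syslogins
WHERE name IN ('Taskcheck', 'DRextract', 'EMERSA');

-- Step 12: sample databases (SQL Server 2000).
INSERT #findings
SELECT '12', name, 'sample database still exists'
FROM master..sysdatabases
WHERE name IN ('pubs', 'Northwind');

SELECT step, item, detail FROM #findings ORDER BY step, item;
DROP TABLE #findings;
```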
