RulesDatabase.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<!--
  VA1020 (High, AuthenticationAndAuthorization): lists every database role that
  has the guest user as a member.
  The Query joins sys.database_role_members to sys.database_principals on the
  role's principal_id and keeps rows where member_principal_id is
  DATABASE_PRINCIPAL_ID('guest'); each returned row is one role name ([Role]).
  _x000D__x000A_ and _x0009_ are the CLIXML escapes for CR LF and TAB inside the
  serialized string.
  ExpectedResult is Nil; presumably the check passes only when the query returns
  no rows (confirm against the scanner that consumes this file).
  NOTE(review): the Title says "Server principal", while the Query and the
  Description concern the database user guest.
  NOTE(review): RemedSkeleton looks like a template in which $0 is replaced by
  the first result column (the role name). Role names come from the scanned
  database, so the consumer should escape "]" as "]]" (QUOTENAME semantics)
  before substituting into the bracketed identifier; verify in the consumer.
-->
<Obj RefId="0">
<TN RefId="0">
<T>Deserialized.System.Data.DataRow</T>
<T>Deserialized.System.Object</T>
</TN>
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">ca411b27-bf91-464b-9f69-7830f847673d</G>
<S N="RuleId">VA1020</S>
<S N="Severity">High</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">The guest user permits access to a database for any logins that are not mapped to a specific database user. This rule checks that no database roles are assigned to the Guest user.</S>
<S N="Title">Server principal GUEST should not be a member of any role</S>
<S N="Query">SELECT name as [Role]_x000D__x000A__x0009_FROM sys.database_role_members AS drms _x000D__x000A__x0009_JOIN sys.database_principals AS dps _x000D__x000A__x0009_ON drms.role_principal_id = dps.principal_id _x000D__x000A__x0009_WHERE member_principal_id = DATABASE_PRINCIPAL_ID('guest')</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">ALTER ROLE [$0] DROP MEMBER GUEST</S>
</Props>
</Obj>
<!--
  VA1042 (Medium, AuthenticationAndAuthorization): flags the current database
  when cross database ownership chaining is enabled.
  The Query returns a single row: Violation = 1 when the sys.databases row whose
  name equals Db_name() has is_db_chaining_on = 1, otherwise 0, together with
  Db_name() as [Database]. ExpectedResult "0" is the passing value of Violation.
  NOTE(review): the Title exempts 'master' and 'tempdb', but the Query contains
  no name-based exclusion; presumably the scanner skips those databases itself.
  Confirm, otherwise the rule reports them as findings.
  NOTE(review): RemedSkeleton looks like a template in which $1 is replaced by
  the second result column (the database name). The consumer should escape "]"
  as "]]" before substituting into the bracketed identifier; verify.
-->
<Obj RefId="1">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">7ae63878-53b3-4d46-bf3c-80343a223aae</G>
<S N="RuleId">VA1042</S>
<S N="Severity">Medium</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Cross database ownership chaining is an extension of ownership chaining, except it does cross the database boundary. This rule checks that this option is disabled for all databases except for 'master' and 'tempdb'.</S>
<S N="Title">Database ownership chaining should be disabled for all databases except for 'master' and 'tempdb'</S>
<S N="Query">SELECT CASE _x000D__x000A_ WHEN EXISTS (SELECT * _x000D__x000A_ FROM sys.databases _x000D__x000A_ WHERE NAME = Db_name() _x000D__x000A_ AND is_db_chaining_on = 1) THEN 1 _x000D__x000A_ ELSE 0 _x000D__x000A_ END AS Violation, _x000D__x000A_ Db_name() AS [Database]</S>
<S N="ExpectedResult">0</S>
<S N="RemedSkeleton">ALTER DATABASE [$1] SET DB_CHAINING OFF</S>
</Props>
</Obj>
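<!--
  VA1043 (Medium, AuthenticationAndAuthorization): flags the current database
  when the guest user holds a CONNECT permission entry.
  The Query returns Violation = 1 when sys.database_permissions has a row of
  type 'CO' whose grantee is DATABASE_PRINCIPAL_ID('guest'), otherwise 0.
  ExpectedResult "0" is the passing value.
  RemedSkeleton revokes CONNECT from guest. SQL Server does not allow the guest
  user to be dropped, only disabled, so a DROP USER remediation fails and leaves
  the finding open; revoking CONNECT removes exactly the permission row the
  Query tests for.
  NOTE(review): the Query does not filter on perms.state, so a DENY CONNECT row
  (also type 'CO') would presumably be reported as a violation even though guest
  cannot connect; confirm whether a state filter is wanted.
-->
<Obj RefId="2">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">1b6c29f6-47af-4731-bcfd-bc4ff6812f60</G>
<S N="RuleId">VA1043</S>
<S N="Severity">Medium</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">The guest user permits access to a database for any logins that are not mapped to a specific database user. This rule checks that the guest user cannot connect to any database.</S>
<S N="Title">Principal GUEST should not have access to any user database</S>
<S N="Query">SELECT CASE _x000D__x000A_ WHEN EXISTS (SELECT * _x000D__x000A_ FROM sys.database_permissions perms _x000D__x000A_ JOIN sys.database_principals usrs _x000D__x000A_ ON grantee_principal_id = principal_id _x000D__x000A_ WHERE grantee_principal_id = _x000D__x000A_ Database_principal_id('guest') _x000D__x000A_ AND perms.type = 'CO') THEN 1 _x000D__x000A_ ELSE 0 _x000D__x000A_ END AS Violation</S>
<S N="ExpectedResult">0</S>
<S N="RemedSkeleton">REVOKE CONNECT FROM [guest]</S>
</Props>
</Obj>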
<!--
  VA1044 (Medium, SurfaceAreaReduction): flags the instance when remote use of
  the dedicated administrator connection (DAC) is enabled.
  The Query returns Violation = 1 when sys.configurations has the row named
  'remote admin connections' with Cast(value AS INT) = 1, otherwise 0.
  ExpectedResult "0" is the passing value.
  NOTE(review): the Query reads the "value" column; whether the running value
  (value_in_use) should be checked as well is worth confirming.
  RemedSkeleton is three sp_configure calls, each followed by RECONFIGURE: turn
  'show advanced options' on, set 'remote admin connections' to 0, then turn
  'show advanced options' off.
  NOTE(review): the last step sets 'show advanced options' to 0 regardless of
  what it was before the remediation ran, so an instance that had it enabled
  ends up with a changed setting.
-->
<Obj RefId="3">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">c7b71fe4-6321-4b8a-aa62-5f6f04700262</G>
<S N="RuleId">VA1044</S>
<S N="Severity">Medium</S>
<S N="Category">SurfaceAreaReduction</S>
<S N="Description">SQL Server provides a dedicated administrator connection (DAC). The DAC lets an administrator access a running server to execute diagnostic functions or Transact-SQL statements, or to troubleshoot problems on the server. This rule checks that remote dedicated admin connections are disabled.</S>
<S N="Title">Remote Admin Connections should be disabled</S>
<S N="Query">SELECT CASE _x000D__x000A_ WHEN EXISTS (SELECT * _x000D__x000A_ FROM sys.configurations _x000D__x000A_ WHERE NAME = 'remote admin connections' _x000D__x000A_ AND Cast(value AS INT) = 1) THEN 1 _x000D__x000A_ ELSE 0 _x000D__x000A_ END AS Violation</S>
<S N="ExpectedResult">0</S>
<S N="RemedSkeleton">EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE;_x000D__x000A_EXECUTE sp_configure 'remote admin connections', 0; RECONFIGURE;_x000D__x000A_EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;</S>
</Props>
</Obj>
<!--
  VA1051 (Medium, SurfaceAreaReduction): flags the current database when the
  AUTO_CLOSE option is enabled.
  The Query returns a single row: Violation = 1 when the sys.databases row whose
  name equals Db_name() has is_auto_close_on = 1, otherwise 0, together with
  Db_name() as [Database]. ExpectedResult "0" is the passing value of Violation.
  NOTE(review): RemedSkeleton looks like a template in which $1 is replaced by
  the second result column (the database name). The consumer should escape "]"
  as "]]" before substituting into the bracketed identifier; verify.
-->
<Obj RefId="4">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">978ddc7d-cfd2-4ab1-b4ad-a717e03f6ca8</G>
<S N="RuleId">VA1051</S>
<S N="Severity">Medium</S>
<S N="Category">SurfaceAreaReduction</S>
<S N="Description">The AUTO_CLOSE option specifies whether the database shuts down cleanly and frees resources after the last user exits. This rule checks that this option is disabled on all databases.</S>
<S N="Title">AUTO_CLOSE should be disabled on all databases</S>
<S N="Query">SELECT CASE _x000D__x000A_ WHEN EXISTS (SELECT * _x000D__x000A_ FROM sys.databases _x000D__x000A_ WHERE NAME = Db_name() _x000D__x000A_ AND is_auto_close_on = 1) THEN 1 _x000D__x000A_ ELSE 0 _x000D__x000A_ END AS Violation, _x000D__x000A_ Db_name() AS [Database]</S>
<S N="ExpectedResult">0</S>
<S N="RemedSkeleton">ALTER DATABASE [$1] SET AUTO_CLOSE OFF</S>
</Props>
</Obj>
<Obj RefId="5">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">fe3fe256-cba5-4e3a-a51e-87f09af670de</G>
<S N="RuleId">VA1054</S>
<S N="Severity">Low</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Every SQL Server login belongs to the public server role. When a server principal has not been granted or denied specific permissions on a securable object, the user inherits the permissions granted to public on that object. This rule displays a list of all securable objects or columns that are accessible to all users through the PUBLIC role.</S>
<S N="Title">Excessive permissions should not be granted to PUBLIC role on objects or columns</S>
<S N="Query">SELECT permission_name, schema_name, object_name FROM (_x000D__x000A_SELECT objs.type as object_type, schema_name(schema_id) as schema_name, objs.name as object_name, user_name(grantor_principal_id) as grantor_principal_name, permission_name, perms.type, state_x000D__x000A_FROM sys.database_permissions perms, sys.objects objs_x000D__x000A_WHERE objs.object_id = perms.major_id _x000D__x000A_AND perms.class = 1 -- objects or columns. Other cases are handled by VA1095 which has different remediation syntax_x000D__x000A_AND grantee_principal_id = DATABASE_PRINCIPAL_ID('public') _x000D__x000A_UNION_x000D__x000A_SELECT 'system_object' as object_type, 'sys' as schema_name, object_name(major_id) as object_name, user_name(grantor_principal_id) as grantor_principal_name, permission_name, type, state_x000D__x000A_FROM sys.database_permissions_x000D__x000A_WHERE class = 1 AND grantee_principal_id = DATABASE_PRINCIPAL_ID('public') AND major_id < 0_x000D__x000A_) t_x000D__x000A_WHERE NOT (_x000D__x000A_(permission_name = 'EXECUTE' AND type = 'EX ' AND STATE = 'G' AND grantor_principal_name = 'dbo' AND schema_name = 'dbo' AND (_x000D__x000A_(object_type = 'FN' AND object_name IN ('fn_sysdac_get_currentusername', 'fn_sysdac_get_username', 'fn_sysdac_is_currentuser_sa', 'fn_sysdac_is_dac_creator', 'fn_sysdac_is_login_creator', 'fn_syspolicy_is_automation_enabled'))_x000D__x000A_OR_x000D__x000A_(object_type = 'P' AND object_name IN ('sp_sysdac_add_history_entry', 'sp_sysdac_add_instance', 'sp_sysdac_delete_history', 'sp_sysdac_delete_instance', 'sp_sysdac_drop_database', 'sp_sysdac_ensure_dac_creator', 'sp_sysdac_rename_database', 'sp_sysdac_resolve_pending_entry', 'sp_sysdac_rollback_all_pending_objects', 'sp_sysdac_rollback_committed_step', 'sp_sysdac_rollback_pending_object', 'sp_sysdac_setreadonly_database', 'sp_sysdac_update_history_entry', 'sp_sysdac_update_instance', 'sp_sysdac_upgrade_instance'))_x000D__x000A_))_x000D__x000A_OR_x000D__x000A_(permission_name = 
'EXECUTE' AND type = 'EX ' AND STATE = 'G' AND grantor_principal_name = 'dbo' AND schema_name = 'sys' AND object_type = 'system_object' AND (_x000D__x000A_object_name IN (_x000D__x000A_'fn_cColvEntries_80', 'fn_cdc_check_parameters', 'fn_cdc_decrement_lsn', 'fn_cdc_get_column_ordinal', 'fn_cdc_get_max_lsn', 'fn_cdc_get_min_lsn', 'fn_cdc_has_column_changed', 'fn_cdc_hexstrtobin', 'fn_cdc_increment_lsn', 'fn_cdc_is_bit_set', 'fn_cdc_map_lsn_to_time', 'fn_cdc_map_time_to_lsn', 'fn_fIsColTracked', 'fn_GetCurrentPrincipal', 'fn_GetRowsetIdFromRowDump', 'fn_hadr_backup_is_preferred_replica', 'fn_hadr_is_primary_replica', 'fn_hadr_is_same_replica', 'fn_IsBitSetInBitmask', 'fn_isrolemember', 'fn_MapSchemaType', 'fn_MSdayasnumber', 'fn_MSgeneration_downloadonly', 'fn_MSget_dynamic_filter_login', 'fn_MSorbitmaps', 'fn_MSrepl_map_resolver_clsid', 'fn_MStestbit', 'fn_MSvector_downloadonly', 'fn_numberOf1InBinaryAfterLoc', 'fn_numberOf1InVarBinary', 'fn_PhysLocFormatter', 'fn_repl_hash_binary', 'fn_repladjustcolumnmap', 'fn_repldecryptver4', 'fn_replformatdatetime', 'fn_replgetparsedddlcmd', 'fn_replp2pversiontotranid', 'fn_replreplacesinglequote', 'fn_replreplacesinglequoteplusprotectstring', 'fn_repluniquename', 'fn_replvarbintoint', 'fn_sqlvarbasetostr', 'fn_varbintohexstr', 'fn_varbintohexsubstring', 'fn_yukonsecuritymodelrequired', 'GeographyCollectionAggregate', 'GeographyConvexHullAggregate', 'GeographyEnvelopeAggregate', 'GeographyUnionAggregate', 'GeometryCollectionAggregate', 'GeometryConvexHullAggregate', 'GeometryEnvelopeAggregate', 'GeometryUnionAggregate', 'ORMask', 'sp_add_agent_parameter', 'sp_add_agent_profile', 'sp_add_log_shipping_alert_job', 'sp_add_log_shipping_primary_database', 'sp_add_log_shipping_primary_secondary', 'sp_add_log_shipping_secondary_database', 'sp_add_log_shipping_secondary_primary', 'sp_addapprole', 'sp_addarticle', 'sp_adddatatype', 'sp_adddatatypemapping', 'sp_adddistpublisher', 'sp_adddistributiondb', 'sp_adddistributor', 
'sp_adddynamicsnapshot_job', 'sp_addextendedproperty', 'sp_AddFunctionalUnitToComponent', 'sp_addlinkedserver', 'sp_addlinkedsrvlogin', 'sp_addlogin', 'sp_addlogreader_agent', _x000D__x000A_'sp_addmergealternatepublisher', 'sp_addmergearticle', 'sp_addmergefilter', 'sp_addmergelogsettings', 'sp_addmergepartition', 'sp_addmergepublication', 'sp_addmergepullsubscription', 'sp_addmergepullsubscription_agent', 'sp_addmergepushsubscription_agent', 'sp_addmergesubscription', 'sp_addmessage', 'sp_addpublication', 'sp_addpublication_snapshot', 'sp_addpullsubscription', 'sp_addpullsubscription_agent', 'sp_addpushsubscription_agent', 'sp_addqreader_agent', 'sp_addqueued_artinfo', 'sp_addremotelogin', 'sp_addrole', 'sp_addrolemember', 'sp_addscriptexec', 'sp_addserver', 'sp_addsrvrolemember', 'sp_addsubscriber', 'sp_addsubscriber_schedule', 'sp_addsubscription', 'sp_addsynctriggers', 'sp_addsynctriggerscore', 'sp_addtabletocontents', 'sp_addtype', 'sp_addumpdevice', 'sp_adduser', 'sp_adjustpublisheridentityrange', 'sp_altermessage', 'sp_approlepassword', 'sp_article_validation', 'sp_articlecolumn', 'sp_articlefilter', 'sp_articleview', 'sp_assemblies_rowset', 'sp_assemblies_rowset_rmt', 'sp_assemblies_rowset2', 'sp_assembly_dependencies_rowset', 'sp_assembly_dependencies_rowset_rmt', 'sp_assembly_dependencies_rowset2', 'sp_attach_db', 'sp_attach_single_file_db', 'sp_attachsubscription', 'sp_audit_write', 'sp_autostats', 'sp_availability_group_command_internal', 'sp_bcp_dbcmptlevel', 'sp_begin_parallel_nested_tran', 'sp_bindefault', 'sp_bindrule', 'sp_bindsession', 'sp_browsemergesnapshotfolder', 'sp_browsereplcmds', 'sp_browsesnapshotfolder', 'sp_can_tlog_be_applied', 'sp_catalogs', 'sp_catalogs_rowset', 'sp_catalogs_rowset_rmt', 'sp_catalogs_rowset2', 'sp_cdc_add_job', 'sp_cdc_change_job', 'sp_cdc_cleanup_change_table', 'sp_cdc_dbsnapshotLSN', 'sp_cdc_disable_db', 'sp_cdc_disable_table', 'sp_cdc_drop_job', 'sp_cdc_enable_db', 'sp_cdc_enable_table', 
'sp_cdc_generate_wrapper_function', 'sp_cdc_get_captured_columns', 'sp_cdc_get_ddl_history', 'sp_cdc_help_change_data_capture', 'sp_cdc_help_jobs', 'sp_cdc_restoredb', 'sp_cdc_scan', 'sp_cdc_start_job', 'sp_cdc_stop_job', 'sp_cdc_vupgrade', 'sp_cdc_vupgrade_databases', 'sp_change_agent_parameter', 'sp_change_agent_profile', 'sp_change_log_shipping_primary_database', 'sp_change_log_shipping_secondary_database', 'sp_change_log_shipping_secondary_primary', 'sp_change_subscription_properties', 'sp_change_tracking_waitforchanges', 'sp_change_users_login', 'sp_changearticle', 'sp_changearticlecolumndatatype', 'sp_changedbowner', 'sp_changedistpublisher', 'sp_changedistributiondb', 'sp_changedistributor_password', 'sp_changedistributor_property', 'sp_changedynamicsnapshot_job', 'sp_changelogreader_agent', 'sp_changemergearticle', 'sp_changemergefilter', 'sp_changemergelogsettings', 'sp_changemergepublication', 'sp_changemergepullsubscription', 'sp_changemergesubscription', 'sp_changeobjectowner', 'sp_changepublication', 'sp_changepublication_snapshot', 'sp_changeqreader_agent', 'sp_changereplicationserverpasswords', 'sp_changesubscriber', 'sp_changesubscriber_schedule', 'sp_changesubscription', 'sp_changesubscriptiondtsinfo', 'sp_changesubstatus', 'sp_check_constbytable_rowset', 'sp_check_constbytable_rowset2', 'sp_check_constraints_rowset', 'sp_check_constraints_rowset2', 'sp_check_dynamic_filters', 'sp_check_for_sync_trigger', 'sp_check_join_filter', 'sp_check_log_shipping_monitor_alert', 'sp_check_publication_access', 'sp_check_subset_filter', 'sp_check_sync_trigger', 'sp_checkinvalidivarticle', 'sp_checkOraclepackageversion', 'sp_clean_db_file_free_space', 'sp_clean_db_free_space', 'sp_cleanmergelogfiles', 'sp_cleanup_log_shipping_history', 'sp_cleanup_temporal_history', 'sp_cleanupdbreplication', 'sp_column_privileges', 'sp_column_privileges_ex', 'sp_column_privileges_rowset', 'sp_column_privileges_rowset_rmt', 'sp_column_privileges_rowset2', 'sp_columns', 
'sp_columns_100', 'sp_columns_100_rowset', 'sp_columns_100_rowset2', 'sp_columns_90', 'sp_columns_90_rowset', 'sp_columns_90_rowset_rmt', 'sp_columns_90_rowset2', 'sp_columns_ex', 'sp_columns_ex_100', 'sp_columns_ex_90', 'sp_columns_managed', 'sp_columns_rowset', 'sp_columns_rowset_rmt', 'sp_columns_rowset2', 'sp_commit_parallel_nested_tran', 'sp_configure', 'sp_configure_peerconflictdetection', 'sp_constr_col_usage_rowset', 'sp_constr_col_usage_rowset2', 'sp_control_dbmasterkey_password', 'sp_control_plan_guide', 'sp_copymergesnapshot', 'sp_copysnapshot', 'sp_copysubscription', 'sp_create_plan_guide', 'sp_create_plan_guide_from_handle', 'sp_createmergepalrole', 'sp_createorphan', 'sp_createstats', 'sp_createtranpalrole', 'sp_cursor', 'sp_cursor_list', 'sp_cursorclose', 'sp_cursorexecute', 'sp_cursorfetch', 'sp_cursoropen', 'sp_cursoroption', 'sp_cursorprepare', 'sp_cursorprepexec', 'sp_cursorunprepare', _x000D__x000A_'sp_databases', 'sp_datatype_info', 'sp_datatype_info_100', 'sp_datatype_info_90', 'sp_db_ebcdic277_2', 'sp_db_increased_partitions', 'sp_db_selective_x005F_xml_index', 'sp_db_vardecimal_storage_format', 'sp_dbcmptlevel', 'sp_dbfixedrolepermission', 'sp_dbmmonitoraddmonitoring', 'sp_dbmmonitorchangealert', 'sp_dbmmonitorchangemonitoring', 'sp_dbmmonitordropalert', 'sp_dbmmonitordropmonitoring', 'sp_dbmmonitorhelpalert', 'sp_dbmmonitorhelpmonitoring', 'sp_dbmmonitorresults', 'sp_dbmmonitorupdate', 'sp_ddopen', 'sp_defaultdb', 'sp_defaultlanguage', 'sp_delete_backup', 'sp_delete_backup_file_snapshot', 'sp_delete_http_namespace_reservation', 'sp_delete_log_shipping_alert_job', 'sp_delete_log_shipping_primary_database', 'sp_delete_log_shipping_primary_secondary', 'sp_delete_log_shipping_secondary_database', 'sp_delete_log_shipping_secondary_primary', 'sp_deletemergeconflictrow', 'sp_deletepeerrequesthistory', 'sp_deletetracertokenhistory', 'sp_denylogin', 'sp_depends', 'sp_describe_cursor', 'sp_describe_cursor_columns', 'sp_describe_cursor_tables', 
'sp_describe_first_result_set', 'sp_describe_parameter_encryption', 'sp_describe_undeclared_parameters', 'sp_detach_db', 'sp_disableagentoffload', 'sp_distcounters', 'sp_drop_agent_parameter', 'sp_drop_agent_profile', 'sp_dropanonymousagent', 'sp_dropanonymoussubscription', 'sp_dropapprole', 'sp_droparticle', 'sp_dropdatatypemapping', 'sp_dropdevice', 'sp_dropdistpublisher', 'sp_dropdistributiondb', 'sp_dropdistributor', 'sp_dropdynamicsnapshot_job', 'sp_dropextendedproperty', 'sp_droplinkedsrvlogin', 'sp_droplogin', 'sp_dropmergealternatepublisher', 'sp_dropmergearticle', 'sp_dropmergefilter', 'sp_dropmergelogsettings', 'sp_dropmergepartition', 'sp_dropmergepublication', 'sp_dropmergepullsubscription', 'sp_dropmergesubscription', 'sp_dropmessage', 'sp_droporphans', 'sp_droppublication', 'sp_droppublisher', 'sp_droppullsubscription', 'sp_dropremotelogin', 'sp_dropreplsymmetrickey', 'sp_droprole', 'sp_droprolemember', 'sp_dropserver', 'sp_dropsrvrolemember', 'sp_dropsubscriber', 'sp_dropsubscription', 'sp_droptype', 'sp_dropuser', 'sp_dsninfo', 'sp_enable_heterogeneous_subscription', 'sp_enableagentoffload', 'sp_enum_oledb_providers', 'sp_enumcustomresolvers', 'sp_enumdsn', 'sp_enumeratependingschemachanges', 'sp_enumerrorlogs', 'sp_enumfullsubscribers', 'sp_enumoledbdatasources', 'sp_estimate_data_compression_savings', 'sp_estimated_rowsize_reduction_for_vardecimal', 'sp_execute', 'sp_execute_external_script', 'sp_executesql', 'sp_expired_subscription_cleanup', 'sp_filestream_force_garbage_collection', 'sp_filestream_recalculate_container_size', 'sp_firstonly_bitmap', 'sp_fkeys', 'sp_flush_commit_table', 'sp_flush_commit_table_on_demand', 'sp_flush_CT_internal_table_on_demand', 'sp_flush_log', 'sp_foreign_keys_rowset', 'sp_foreign_keys_rowset_rmt', 'sp_foreign_keys_rowset2', 'sp_foreign_keys_rowset3', 'sp_foreignkeys', 'sp_fulltext_catalog', 'sp_fulltext_column', 'sp_fulltext_database', 'sp_fulltext_keymappings', 'sp_fulltext_load_thesaurus_file', 
'sp_fulltext_pendingchanges', 'sp_fulltext_recycle_crawl_log', 'sp_fulltext_semantic_register_language_statistics_db', 'sp_fulltext_semantic_unregister_language_statistics_db', 'sp_fulltext_service', 'sp_fulltext_table', 'sp_FuzzyLookupTableMaintenanceInstall', 'sp_FuzzyLookupTableMaintenanceInvoke', 'sp_FuzzyLookupTableMaintenanceUninstall', 'sp_generate_agent_parameter', 'sp_generatefilters', 'sp_get_database_scoped_credential', 'sp_get_distributor', 'sp_get_job_status_mergesubscription_agent', 'sp_get_mergepublishedarticleproperties', 'sp_get_Oracle_publisher_metadata', 'sp_get_query_template', 'sp_get_redirected_publisher', 'sp_getagentparameterlist', 'sp_getapplock', 'sp_getbindtoken', 'sp_getdefaultdatatypemapping', 'sp_getmergedeletetype', 'sp_getProcessorUsage', 'sp_getpublisherlink', 'sp_getqueuedarticlesynctraninfo', 'sp_getqueuedrows', 'sp_getschemalock', 'sp_getsqlqueueversion', 'sp_getsubscription_status_hsnapshot', 'sp_getsubscriptiondtspackagename', 'sp_gettopologyinfo', 'sp_getVolumeFreeSpace', 'sp_grant_publication_access', 'sp_grantdbaccess', 'sp_grantlogin', 'sp_help', 'sp_help_agent_default', 'sp_help_agent_parameter', 'sp_help_agent_profile', 'sp_help_datatype_mapping', 'sp_help_fulltext_catalog_components', 'sp_help_fulltext_catalogs', 'sp_help_fulltext_catalogs_cursor', 'sp_help_fulltext_columns', 'sp_help_fulltext_columns_cursor', 'sp_help_fulltext_system_components', 'sp_help_fulltext_tables', 'sp_help_fulltext_tables_cursor', _x000D__x000A_'sp_help_log_shipping_alert_job', 'sp_help_log_shipping_monitor', 'sp_help_log_shipping_monitor_primary', 'sp_help_log_shipping_monitor_secondary', 'sp_help_log_shipping_primary_database', 'sp_help_log_shipping_primary_secondary', 'sp_help_log_shipping_secondary_database', 'sp_help_log_shipping_secondary_primary', 'sp_help_peerconflictdetection', 'sp_help_publication_access', 'sp_help_spatial_geography_histogram', 'sp_help_spatial_geography_index', 'sp_help_spatial_geography_index_x005F_xml', 
'sp_help_spatial_geometry_histogram', 'sp_help_spatial_geometry_index', 'sp_help_spatial_geometry_index_x005F_xml', 'sp_helpallowmerge_publication', 'sp_helparticle', 'sp_helparticlecolumns', 'sp_helparticledts', 'sp_helpconstraint', 'sp_helpdatatypemap', 'sp_helpdb', 'sp_helpdbfixedrole', 'sp_helpdevice', 'sp_helpdistpublisher', 'sp_helpdistributiondb', 'sp_helpdistributor', 'sp_helpdistributor_properties', 'sp_helpdynamicsnapshot_job', 'sp_helpextendedproc', 'sp_helpfile', 'sp_helpfilegroup', 'sp_helpindex', 'sp_helplanguage', 'sp_helplinkedsrvlogin', 'sp_helplogins', 'sp_helplogreader_agent', 'sp_helpmergealternatepublisher', 'sp_helpmergearticle', 'sp_helpmergearticlecolumn', 'sp_helpmergearticleconflicts', 'sp_helpmergeconflictrows', 'sp_helpmergedeleteconflictrows', 'sp_helpmergefilter', 'sp_helpmergelogfiles', 'sp_helpmergelogfileswithdata', 'sp_helpmergelogsettings', 'sp_helpmergepartition', 'sp_helpmergepublication', 'sp_helpmergepullsubscription', 'sp_helpmergesubscription', 'sp_helpntgroup', 'sp_helppeerrequests', 'sp_helppeerresponses', 'sp_helppublication', 'sp_helppublication_snapshot', 'sp_helppublicationsync', 'sp_helppullsubscription', 'sp_helpqreader_agent', 'sp_helpremotelogin', 'sp_helpreplfailovermode', 'sp_helpreplicationdb', 'sp_helpreplicationdboption', 'sp_helpreplicationoption', 'sp_helprole', 'sp_helprolemember', 'sp_helprotect', 'sp_helpserver', 'sp_helpsort', 'sp_helpsrvrole', 'sp_helpsrvrolemember', 'sp_helpstats', 'sp_helpsubscriberinfo', 'sp_helpsubscription', 'sp_helpsubscription_properties', 'sp_helpsubscriptionerrors', 'sp_helptext', 'sp_helptracertokenhistory', 'sp_helptracertokens', 'sp_helptrigger', 'sp_helpuser', 'sp_helpxactsetjob', 'sp_http_generate_wsdl_complex', 'sp_http_generate_wsdl_defaultcomplexorsimple', 'sp_http_generate_wsdl_defaultsimpleorcomplex', 'sp_http_generate_wsdl_simple', 'sp_identitycolumnforreplication', 'sp_IH_LR_GetCacheData', 'sp_IHadd_sync_command', 'sp_IHarticlecolumn', 'sp_IHget_loopback_detection', 
'sp_IHScriptIdxFile', 'sp_IHScriptSchFile', 'sp_IHValidateRowFilter', 'sp_IHXactSetJob', 'sp_indexcolumns_managed', 'sp_indexes', 'sp_indexes_100_rowset', 'sp_indexes_100_rowset2', 'sp_indexes_90_rowset', 'sp_indexes_90_rowset_rmt', 'sp_indexes_90_rowset2', 'sp_indexes_managed', 'sp_indexes_rowset', 'sp_indexes_rowset_rmt', 'sp_indexes_rowset2', 'sp_indexoption', 'sp_invalidate_textptr', 'sp_is_makegeneration_needed', 'sp_ivindexhasnullcols', 'sp_kill_filestream_non_transacted_handles', 'sp_kill_oldest_transaction_on_secondary', 'sp_lightweightmergemetadataretentioncleanup', 'sp_link_publication', 'sp_linkedservers', 'sp_linkedservers_rowset', 'sp_linkedservers_rowset2', 'sp_lock', 'sp_logshippinginstallmetadata', 'sp_lookupcustomresolver', 'sp_mapdown_bitmap', 'sp_markpendingschemachange', 'sp_marksubscriptionvalidation', 'sp_memory_optimized_cs_migration', 'sp_mergearticlecolumn', 'sp_mergecleanupmetadata', 'sp_mergedummyupdate', 'sp_mergemetadataretentioncleanup', 'sp_mergesubscription_cleanup', 'sp_mergesubscriptionsummary', 'sp_migrate_user_to_contained', 'sp_MS_replication_installed', 'sp_MSacquireHeadofQueueLock', 'sp_MSacquireserverresourcefordynamicsnapshot', 'sp_MSacquireSlotLock', 'sp_MSacquiresnapshotdeliverysessionlock', 'sp_MSactivate_auto_sub', 'sp_MSactivatelogbasedarticleobject', 'sp_MSactivateprocedureexecutionarticleobject', 'sp_MSadd_anonymous_agent', 'sp_MSadd_article', 'sp_MSadd_compensating_cmd', 'sp_MSadd_distribution_agent', 'sp_MSadd_distribution_history', 'sp_MSadd_dynamic_snapshot_location', 'sp_MSadd_filteringcolumn', 'sp_MSadd_log_shipping_error_detail', 'sp_MSadd_log_shipping_history_detail', 'sp_MSadd_logreader_agent', 'sp_MSadd_logreader_history', 'sp_MSadd_merge_agent', 'sp_MSadd_merge_anonymous_agent', 'sp_MSadd_merge_history', 'sp_MSadd_merge_history90', 'sp_MSadd_merge_subscription', 'sp_MSadd_mergereplcommand', 'sp_MSadd_mergesubentry_indistdb', 'sp_MSadd_publication', 'sp_MSadd_qreader_agent', 'sp_MSadd_qreader_history', 
'sp_MSadd_repl_alert', 'sp_MSadd_repl_command', 'sp_MSadd_repl_commands27hp', 'sp_MSadd_repl_error', 'sp_MSadd_replcmds_mcit', 'sp_MSadd_replmergealert', _x000D__x000A_'sp_MSadd_snapshot_agent', 'sp_MSadd_snapshot_history', 'sp_MSadd_subscriber_info', 'sp_MSadd_subscriber_schedule', 'sp_MSadd_subscription', 'sp_MSadd_subscription_3rd', 'sp_MSadd_tracer_history', 'sp_MSadd_tracer_token', 'sp_MSaddanonymousreplica', 'sp_MSadddynamicsnapshotjobatdistributor', 'sp_MSaddguidcolumn', 'sp_MSaddguidindex', 'sp_MSaddinitialarticle', 'sp_MSaddinitialpublication', 'sp_MSaddinitialschemaarticle', 'sp_MSaddinitialsubscription', 'sp_MSaddlightweightmergearticle', 'sp_MSaddmergedynamicsnapshotjob', 'sp_MSaddmergetriggers', 'sp_MSaddmergetriggers_from_template', 'sp_MSaddmergetriggers_internal', 'sp_MSaddpeerlsn', 'sp_MSaddsubscriptionarticles', 'sp_MSadjust_pub_identity', 'sp_MSagent_retry_stethoscope', 'sp_MSagent_stethoscope', 'sp_MSallocate_new_identity_range', 'sp_MSalreadyhavegeneration', 'sp_MSanonymous_status', 'sp_MSarticlecleanup', 'sp_MSbrowsesnapshotfolder', 'sp_MScache_agent_parameter', 'sp_MScdc_capture_job', 'sp_MScdc_cleanup_job', 'sp_MScdc_db_ddl_event', 'sp_MScdc_ddl_event', 'sp_MScdc_logddl', 'sp_MSchange_article', 'sp_MSchange_distribution_agent_properties', 'sp_MSchange_logreader_agent_properties', 'sp_MSchange_merge_agent_properties', 'sp_MSchange_mergearticle', 'sp_MSchange_mergepublication', 'sp_MSchange_originatorid', 'sp_MSchange_priority', 'sp_MSchange_publication', 'sp_MSchange_retention', 'sp_MSchange_retention_period_unit', 'sp_MSchange_snapshot_agent_properties', 'sp_MSchange_subscription_dts_info', 'sp_MSchangearticleresolver', 'sp_MSchangedynamicsnapshotjobatdistributor', 'sp_MSchangedynsnaplocationatdistributor', 'sp_MSchangeobjectowner', 'sp_MScheck_agent_instance', 'sp_MScheck_dropobject', 'sp_MScheck_Jet_Subscriber', 'sp_MScheck_logicalrecord_metadatamatch', 'sp_MScheck_merge_subscription_count', 'sp_MScheck_pub_identity', 
'sp_MScheck_pull_access', 'sp_MScheck_snapshot_agent', 'sp_MScheck_subscription', 'sp_MScheck_subscription_expiry', 'sp_MScheck_subscription_partition', 'sp_MScheck_tran_retention', 'sp_MScheckexistsgeneration', 'sp_MScheckexistsrecguid', 'sp_MScheckfailedprevioussync', 'sp_MScheckidentityrange', 'sp_MScheckIsPubOfSub', 'sp_MSchecksharedagentforpublication', 'sp_MSchecksnapshotstatus', 'sp_MScleanup_agent_entry', 'sp_MScleanup_conflict', 'sp_MScleanup_publication_ADinfo', 'sp_MScleanup_subscription_distside_entry', 'sp_MScleanupdynamicsnapshotfolder', 'sp_MScleanupdynsnapshotvws', 'sp_MSCleanupForPullReinit', 'sp_MScleanupmergepublisher_internal', 'sp_MSclear_dynamic_snapshot_location', 'sp_MSclearresetpartialsnapshotprogressbit', 'sp_MScomputelastsentgen', 'sp_MScomputemergearticlescreationorder', 'sp_MScomputemergeunresolvedrefs', 'sp_MSconflicttableexists', 'sp_MScreate_all_article_repl_views', 'sp_MScreate_article_repl_views', 'sp_MScreate_dist_tables', 'sp_MScreate_logical_record_views', 'sp_MScreate_sub_tables', 'sp_MScreate_tempgenhistorytable', 'sp_MScreatedisabledmltrigger', 'sp_MScreatedummygeneration', 'sp_MScreateglobalreplica', 'sp_MScreatelightweightinsertproc', 'sp_MScreatelightweightmultipurposeproc', 'sp_MScreatelightweightprocstriggersconstraints', 'sp_MScreatelightweightupdateproc', 'sp_MScreatemergedynamicsnapshot', 'sp_MScreateretry', 'sp_MSdbuseraccess', 'sp_MSdbuserpriv', 'sp_MSdefer_check', 'sp_MSdelete_tracer_history', 'sp_MSdeletefoldercontents', 'sp_MSdeletemetadataactionrequest', 'sp_MSdeletepeerconflictrow', 'sp_MSdeleteretry', 'sp_MSdeletetranconflictrow', 'sp_MSdelgenzero', 'sp_MSdelrow', 'sp_MSdelrowsbatch', 'sp_MSdelrowsbatch_downloadonly', 'sp_MSdelsubrows', 'sp_MSdelsubrowsbatch', 'sp_MSdependencies', 'sp_MSdetect_nonlogged_shutdown', 'sp_MSdetectinvalidpeerconfiguration', 'sp_MSdetectinvalidpeersubscription', 'sp_MSdist_activate_auto_sub', 'sp_MSdist_adjust_identity', 'sp_MSdistpublisher_cleanup', 'sp_MSdistribution_counters', 
'sp_MSdistributoravailable', 'sp_MSdodatabasesnapshotinitiation', 'sp_MSdopartialdatabasesnapshotinitiation', 'sp_MSdrop_6x_publication', 'sp_MSdrop_6x_replication_agent', 'sp_MSdrop_anonymous_entry', 'sp_MSdrop_article', 'sp_MSdrop_distribution_agent', 'sp_MSdrop_distribution_agentid_dbowner_proxy', 'sp_MSdrop_dynamic_snapshot_agent', 'sp_MSdrop_logreader_agent', 'sp_MSdrop_merge_agent', 'sp_MSdrop_merge_subscription', 'sp_MSdrop_publication', 'sp_MSdrop_qreader_history', 'sp_MSdrop_snapshot_agent', 'sp_MSdrop_snapshot_dirs', 'sp_MSdrop_subscriber_info', 'sp_MSdrop_subscription', 'sp_MSdrop_subscription_3rd', 'sp_MSdrop_tempgenhistorytable', 'sp_MSdroparticleconstraints', 'sp_MSdroparticletombstones', 'sp_MSdropconstraints', 'sp_MSdropdynsnapshotvws', 'sp_MSdropfkreferencingarticle', 'sp_MSdropmergearticle', 'sp_MSdropmergedynamicsnapshotjob', 'sp_MSdropobsoletearticle', 'sp_MSdropretry', 'sp_MSdroptemptable', _x000D__x000A_'sp_MSdummyupdate', 'sp_MSdummyupdate_logicalrecord', 'sp_MSdummyupdate90', 'sp_MSdummyupdatelightweight', 'sp_MSdynamicsnapshotjobexistsatdistributor', 'sp_MSenable_publication_for_het_sub', 'sp_MSensure_single_instance', 'sp_MSenum_distribution', 'sp_MSenum_distribution_s', 'sp_MSenum_distribution_sd', 'sp_MSenum_logicalrecord_changes', 'sp_MSenum_logreader', 'sp_MSenum_logreader_s', 'sp_MSenum_logreader_sd', 'sp_MSenum_merge', 'sp_MSenum_merge_agent_properties', 'sp_MSenum_merge_s', 'sp_MSenum_merge_sd', 'sp_MSenum_merge_subscriptions', 'sp_MSenum_merge_subscriptions_90_publication', 'sp_MSenum_merge_subscriptions_90_publisher', 'sp_MSenum_metadataaction_requests', 'sp_MSenum_qreader', 'sp_MSenum_qreader_s', 'sp_MSenum_qreader_sd', 'sp_MSenum_replication_agents', 'sp_MSenum_replication_job', 'sp_MSenum_replqueues', 'sp_MSenum_replsqlqueues', 'sp_MSenum_snapshot', 'sp_MSenum_snapshot_s', 'sp_MSenum_snapshot_sd', 'sp_MSenum_subscriptions', 'sp_MSenumallpublications', 'sp_MSenumallsubscriptions', 'sp_MSenumarticleslightweight', 
'sp_MSenumchanges', 'sp_MSenumchanges_belongtopartition', 'sp_MSenumchanges_notbelongtopartition', 'sp_MSenumchangesdirect', 'sp_MSenumchangeslightweight', 'sp_MSenumcolumns', 'sp_MSenumcolumnslightweight', 'sp_MSenumdeletes_forpartition', 'sp_MSenumdeleteslightweight', 'sp_MSenumdeletesmetadata', 'sp_MSenumdistributionagentproperties', 'sp_MSenumerate_PAL', 'sp_MSenumgenerations', 'sp_MSenumgenerations90', 'sp_MSenumpartialchanges', 'sp_MSenumpartialchangesdirect', 'sp_MSenumpartialdeletes', 'sp_MSenumpubreferences', 'sp_MSenumreplicas', 'sp_MSenumreplicas90', 'sp_MSenumretries', 'sp_MSenumschemachange', 'sp_MSenumsubscriptions', 'sp_MSenumthirdpartypublicationvendornames', 'sp_MSestimatemergesnapshotworkload', 'sp_MSestimatesnapshotworkload', 'sp_MSevalsubscriberinfo', 'sp_MSevaluate_change_membership_for_all_articles_in_pubid', 'sp_MSevaluate_change_membership_for_pubid', 'sp_MSevaluate_change_membership_for_row', 'sp_MSexecwithlsnoutput', 'sp_MSfast_delete_trans', 'sp_MSfetchAdjustidentityrange', 'sp_MSfetchidentityrange', 'sp_MSfillupmissingcols', 'sp_MSfilterclause', 'sp_MSfix_6x_tasks', 'sp_MSfixlineageversions', 'sp_MSFixSubColumnBitmaps', 'sp_MSfixupbeforeimagetables', 'sp_MSflush_access_cache', 'sp_MSforce_drop_distribution_jobs', 'sp_MSforcereenumeration', 'sp_MSforeach_worker', 'sp_MSforeachdb', 'sp_MSforeachtable', 'sp_MSgenerateexpandproc', 'sp_MSget_agent_names', 'sp_MSget_attach_state', 'sp_MSget_DDL_after_regular_snapshot', 'sp_MSget_dynamic_snapshot_location', 'sp_MSget_identity_range_info', 'sp_MSget_jobstate', 'sp_MSget_last_transaction', 'sp_MSget_latest_peerlsn', 'sp_MSget_load_hint', 'sp_MSget_log_shipping_new_sessionid', 'sp_MSget_logicalrecord_lineage', 'sp_MSget_max_used_identity', 'sp_MSget_min_seqno', 'sp_MSget_MSmerge_rowtrack_colinfo', 'sp_MSget_new_x005F_xact_seqno', 'sp_MSget_oledbinfo', 'sp_MSget_partitionid_eval_proc', 'sp_MSget_publication_from_taskname', 'sp_MSget_publisher_rpc', 'sp_MSget_repl_cmds_anonymous', 
'sp_MSget_repl_commands', 'sp_MSget_repl_error', 'sp_MSget_session_statistics', 'sp_MSget_shared_agent', 'sp_MSget_snapshot_history', 'sp_MSget_subscriber_partition_id', 'sp_MSget_subscription_dts_info', 'sp_MSget_subscription_guid', 'sp_MSget_synctran_commands', 'sp_MSget_type_wrapper', 'sp_MSgetagentoffloadinfo', 'sp_MSgetalternaterecgens', 'sp_MSgetarticlereinitvalue', 'sp_MSgetchangecount', 'sp_MSgetconflictinsertproc', 'sp_MSgetconflicttablename', 'sp_MSGetCurrentPrincipal', 'sp_MSgetdatametadatabatch', 'sp_MSgetdbversion', 'sp_MSgetdynamicsnapshotapplock', 'sp_MSgetdynsnapvalidationtoken', 'sp_MSgetgenstatus4rows', 'sp_MSgetisvalidwindowsloginfromdistributor', 'sp_MSgetlastrecgen', 'sp_MSgetlastsentgen', 'sp_MSgetlastsentrecgens', 'sp_MSgetlastupdatedtime', 'sp_MSgetlightweightmetadatabatch', 'sp_MSgetmakegenerationapplock', 'sp_MSgetmakegenerationapplock_90', 'sp_MSgetmaxbcpgen', 'sp_MSgetmaxsnapshottimestamp', 'sp_MSgetmergeadminapplock', 'sp_MSgetmetadata_changedlogicalrecordmembers', 'sp_MSgetmetadatabatch', 'sp_MSgetmetadatabatch90', 'sp_MSgetmetadatabatch90new', 'sp_MSgetonerow', 'sp_MSgetonerowlightweight', 'sp_MSgetpeerconflictrow', 'sp_MSgetpeerlsns', 'sp_MSgetpeertopeercommands', 'sp_MSgetpeerwinnerrow', 'sp_MSgetpubinfo', 'sp_MSgetreplicainfo', 'sp_MSgetreplicastate', 'sp_MSgetrowmetadata', 'sp_MSgetrowmetadatalightweight', 'sp_MSGetServerProperties', 'sp_MSgetsetupbelong_cost', 'sp_MSgetsubscriberinfo', 'sp_MSgetsupportabilitysettings', 'sp_MSgettrancftsrcrow', 'sp_MSgettranconflictrow', 'sp_MSgetversion', 'sp_MSgrantconnectreplication', 'sp_MShaschangeslightweight', 'sp_MShasdbaccess', _x000D__x000A_'sp_MShelp_article', 'sp_MShelp_distdb', 'sp_MShelp_distribution_agentid', 'sp_MShelp_identity_property', 'sp_MShelp_logreader_agentid', 'sp_MShelp_merge_agentid', 'sp_MShelp_profile', 'sp_MShelp_profilecache', 'sp_MShelp_publication', 'sp_MShelp_repl_agent', 'sp_MShelp_replication_status', 'sp_MShelp_replication_table', 'sp_MShelp_snapshot_agent', 
'sp_MShelp_snapshot_agentid', 'sp_MShelp_subscriber_info', 'sp_MShelp_subscription', 'sp_MShelp_subscription_status', 'sp_MShelpcolumns', 'sp_MShelpconflictpublications', 'sp_MShelpcreatebeforetable', 'sp_MShelpdestowner', 'sp_MShelpdynamicsnapshotjobatdistributor', 'sp_MShelpfulltextindex', 'sp_MShelpfulltextscript', 'sp_MShelpindex', 'sp_MShelplogreader_agent', 'sp_MShelpmergearticles', 'sp_MShelpmergeconflictcounts', 'sp_MShelpmergedynamicsnapshotjob', 'sp_MShelpmergeidentity', 'sp_MShelpmergeschemaarticles', 'sp_MShelpobjectpublications', 'sp_MShelpreplicationtriggers', 'sp_MShelpsnapshot_agent', 'sp_MShelpsummarypublication', 'sp_MShelptracertokenhistory', 'sp_MShelptracertokens', 'sp_MShelptranconflictcounts', 'sp_MShelptype', 'sp_MShelpvalidationdate', 'sp_MSIfExistsSubscription', 'sp_MSindexspace', 'sp_MSinit_publication_access', 'sp_MSinit_subscription_agent', 'sp_MSinitdynamicsubscriber', 'sp_MSinsert_identity', 'sp_MSinsertdeleteconflict', 'sp_MSinserterrorlineage', 'sp_MSinsertgenerationschemachanges', 'sp_MSinsertgenhistory', 'sp_MSinsertlightweightschemachange', 'sp_MSinsertschemachange', 'sp_MSinvalidate_snapshot', 'sp_MSisnonpkukupdateinconflict', 'sp_MSispeertopeeragent', 'sp_MSispkupdateinconflict', 'sp_MSispublicationqueued', 'sp_MSisreplmergeagent', 'sp_MSissnapshotitemapplied', 'sp_MSkilldb', 'sp_MSlock_auto_sub', 'sp_MSlock_distribution_agent', 'sp_MSlocktable', 'sp_MSloginmappings', 'sp_MSmakearticleprocs', 'sp_MSmakebatchinsertproc', 'sp_MSmakebatchupdateproc', 'sp_MSmakeconflictinsertproc', 'sp_MSmakectsview', 'sp_MSmakedeleteproc', 'sp_MSmakedynsnapshotvws', 'sp_MSmakeexpandproc', 'sp_MSmakegeneration', 'sp_MSmakeinsertproc', 'sp_MSmakemetadataselectproc', 'sp_MSmakeselectproc', 'sp_MSmakesystableviews', 'sp_MSmakeupdateproc', 'sp_MSmap_partitionid_to_generations', 'sp_MSmarkreinit', 'sp_MSmatchkey', 'sp_MSmerge_alterschemaonly', 'sp_MSmerge_altertrigger', 'sp_MSmerge_alterview', 'sp_MSmerge_ddldispatcher', 'sp_MSmerge_getgencount', 
'sp_MSmerge_getgencur_public', 'sp_MSmerge_is_snapshot_required', 'sp_MSmerge_log_identity_range_allocations', 'sp_MSmerge_parsegenlist', 'sp_MSmerge_upgrade_subscriber', 'sp_MSmergesubscribedb', 'sp_MSmergeupdatelastsyncinfo', 'sp_MSneedmergemetadataretentioncleanup', 'sp_MSNonSQLDDL', 'sp_MSNonSQLDDLForSchemaDDL', 'sp_MSobjectprivs', 'sp_MSpeerapplyresponse', 'sp_MSpeerapplytopologyinfo', 'sp_MSpeerconflictdetection_statuscollection_applyresponse', 'sp_MSpeerconflictdetection_statuscollection_sendresponse', 'sp_MSpeerconflictdetection_topology_applyresponse', 'sp_MSpeerdbinfo', 'sp_MSpeersendresponse', 'sp_MSpeersendtopologyinfo', 'sp_MSpeertopeerfwdingexec', 'sp_MSpost_auto_proc', 'sp_MSpostapplyscript_forsubscriberprocs', 'sp_MSprep_exclusive', 'sp_MSprepare_mergearticle', 'sp_MSprofile_in_use', 'sp_MSproxiedmetadata', 'sp_MSproxiedmetadatabatch', 'sp_MSproxiedmetadatalightweight', 'sp_MSpub_adjust_identity', 'sp_MSpublication_access', 'sp_MSpublicationcleanup', 'sp_MSpublicationview', 'sp_MSquery_syncstates', 'sp_MSquerysubtype', 'sp_MSrecordsnapshotdeliveryprogress', 'sp_MSreenable_check', 'sp_MSrefresh_anonymous', 'sp_MSrefresh_publisher_idrange', 'sp_MSregenerate_mergetriggersprocs', 'sp_MSregisterdynsnapseqno', 'sp_MSregistermergesnappubid', 'sp_MSregistersubscription', 'sp_MSreinit_failed_subscriptions', 'sp_MSreinit_hub', 'sp_MSreinit_subscription', 'sp_MSreinitoverlappingmergepublications', 'sp_MSreleasedynamicsnapshotapplock', 'sp_MSreleasemakegenerationapplock', 'sp_MSreleasemergeadminapplock', 'sp_MSreleaseSlotLock', 'sp_MSreleasesnapshotdeliverysessionlock', 'sp_MSremove_mergereplcommand', 'sp_MSremoveoffloadparameter', 'sp_MSrepl_agentstatussummary', 'sp_MSrepl_backup_complete', 'sp_MSrepl_backup_start', 'sp_MSrepl_check_publisher', 'sp_MSrepl_createdatatypemappings', 'sp_MSrepl_distributionagentstatussummary', 'sp_MSrepl_dropdatatypemappings', 'sp_MSrepl_enumarticlecolumninfo', 'sp_MSrepl_enumpublications', 'sp_MSrepl_enumpublishertables', 
'sp_MSrepl_enumsubscriptions', 'sp_MSrepl_enumtablecolumninfo', 'sp_MSrepl_FixPALRole', 'sp_MSrepl_getdistributorinfo', 'sp_MSrepl_getpkfkrelation', 'sp_MSrepl_gettype_mappings', 'sp_MSrepl_helparticlermo', 'sp_MSrepl_init_backup_lsns', 'sp_MSrepl_isdbowner', 'sp_MSrepl_IsLastPubInSharedSubscription', 'sp_MSrepl_IsUserInAnyPAL', _x000D__x000A_'sp_MSrepl_linkedservers_rowset', 'sp_MSrepl_mergeagentstatussummary', 'sp_MSrepl_PAL_rolecheck', 'sp_MSrepl_raiserror', 'sp_MSrepl_schema', 'sp_MSrepl_setNFR', 'sp_MSrepl_snapshot_helparticlecolumns', 'sp_MSrepl_snapshot_helppublication', 'sp_MSrepl_startup_internal', 'sp_MSrepl_subscription_rowset', 'sp_MSrepl_testadminconnection', 'sp_MSrepl_testconnection', 'sp_MSreplagentjobexists', 'sp_MSreplcheck_permission', 'sp_MSreplcheck_pull', 'sp_MSreplcheck_subscribe', 'sp_MSreplcheck_subscribe_withddladmin', 'sp_MSreplcheckoffloadserver', 'sp_MSreplcopyscriptfile', 'sp_MSreplraiserror', 'sp_MSreplremoveuncdir', 'sp_MSreplupdateschema', 'sp_MSrequestreenumeration', 'sp_MSrequestreenumeration_lightweight', 'sp_MSreset_attach_state', 'sp_MSreset_queued_reinit', 'sp_MSreset_subscription', 'sp_MSreset_subscription_seqno', 'sp_MSreset_synctran_bit', 'sp_MSreset_transaction', 'sp_MSresetsnapshotdeliveryprogress', 'sp_MSrestoresavedforeignkeys', 'sp_MSretrieve_publication_attributes', 'sp_MSscript_article_view', 'sp_MSscript_dri', 'sp_MSscript_pub_upd_trig', 'sp_MSscript_sync_del_proc', 'sp_MSscript_sync_del_trig', 'sp_MSscript_sync_ins_proc', 'sp_MSscript_sync_ins_trig', 'sp_MSscript_sync_upd_proc', 'sp_MSscript_sync_upd_trig', 'sp_MSscriptcustomdelproc', 'sp_MSscriptcustominsproc', 'sp_MSscriptcustomupdproc', 'sp_MSscriptdatabase', 'sp_MSscriptdb_worker', 'sp_MSscriptforeignkeyrestore', 'sp_MSscriptsubscriberprocs', 'sp_MSscriptviewproc', 'sp_MSsendtosqlqueue', 'sp_MSset_dynamic_filter_options', 'sp_MSset_logicalrecord_metadata', 'sp_MSset_new_identity_range', 'sp_MSset_oledb_prop', 'sp_MSset_snapshot_x005F_xact_seqno', 
'sp_MSset_sub_guid', 'sp_MSset_subscription_properties', 'sp_MSsetaccesslist', 'sp_MSsetartprocs', 'sp_MSsetbit', 'sp_MSsetconflictscript', 'sp_MSsetconflicttable', 'sp_MSsetcontext_bypasswholeddleventbit', 'sp_MSsetcontext_replagent', 'sp_MSsetgentozero', 'sp_MSsetlastrecgen', 'sp_MSsetlastsentgen', 'sp_MSsetreplicainfo', 'sp_MSsetreplicaschemaversion', 'sp_MSsetreplicastatus', 'sp_MSsetrowmetadata', 'sp_MSsetsubscriberinfo', 'sp_MSsetup_identity_range', 'sp_MSsetup_partition_groups', 'sp_MSsetup_use_partition_groups', 'sp_MSsetupbelongs', 'sp_MSsetupnosyncsubwithlsnatdist', 'sp_MSsetupnosyncsubwithlsnatdist_cleanup', 'sp_MSsetupnosyncsubwithlsnatdist_helper', 'sp_MSSharedFixedDisk', 'sp_MSSQLDMO70_version', 'sp_MSSQLDMO80_version', 'sp_MSSQLDMO90_version', 'sp_MSSQLOLE_version', 'sp_MSSQLOLE65_version', 'sp_MSstartdistribution_agent', 'sp_MSstartmerge_agent', 'sp_MSstartsnapshot_agent', 'sp_MSstopdistribution_agent', 'sp_MSstopmerge_agent', 'sp_MSstopsnapshot_agent', 'sp_MSsub_check_identity', 'sp_MSsub_set_identity', 'sp_MSsubscription_status', 'sp_MSsubscriptionvalidated', 'sp_MStablechecks', 'sp_MStablekeys', 'sp_MStablerefs', 'sp_MStablespace', 'sp_MStestbit', 'sp_MStran_ddlrepl', 'sp_MStran_is_snapshot_required', 'sp_MStrypurgingoldsnapshotdeliveryprogress', 'sp_MSuniquename', 'sp_MSunmarkifneeded', 'sp_MSunmarkreplinfo', 'sp_MSunmarkschemaobject', 'sp_MSunregistersubscription', 'sp_MSupdate_agenttype_default', 'sp_MSupdate_singlelogicalrecordmetadata', 'sp_MSupdate_subscriber_info', 'sp_MSupdate_subscriber_schedule', 'sp_MSupdate_subscriber_tracer_history', 'sp_MSupdate_subscription', 'sp_MSupdate_tracer_history', 'sp_MSupdatecachedpeerlsn', 'sp_MSupdategenerations_afterbcp', 'sp_MSupdategenhistory', 'sp_MSupdateinitiallightweightsubscription', 'sp_MSupdatelastsyncinfo', 'sp_MSupdatepeerlsn', 'sp_MSupdaterecgen', 'sp_MSupdatereplicastate', 'sp_MSupdatesysmergearticles', 'sp_MSuplineageversion', 'sp_MSuploadsupportabilitydata', 
'sp_MSuselightweightreplication', 'sp_MSvalidate_dest_recgen', 'sp_MSvalidate_subscription', 'sp_MSvalidate_wellpartitioned_articles', 'sp_MSvalidatearticle', 'sp_MSwritemergeperfcounter', 'sp_new_parallel_nested_tran_id', 'sp_objectfilegroup', 'sp_oledb_database', 'sp_oledb_defdb', 'sp_oledb_deflang', 'sp_oledb_language', 'sp_oledb_ro_usrname', 'sp_oledbinfo', 'sp_ORbitmap', 'sp_password', 'sp_peerconflictdetection_tableaug', 'sp_pkeys', 'sp_polybase_join_group', 'sp_polybase_leave_group', 'sp_posttracertoken', 'sp_prepare', 'sp_prepexec', 'sp_prepexecrpc', 'sp_primary_keys_rowset', 'sp_primary_keys_rowset_rmt', 'sp_primary_keys_rowset2', 'sp_primarykeys', 'sp_procedure_params_100_managed', 'sp_procedure_params_100_rowset', 'sp_procedure_params_100_rowset2', 'sp_procedure_params_90_rowset', 'sp_procedure_params_90_rowset2', 'sp_procedure_params_managed', 'sp_procedure_params_rowset', 'sp_procedure_params_rowset2', 'sp_procedures_rowset', 'sp_procedures_rowset2', 'sp_processlogshippingmonitorhistory', 'sp_processlogshippingmonitorprimary', 'sp_processlogshippingmonitorsecondary', 'sp_processlogshippingretentioncleanup', _x000D__x000A_'sp_procoption', 'sp_prop_oledb_provider', 'sp_provider_types_100_rowset', 'sp_provider_types_90_rowset', 'sp_provider_types_rowset', 'sp_publication_validation', 'sp_publicationsummary', 'sp_publishdb', 'sp_publisherproperty', 'sp_query_store_flush_db', 'sp_query_store_force_plan', 'sp_query_store_remove_plan', 'sp_query_store_remove_query', 'sp_query_store_reset_exec_stats', 'sp_query_store_unforce_plan', 'sp_rda_deauthorize_db', 'sp_rda_get_rpo_duration', 'sp_rda_reauthorize_db', 'sp_rda_reconcile_batch', 'sp_rda_reconcile_columns', 'sp_rda_reconcile_indexes', 'sp_rda_set_query_mode', 'sp_rda_set_rpo_duration', 'sp_rda_test_connection', 'sp_readerrorlog', 'sp_recompile', 'sp_redirect_publisher', 'sp_refresh_heterogeneous_publisher', 'sp_refresh_log_shipping_monitor', 'sp_refresh_parameter_encryption', 'sp_refreshsqlmodule', 
'sp_refreshsubscriptions', 'sp_refreshview', 'sp_register_custom_scripting', 'sp_registercustomresolver', 'sp_reinitmergepullsubscription', 'sp_reinitmergesubscription', 'sp_reinitpullsubscription', 'sp_reinitsubscription', 'sp_releaseapplock', 'sp_releaseschemalock', 'sp_remote_data_archive_event', 'sp_remoteoption', 'sp_removedbreplication', 'sp_removedistpublisherdbreplication', 'sp_removesrvreplication', 'sp_rename', 'sp_renamedb', 'sp_repl_generate_subscriber_event', 'sp_repl_generateevent', 'sp_repladdcolumn', 'sp_replcleanupccsprocs', 'sp_replcmds', 'sp_replcounters', 'sp_replddlparser', 'sp_repldeletequeuedtran', 'sp_repldone', 'sp_repldropcolumn', 'sp_replflush', 'sp_replgetparsedddlcmd', 'sp_replhelp', 'sp_replica', 'sp_replication_agent_checkup', 'sp_replicationdboption', 'sp_replincrementlsn', 'sp_replmonitorchangepublicationthreshold', 'sp_replmonitorhelpmergesession', 'sp_replmonitorhelpmergesessiondetail', 'sp_replmonitorhelpmergesubscriptionmoreinfo', 'sp_replmonitorhelppublication', 'sp_replmonitorhelppublicationthresholds', 'sp_replmonitorhelppublisher', 'sp_replmonitorhelpsubscription', 'sp_replmonitorrefreshjob', 'sp_replmonitorsubscriptionpendingcmds', 'sp_replpostsyncstatus', 'sp_replqueuemonitor', 'sp_replrestart', 'sp_replrethrow', 'sp_replsendtoqueue', 'sp_replsetoriginator', 'sp_replsetsyncstatus', 'sp_replshowcmds', 'sp_replsqlqgetrows', 'sp_replsync', 'sp_repltrans', 'sp_replwritetovarbin', 'sp_requestpeerresponse', 'sp_requestpeertopologyinfo', 'sp_reserve_http_namespace', 'sp_reset_connection', 'sp_reset_session_context', 'sp_resetsnapshotdeliveryprogress', 'sp_resign_database', 'sp_restoredbreplication', 'sp_restoremergeidentityrange', 'sp_resyncexecute', 'sp_resyncexecutesql', 'sp_resyncmergesubscription', 'sp_resyncprepare', 'sp_resyncuniquetable', 'sp_revoke_publication_access', 'sp_revokedbaccess', 'sp_revokelogin', 'sp_rollback_parallel_nested_tran', 'sp_schemafilter', 'sp_schemata_rowset', 'sp_script_reconciliation_delproc', 
'sp_script_reconciliation_insproc', 'sp_script_reconciliation_sinsproc', 'sp_script_reconciliation_vdelproc', 'sp_script_reconciliation_x005F_xdelproc', 'sp_script_synctran_commands', 'sp_scriptdelproc', 'sp_scriptdynamicupdproc', 'sp_scriptinsproc', 'sp_scriptmappedupdproc', 'sp_scriptpublicationcustomprocs', 'sp_scriptsinsproc', 'sp_scriptsubconflicttable', 'sp_scriptsupdproc', 'sp_scriptupdproc', 'sp_scriptvdelproc', 'sp_scriptvupdproc', 'sp_scriptxdelproc', 'sp_scriptxupdproc', 'sp_sequence_get_range', 'sp_server_diagnostics', 'sp_server_info', 'sp_serveroption', 'sp_set_session_context', 'sp_setapprole', 'sp_SetAutoSAPasswordAndDisable', 'sp_setdefaultdatatypemapping', 'sp_setnetname', 'sp_SetOBDCertificate', 'sp_setOraclepackageversion', 'sp_setreplfailovermode', 'sp_setsubscriptionxactseqno', 'sp_settriggerorder', 'sp_setuserbylogin', 'sp_showcolv', 'sp_showlineage', 'sp_showmemo_x005F_xml', 'sp_showpendingchanges', 'sp_showrowreplicainfo', 'sp_sm_detach', 'sp_spaceused', 'sp_spaceused_remote_data_archive', 'sp_sparse_columns_100_rowset', 'sp_special_columns', 'sp_special_columns_100', 'sp_special_columns_90', 'sp_sproc_columns', 'sp_sproc_columns_100', 'sp_sproc_columns_90', 'sp_sqlagent_add_job', 'sp_sqlagent_add_jobstep', 'sp_sqlagent_delete_job', 'sp_sqlagent_help_jobstep', 'sp_sqlagent_log_job_history', 'sp_sqlagent_start_job', 'sp_sqlagent_stop_job', 'sp_sqlagent_verify_database_context', 'sp_sqlagent_write_jobstep_log', 'sp_sqlexec', 'sp_srvrolepermission', 'sp_start_user_instance', 'sp_startmergepullsubscription_agent', 'sp_startmergepushsubscription_agent', 'sp_startpublication_snapshot', 'sp_startpullsubscription_agent', 'sp_startpushsubscription_agent', 'sp_statistics', 'sp_statistics_100', 'sp_statistics_rowset', 'sp_statistics_rowset2', _x000D__x000A_'sp_stopmergepullsubscription_agent', 'sp_stopmergepushsubscription_agent', 'sp_stoppublication_snapshot', 'sp_stoppullsubscription_agent', 'sp_stoppushsubscription_agent', 'sp_stored_procedures', 
'sp_subscribe', 'sp_subscription_cleanup', 'sp_subscriptionsummary', 'sp_syspolicy_subscribe_to_policy_category', 'sp_syspolicy_unsubscribe_from_policy_category', 'sp_syspolicy_update_ddl_trigger', 'sp_syspolicy_update_event_notification', 'sp_table_constraints_rowset', 'sp_table_constraints_rowset2', 'sp_table_privileges', 'sp_table_privileges_ex', 'sp_table_privileges_rowset', 'sp_table_privileges_rowset_rmt', 'sp_table_privileges_rowset2', 'sp_table_statistics_rowset', 'sp_table_statistics2_rowset', 'sp_table_type_columns_100', 'sp_table_type_columns_100_rowset', 'sp_table_type_pkeys', 'sp_table_type_primary_keys_rowset', 'sp_table_types', 'sp_table_types_rowset', 'sp_table_validation', 'sp_tablecollations', 'sp_tablecollations_100', 'sp_tablecollations_90', 'sp_tableoption', 'sp_tables', 'sp_tables_ex', 'sp_tables_info_90_rowset', 'sp_tables_info_90_rowset_64', 'sp_tables_info_90_rowset2', 'sp_tables_info_90_rowset2_64', 'sp_tables_info_rowset', 'sp_tables_info_rowset_64', 'sp_tables_info_rowset2', 'sp_tables_info_rowset2_64', 'sp_tables_rowset', 'sp_tables_rowset_rmt', 'sp_tables_rowset2', 'sp_tableswc', 'sp_testlinkedserver', 'sp_trace_create', 'sp_trace_generateevent', 'sp_trace_getdata', 'sp_trace_setevent', 'sp_trace_setfilter', 'sp_trace_setstatus', 'sp_try_set_session_context', 'sp_unbindefault', 'sp_unbindrule', 'sp_unprepare', 'sp_unregister_custom_scripting', 'sp_unregistercustomresolver', 'sp_unsetapprole', 'sp_unsubscribe', 'sp_update_agent_profile', 'sp_update_user_instance', 'sp_updateextendedproperty', 'sp_updatestats', 'sp_upgrade_log_shipping', 'sp_user_counter1', 'sp_user_counter10', 'sp_user_counter2', 'sp_user_counter3', 'sp_user_counter4', 'sp_user_counter5', 'sp_user_counter6', 'sp_user_counter7', 'sp_user_counter8', 'sp_user_counter9', 'sp_usertypes_rowset', 'sp_usertypes_rowset_rmt', 'sp_usertypes_rowset2', 'sp_validate_redirected_publisher', 'sp_validate_replica_hosts_as_publishers', 'sp_validatecache', 'sp_validatelogins', 
'sp_validatemergepublication', 'sp_validatemergepullsubscription', 'sp_validatemergesubscription', 'sp_validlang', 'sp_validname', 'sp_verifypublisher', 'sp_views_rowset', 'sp_views_rowset2', 'sp_vupgrade_mergeobjects', 'sp_vupgrade_mergetables', 'sp_vupgrade_replication', 'sp_vupgrade_replsecurity_metadata', 'sp_who', 'sp_who2', 'sp_x005F_xml_preparedocument', 'sp_x005F_xml_removedocument', 'sp_x005F_xml_schema_rowset', 'sp_x005F_xml_schema_rowset2', 'sp_x005F_xtp_bind_db_resource_pool', 'sp_x005F_xtp_checkpoint_force_garbage_collection', 'sp_x005F_xtp_control_proc_exec_stats', 'sp_x005F_xtp_control_query_exec_stats', 'sp_x005F_xtp_flush_temporal_history', 'sp_x005F_xtp_kill_active_transactions', 'sp_x005F_xtp_merge_checkpoint_files', 'sp_x005F_xtp_objects_present', 'sp_x005F_xtp_set_memory_quota', 'sp_x005F_xtp_slo_can_downgrade', 'sp_x005F_xtp_slo_downgrade_finished', 'sp_x005F_xtp_slo_prepare_to_downgrade', 'sp_x005F_xtp_unbind_db_resource_pool', 'xp_dirtree', 'xp_fileexist', 'xp_fixeddrives', 'xp_getnetname', 'xp_grantlogin', 'xp_instance_regread', 'xp_msver', 'xp_qv', 'xp_regread', 'xp_repl_convert_encrypt_sysadmin_wrapper', 'xp_replposteor', 'xp_revokelogin', 'xp_sprintf', 'xp_sscanf')_x000D__x000A_))_x000D__x000A_OR_x000D__x000A_(permission_name = 'SELECT' AND type = 'SL ' AND STATE = 'G' AND grantor_principal_name = 'dbo' AND schema_name = 'sys' AND object_type = 'system_object' AND (_x000D__x000A_object_name IN (_x000D__x000A_'all_columns', 'all_objects', 'all_parameters', 'all_sql_modules', 'all_views', 'allocation_units', 'assemblies', 'assembly_files', 'assembly_modules', 'assembly_references', 'assembly_types', 'asymmetric_keys', 'availability_databases_cluster', 'availability_group_listener_ip_addresses', 'availability_group_listeners', 'availability_groups', 'availability_groups_cluster', 'availability_read_only_routing_lists', 'availability_replicas', 'backup_devices', 'certificates', 'change_tracking_databases', 'change_tracking_tables', 
'check_constraints', 'COLUMN_DOMAIN_USAGE', 'column_encryption_key_values', 'column_encryption_keys', 'column_master_key_definitions', 'column_master_keys', 'COLUMN_PRIVILEGES', 'column_store_dictionaries', 'column_store_row_groups', 'column_store_segments', 'column_type_usages', 'column_x005F_xml_schema_collection_usages', 'columns', 'computed_columns', 'configurations', 'CONSTRAINT_COLUMN_USAGE', 'CONSTRAINT_TABLE_USAGE', 'conversation_endpoints', 'conversation_groups', 'conversation_priorities', 'credentials', 'crypt_properties', 'cryptographic_providers', 'data_spaces', 'database_audit_specification_details', 'database_audit_specifications', 'database_credentials', 'database_event_session_actions', 'database_event_session_events', 'database_event_session_fields', 'database_event_session_targets', 'database_event_sessions', 'database_files', 'database_filestream_options', 'database_mirroring', 'database_mirroring_endpoints', 'database_permissions', 'database_principals', 'database_query_store_options', 'database_recovery_status', 'database_resource_governor_workload_groups', 'database_role_members', 'database_scoped_configurations', 'database_scoped_credentials', 'databases', 'default_constraints', 'destination_data_spaces', 'dm_audit_actions', 'dm_audit_class_type_map', 'dm_broker_activated_tasks', 'dm_broker_connections', 'dm_broker_forwarded_messages', 'dm_broker_queue_monitors', 'dm_cdc_errors', 'dm_cdc_log_scan_sessions', 'dm_clr_appdomains', 'dm_clr_loaded_assemblies', 'dm_clr_properties', 'dm_clr_tasks', 'dm_column_store_object_pool', 'dm_cryptographic_provider_algorithms', 'dm_cryptographic_provider_keys', 'dm_cryptographic_provider_properties', 'dm_cryptographic_provider_sessions', 'dm_database_encryption_keys', 'dm_db_column_store_row_group_operational_stats', 'dm_db_column_store_row_group_physical_stats', 'dm_db_database_page_allocations', 'dm_db_file_space_usage', 'dm_db_fts_index_physical_stats', 'dm_db_incremental_stats_properties', 
'dm_db_index_operational_stats', 'dm_db_index_physical_stats', 'dm_db_index_usage_stats', 'dm_db_log_space_usage', 'dm_db_mirroring_auto_page_repair', 'dm_db_mirroring_connections', 'dm_db_mirroring_past_actions', 'dm_db_missing_index_columns', 'dm_db_missing_index_details', 'dm_db_missing_index_group_stats', 'dm_db_missing_index_groups', 'dm_db_objects_disabled_on_compatibility_level_change', 'dm_db_partition_stats', 'dm_db_persisted_sku_features', 'dm_db_rda_migration_status', 'dm_db_rda_schema_update_status', 'dm_db_resource_governor_configuration', 'dm_db_script_level', 'dm_db_session_space_usage', 'dm_db_stats_properties', 'dm_db_task_space_usage', 'dm_db_uncontained_entities', 'dm_db_workload_group_resource_stats', 'dm_db_x005F_xtp_checkpoint_files', 'dm_db_x005F_xtp_checkpoint_stats', 'dm_db_x005F_xtp_gc_cycle_stats', 'dm_db_x005F_xtp_hash_index_stats', 'dm_db_x005F_xtp_index_stats', 'dm_db_x005F_xtp_memory_consumers', 'dm_db_x005F_xtp_nonclustered_index_stats', 'dm_db_x005F_xtp_object_stats', 'dm_db_x005F_xtp_table_memory_stats', 'dm_db_x005F_xtp_transactions', 'dm_exec_background_job_queue', 'dm_exec_background_job_queue_stats', 'dm_exec_cached_plan_dependent_objects', 'dm_exec_cached_plans', 'dm_exec_compute_node_errors', 'dm_exec_compute_node_status', 'dm_exec_compute_nodes', 'dm_exec_connections', 'dm_exec_cursors', 'dm_exec_describe_first_result_set', 'dm_exec_describe_first_result_set_for_object', 'dm_exec_distributed_request_steps', 'dm_exec_distributed_requests', 'dm_exec_distributed_sql_requests', 'dm_exec_dms_services', 'dm_exec_dms_workers', 'dm_exec_external_operations', 'dm_exec_external_work', 'dm_exec_function_stats', 'dm_exec_input_buffer', 'dm_exec_plan_attributes', 'dm_exec_procedure_stats', 'dm_exec_query_memory_grants', 'dm_exec_query_optimizer_info', 'dm_exec_query_optimizer_memory_gateways', 'dm_exec_query_parallel_workers', 'dm_exec_query_plan', 'dm_exec_query_profiles', 'dm_exec_query_resource_semaphores', 
'dm_exec_query_statistics_x005F_xml', 'dm_exec_query_stats', 'dm_exec_query_transformation_stats', 'dm_exec_requests', 'dm_exec_session_wait_stats', 'dm_exec_sessions', 'dm_exec_sql_text', 'dm_exec_text_query_plan', 'dm_exec_trigger_stats', 'dm_exec_valid_use_hints', 'dm_exec_x005F_xml_handles', 'dm_external_script_execution_stats', 'dm_external_script_requests', _x000D__x000A_'dm_filestream_file_io_handles', 'dm_filestream_file_io_requests', 'dm_filestream_non_transacted_handles', 'dm_fts_active_catalogs', 'dm_fts_fdhosts', 'dm_fts_index_keywords', 'dm_fts_index_keywords_by_document', 'dm_fts_index_keywords_by_property', 'dm_fts_index_keywords_position_by_document', 'dm_fts_index_population', 'dm_fts_memory_buffers', 'dm_fts_memory_pools', 'dm_fts_outstanding_batches', 'dm_fts_parser', 'dm_fts_population_ranges', 'dm_fts_semantic_similarity_population', 'dm_hadr_auto_page_repair', 'dm_hadr_automatic_seeding', 'dm_hadr_availability_group_states', 'dm_hadr_availability_replica_cluster_nodes', 'dm_hadr_availability_replica_cluster_states', 'dm_hadr_availability_replica_states', 'dm_hadr_cluster', 'dm_hadr_cluster_members', 'dm_hadr_cluster_networks', 'dm_hadr_database_replica_cluster_states', 'dm_hadr_database_replica_states', 'dm_hadr_instance_node_map', 'dm_hadr_name_id_map', 'dm_hadr_physical_seeding_stats', 'dm_io_backup_tapes', 'dm_io_cluster_shared_drives', 'dm_io_cluster_valid_path_names', 'dm_io_pending_io_requests', 'dm_io_virtual_file_stats', 'dm_logconsumer_cachebufferrefs', 'dm_logconsumer_privatecachebuffers', 'dm_logpool_consumers', 'dm_logpool_hashentries', 'dm_logpool_sharedcachebuffers', 'dm_logpool_stats', 'dm_logpoolmgr_freepools', 'dm_logpoolmgr_respoolsize', 'dm_logpoolmgr_stats', 'dm_os_buffer_descriptors', 'dm_os_buffer_pool_extension_configuration', 'dm_os_child_instances', 'dm_os_cluster_nodes', 'dm_os_cluster_properties', 'dm_os_dispatcher_pools', 'dm_os_dispatchers', 'dm_os_hosts', 'dm_os_latch_stats', 'dm_os_loaded_modules', 
'dm_os_memory_allocations', 'dm_os_memory_broker_clerks', 'dm_os_memory_brokers', 'dm_os_memory_cache_clock_hands', 'dm_os_memory_cache_counters', 'dm_os_memory_cache_entries', 'dm_os_memory_cache_hash_tables', 'dm_os_memory_clerks', 'dm_os_memory_node_access_stats', 'dm_os_memory_nodes', 'dm_os_memory_objects', 'dm_os_memory_pools', 'dm_os_nodes', 'dm_os_performance_counters', 'dm_os_process_memory', 'dm_os_ring_buffers', 'dm_os_schedulers', 'dm_os_server_diagnostics_log_configurations', 'dm_os_spinlock_stats', 'dm_os_stacks', 'dm_os_sublatches', 'dm_os_sys_info', 'dm_os_sys_memory', 'dm_os_tasks', 'dm_os_threads', 'dm_os_virtual_address_dump', 'dm_os_volume_stats', 'dm_os_wait_stats', 'dm_os_waiting_tasks', 'dm_os_windows_info', 'dm_os_worker_local_storage', 'dm_os_workers', 'dm_pdw_component_health_active_alerts', 'dm_pdw_component_health_alerts', 'dm_pdw_component_health_status', 'dm_pdw_diag_processing_stats', 'dm_pdw_dms_cores', 'dm_pdw_dms_external_work', 'dm_pdw_dms_workers', 'dm_pdw_errors', 'dm_pdw_exec_connections', 'dm_pdw_exec_query_profiles', 'dm_pdw_exec_queryplan_profiles', 'dm_pdw_exec_requests', 'dm_pdw_exec_sessions', 'dm_pdw_hadoop_operations', 'dm_pdw_lock_waits', 'dm_pdw_network_credentials', 'dm_pdw_node_status', 'dm_pdw_nodes', 'dm_pdw_nodes_clr_appdomains', 'dm_pdw_nodes_clr_loaded_assemblies', 'dm_pdw_nodes_clr_properties', 'dm_pdw_nodes_clr_tasks', 'dm_pdw_nodes_database_encryption_keys', 'dm_pdw_nodes_db_file_space_usage', 'dm_pdw_nodes_db_index_usage_stats', 'dm_pdw_nodes_db_partition_stats', 'dm_pdw_nodes_db_session_space_usage', 'dm_pdw_nodes_db_task_space_usage', 'dm_pdw_nodes_exec_background_job_queue', 'dm_pdw_nodes_exec_background_job_queue_stats', 'dm_pdw_nodes_exec_cached_plans', 'dm_pdw_nodes_exec_connections', 'dm_pdw_nodes_exec_procedure_stats', 'dm_pdw_nodes_exec_query_memory_grants', 'dm_pdw_nodes_exec_query_optimizer_info', 'dm_pdw_nodes_exec_query_resource_semaphores', 'dm_pdw_nodes_exec_query_stats', 
'dm_pdw_nodes_exec_requests', 'dm_pdw_nodes_exec_sessions', 'dm_pdw_nodes_io_cluster_shared_drives', 'dm_pdw_nodes_io_pending_io_requests', 'dm_pdw_nodes_os_buffer_descriptors', 'dm_pdw_nodes_os_child_instances', 'dm_pdw_nodes_os_cluster_nodes', 'dm_pdw_nodes_os_dispatcher_pools', 'dm_pdw_nodes_os_dispatchers', 'dm_pdw_nodes_os_hosts', 'dm_pdw_nodes_os_latch_stats', 'dm_pdw_nodes_os_loaded_modules', 'dm_pdw_nodes_os_memory_brokers', 'dm_pdw_nodes_os_memory_cache_clock_hands', 'dm_pdw_nodes_os_memory_cache_counters', 'dm_pdw_nodes_os_memory_cache_entries', 'dm_pdw_nodes_os_memory_cache_hash_tables', 'dm_pdw_nodes_os_memory_clerks', 'dm_pdw_nodes_os_memory_node_access_stats', 'dm_pdw_nodes_os_memory_nodes', 'dm_pdw_nodes_os_memory_objects', 'dm_pdw_nodes_os_memory_pools', 'dm_pdw_nodes_os_nodes', 'dm_pdw_nodes_os_performance_counters', 'dm_pdw_nodes_os_process_memory', 'dm_pdw_nodes_os_schedulers', 'dm_pdw_nodes_os_spinlock_stats', 'dm_pdw_nodes_os_sys_info', 'dm_pdw_nodes_os_sys_memory', 'dm_pdw_nodes_os_tasks', 'dm_pdw_nodes_os_threads', 'dm_pdw_nodes_os_virtual_address_dump', 'dm_pdw_nodes_os_wait_stats', 'dm_pdw_nodes_os_waiting_tasks', 'dm_pdw_nodes_os_workers', _x000D__x000A_'dm_pdw_nodes_resource_governor_resource_pools', 'dm_pdw_nodes_resource_governor_workload_groups', 'dm_pdw_nodes_tran_active_snapshot_database_transactions', 'dm_pdw_nodes_tran_active_transactions', 'dm_pdw_nodes_tran_commit_table', 'dm_pdw_nodes_tran_current_snapshot', 'dm_pdw_nodes_tran_current_transaction', 'dm_pdw_nodes_tran_database_transactions', 'dm_pdw_nodes_tran_locks', 'dm_pdw_nodes_tran_session_transactions', 'dm_pdw_nodes_tran_top_version_generators', 'dm_pdw_os_event_logs', 'dm_pdw_os_performance_counters', 'dm_pdw_os_threads', 'dm_pdw_query_stats_x005F_xe', 'dm_pdw_query_stats_x005F_xe_file', 'dm_pdw_request_steps', 'dm_pdw_resource_waits', 'dm_pdw_sql_requests', 'dm_pdw_sys_info', 'dm_pdw_wait_stats', 'dm_pdw_waits', 'dm_qn_subscriptions', 'dm_repl_articles', 
'dm_repl_schemas', 'dm_repl_tranhash', 'dm_repl_traninfo', 'dm_resource_governor_configuration', 'dm_resource_governor_external_resource_pool_affinity', 'dm_resource_governor_external_resource_pools', 'dm_resource_governor_resource_pool_affinity', 'dm_resource_governor_resource_pool_volumes', 'dm_resource_governor_resource_pools', 'dm_resource_governor_workload_groups', 'dm_server_audit_status', 'dm_server_memory_dumps', 'dm_server_registry', 'dm_server_services', 'dm_sql_referenced_entities', 'dm_sql_referencing_entities', 'dm_tcp_listener_states', 'dm_tran_active_snapshot_database_transactions', 'dm_tran_active_transactions', 'dm_tran_commit_table', 'dm_tran_current_snapshot', 'dm_tran_current_transaction', 'dm_tran_database_transactions', 'dm_tran_global_recovery_transactions', 'dm_tran_global_transactions', 'dm_tran_global_transactions_enlistments', 'dm_tran_global_transactions_log', 'dm_tran_locks', 'dm_tran_session_transactions', 'dm_tran_top_version_generators', 'dm_tran_transactions_snapshot', 'dm_tran_version_store', 'dm_x005F_xe_map_values', 'dm_x005F_xe_object_columns', 'dm_x005F_xe_objects', 'dm_x005F_xe_packages', 'dm_x005F_xe_session_event_actions', 'dm_x005F_xe_session_events', 'dm_x005F_xe_session_object_columns', 'dm_x005F_xe_session_targets', 'dm_x005F_xe_sessions', 'dm_x005F_xtp_gc_queue_stats', 'dm_x005F_xtp_gc_stats', 'dm_x005F_xtp_system_memory_consumers', 'dm_x005F_xtp_threads', 'dm_x005F_xtp_transaction_recent_rows', 'dm_x005F_xtp_transaction_stats', 'DOMAIN_CONSTRAINTS', 'DOMAINS', 'endpoint_webmethods', 'endpoints', 'event_notification_event_types', 'event_notifications', 'events', 'extended_procedures', 'extended_properties', 'external_data_sources', 'external_file_formats', 'external_tables', 'federated_table_columns', 'federation_distributions', 'federation_member_distributions', 'federation_members', 'federations', 'filegroups', 'filetable_system_defined_objects', 'filetables', 'fn_builtin_permissions', 'fn_check_object_signatures', 
'fn_column_store_row_groups', 'fn_db_backup_file_snapshots', 'fn_dblog_x005F_xtp', 'fn_dump_dblog', 'fn_dump_dblog_x005F_xtp', 'fn_EnumCurrentPrincipals', 'fn_get_audit_file', 'fn_hadr_distributed_ag_database_replica', 'fn_hadr_distributed_ag_replica', 'fn_helpcollations', 'fn_helpdatatypemap', 'fn_listextendedproperty', 'fn_MSxe_read_event_stream', 'fn_my_permissions', 'fn_PhysLocCracker', 'fn_replgetcolidfrombitmap', 'fn_RowDumpCracker', 'fn_servershareddrives', 'fn_sqlagent_job_history', 'fn_sqlagent_jobs', 'fn_sqlagent_jobsteps', 'fn_sqlagent_jobsteps_logs', 'fn_sqlagent_subsystems', 'fn_stmt_sql_handle_from_sql_stmt', 'fn_trace_geteventinfo', 'fn_trace_getfilterinfo', 'fn_trace_getinfo', 'fn_trace_gettable', 'fn_translate_permissions', 'fn_validate_plan_guide', 'fn_virtualfilestats', 'fn_virtualservernodes', 'fn_x005F_xe_file_target_read_file', 'foreign_key_columns', 'foreign_keys', 'fulltext_catalogs', 'fulltext_document_types', 'fulltext_index_catalog_usages', 'fulltext_index_columns', 'fulltext_index_fragments', 'fulltext_indexes', 'fulltext_languages', 'fulltext_semantic_language_statistics_database', 'fulltext_semantic_languages', 'fulltext_stoplists', 'fulltext_stopwords', 'fulltext_system_stopwords', 'function_order_columns', 'hash_indexes', 'http_endpoints', 'identity_columns', 'index_columns', 'index_resumable_operations', 'indexes', 'internal_partitions', 'internal_tables', 'KEY_COLUMN_USAGE', 'key_constraints', 'key_encryptions', 'linked_logins', 'login_token', 'masked_columns', 'master_files', 'master_key_passwords', 'memory_optimized_tables_internal_attributes', 'message_type_x005F_xml_schema_collection_usages', 'messages', 'module_assembly_usages', 'numbered_procedure_parameters', 'numbered_procedures', 'objects', 'openkeys', 'parameter_type_usages', 'parameter_x005F_xml_schema_collection_usages', 'parameters', 'partition_functions', 'partition_parameters', 'partition_range_values', 'partition_schemes', 'partitions', 
_x000D__x000A_'pdw_column_distribution_properties', 'pdw_database_mappings', 'pdw_diag_event_properties', 'pdw_diag_events', 'pdw_diag_sessions', 'pdw_distributions', 'pdw_health_alerts', 'pdw_health_component_groups', 'pdw_health_component_properties', 'pdw_health_component_status_mappings', 'pdw_health_components', 'pdw_index_mappings', 'pdw_loader_backup_run_details', 'pdw_loader_backup_runs', 'pdw_loader_run_stages', 'pdw_nodes_column_store_dictionaries', 'pdw_nodes_column_store_row_groups', 'pdw_nodes_column_store_segments', 'pdw_nodes_columns', 'pdw_nodes_indexes', 'pdw_nodes_partitions', 'pdw_nodes_pdw_physical_databases', 'pdw_nodes_tables', 'pdw_physical_databases', 'pdw_table_distribution_properties', 'pdw_table_mappings', 'periods', 'plan_guides', 'procedures', 'query_context_settings', 'query_store_plan', 'query_store_query', 'query_store_query_text', 'query_store_runtime_stats', 'query_store_runtime_stats_interval', 'REFERENTIAL_CONSTRAINTS', 'registered_search_properties', 'registered_search_property_lists', 'remote_data_archive_databases', 'remote_data_archive_tables', 'remote_logins', 'remote_service_bindings', 'resource_governor_configuration', 'resource_governor_external_resource_pool_affinity', 'resource_governor_external_resource_pools', 'resource_governor_resource_pool_affinity', 'resource_governor_resource_pools', 'resource_governor_workload_groups', 'routes', 'ROUTINE_COLUMNS', 'ROUTINES', 'schemas', 'SCHEMATA', 'securable_classes', 'security_policies', 'security_predicates', 'selective_x005F_xml_index_namespaces', 'selective_x005F_xml_index_paths', 'sequences', 'server_assembly_modules', 'server_audit_specification_details', 'server_audit_specifications', 'server_audits', 'server_event_notifications', 'server_event_session_actions', 'server_event_session_events', 'server_event_session_fields', 'server_event_session_targets', 'server_event_sessions', 'server_events', 'server_file_audits', 'server_permissions', 'server_principal_credentials', 
'server_principals', 'server_role_members', 'server_sql_modules', 'server_trigger_events', 'server_triggers', 'servers', 'service_broker_endpoints', 'service_contract_message_usages', 'service_contract_usages', 'service_contracts', 'service_message_types', 'service_queue_usages', 'service_queues', 'services', 'soap_endpoints', 'spatial_index_tessellations', 'spatial_indexes', 'spatial_reference_systems', 'sql_dependencies', 'sql_logins', 'sql_modules', 'stats', 'stats_columns', 'symmetric_keys', 'synonyms', 'syscacheobjects', 'syscharsets', 'syscolumns', 'syscomments', 'sysconfigures', 'sysconstraints', 'syscurconfigs', 'syscursorcolumns', 'syscursorrefs', 'syscursors', 'syscursortables', 'sysdatabases', 'sysdepends', 'sysdevices', 'sysfilegroups', 'sysfiles', 'sysforeignkeys', 'sysfulltextcatalogs', 'sysindexes', 'sysindexkeys', 'syslanguages', 'syslockinfo', 'syslogins', 'sysmembers', 'sysmessages', 'sysobjects', 'sysoledbusers', 'sysopentapes', 'sysperfinfo', 'syspermissions', 'sysprocesses', 'sysprotects', 'sysreferences', 'sysremotelogins', 'sysservers', 'system_columns', 'system_components_surface_area_configuration', 'system_objects', 'system_parameters', 'system_sql_modules', 'system_views', 'systypes', 'sysusers', 'TABLE_CONSTRAINTS', 'TABLE_PRIVILEGES', 'table_types', 'tables', 'time_zone_info', 'tcp_endpoints', 'trace_categories', 'trace_columns', 'trace_event_bindings', 'trace_events', 'trace_subclass_values', 'trace_x005F_xe_action_map', 'trace_x005F_xe_event_map', 'traces', 'transmission_queue', 'trigger_event_types', 'trigger_events', 'triggers', 'type_assembly_usages', 'types', 'user_token', 'via_endpoints', 'VIEW_COLUMN_USAGE', 'VIEW_TABLE_USAGE', 'views', 'xml_indexes', 'xml_schema_attributes', 'xml_schema_collections', 'xml_schema_component_placements', 'xml_schema_components', 'xml_schema_elements', 'xml_schema_facets', 'xml_schema_model_groups', 'xml_schema_namespaces', 'xml_schema_types', 'xml_schema_wildcard_namespaces', 
'xml_schema_wildcards','database_automatic_tuning_mode','database_automatic_tuning_options','query_store_wait_stats', 'dm_db_stats_histogram'_x000D__x000A_)_x000D__x000A_))_x000D__x000A_OR_x000D__x000A_(permission_name = 'SELECT' AND type = 'SL ' AND STATE = 'G' AND grantor_principal_name = 'dbo' AND schema_name = 'dbo' AND object_type = 'U ' AND (_x000D__x000A_object_name IN ('backupfile', 'backupmediafamily', 'backupmediaset', 'backupset', 'dm_hadr_automatic_seeding_history', 'logmarkhistory', 'restorefile', 'restorefilegroup', 'restorehistory', 'spt_fallback_db', 'spt_fallback_dev', 'spt_fallback_usg', 'spt_monitor', 'suspect_pages', 'sysdac_history_internal', 'sysdac_instances_internal')_x000D__x000A_))_x000D__x000A_OR_x000D__x000A_(permission_name = 'SELECT' AND type = 'SL ' AND STATE = 'G' AND grantor_principal_name = 'dbo' AND schema_name = 'dbo' AND object_type = 'V ' AND (_x000D__x000A_object_name IN (_x000D__x000A_'autoadmin_backup_configuration_summary', 'spt_values', 'sysdac_instances', 'syspolicy_conditions', 'syspolicy_configuration', 'syspolicy_object_sets', 'syspolicy_policies', 'syspolicy_policy_categories', 'syspolicy_policy_category_subscriptions', 'syspolicy_policy_execution_history', 'syspolicy_policy_execution_history_details', 'syspolicy_system_health_state', 'syspolicy_target_set_levels', 'syspolicy_target_sets'_x000D__x000A_)_x000D__x000A_))_x000D__x000A_OR_x000D__x000A_(permission_name = 'SELECT' AND type = 'SL ' AND STATE = 'G' AND grantor_principal_name = 'sys' AND schema_name = 'sys' AND object_type = 'V ' AND (_x000D__x000A_object_name IN ('bandwidth_usage', 'database_connection_stats', 'database_error_stats', 'database_firewall_rules', 'database_usage', 'dm_database_copies', 'elastic_pool_resource_stats', 'event_log', 'firewall_rules', 'geo_replication_links', 'resource_stats')_x000D__x000A_))_x000D__x000A_)_x000D__x000A__x000D__x000A_ORDER BY object_type, schema_name, object_name, type, state</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE $0 ON [$1].[$2] FROM PUBLIC</S>
</Props>
</Obj>
<Obj RefId="7">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">d15d2a83-cdf3-484a-988f-e9ac8e98e251</G>
<S N="RuleId">VA1069</S>
<S N="Severity">Low</S>
<S N="Category">AuthenticationAndAuthorization</S>
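<S N="Description">Non-sysadmin permissions to select from system tables and views exist out of the box, and are typically used by tools such as SSMS. This rule enumerates which system tables and views can be accessed by non-sysadmins through an explicit SELECT permission. SELECT permissions on the catalog views named in the query's exclusion list are not reported.</S>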
<S N="Title">Permissions to select from system tables and views should be revoked from non-sysadmins</S>
<S N="Query">SELECT [schema_or_class] AS [Schema]_x000D__x000A_ ,[object_name] AS [Object]_x000D__x000A_ ,[grantee_principal_name] AS [Principal]_x000D__x000A_FROM (_x000D__x000A_ SELECT isnull(SCHEMA_NAME(objs.schema_id),'sys') AS [schema_or_class]_x000D__x000A_ ,Object_name(major_id) AS object_name_x000D__x000A_ ,User_name(grantee_principal_id) AS grantee_principal_name_x000D__x000A_ FROM sys.database_permissions perms_x000D__x000A_ LEFT JOIN sys.all_objects objs ON objs.object_id = perms.major_id _x000D__x000A_ WHERE perms.class = 1_x000D__x000A_ AND perms.type = 'SL'_x000D__x000A_ AND major_id < 0_x000D__x000A_ AND NOT Object_name(major_id) IN (_x000D__x000A_ 'all_columns'_x000D__x000A_ ,'all_objects'_x000D__x000A_ ,'all_parameters'_x000D__x000A_ ,'all_sql_modules'_x000D__x000A_ ,'all_views'_x000D__x000A_ ,'allocation_units'_x000D__x000A_ ,'assemblies'_x000D__x000A_ ,'assembly_files'_x000D__x000A_ ,'assembly_modules'_x000D__x000A_ ,'assembly_references'_x000D__x000A_ ,'assembly_types'_x000D__x000A_ ,'asymmetric_keys'_x000D__x000A_ ,'certificates'_x000D__x000A_ ,'change_tracking_tables'_x000D__x000A_ ,'check_constraints'_x000D__x000A_ ,'column_encryption_key_values'_x000D__x000A_ ,'column_encryption_keys'_x000D__x000A_ ,'column_master_keys'_x000D__x000A_ ,'column_store_dictionaries'_x000D__x000A_ ,'column_store_row_groups'_x000D__x000A_ ,'column_store_segments'_x000D__x000A_ ,'column_type_usages'_x000D__x000A_ ,'column_x005F_xml_schema_collection_usages'_x000D__x000A_ ,'columns'_x000D__x000A_ ,'computed_columns'_x000D__x000A_ ,'conversation_endpoints'_x000D__x000A_ ,'conversation_groups'_x000D__x000A_ ,'conversation_priorities'_x000D__x000A_ ,'crypt_properties'_x000D__x000A_ ,'data_spaces'_x000D__x000A_ ,'database_audit_specification_details'_x000D__x000A_ ,'database_audit_specifications'_x000D__x000A_ ,'database_credentials'_x000D__x000A_ ,'database_files'_x000D__x000A_ ,'database_permissions'_x000D__x000A_ ,'database_principals'_x000D__x000A_ 
,'database_role_members'_x000D__x000A_ ,'database_scoped_configurations'_x000D__x000A_ ,'database_scoped_credentials'_x000D__x000A_ ,'default_constraints'_x000D__x000A_ ,'destination_data_spaces'_x000D__x000A_ ,'event_notifications'_x000D__x000A_ ,'events'_x000D__x000A_ ,'extended_procedures'_x000D__x000A_ ,'extended_properties'_x000D__x000A_ ,'external_data_sources'_x000D__x000A_ ,'external_file_formats'_x000D__x000A_ ,'external_tables'_x000D__x000A_ ,'filegroups'_x000D__x000A_ ,'filetable_system_defined_objects'_x000D__x000A_ ,'filetables'_x000D__x000A_ ,'foreign_key_columns'_x000D__x000A_ ,'foreign_keys'_x000D__x000A_ ,'fulltext_catalogs'_x000D__x000A_ ,'fulltext_index_catalog_usages'_x000D__x000A_ ,'fulltext_index_columns'_x000D__x000A_ ,'fulltext_index_fragments'_x000D__x000A_ ,'fulltext_indexes'_x000D__x000A_ ,'fulltext_stoplists'_x000D__x000A_ ,'fulltext_stopwords'_x000D__x000A_ ,'function_order_columns'_x000D__x000A_ ,'hash_indexes'_x000D__x000A_ ,'identity_columns'_x000D__x000A_ ,'index_columns'_x000D__x000A_ ,'indexes'_x000D__x000A_ ,'internal_partitions'_x000D__x000A_ ,'internal_tables'_x000D__x000A_ ,'key_constraints'_x000D__x000A_ ,'key_encryptions'_x000D__x000A_ ,'masked_columns'_x000D__x000A_ ,'memory_optimized_tables_internal_attributes'_x000D__x000A_ ,'message_type_x005F_xml_schema_collection_usages'_x000D__x000A_ ,'module_assembly_usages'_x000D__x000A_ ,'numbered_procedure_parameters'_x000D__x000A_ ,'numbered_procedures'_x000D__x000A_ ,'objects'_x000D__x000A_ ,'parameter_type_usages'_x000D__x000A_ ,'parameter_x005F_xml_schema_collection_usages'_x000D__x000A_ ,'parameters'_x000D__x000A_ ,'partition_functions'_x000D__x000A_ ,'partition_parameters'_x000D__x000A_ ,'partition_range_values'_x000D__x000A_ ,'partition_schemes'_x000D__x000A_ ,'partitions'_x000D__x000A_ ,'periods'_x000D__x000A_ ,'plan_guides'_x000D__x000A_ ,'procedures'_x000D__x000A_ ,'query_context_settings'_x000D__x000A_ ,'query_store_plan'_x000D__x000A_ ,'query_store_query'_x000D__x000A_ 
,'query_store_query_text'_x000D__x000A_ ,'query_store_runtime_stats'_x000D__x000A_ ,'query_store_runtime_stats_interval'_x000D__x000A_ ,'registered_search_properties'_x000D__x000A_ ,'registered_search_property_lists'_x000D__x000A_ ,'remote_data_archive_databases'_x000D__x000A_ ,'remote_data_archive_tables'_x000D__x000A_ ,'remote_service_bindings'_x000D__x000A_ ,'routes'_x000D__x000A_ ,'schemas'_x000D__x000A_ ,'security_policies'_x000D__x000A_ ,'security_predicates'_x000D__x000A_ ,'selective_x005F_xml_index_namespaces'_x000D__x000A_ ,'selective_x005F_xml_index_paths'_x000D__x000A_ ,'sequences'_x000D__x000A_ ,'service_contract_message_usages'_x000D__x000A_ ,'service_contract_usages'_x000D__x000A_ ,'service_contracts'_x000D__x000A_ ,'service_message_types'_x000D__x000A_ ,'service_queue_usages'_x000D__x000A_ ,'service_queues'_x000D__x000A_ ,'services'_x000D__x000A_ ,'spatial_index_tessellations'_x000D__x000A_ ,'spatial_indexes'_x000D__x000A_ ,'sql_dependencies'_x000D__x000A_ ,'sql_modules'_x000D__x000A_ ,'stats'_x000D__x000A_ ,'stats_columns'_x000D__x000A_ ,'symmetric_keys'_x000D__x000A_ ,'synonyms'_x000D__x000A_ ,'syscolumns'_x000D__x000A_ ,'syscomments'_x000D__x000A_ ,'sysconstraints'_x000D__x000A_ ,'sysdepends'_x000D__x000A_ ,'sysfilegroups'_x000D__x000A_ ,'sysfiles'_x000D__x000A_ ,'sysforeignkeys'_x000D__x000A_ ,'sysfulltextcatalogs'_x000D__x000A_ ,'sysindexes'_x000D__x000A_ ,'sysindexkeys'_x000D__x000A_ ,'sysmembers'_x000D__x000A_ ,'sysobjects'_x000D__x000A_ ,'syspermissions'_x000D__x000A_ ,'sysprotects'_x000D__x000A_ ,'sysreferences'_x000D__x000A_ ,'system_columns'_x000D__x000A_ ,'system_objects'_x000D__x000A_ ,'system_parameters'_x000D__x000A_ ,'system_sql_modules'_x000D__x000A_ ,'system_views'_x000D__x000A_ ,'systypes'_x000D__x000A_ ,'sysusers'_x000D__x000A_ ,'table_types'_x000D__x000A_ ,'tables'_x000D__x000A_ ,'time_zone_info'_x000D__x000A_ ,'transmission_queue'_x000D__x000A_ ,'trigger_events'_x000D__x000A_ ,'triggers'_x000D__x000A_ 
,'type_assembly_usages'_x000D__x000A_ ,'types'_x000D__x000A_ ,'views'_x000D__x000A_ ,'xml_indexes'_x000D__x000A_ ,'xml_schema_attributes'_x000D__x000A_ ,'xml_schema_collections'_x000D__x000A_ ,'xml_schema_component_placements'_x000D__x000A_ ,'xml_schema_components'_x000D__x000A_ ,'xml_schema_elements'_x000D__x000A_ ,'xml_schema_facets'_x000D__x000A_ ,'xml_schema_model_groups'_x000D__x000A_ ,'xml_schema_namespaces'_x000D__x000A_ ,'xml_schema_types'_x000D__x000A_ ,'xml_schema_wildcard_namespaces'_x000D__x000A_ ,'xml_schema_wildcards'_x000D__x000A_ ,'dm_pdw_component_health_active_alerts'_x000D__x000A_ ,'dm_pdw_component_health_alerts'_x000D__x000A_ ,'dm_pdw_component_health_status'_x000D__x000A_ ,'dm_pdw_diag_processing_stats'_x000D__x000A_ ,'dm_pdw_dms_cores'_x000D__x000A_ ,'dm_pdw_dms_external_work'_x000D__x000A_ ,'dm_pdw_dms_workers'_x000D__x000A_ ,'dm_pdw_errors'_x000D__x000A_ ,'dm_pdw_exec_connections'_x000D__x000A_ ,'dm_pdw_exec_query_profiles'_x000D__x000A_ ,'dm_pdw_exec_queryplan_profiles'_x000D__x000A_ ,'dm_pdw_exec_requests'_x000D__x000A_ ,'dm_pdw_exec_sessions'_x000D__x000A_ ,'dm_pdw_hadoop_operations'_x000D__x000A_ ,'dm_pdw_lock_waits'_x000D__x000A_ ,'dm_pdw_network_credentials'_x000D__x000A_ ,'dm_pdw_node_status'_x000D__x000A_ ,'dm_pdw_nodes'_x000D__x000A_ ,'dm_pdw_nodes_clr_appdomains'_x000D__x000A_ ,'dm_pdw_nodes_clr_loaded_assemblies'_x000D__x000A_ ,'dm_pdw_nodes_clr_properties'_x000D__x000A_ ,'dm_pdw_nodes_clr_tasks'_x000D__x000A_ ,'dm_pdw_nodes_database_encryption_keys'_x000D__x000A_ ,'dm_pdw_nodes_db_file_space_usage'_x000D__x000A_ ,'dm_pdw_nodes_db_index_usage_stats'_x000D__x000A_ ,'dm_pdw_nodes_db_partition_stats'_x000D__x000A_ ,'dm_pdw_nodes_db_session_space_usage'_x000D__x000A_ ,'dm_pdw_nodes_db_task_space_usage'_x000D__x000A_ ,'dm_pdw_nodes_exec_background_job_queue'_x000D__x000A_ ,'dm_pdw_nodes_exec_background_job_queue_stats'_x000D__x000A_ ,'dm_pdw_nodes_exec_cached_plans'_x000D__x000A_ ,'dm_pdw_nodes_exec_connections'_x000D__x000A_ 
,'dm_pdw_nodes_exec_procedure_stats'_x000D__x000A_ ,'dm_pdw_nodes_exec_query_memory_grants'_x000D__x000A_ ,'dm_pdw_nodes_exec_query_optimizer_info'_x000D__x000A_ ,'dm_pdw_nodes_exec_query_resource_semaphores'_x000D__x000A_ ,'dm_pdw_nodes_exec_query_stats'_x000D__x000A_ ,'dm_pdw_nodes_exec_requests'_x000D__x000A_ ,'dm_pdw_nodes_exec_sessions'_x000D__x000A_ ,'dm_pdw_nodes_io_cluster_shared_drives'_x000D__x000A_ ,'dm_pdw_nodes_io_pending_io_requests'_x000D__x000A_ ,'dm_pdw_nodes_os_buffer_descriptors'_x000D__x000A_ ,'dm_pdw_nodes_os_child_instances'_x000D__x000A_ ,'dm_pdw_nodes_os_cluster_nodes'_x000D__x000A_ ,'dm_pdw_nodes_os_dispatcher_pools'_x000D__x000A_ ,'dm_pdw_nodes_os_dispatchers'_x000D__x000A_ ,'dm_pdw_nodes_os_hosts'_x000D__x000A_ ,'dm_pdw_nodes_os_latch_stats'_x000D__x000A_ ,'dm_pdw_nodes_os_loaded_modules'_x000D__x000A_ ,'dm_pdw_nodes_os_memory_brokers'_x000D__x000A_ ,'dm_pdw_nodes_os_memory_cache_clock_hands'_x000D__x000A_ ,'dm_pdw_nodes_os_memory_cache_counters'_x000D__x000A_ ,'dm_pdw_nodes_os_memory_cache_entries'_x000D__x000A_ ,'dm_pdw_nodes_os_memory_cache_hash_tables'_x000D__x000A_ ,'dm_pdw_nodes_os_memory_clerks'_x000D__x000A_ ,'dm_pdw_nodes_os_memory_node_access_stats'_x000D__x000A_ ,'dm_pdw_nodes_os_memory_nodes'_x000D__x000A_ ,'dm_pdw_nodes_os_memory_objects'_x000D__x000A_ ,'dm_pdw_nodes_os_memory_pools'_x000D__x000A_ ,'dm_pdw_nodes_os_nodes'_x000D__x000A_ ,'dm_pdw_nodes_os_performance_counters'_x000D__x000A_ ,'dm_pdw_nodes_os_process_memory'_x000D__x000A_ ,'dm_pdw_nodes_os_schedulers'_x000D__x000A_ ,'dm_pdw_nodes_os_spinlock_stats'_x000D__x000A_ ,'dm_pdw_nodes_os_sys_info'_x000D__x000A_ ,'dm_pdw_nodes_os_sys_memory'_x000D__x000A_ ,'dm_pdw_nodes_os_tasks'_x000D__x000A_ ,'dm_pdw_nodes_os_threads'_x000D__x000A_ ,'dm_pdw_nodes_os_virtual_address_dump'_x000D__x000A_ ,'dm_pdw_nodes_os_wait_stats'_x000D__x000A_ ,'dm_pdw_nodes_os_waiting_tasks'_x000D__x000A_ ,'dm_pdw_nodes_os_workers'_x000D__x000A_ 
,'dm_pdw_nodes_resource_governor_resource_pools'_x000D__x000A_ ,'dm_pdw_nodes_resource_governor_workload_groups'_x000D__x000A_ ,'dm_pdw_nodes_tran_active_snapshot_database_transactions'_x000D__x000A_ ,'dm_pdw_nodes_tran_active_transactions'_x000D__x000A_ ,'dm_pdw_nodes_tran_commit_table'_x000D__x000A_ ,'dm_pdw_nodes_tran_current_snapshot'_x000D__x000A_ ,'dm_pdw_nodes_tran_current_transaction'_x000D__x000A_ ,'dm_pdw_nodes_tran_database_transactions'_x000D__x000A_ ,'dm_pdw_nodes_tran_locks'_x000D__x000A_ ,'dm_pdw_nodes_tran_session_transactions'_x000D__x000A_ ,'dm_pdw_nodes_tran_top_version_generators'_x000D__x000A_ ,'dm_pdw_os_event_logs'_x000D__x000A_ ,'dm_pdw_os_performance_counters'_x000D__x000A_ ,'dm_pdw_os_threads'_x000D__x000A_ ,'dm_pdw_query_stats_x005F_xe'_x000D__x000A_ ,'dm_pdw_query_stats_x005F_xe_file'_x000D__x000A_ ,'dm_pdw_request_steps'_x000D__x000A_ ,'dm_pdw_resource_waits'_x000D__x000A_ ,'dm_pdw_sql_requests'_x000D__x000A_ ,'dm_pdw_sys_info'_x000D__x000A_ ,'dm_pdw_wait_stats'_x000D__x000A_ ,'dm_pdw_waits'_x000D__x000A_ ,'pdw_column_distribution_properties'_x000D__x000A_ ,'pdw_database_mappings'_x000D__x000A_ ,'pdw_diag_event_properties'_x000D__x000A_ ,'pdw_diag_events'_x000D__x000A_ ,'pdw_diag_sessions'_x000D__x000A_ ,'pdw_distributions'_x000D__x000A_ ,'pdw_health_alerts'_x000D__x000A_ ,'pdw_health_component_groups'_x000D__x000A_ ,'pdw_health_component_properties'_x000D__x000A_ ,'pdw_health_component_status_mappings'_x000D__x000A_ ,'pdw_health_components'_x000D__x000A_ ,'pdw_index_mappings'_x000D__x000A_ ,'pdw_loader_backup_run_details'_x000D__x000A_ ,'pdw_loader_backup_runs'_x000D__x000A_ ,'pdw_loader_run_stages'_x000D__x000A_ ,'pdw_nodes_column_store_dictionaries'_x000D__x000A_ ,'pdw_nodes_column_store_row_groups'_x000D__x000A_ ,'pdw_nodes_column_store_segments'_x000D__x000A_ ,'pdw_nodes_columns'_x000D__x000A_ ,'pdw_nodes_indexes'_x000D__x000A_ ,'pdw_nodes_partitions'_x000D__x000A_ ,'pdw_nodes_pdw_physical_databases'_x000D__x000A_ 
,'pdw_nodes_tables'_x000D__x000A_ ,'pdw_physical_databases'_x000D__x000A_ ,'pdw_table_distribution_properties'_x000D__x000A_ ,'pdw_table_mappings'_x000D__x000A_ )_x000D__x000A_ _x000D__x000A_ UNION_x000D__x000A_ _x000D__x000A_ SELECT class_desc AS [schema_or_class]_x000D__x000A_ ,Object_name(major_id) AS object_name_x000D__x000A_ ,User_name(grantee_principal_id) AS grantee_principal_name_x000D__x000A_ FROM sys.database_permissions perms_x000D__x000A_ WHERE perms.class != 1_x000D__x000A_ AND type = 'SL'_x000D__x000A_ AND major_id < 0_x000D__x000A_ ) A_x000D__x000A_ORDER BY A.[schema_or_class]_x000D__x000A_ ,A.object_name</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE SELECT ON OBJECT::[$0].[$1] FROM [$2]</S>
</Props>
</Obj>
<Obj RefId="8">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">7fb52e4c-2eba-4f8e-84ec-38277faf33da</G>
<S N="RuleId">VA1070</S>
<S N="Severity">Low</S>
<S N="Category">AuthenticationAndAuthorization</S>
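<S N="Description">Database users may share the same name as a server login while being a different principal, which makes it unclear which identity a permission or an audit record refers to. This rule lists database users with database authentication (authentication_type = 2) whose name matches a server login but whose SID differs, and validates that there are no such users.</S>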
<S N="Title">Database users shouldn't share the same name as a server login.</S>
<S N="Query">SELECT dp.NAME AS [Principal] _x000D__x000A_FROM sys.database_principals dp, _x000D__x000A_ sys.server_principals sp _x000D__x000A_WHERE dp.NAME = sp.NAME COLLATE database_default _x000D__x000A_ AND dp.sid != sp.sid _x000D__x000A_ AND dp.authentication_type = 2 _x000D__x000A_ORDER BY dp.NAME</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">*You must rename the affected users or logins to avoid the confusion, updating all affected applications as well.*</S>
</Props>
</Obj>
<Obj RefId="9">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">d0dec3fc-2f11-4600-a4ef-beddc231c22a</G>
<S N="RuleId">VA1094</S>
<S N="Severity">Low</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Permissions are rules associated with a securable object to regulate which users can gain access to the object. This rule checks that there are no DB permissions granted directly to users.</S>
<S N="Title">Database permissions shouldn't be granted directly to principals</S>
<S N="Query">SELECT permission_name AS [Permission], _x000D__x000A_ Replace(dp.class_desc, '_', ' ') AS [Permission Class], _x000D__x000A_ CASE _x000D__x000A_ WHEN dp.class = 0 THEN Db_name() -- database _x000D__x000A_ WHEN dp.class = 3 THEN Schema_name(major_id) -- schema _x000D__x000A_ WHEN dp.class = 4 THEN printarget.NAME -- principal _x000D__x000A_ WHEN dp.class = 5 THEN asm.NAME -- assembly _x000D__x000A_ WHEN dp.class = 6 THEN Type_name(major_id) -- type _x000D__x000A_ WHEN dp.class = 10 THEN xmlsc.NAME -- xml schema _x000D__x000A_ WHEN dp.class = 15 THEN msgt.NAME COLLATE database_default -- message types _x000D__x000A_ WHEN dp.class = 16 THEN svcc.NAME COLLATE database_default -- service contracts _x000D__x000A_ WHEN dp.class = 17 THEN svcs.NAME COLLATE database_default -- services _x000D__x000A_ WHEN dp.class = 18 THEN rsb.NAME COLLATE database_default -- remote service bindings _x000D__x000A_ WHEN dp.class = 19 THEN rts.NAME COLLATE database_default -- routes _x000D__x000A_ WHEN dp.class = 23 THEN ftc.NAME -- full text catalog _x000D__x000A_ WHEN dp.class = 24 THEN sym.NAME -- symmetric key _x000D__x000A_ WHEN dp.class = 25 THEN crt.NAME -- certificate _x000D__x000A_ WHEN dp.class = 26 THEN asym.NAME -- assymetric key _x000D__x000A_ END AS [Object], _x000D__x000A_ prin.NAME AS [Principal] _x000D__x000A_FROM sys.database_permissions AS dp _x000D__x000A_ LEFT JOIN sys.database_principals prin _x000D__x000A_ ON dp.grantee_principal_id = prin.principal_id _x000D__x000A_ LEFT JOIN sys.assemblies asm _x000D__x000A_ ON dp.major_id = asm.assembly_id _x000D__x000A_ LEFT JOIN sys.xml_schema_collections xmlsc _x000D__x000A_ ON dp.major_id = xmlsc.xml_collection_id _x000D__x000A_ LEFT JOIN sys.service_message_types msgt _x000D__x000A_ ON dp.major_id = msgt.message_type_id _x000D__x000A_ LEFT JOIN sys.service_contracts svcc _x000D__x000A_ ON dp.major_id = svcc.service_contract_id _x000D__x000A_ LEFT JOIN sys.services svcs _x000D__x000A_ ON dp.major_id = 
svcs.service_id _x000D__x000A_ LEFT JOIN sys.remote_service_bindings rsb _x000D__x000A_ ON dp.major_id = rsb.remote_service_binding_id _x000D__x000A_ LEFT JOIN sys.routes rts _x000D__x000A_ ON dp.major_id = rts.route_id _x000D__x000A_ LEFT JOIN sys.database_principals printarget _x000D__x000A_ ON dp.major_id = printarget.principal_id _x000D__x000A_ LEFT JOIN sys.symmetric_keys sym _x000D__x000A_ ON dp.major_id = sym.symmetric_key_id _x000D__x000A_ LEFT JOIN sys.asymmetric_keys asym _x000D__x000A_ ON dp.major_id = asym.asymmetric_key_id _x000D__x000A_ LEFT JOIN sys.certificates crt _x000D__x000A_ ON dp.major_id = crt.certificate_id _x000D__x000A_ LEFT JOIN sys.fulltext_catalogs ftc _x000D__x000A_ ON dp.major_id = ftc.fulltext_catalog_id _x000D__x000A_WHERE ( prin.type = 'S' _x000D__x000A_ OR prin.type = 'W' ) _x000D__x000A_ AND dp.type != 'CO' _x000D__x000A_ AND prin.NAME NOT IN ( '##MS_PolicyEventProcessingLogin##', _x000D__x000A_ '##MS_PolicyTsqlExecutionLogin##' ) _x000D__x000A_ AND dp.class != 1 _x000D__x000A_ORDER BY class_desc, _x000D__x000A_ Object_name(major_id), _x000D__x000A_ permission_name, _x000D__x000A_ prin.NAME;</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE $0 ON $1::[$2] FROM [$3]</S>
</Props>
</Obj>
<Obj RefId="10">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">18673d8c-2bdd-4bf3-88f7-2defa9edd5db</G>
<S N="RuleId">VA1095</S>
<S N="Severity">Medium</S>
<S N="Category">AuthenticationAndAuthorization</S>
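<S N="Description">Every SQL Server login belongs to the public server role. When a server principal has not been granted or denied specific permissions on a securable object, the user inherits the permissions granted to public on that object. This rule lists the permissions that are granted to the PUBLIC role in the current database. Permissions on objects or columns are handled by VA1054, and the database-level VIEW ANY COLUMN ENCRYPTION KEY DEFINITION and VIEW ANY COLUMN MASTER KEY DEFINITION permissions are not reported.</S>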
<S N="Title">Excessive permissions should not be granted to PUBLIC role</S>
<S N="Query">SELECT REPLACE(perms.class_desc, '_', ' ') AS [Permission Class]_x000D__x000A_ ,CASE _x000D__x000A_ WHEN perms.class = 0_x000D__x000A_ THEN db_name() -- database_x000D__x000A_ WHEN perms.class = 3_x000D__x000A_ THEN schema_name(major_id) -- schema_x000D__x000A_ WHEN perms.class = 4_x000D__x000A_ THEN printarget.NAME -- principal_x000D__x000A_ WHEN perms.class = 5_x000D__x000A_ THEN asm.NAME -- assembly_x000D__x000A_ WHEN perms.class = 6_x000D__x000A_ THEN type_name(major_id) -- type_x000D__x000A_ WHEN perms.class = 10_x000D__x000A_ THEN xmlsc.NAME -- xml schema_x000D__x000A_ WHEN perms.class = 15_x000D__x000A_ THEN msgt.NAME COLLATE DATABASE_DEFAULT -- message types_x000D__x000A_ WHEN perms.class = 16_x000D__x000A_ THEN svcc.NAME COLLATE DATABASE_DEFAULT -- service contracts_x000D__x000A_ WHEN perms.class = 17_x000D__x000A_ THEN svcs.NAME COLLATE DATABASE_DEFAULT -- services_x000D__x000A_ WHEN perms.class = 18_x000D__x000A_ THEN rsb.NAME COLLATE DATABASE_DEFAULT -- remote service bindings_x000D__x000A_ WHEN perms.class = 19_x000D__x000A_ THEN rts.NAME COLLATE DATABASE_DEFAULT -- routes_x000D__x000A_ WHEN perms.class = 23_x000D__x000A_ THEN ftc.NAME -- full text catalog_x000D__x000A_ WHEN perms.class = 24_x000D__x000A_ THEN sym.NAME -- symmetric key_x000D__x000A_ WHEN perms.class = 25_x000D__x000A_ THEN crt.NAME -- certificate_x000D__x000A_ WHEN perms.class = 26_x000D__x000A_ THEN asym.NAME -- assymetric key_x000D__x000A_ END AS [Object]_x000D__x000A_ ,perms.permission_name AS Permission_x000D__x000A_FROM sys.database_permissions AS perms_x000D__x000A_LEFT JOIN sys.database_principals prin ON perms.grantee_principal_id = prin.principal_id_x000D__x000A_LEFT JOIN sys.assemblies asm ON perms.major_id = asm.assembly_id_x000D__x000A_LEFT JOIN sys.xml_schema_collections xmlsc ON perms.major_id = xmlsc.xml_collection_id_x000D__x000A_LEFT JOIN sys.service_message_types msgt ON perms.major_id = msgt.message_type_id_x000D__x000A_LEFT JOIN sys.service_contracts 
svcc ON perms.major_id = svcc.service_contract_id_x000D__x000A_LEFT JOIN sys.services svcs ON perms.major_id = svcs.service_id_x000D__x000A_LEFT JOIN sys.remote_service_bindings rsb ON perms.major_id = rsb.remote_service_binding_id_x000D__x000A_LEFT JOIN sys.routes rts ON perms.major_id = rts.route_id_x000D__x000A_LEFT JOIN sys.database_principals printarget ON perms.major_id = printarget.principal_id_x000D__x000A_LEFT JOIN sys.symmetric_keys sym ON perms.major_id = sym.symmetric_key_id_x000D__x000A_LEFT JOIN sys.asymmetric_keys asym ON perms.major_id = asym.asymmetric_key_id_x000D__x000A_LEFT JOIN sys.certificates crt ON perms.major_id = crt.certificate_id_x000D__x000A_LEFT JOIN sys.fulltext_catalogs ftc ON perms.major_id = ftc.fulltext_catalog_id_x000D__x000A_WHERE perms.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')_x000D__x000A_ AND class != 1 -- Object or Columns (class = 1) are handled by VA1054 and have different remediation syntax_x000D__x000A_ AND NOT (_x000D__x000A_ perms.class = 0_x000D__x000A_ AND prin.NAME = 'public'_x000D__x000A_ AND perms.major_id = 0_x000D__x000A_ AND perms.minor_id = 0_x000D__x000A_ AND permission_name IN (_x000D__x000A_ 'VIEW ANY COLUMN ENCRYPTION KEY DEFINITION'_x000D__x000A_ ,'VIEW ANY COLUMN MASTER KEY DEFINITION'_x000D__x000A_ )_x000D__x000A_ )_x000D__x000A_ORDER BY perms.class_x000D__x000A_ ,object_name(perms.major_id)_x000D__x000A_ ,perms.grantor_principal_id_x000D__x000A_ ,perms.STATE</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE $2 ON $0::[$1] FROM PUBLIC</S>
</Props>
</Obj>
<Obj RefId="11">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">270bedd7-3e7a-4cb1-8481-d45c5ad70d14</G>
<S N="RuleId">VA1096</S>
<S N="Severity">Low</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Each database includes a user called GUEST. Permissions granted to GUEST are inherited by users who have access to the database, but who do not have a user account in the database. This rule checks that all database-level permissions have been revoked from the GUEST user.</S>
<S N="Title">Principal GUEST should not be granted permissions in the database</S>
<S N="Query">SELECT perms.permission_name AS Permission_x000D__x000A_FROM sys.database_permissions perms, sys.database_principals prin_x000D__x000A_WHERE perms.grantee_principal_id = prin.principal_id _x000D__x000A_ AND grantee_principal_id = DATABASE_PRINCIPAL_ID('guest') _x000D__x000A_ AND perms.class = 0</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE $0 FROM GUEST</S>
</Props>
</Obj>
<Obj RefId="12">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">9c5dcb9f-b9fc-4167-be3a-f1ae98e1c3bb</G>
<S N="RuleId">VA1097</S>
<S N="Severity">Low</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Each database includes a user called GUEST. Permissions granted to GUEST are inherited by users who have access to the database, but who do not have a user account in the database. This rule checks that all permissions on objects or columns have been revoked from the GUEST user.</S>
<S N="Title">Principal GUEST should not be granted permissions on objects or columns</S>
<S N="Query">SELECT object_schema_name(major_id) as [Schema Name], object_name(major_id) as [Object], perms.permission_name AS Permission_x000D__x000A_FROM sys.database_permissions perms, sys.database_principals prin_x000D__x000A_WHERE perms.grantee_principal_id = prin.principal_id _x000D__x000A_ AND grantee_principal_id = DATABASE_PRINCIPAL_ID('guest') _x000D__x000A_ AND perms.class = 1</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE $2 ON [$0].[$1] FROM GUEST</S>
</Props>
</Obj>
<Obj RefId="13">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">943193cb-4831-4704-97b5-dcb116fde611</G>
<S N="RuleId">VA1098</S>
<S N="Severity">High</S>
<S N="Category">DataProtection</S>
<S N="Description">Service Broker and Mirroring endpoints support different encryption algorithms, including no-encryption. This rule checks that any existing endpoint requires AES encryption.</S>
<S N="Title">Any Existing SSB or Mirroring endpoint should require AES connection</S>
<S N="Query">SELECT ep.NAME AS [Name], _x000D__x000A_ ep.type_desc AS [Type] _x000D__x000A_FROM sys.database_mirroring_endpoints dme, _x000D__x000A_ sys.endpoints ep _x000D__x000A_WHERE dme.endpoint_id = ep.endpoint_id _x000D__x000A_ AND dme.encryption_algorithm <> 2 _x000D__x000A_ AND ep.type BETWEEN 3 AND 4 _x000D__x000A_UNION _x000D__x000A_SELECT ep.NAME AS [Name], _x000D__x000A_ ep.type_desc AS [Type] _x000D__x000A_FROM sys.service_broker_endpoints sbe, _x000D__x000A_ sys.endpoints ep _x000D__x000A_WHERE sbe.endpoint_id = ep.endpoint_id _x000D__x000A_ AND sbe.encryption_algorithm <> 2 _x000D__x000A_ AND ep.type BETWEEN 3 AND 4</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">ALTER ENDPOINT [$0] FOR $1 ( ENCRYPTION = REQUIRED ALGORITHM AES )</S>
</Props>
</Obj>
<Obj RefId="14">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">78bbc492-9957-460b-9976-4f10fd8eba75</G>
<S N="RuleId">VA1099</S>
<S N="Severity">Low</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Each database includes a user called GUEST. Permissions granted to GUEST are inherited by users who have access to the database, but who do not have a user account in the database. This rule checks that all permissions have been revoked from the GUEST user.</S>
<S N="Title">GUEST user should not be granted permissions on database securables</S>
<S N="Query">SELECT REPLACE(perms.class_desc, '_', ' ') AS [Permission Class], _x000D__x000A__x0009_CASE _x000D__x000A__x0009__x0009_WHEN perms.class=3 THEN schema_name(major_id) -- schema_x000D__x000A__x0009__x0009_WHEN perms.class=4 THEN printarget.name -- principal_x000D__x000A__x0009__x0009_WHEN perms.class=5 THEN asm.name -- assembly_x000D__x000A__x0009__x0009_WHEN perms.class=6 THEN type_name(major_id) -- type_x000D__x000A__x0009__x0009_WHEN perms.class=10 THEN xmlsc.name -- xml schema_x000D__x000A_ WHEN perms.class=15 THEN msgt.name COLLATE DATABASE_DEFAULT -- message types_x000D__x000A_ WHEN perms.class=16 THEN svcc.name COLLATE DATABASE_DEFAULT -- service contracts_x000D__x000A_ WHEN perms.class=17 THEN svcs.name COLLATE DATABASE_DEFAULT -- services_x000D__x000A_ WHEN perms.class=18 THEN rsb.name COLLATE DATABASE_DEFAULT -- remote service bindings_x000D__x000A_ WHEN perms.class=19 THEN rts.name COLLATE DATABASE_DEFAULT -- routes_x000D__x000A__x0009__x0009_WHEN perms.class=23 THEN ftc.name -- full text catalog_x000D__x000A__x0009__x0009_WHEN perms.class=24 then sym.name -- symmetric key_x000D__x000A__x0009__x0009_WHEN perms.class=25 then crt.name -- certificate_x000D__x000A__x0009__x0009_WHEN perms.class=26 then asym.name -- assymetric key_x000D__x000A__x0009_END AS [Object],_x000D__x000A__x0009_perms.permission_name AS Permission_x000D__x000A_FROM sys.database_permissions perms_x000D__x000A_LEFT JOIN_x000D__x000A__x0009_sys.database_principals prin_x000D__x000A__x0009_ON perms.grantee_principal_id = prin.principal_id_x000D__x000A_LEFT JOIN _x000D__x000A__x0009_sys.assemblies asm_x000D__x000A__x0009_ON perms.major_id = asm.assembly_id_x000D__x000A_LEFT JOIN _x000D__x000A__x0009_sys.xml_schema_collections xmlsc_x000D__x000A__x0009_ON perms.major_id = xmlsc.xml_collection_id_x000D__x000A_LEFT JOIN _x000D__x000A__x0009_sys.service_message_types msgt_x000D__x000A__x0009_ON perms.major_id = msgt.message_type_id_x000D__x000A_LEFT JOIN 
_x000D__x000A__x0009_sys.service_contracts svcc_x000D__x000A__x0009_ON perms.major_id = svcc.service_contract_id_x000D__x000A_LEFT JOIN _x000D__x000A__x0009_sys.services svcs_x000D__x000A__x0009_ON perms.major_id = svcs.service_id_x000D__x000A_LEFT JOIN _x000D__x000A__x0009_sys.remote_service_bindings rsb_x000D__x000A__x0009_ON perms.major_id = rsb.remote_service_binding_id_x000D__x000A_LEFT JOIN _x000D__x000A__x0009_sys.routes rts_x000D__x000A__x0009_ON perms.major_id = rts.route_id_x000D__x000A_LEFT JOIN_x000D__x000A__x0009_sys.database_principals printarget_x000D__x000A__x0009_ON perms.major_id = printarget.principal_id_x000D__x000A_LEFT JOIN_x0009__x000D__x000A__x0009_sys.symmetric_keys sym_x000D__x000A__x0009_On perms.major_id = sym.symmetric_key_id_x000D__x000A_LEFT JOIN_x000D__x000A__x0009_sys.asymmetric_keys asym_x000D__x000A__x0009_ON perms.major_id = asym.asymmetric_key_id_x000D__x000A__x0009_LEFT JOIN_x000D__x000A__x0009_sys.certificates crt_x000D__x000A__x0009_ON perms.major_id = crt.certificate_id_x000D__x000A_LEFT JOIN_x000D__x000A__x0009_sys.fulltext_catalogs ftc_x000D__x000A__x0009_ON perms.major_id = ftc.fulltext_catalog_id_x000D__x000A_WHERE _x000D__x000A_ grantee_principal_id = DATABASE_PRINCIPAL_ID('guest') _x000D__x000A_ AND class in (3,4,5,6,10,15,16,17,18,19,23,24,25,26)</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE $2 ON $0::[$1] FROM GUEST</S>
</Props>
</Obj>
<Obj RefId="15">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">a2b664f4-f1bd-407b-b9e5-4d48cf02a5d6</G>
<S N="RuleId">VA1102</S>
<S N="Severity">High</S>
<S N="Category">SurfaceAreaReduction</S>
<S N="Description">The TRUSTWORTHY database property is used to indicate whether the instance of SQL Server trusts the database and the contents within it. If this option is enabled, database modules (for example, user-defined functions or stored procedures) that use an impersonation context can access resources outside the database. This rule verifies that the TRUSTWORTHY bit is disabled on all databases, except MSDB.</S>
<S N="Title">The Trustworthy bit should be disabled on all databases except MSDB</S>
<S N="Query">SELECT CASE _x000D__x000A_ WHEN EXISTS (SELECT * _x000D__x000A_ FROM sys.databases _x000D__x000A_ WHERE NAME = Db_name() _x000D__x000A_ AND is_trustworthy_on = 1) THEN 1 _x000D__x000A_ ELSE 0 _x000D__x000A_ END AS Violation, _x000D__x000A_ Db_name() AS [Database]</S>
<S N="ExpectedResult">0</S>
<S N="RemedSkeleton">ALTER DATABASE [$1] SET TRUSTWORTHY OFF</S>
</Props>
</Obj>
<Obj RefId="16">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">e13acc68-e138-4270-a7bd-b0f809dbd9d0</G>
<S N="RuleId">VA1143</S>
<S N="Severity">Medium</S>
<S N="Category">SurfaceAreaReduction</S>
<S N="Description">The 'dbo', or database owner, is a user account that has implied permissions to perform all activities in the database. Members of the sysadmin fixed server role are automatically mapped to dbo. This rule checks that dbo is not the only account allowed to access this database. Please note that on a newly created clean database this rule will fail until additional roles are created.</S>
<S N="Title">'dbo' user should not be used for normal service operation</S>
<S N="Query">IF((SELECT count(*) from sys.database_principals WHERE principal_id >= 5 AND principal_id < 16384 ) > 0) SELECT 0 AS Violation_x000D__x000A_ELSE SELECT 1 AS Violation</S>
<S N="ExpectedResult">0</S>
<S N="RemedSkeleton">*Create users with low privileges to access the DB and any data stored in it with the appropriate set of permissions.*</S>
</Props>
</Obj>
<Obj RefId="17">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">95cc2f4e-7925-4204-8236-490f972dcf7a</G>
<S N="RuleId">VA1219</S>
<S N="Severity">Medium</S>
<S N="Category">DataProtection</S>
<S N="Description">Transparent data encryption (TDE) helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files 'at rest', without requiring changes to the application. This rule checks that TDE is enabled on the database.</S>
<S N="Title">Transparent data encryption should be enabled</S>
<S N="Query">SELECT CASE WHEN EXISTS_x000D__x000A_( SELECT *_x000D__x000A__x0009_FROM sys.databases _x000D__x000A__x0009_WHERE name = db_name() _x000D__x000A__x0009_AND is_encrypted = 0)_x000D__x000A_THEN 1_x000D__x000A_ELSE 0_x000D__x000A_END AS [Violation]</S>
<S N="ExpectedResult">0</S>
<S N="RemedSkeleton">*Enable TDE on the affected database. Please follow the instructions on https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption*</S>
</Props>
</Obj>
<Obj RefId="18">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">241ebe26-e360-4b32-ba36-6d6cff594096</G>
<S N="RuleId">VA1221</S>
<S N="Severity">High</S>
<S N="Category">DataProtection</S>
<S N="Description">SQL Server uses encryption keys to help secure data, credentials, and connection information that is stored in a server database. SQL Server has two kinds of keys: symmetric and asymmetric. This rule checks that Database Encryption Symmetric Keys use AES algorithm.</S>
<S N="Title">Database Encryption Symmetric Keys should use AES algorithm</S>
<S N="Query">SELECT db_name(database_id) as db_name, encryption_state, key_algorithm, key_length, encryptor_type _x000D__x000A_FROM sys.dm_database_encryption_keys _x000D__x000A_WHERE key_algorithm != 'AES' _x000D__x000A_ORDER BY db_name(database_id), encryption_state, key_algorithm, key_length, encryptor_type</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">*Regenerate the DEK using AES*</S>
</Props>
</Obj>
<Obj RefId="19">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">204a856b-b7d3-4568-afe8-42ceae90a4e5</G>
<S N="RuleId">VA1222</S>
<S N="Severity">High</S>
<S N="Category">DataProtection</S>
<S N="Description">Cell-Level Encryption (CLE) allows you to encrypt your data using symmetric and asymmetric keys. This rule checks that Cell-Level Encryption symmetric keys use AES algorithm.</S>
<S N="Title">Cell-Level Encryption keys should use AES algorithm</S>
<S N="Query">SELECT NAME AS [Name], _x000D__x000A_ algorithm_desc AS [Algorithm] _x000D__x000A_FROM sys.symmetric_keys _x000D__x000A_WHERE key_algorithm NOT IN ( 'A1', 'A2', 'A3' ) _x000D__x000A_ORDER BY NAME, _x000D__x000A_ algorithm_desc</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">*Create AES keys, re-encrypt the data using the new key, and drop the affected keys.*</S>
</Props>
</Obj>
<Obj RefId="20">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">f6318527-f848-46da-8fd0-a2bc256657da</G>
<S N="RuleId">VA1223</S>
<S N="Severity">High</S>
<S N="Category">DataProtection</S>
<S N="Description">Certificate keys are used in RSA and other encryption algorithms to protect data. These keys need to be of enough length to secure the user's data. This rule checks that the key's length is at least 2048 bits for all certificates.</S>
<S N="Title">Certificate keys should use at least 2048 bits</S>
<S N="Query">SELECT name, issuer_name, cert_serial_number, subject, thumbprint _x000D__x000A_FROM sys.certificates _x000D__x000A_WHERE key_length < 2048</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">*Create new certificates, re-encrypt the data/sign-data using the new key, and drop the affected keys.*</S>
</Props>
</Obj>
<Obj RefId="21">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">269152b7-b386-4085-8521-8b47759eedb4</G>
<S N="RuleId">VA1224</S>
<S N="Severity">High</S>
<S N="Category">DataProtection</S>
<S N="Description">Database asymmetric keys are used in many encryption algorithms. These keys need to be long enough to secure the encrypted data. This rule checks that all asymmetric keys stored in the database have a length of at least 2048 bits.</S>
<S N="Title">Asymmetric keys' length should be at least 2048 bits</S>
<S N="Query">SELECT name, pvt_key_encryption_type_desc, algorithm_desc _x000D__x000A_FROM sys.asymmetric_keys _x000D__x000A_WHERE key_length < 2048 _x000D__x000A_AND NOT (DB_NAME() = 'master' AND name = 'MS_SQLEnableSystemAssemblyLoadingKey') _x000D__x000A_ORDER BY name, pvt_key_encryption_type_desc, algorithm_desc</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">*Create new asymmetric Keys, re-encrypt the data/sign-data using the new key, and drop the affected keys.*</S>
</Props>
</Obj>
<Obj RefId="22">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">11185ee8-bba0-4831-a39e-734b96f516a1</G>
<S N="RuleId">VA1244</S>
<S N="Severity">Medium</S>
<S N="Category">SurfaceAreaReduction</S>
<S N="Description">A database user that exists in a database but has no corresponding login in the master database or as an external resource (i.e. Windows user) is referred to as an orphaned user; it should either be removed or remapped to a valid login. This rule checks that there are no orphaned users.</S>
<S N="Title">Orphaned users should be removed from SQL server databases</S>
<S N="Query">SELECT NAME AS Principal_x000D__x000A_FROM sys.database_principals _x000D__x000A_WHERE sid NOT IN (SELECT sid _x000D__x000A_ FROM sys.server_principals) _x000D__x000A_ AND authentication_type < 2 _x000D__x000A_ AND type = 'S' _x000D__x000A_ AND principal_id != 2 _x000D__x000A__x0009_ AND DATALENGTH(sid) <=28_x000D__x000A_ORDER BY NAME</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">DROP USER [$0]</S>
</Props>
</Obj>
<Obj RefId="23">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">86c86408-8573-408f-8b4d-25a2f9abf076</G>
<S N="RuleId">VA1245</S>
<S N="Severity">High</S>
<S N="Category">SurfaceAreaReduction</S>
<S N="Description">There is redundant information about the dbo identity for any database: metadata stored in the database itself and metadata stored in master DB. This rule checks that this information is consistent between the target DB and master.</S>
<S N="Title">The dbo information should be consistent between the target DB and master</S>
<S N="Query">SELECT CASE _x000D__x000A_ WHEN EXISTS (SELECT * _x000D__x000A_ FROM sys.database_principals dbprs, _x000D__x000A_ sys.databases dbs _x000D__x000A_ WHERE dbprs.sid != dbs.owner_sid _x000D__x000A_ AND dbs.database_id = Db_id() _x000D__x000A_ AND dbprs.principal_id = 1) THEN 1 _x000D__x000A_ ELSE 0 _x000D__x000A_ END AS [Violation]</S>
<S N="ExpectedResult">0</S>
<S N="RemedSkeleton">ALTER AUTHORIZATION ON DATABASE::[$1] TO sa;</S>
</Props>
</Obj>
<Obj RefId="24">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">faea87d5-8478-495e-a684-47e3e89b41ee</G>
<S N="RuleId">VA1246</S>
<S N="Severity">Low</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">An application role is a database principal that enables an application to run with its own user-like permissions. Application roles make it possible to restrict access to specific data to users who connect through a particular application. Application roles are password-based (and applications typically hardcode the password) rather than permission-based, which exposes the database to application-role impersonation by password guessing. This rule checks that no application roles are defined in the database.</S>
<S N="Title">Application roles should not be used</S>
<S N="Query">SELECT name_x000D__x000A_FROM sys.database_principals _x000D__x000A_WHERE type = 'A' _x000D__x000A_ORDER BY name</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">DROP APPLICATION ROLE [$0]</S>
</Props>
</Obj>
<Obj RefId="25">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">cdbc6770-f178-4d85-b135-87ace4c6ea46</G>
<S N="RuleId">VA1248</S>
<S N="Severity">Medium</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">To easily manage the permissions in your databases, SQL Server provides several roles which are security principals that group other principals. They are like groups in the Microsoft Windows operating system. Database accounts and other SQL Server roles can be added into database-level roles. Each member of a fixed-database role can add other users to that same role. This rule checks that no user-defined roles are members of fixed roles</S>
<S N="Title">User-defined database roles should not be members of fixed roles</S>
<S N="Query">SELECT user_name(roles.role_principal_id) as role, user_name(roles.member_principal_id) as member _x000D__x000A_FROM sys.database_role_members roles, sys.database_principals users _x000D__x000A_WHERE roles.member_principal_id = users.principal_id _x000D__x000A_AND ( roles.role_principal_id >= 16384 AND roles.role_principal_id <= 16393) _x000D__x000A_AND users.type = 'R' _x000D__x000A_ORDER BY user_name(roles.role_principal_id), user_name(roles.member_principal_id)</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">ALTER ROLE [$0] DROP MEMBER [$1]</S>
</Props>
</Obj>
<Obj RefId="26">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">e5efcd5b-85dc-4bc9-9bdb-f167ca90cf11</G>
<S N="RuleId">VA1253</S>
<S N="Severity">Low</S>
<S N="Category">AuditingAndLogging</S>
<S N="Description">Auditing an instance of the SQL Server Database Engine or an individual database involves tracking and logging events that occur on the Database Engine. This rule displays a comprehensive list of all events currently being audited (i.e. linked to an audit that is enabled) that are DB-specific managed.</S>
<S N="Title">List of DB-scoped events being audited and centrally managed via server audit specifications.</S>
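<S N="Query">SELECT dbadtspecs.NAME AS [Name],_x000D__x000A__x0009_dbadtspecdtls.audit_action_name AS [Audit Action Name],_x000D__x000A__x0009_audited_result AS [Audit Result] _x000D__x000A_FROM sys.server_audits adts, _x000D__x000A_ sys.database_audit_specifications dbadtspecs, _x000D__x000A_ sys.database_audit_specification_details dbadtspecdtls _x000D__x000A_WHERE adts.audit_guid = dbadtspecs.audit_guid _x000D__x000A_ -- Tie each detail row to its own specification; without this predicate every detail row is paired with every enabled specification._x000D__x000A_ AND dbadtspecs.database_specification_id = dbadtspecdtls.database_specification_id _x000D__x000A_ AND adts.is_state_enabled = 1 _x000D__x000A_ AND dbadtspecs.is_state_enabled = 1 _x000D__x000A_ AND dbadtspecdtls.audited_result = 'SUCCESS AND FAILURE' _x000D__x000A_ORDER BY dbadtspecdtls.audit_action_name, _x000D__x000A_ class_desc, _x000D__x000A_ major_id, _x000D__x000A_ minor_id, _x000D__x000A_ audited_principal_id</S>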
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">*Review the list of events and make sure they match your needs. For more details visit https://msdn.microsoft.com/en-us/library/cc280386.aspx.*</S>
</Props>
</Obj>
<Obj RefId="27">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">78eff52e-0255-4789-837d-0f7246436507</G>
<S N="RuleId">VA1256</S>
<S N="Severity">High</S>
<S N="Category">SurfaceAreaReduction</S>
<S N="Description">CLR assemblies can be used to execute arbitrary code in the SQL Server process. This rule checks that there are no user-defined CLR assemblies in the database.</S>
<S N="Title">User CLR assemblies should not be defined in the database</S>
<S N="Query">SELECT name FROM sys.assemblies WHERE is_user_defined != 0</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">DROP ASSEMBLY [$0]</S>
</Props>
</Obj>
<Obj RefId="28">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">a284d84f-a5c6-4f64-8105-52b1430775d2</G>
<S N="RuleId">VA1265</S>
<S N="Severity">Medium</S>
<S N="Category">AuditingAndLogging</S>
<S N="Description">SQL Server auditing configuration enables administrators to track users logging in to the SQL Server instances that they're responsible for. This rule checks that auditing is enabled for both successful and failed login attempts for contained DB authentication.</S>
<S N="Title">Auditing of both successful and failed login attempts for contained DB authentication should be enabled</S>
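<S N="Query">DECLARE @check_results INT = 0; _x000D__x000A_DECLARE @violation INT = 1; _x000D__x000A__x000D__x000A_SELECT @check_results = containment _x000D__x000A_FROM sys.databases _x000D__x000A_WHERE database_id = Db_id(); _x000D__x000A__x000D__x000A_PRINT @check_results _x000D__x000A__x000D__x000A_IF( @check_results != 0 ) _x000D__x000A_ BEGIN _x000D__x000A_ DECLARE @success_logon_event INT = 0; _x000D__x000A_ DECLARE @fail_logon_event INT = 0; _x000D__x000A__x000D__x000A_ -- Every count below ties detail rows to their own specification, so that actions belonging to a disabled or unbound specification are not counted as audited._x000D__x000A_ SELECT @success_logon_event = Count(*) _x000D__x000A_ FROM sys.server_audits adts, _x000D__x000A_ sys.server_audit_specifications srvadtspecs, _x000D__x000A_ sys.server_audit_specification_details srvadtspecdtls _x000D__x000A_ WHERE adts.audit_guid = srvadtspecs.audit_guid _x000D__x000A_ AND srvadtspecs.server_specification_id = srvadtspecdtls.server_specification_id _x000D__x000A_ AND adts.is_state_enabled = 1 _x000D__x000A_ AND srvadtspecs.is_state_enabled = 1 _x000D__x000A_ AND srvadtspecdtls.audited_result = 'SUCCESS AND FAILURE' _x000D__x000A_ AND srvadtspecdtls.audit_action_id = 'DAGS'; _x000D__x000A__x000D__x000A_ SELECT @fail_logon_event = Count(*) _x000D__x000A_ FROM sys.server_audits adts, _x000D__x000A_ sys.server_audit_specifications srvadtspecs, _x000D__x000A_ sys.server_audit_specification_details srvadtspecdtls _x000D__x000A_ WHERE adts.audit_guid = srvadtspecs.audit_guid _x000D__x000A_ AND srvadtspecs.server_specification_id = srvadtspecdtls.server_specification_id _x000D__x000A_ AND adts.is_state_enabled = 1 _x000D__x000A_ AND srvadtspecs.is_state_enabled = 1 _x000D__x000A_ AND srvadtspecdtls.audited_result = 'SUCCESS AND FAILURE' _x000D__x000A_ AND srvadtspecdtls.audit_action_id = 'DAGF'; _x000D__x000A__x000D__x000A_ DECLARE @db_success_logon_event INT = 0; _x000D__x000A_ DECLARE @db_fail_logon_event INT = 0; _x000D__x000A__x000D__x000A_ SELECT @db_success_logon_event = Count(*) _x000D__x000A_ FROM sys.server_audits adts, _x000D__x000A_ sys.database_audit_specifications dbadtspecs, _x000D__x000A_ sys.database_audit_specification_details dbadtspecdtls _x000D__x000A_ WHERE adts.audit_guid = dbadtspecs.audit_guid _x000D__x000A_ AND dbadtspecs.database_specification_id = dbadtspecdtls.database_specification_id _x000D__x000A_ AND adts.is_state_enabled = 1 
_x000D__x000A_ AND dbadtspecs.is_state_enabled = 1 _x000D__x000A_ AND dbadtspecdtls.audited_result = 'SUCCESS AND FAILURE' _x000D__x000A_ AND dbadtspecdtls.audit_action_id = 'DAGS'; _x000D__x000A__x000D__x000A_ SELECT @db_fail_logon_event = Count(*) _x000D__x000A_ FROM sys.server_audits adts, _x000D__x000A_ sys.database_audit_specifications dbadtspecs, _x000D__x000A_ sys.database_audit_specification_details dbadtspecdtls _x000D__x000A_ WHERE adts.audit_guid = dbadtspecs.audit_guid _x000D__x000A_ AND dbadtspecs.database_specification_id = dbadtspecdtls.database_specification_id _x000D__x000A_ AND adts.is_state_enabled = 1 _x000D__x000A_ AND dbadtspecs.is_state_enabled = 1 _x000D__x000A_ AND dbadtspecdtls.audited_result = 'SUCCESS AND FAILURE' _x000D__x000A_ AND dbadtspecdtls.audit_action_id = 'DAGF'; _x000D__x000A__x000D__x000A_ IF( ( @success_logon_event _x000D__x000A_ + @db_success_logon_event ) > 0 _x000D__x000A_ AND ( @fail_logon_event + @db_fail_logon_event ) > 0 ) _x000D__x000A_ SET @violation = 0; _x000D__x000A_ END _x000D__x000A_ELSE _x000D__x000A_ BEGIN _x000D__x000A_ SET @violation = 0; -- ignore if DB is not contained _x000D__x000A_ END _x000D__x000A__x000D__x000A_SELECT @violation AS [Violation];</S>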
<S N="ExpectedResult">0</S>
<S N="RemedSkeleton">CREATE DATABASE AUDIT SPECIFICATION [DbAuditSpec_db_logon_information_failed_succeessful]_x000D__x000A_ FOR SERVER AUDIT [<REPLACE WITH VALID AUDIT SPECIFICATION NAME>]_x000D__x000A_ADD (FAILED_DATABASE_AUTHENTICATION_GROUP),_x000D__x000A_ADD (SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP)_x000D__x000A_WITH (STATE = ON)</S>
</Props>
</Obj>
<Obj RefId="29">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">e3f0764a-a948-4647-8b60-6a374acb4658</G>
<S N="RuleId">VA1267</S>
<S N="Severity">Medium</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Contained users are users that exist within the database, and do not require a login mapping. This rule checks that contained users use Windows Authentication.</S>
<S N="Title">Contained users should use Windows Authentication</S>
<S N="Query">SELECT NAME AS [Principal]_x000D__x000A_FROM sys.database_principals _x000D__x000A_WHERE authentication_type = 2 _x000D__x000A_ORDER BY NAME, _x000D__x000A_ type_desc, _x000D__x000A_ authentication_type</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">DROP USER [$0];</S>
</Props>
</Obj>
<Obj RefId="30">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">81ce8484-74a7-4aee-bde6-9d3c11324aa6</G>
<S N="RuleId">VA1277</S>
<S N="Severity">High</S>
<S N="Category">SurfaceAreaReduction</S>
<S N="Description">PolyBase is a technology that accesses and combines both non-relational and relational data, all from within SQL Server. Polybase network encryption option configures SQL Server to encrypt control and data channels when using Polybase. This rule verifies that this option is enabled.</S>
<S N="Title">Polybase network encryption should be enabled</S>
<S N="Query">SELECT CASE _x000D__x000A_ WHEN EXISTS (SELECT * _x000D__x000A_ FROM sys.configurations _x000D__x000A_ WHERE NAME = 'polybase network encryption' _x000D__x000A_ AND Cast(value AS INT) = 0) THEN 1 _x000D__x000A_ ELSE 0 _x000D__x000A_ END AS Violation</S>
<S N="ExpectedResult">0</S>
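<S N="RemedSkeleton">-- Turn on the option that this rule's query checks ('polybase network encryption')._x000D__x000A_EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE;_x000D__x000A_EXECUTE sp_configure 'polybase network encryption', 1; RECONFIGURE;_x000D__x000A_EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;</S>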
</Props>
</Obj>
<Obj RefId="31">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">b0a3a057-c584-41ce-9fab-f531321ef0b3</G>
<S N="RuleId">VA1281</S>
<S N="Severity">Medium</S>
<S N="Category">AuditingAndLogging</S>
<S N="Description">User-defined roles are security principals defined by the user to group principals to easily manage permissions. Monitoring these roles is important to avoid having excessive permissions. Create a baseline which defines expected membership for each user-defined role. This rule checks whether all memberships for user-defined roles are as defined in the baseline</S>
<S N="Title">All memberships for user-defined roles should be intended</S>
<S N="Query">SELECT user_name(role_principal_id) as role_name, user_name(member_principal_id) as member_name _x000D__x000A_FROM sys.database_role_members _x000D__x000A_WHERE role_principal_id NOT IN (16384,16385,16386,16387,16389,16390,16391,16392,16393) _x000D__x000A_ORDER BY role_principal_id, member_principal_id</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">ALTER ROLE [$0] DROP MEMBER [$1]</S>
</Props>
</Obj>
<Obj RefId="32">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">dcac3045-4abb-4d8f-9175-3c99dbe96281</G>
<S N="RuleId">VA1282</S>
<S N="Severity">Low</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Orphan roles are user-defined roles that have no members. It is recommended to eliminate orphaned roles as they are not needed on the system. This rule checks whether there are any orphan roles</S>
<S N="Title">Orphan roles should be removed</S>
<S N="Query">SELECT name FROM sys.database_principals _x000D__x000A_WHERE type = 'R' _x000D__x000A_AND principal_id not in (0,16384,16385,16386,16387,16389,16390,16391,16392,16393) _x000D__x000A_AND principal_id not in ( SELECT distinct role_principal_id _x000D__x000A_FROM sys.database_role_members )</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">DROP ROLE [$0]</S>
</Props>
</Obj>
<Obj RefId="33">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">2928555d-095d-4819-80b0-69faa7483d85</G>
<S N="RuleId">VA1285</S>
<S N="Severity">Medium</S>
<S N="Category">DataProtection</S>
<S N="Description">This rule identifies potentially sensitive data in the database. For each column identified as potentially containing sensitive data, this rule also lists which protective measures, if any, are applied to them.</S>
<S N="Title">Sensitive data columns should be identified</S>
<S N="Query">SELECT s.name AS SchemaName, _x000D__x000A_ t.name AS TableName, _x000D__x000A_ c.name AS ColumnName, _x000D__x000A_ CASE WHEN c.name LIKE '%username%' _x000D__x000A_ OR c.name LIKE '%pwd%' _x000D__x000A_ OR c.name LIKE '%password%' _x000D__x000A_ OR c.name LIKE '%email%' _x000D__x000A_ OR c.name LIKE '%lastname%' _x000D__x000A_ OR c.name LIKE '%firstname%' _x000D__x000A_ OR c.name LIKE '%surname%' _x000D__x000A_ OR c.name LIKE '%addr%' _x000D__x000A_ OR c.name LIKE '%phone%' _x000D__x000A_ OR c.name LIKE '%resetcode%' _x000D__x000A_ OR c.name LIKE '%socialsec%' _x000D__x000A_ OR c.name LIKE '%birthday%' _x000D__x000A_ OR c.name = 'ssn' _x000D__x000A_ OR c.name LIKE '%ss_num%' _x000D__x000A_ OR c.name LIKE '%ssnum%' _x000D__x000A_ OR c.name LIKE '%employeessn%' _x000D__x000A_ OR c.name LIKE '%passport%' _x000D__x000A_ OR c.name LIKE '%social security%' _x000D__x000A_ OR c.name LIKE '%security%' _x000D__x000A_ OR c.name = 'ssid' _x000D__x000A_ OR c.name LIKE '%taxid%' _x000D__x000A_ OR c.name = 'itin' _x000D__x000A_ OR c.name LIKE '%driver%' _x000D__x000A_ OR c.name LIKE '%pass%' _x000D__x000A_ OR c.name LIKE '%personal%' _x000D__x000A_ OR c.name LIKE '%identification%' _x000D__x000A_ OR c.name LIKE '%postal%' _x000D__x000A_ OR c.name LIKE '%zip%' _x000D__x000A_ OR c.name LIKE '%identificationnumber%' THEN 'Personal' _x000D__x000A_ WHEN c.name LIKE '%credit%' _x000D__x000A_ OR c.name LIKE '%card%' _x000D__x000A_ OR c.name LIKE '%account%' _x000D__x000A_ OR c.name LIKE '%tax%' _x000D__x000A_ OR c.name LIKE '%paypal%' _x000D__x000A_ OR c.name LIKE '%payment%' _x000D__x000A_ OR c.name LIKE '%banking%' _x000D__x000A_ OR c.name LIKE '%insurance%' _x000D__x000A_ OR c.name LIKE '%ccn%' _x000D__x000A_ OR c.name LIKE '%debit%' _x000D__x000A_ OR c.name = 'visa' _x000D__x000A_ OR c.name LIKE '%mastercard%' _x000D__x000A_ OR c.name LIKE '%pmt%' _x000D__x000A_ OR c.name LIKE '%cvv%' _x000D__x000A_ OR c.name LIKE '%amount%' _x000D__x000A_ OR c.name LIKE '%amt%' 
_x000D__x000A_ OR c.name LIKE '%compensation%' _x000D__x000A_ OR c.name LIKE '%currency%' _x000D__x000A_ OR c.name LIKE '%iban%' _x000D__x000A_ OR c.name LIKE '%routingnumber%' _x000D__x000A_ OR c.name LIKE '%routingno%' _x000D__x000A_ OR c.name = 'aba' _x000D__x000A_ OR c.name LIKE '%expyear%' _x000D__x000A_ OR c.name LIKE '%expmonth%' _x000D__x000A_ OR c.name LIKE '%invoice%' THEN 'Financial' _x000D__x000A_ WHEN c.name LIKE '%clinic%' _x000D__x000A_ OR c.name LIKE '%medical%' _x000D__x000A_ OR c.name LIKE '%treatment%' _x000D__x000A_ OR c.name LIKE '%healthcondition%' _x000D__x000A_ OR c.name LIKE '%patient%' _x000D__x000A_ OR c.name LIKE '%medication%' _x000D__x000A_ OR c.name LIKE '%health%' _x000D__x000A_ OR c.name LIKE '%prescription%' THEN 'Health' _x000D__x000A_ ELSE 'General' _x000D__x000A_ END AS DataCategory, _x000D__x000A_ CASE WHEN (is_masked = 1) THEN 'Dynamic Data Masking' _x000D__x000A_ WHEN (encryption_type IS NOT NULL) THEN 'Always Encrypted' _x000D__x000A_ WHEN (p.predicate_type IS NOT NULL) THEN 'Row Level Security' _x000D__x000A_ ELSE '! Unprotected !' 
_x000D__x000A_ END AS ProtectionStatus _x000D__x000A_ FROM sys.schemas s _x000D__x000A_ INNER JOIN sys.tables t _x000D__x000A_ ON s.schema_id = t.schema_id inner join sys.columns c _x000D__x000A_ ON t.object_id = c.object_id left outer join sys.security_predicates p _x000D__x000A_ ON c.object_id = p.target_object_id and p.predicate_definition LIKE '%[[]' + c.name + ']%' _x000D__x000A_ WHERE c.name LIKE '%username%' _x000D__x000A_ OR c.name LIKE '%pwd%' _x000D__x000A_ OR c.name LIKE '%password%' _x000D__x000A_ OR c.name LIKE '%email%' _x000D__x000A_ OR c.name LIKE '%lastname%' _x000D__x000A_ OR c.name LIKE '%firstname%' _x000D__x000A_ OR c.name LIKE '%surname%' _x000D__x000A_ OR c.name LIKE '%addr%' _x000D__x000A_ OR c.name LIKE '%phone%' _x000D__x000A_ OR c.name LIKE '%resetcode%' _x000D__x000A_ OR c.name LIKE '%socialsec%' _x000D__x000A_ OR c.name LIKE '%birthday%' _x000D__x000A_ OR c.name = 'ssn' _x000D__x000A_ OR c.name LIKE '%ss_num%' _x000D__x000A_ OR c.name LIKE '%ssnum%' _x000D__x000A_ OR c.name LIKE '%employeessn%' _x000D__x000A_ OR c.name LIKE '%passport%' _x000D__x000A_ OR c.name LIKE '%social security%' _x000D__x000A_ OR c.name LIKE '%security%' _x000D__x000A_ OR c.name = 'ssid' _x000D__x000A_ OR c.name LIKE '%taxid%' _x000D__x000A_ OR c.name = 'itin' _x000D__x000A_ OR c.name LIKE '%driver%' _x000D__x000A_ OR c.name LIKE '%pass%' _x000D__x000A_ OR c.name LIKE '%personal%' _x000D__x000A_ OR c.name LIKE '%identification%' _x000D__x000A_ OR c.name LIKE '%postal%' _x000D__x000A_ OR c.name LIKE '%zip%' _x000D__x000A_ OR c.name LIKE '%identificationnumber%' _x000D__x000A_ OR c.name LIKE '%credit%' _x000D__x000A_ OR c.name LIKE '%card%' _x000D__x000A_ OR c.name LIKE '%account%' _x000D__x000A_ OR c.name LIKE '%tax%' _x000D__x000A_ OR c.name LIKE '%paypal%' _x000D__x000A_ OR c.name LIKE '%payment%' _x000D__x000A_ OR c.name LIKE '%banking%' _x000D__x000A_ OR c.name LIKE '%insurance%' _x000D__x000A_ OR c.name LIKE '%ccn%' _x000D__x000A_ OR c.name LIKE '%debit%' 
_x000D__x000A_ OR c.name = 'visa' _x000D__x000A_ OR c.name LIKE '%mastercard%' _x000D__x000A_ OR c.name LIKE '%pmt%' _x000D__x000A_ OR c.name LIKE '%cvv%' _x000D__x000A_ OR c.name LIKE '%amount%' _x000D__x000A_ OR c.name LIKE '%amt%' _x000D__x000A_ OR c.name LIKE '%compensation%' _x000D__x000A_ OR c.name LIKE '%currency%' _x000D__x000A_ OR c.name LIKE '%iban%' _x000D__x000A_ OR c.name LIKE '%routingnumber%' _x000D__x000A_ OR c.name LIKE '%routingno%' _x000D__x000A_ OR c.name = 'aba' _x000D__x000A_ OR c.name LIKE '%expyear%' _x000D__x000A_ OR c.name LIKE '%expmonth%' _x000D__x000A_ OR c.name LIKE '%invoice%' _x000D__x000A_ OR c.name LIKE '%clinic%' _x000D__x000A_ OR c.name LIKE '%medical%' _x000D__x000A_ OR c.name LIKE '%treatment%' _x000D__x000A_ OR c.name LIKE '%healthcondition%' _x000D__x000A_ OR c.name LIKE '%patient%' _x000D__x000A_ OR c.name LIKE '%medication%' _x000D__x000A_ OR c.name LIKE '%health%' _x000D__x000A_ OR c.name LIKE '%prescription%'</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">*Apply column-level data protection security measures where appropriate:_x000D__x000A_Always Encrypted -- keeps sensitive data columns encrypted on the server side ('https://msdn.microsoft.com/en-us/library/mt163865.aspx')_x000D__x000A_Dynamic Data Masking -- limit sensitive data exposure by dynamically masking it to non-privileged users when data is returned from the server to the client ('https://msdn.microsoft.com/en-us/library/mt130841.aspx')_x000D__x000A_Row Level Security -- restrict access to data rows by creating a security policy on top of a sensitive column ('https://msdn.microsoft.com/en-us/library/dn765131.aspx')*</S>
</Props>
</Obj>
<Obj RefId="34">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">c001c738-0edf-42d8-9dad-4023e2419256</G>
<S N="RuleId">VA1286</S>
<S N="Severity">Low</S>
<S N="Category">AuthenticationAndAuthorization</S>
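<S N="Description">Permissions are rules associated with a securable object to regulate which users can gain access to the object. This rule checks that there are no DB permissions granted directly to users. The check does not filter on permission state, so DENY entries are listed alongside GRANT entries; revoking a DENY widens access, so confirm the state of each entry before applying the remediation.</S>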
<S N="Title">Database permissions shouldn't be granted directly to principals (OBJECT or COLUMN)</S>
<S N="Query">SELECT permission_name AS [Permission], _x000D__x000A_ Schema_name(objs.schema_id) AS [Schema], _x000D__x000A_ objs.NAME AS [Object], _x000D__x000A_ prin.NAME AS [Principal] _x000D__x000A_FROM sys.database_permissions AS dp _x000D__x000A_ LEFT JOIN sys.all_objects AS objs _x000D__x000A_ ON objs.object_id = dp.major_id _x000D__x000A_ LEFT JOIN sys.database_principals prin _x000D__x000A_ ON dp.grantee_principal_id = prin.principal_id _x000D__x000A_WHERE ( prin.type = 'S' _x000D__x000A_ OR prin.type = 'W' ) _x000D__x000A_ AND dp.type != 'CO' _x000D__x000A_ AND prin.NAME NOT IN ( '##MS_PolicyEventProcessingLogin##', _x000D__x000A_ '##MS_PolicyTsqlExecutionLogin##' ) _x000D__x000A_ AND dp.class = 1 _x000D__x000A_ORDER BY class_desc, _x000D__x000A_ Object_name(major_id), _x000D__x000A_ permission_name, _x000D__x000A_ prin.NAME;</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE $0 ON [$1].[$2] FROM [$3]</S>
</Props>
</Obj>
<Obj RefId="35">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">c1580de4-9ccc-4932-80be-b9cb27ccfe07</G>
<S N="RuleId">VA2000</S>
<S N="Severity">High</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted high impact database-scoped permissions.</S>
<S N="Title">Minimal set of principals should be granted high impact database-scoped permissions</S>
<S N="Query">SELECT perms.class_desc as [Permission Class], perms.permission_name AS Permission, type_desc AS [Principal Type], prin.name as Principal_x000D__x000A_FROM sys.database_permissions perms, sys.database_principals prin_x000D__x000A_WHERE perms.grantee_principal_id = prin.principal_id _x000D__x000A_ AND permission_name IN ('CONTROL', 'AUTHENTICATE', 'TAKE OWNERSHIP', 'ALTER ANY ASSEMBLY', 'ALTER ANY DATABASE DDL TRIGGER', 'CREATE DATABASE DDL EVENT NOTIFICATION', _x000D__x000A_ 'KILL DATABASE CONNECTION', 'CREATE DATABASE', 'BACKUP DATABASE', 'BACKUP LOG', 'CREATE REMOTE SERVICE BINDING', 'CREATE ROUTE', _x000D__x000A_ 'CREATE FULLTEXT CATALOG', 'CREATE ASSEMBLY', 'REFERENCES') _x000D__x000A_ AND grantee_principal_id NOT IN (DATABASE_PRINCIPAL_ID('guest'), DATABASE_PRINCIPAL_ID('public')) _x000D__x000A_ AND perms.class = 0</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE $1 FROM [$3]</S>
</Props>
</Obj>
<Obj RefId="36">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">396f9f53-94fb-460d-a5b1-7396f849b28f</G>
<S N="RuleId">VA2001</S>
<S N="Severity">High</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted high impact database-scoped permissions on objects or columns.</S>
<S N="Title">Minimal set of principals should be granted high impact database-scoped permissions on objects or columns</S>
<S N="Query">SELECT perms.class_desc as [Permission Class], object_schema_name(major_id) as [Schema Name], object_name(major_id) as [Object], perms.permission_name AS Permission, type_desc AS [Principal Type], prin.name as Principal_x000D__x000A_FROM sys.database_permissions perms, sys.database_principals prin_x000D__x000A_WHERE perms.grantee_principal_id = prin.principal_id _x000D__x000A_ AND permission_name IN ('CONTROL', 'TAKE OWNERSHIP', 'REFERENCES') _x000D__x000A__x0009_AND grantee_principal_id NOT IN (DATABASE_PRINCIPAL_ID('guest'), DATABASE_PRINCIPAL_ID('public')) _x000D__x000A_ AND perms.class = 1</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE $3 ON [$1].[$2] FROM [$5]</S>
</Props>
</Obj>
<Obj RefId="37">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">74c9b6e5-b254-453f-8787-d1e6101bfceb</G>
<S N="RuleId">VA2002</S>
<S N="Severity">High</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted high impact database-scoped permissions on various securables.</S>
<S N="Title">Minimal set of principals should be granted high impact database-scoped permissions on various securables</S>
<S N="Query">SELECT REPLACE(perms.class_desc, '_', ' ') AS [Permission Class], _x000D__x000A_ CASE _x000D__x000A_ WHEN perms.class=3 THEN schema_name(major_id) -- schema_x000D__x000A_ WHEN perms.class=4 THEN printarget.name -- principal_x000D__x000A_ WHEN perms.class=5 THEN asm.name -- assembly_x000D__x000A_ WHEN perms.class=6 THEN type_name(major_id) -- type_x000D__x000A_ WHEN perms.class=10 THEN xmlsc.name -- xml schema_x000D__x000A_ WHEN perms.class=15 THEN msgt.name COLLATE DATABASE_DEFAULT -- message types_x000D__x000A_ WHEN perms.class=16 THEN svcc.name COLLATE DATABASE_DEFAULT -- service contracts_x000D__x000A_ WHEN perms.class=17 THEN svcs.name COLLATE DATABASE_DEFAULT -- services_x000D__x000A_ WHEN perms.class=18 THEN rsb.name COLLATE DATABASE_DEFAULT -- remote service bindings_x000D__x000A_ WHEN perms.class=19 THEN rts.name COLLATE DATABASE_DEFAULT -- routes_x000D__x000A_ WHEN perms.class=23 THEN ftc.name -- full text catalog_x000D__x000A_ WHEN perms.class=24 then sym.name -- symmetric key_x000D__x000A_ WHEN perms.class=25 then crt.name -- certificate_x000D__x000A_ WHEN perms.class=26 then asym.name -- assymetric key_x000D__x000A_ END AS [Object],_x000D__x000A_ perms.permission_name AS Permission, _x000D__x000A_ prin.type_desc AS [Principal Type], _x000D__x000A_ prin.name AS Principal_x000D__x000A_FROM sys.database_permissions perms_x000D__x000A_LEFT JOIN_x000D__x000A_ sys.database_principals prin_x000D__x000A_ ON perms.grantee_principal_id = prin.principal_id_x000D__x000A_LEFT JOIN _x000D__x000A_ sys.assemblies asm_x000D__x000A_ ON perms.major_id = asm.assembly_id_x000D__x000A_LEFT JOIN _x000D__x000A_ sys.xml_schema_collections xmlsc_x000D__x000A_ ON perms.major_id = xmlsc.xml_collection_id_x000D__x000A_LEFT JOIN _x000D__x000A_ sys.service_message_types msgt_x000D__x000A_ ON perms.major_id = msgt.message_type_id_x000D__x000A_LEFT JOIN _x000D__x000A_ sys.service_contracts svcc_x000D__x000A_ ON perms.major_id = svcc.service_contract_id_x000D__x000A_LEFT 
JOIN _x000D__x000A_ sys.services svcs_x000D__x000A_ ON perms.major_id = svcs.service_id_x000D__x000A_LEFT JOIN _x000D__x000A_ sys.remote_service_bindings rsb_x000D__x000A_ ON perms.major_id = rsb.remote_service_binding_id_x000D__x000A_LEFT JOIN _x000D__x000A_ sys.routes rts_x000D__x000A_ ON perms.major_id = rts.route_id_x000D__x000A_LEFT JOIN_x000D__x000A_ sys.database_principals printarget_x000D__x000A_ ON perms.major_id = printarget.principal_id_x000D__x000A_LEFT JOIN _x000D__x000A_ sys.symmetric_keys sym_x000D__x000A_ On perms.major_id = sym.symmetric_key_id_x000D__x000A_LEFT JOIN_x000D__x000A_ sys.asymmetric_keys asym_x000D__x000A_ ON perms.major_id = asym.asymmetric_key_id_x000D__x000A_ LEFT JOIN_x000D__x000A_ sys.certificates crt_x000D__x000A_ ON perms.major_id = crt.certificate_id_x000D__x000A_LEFT JOIN_x000D__x000A_ sys.fulltext_catalogs ftc_x000D__x000A_ ON perms.major_id = ftc.fulltext_catalog_id_x000D__x000A_WHERE _x000D__x000A_ permission_name IN ('CONTROL', 'TAKE OWNERSHIP', 'REFERENCES') _x000D__x000A_ AND grantee_principal_id NOT IN (DATABASE_PRINCIPAL_ID('guest'), DATABASE_PRINCIPAL_ID('public')) _x000D__x000A_ AND class in (3,4,5,6,10,15,16,17,18,19,23,24,25,26)</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE $2 ON $0::[$1] FROM [$4]</S>
</Props>
</Obj>
<Obj RefId="38">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">3ed93882-8d6e-4365-a1f5-bf17323f5861</G>
<S N="RuleId">VA2010</S>
<S N="Severity">Medium</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted medium impact database-scoped permissions.</S>
<S N="Title">Minimal set of principals should be granted medium impact database-scoped permissions</S>
<S N="Query">SELECT perms.class_desc as [Permission Class], perms.permission_name AS Permission, type_desc AS [Principal Type], prin.name as Principal_x000D__x000A_FROM sys.database_permissions perms, sys.database_principals prin_x000D__x000A_WHERE perms.grantee_principal_id = prin.principal_id _x000D__x000A_ AND permission_name IN ('ALTER ANY ROLE', 'ALTER ANY APPLICATION ROLE', 'ALTER ANY SCHEMA', 'ALTER ANY DATASPACE', 'ALTER ANY MESSAGE TYPE', _x000D__x000A_ 'ALTER ANY CONTRACT', 'ALTER ANY SERVICE', 'ALTER ANY REMOTE SERVICE BINDING', 'ALTER ANY ROUTE', 'ALTER ANY FULLTEXT CATALOG', _x000D__x000A_ 'ALTER ANY SYMMETRIC KEY', 'ALTER ANY ASYMMETRIC KEY', 'ALTER ANY CERTIFICATE', 'ALTER ANY DATABASE EVENT NOTIFICATION', _x000D__x000A_ 'ALTER ANY DATABASE AUDIT', 'ALTER ANY DATABASE EVENT SESSION', 'SHOWPLAN', 'CONNECT REPLICATION', 'CHECKPOINT', 'SUBSCRIBE QUERY NOTIFICATIONS', _x000D__x000A_ 'VIEW DATABASE STATE', 'CREATE TABLE', 'CREATE VIEW', 'CREATE PROCEDURE', 'CREATE FUNCTION', 'CREATE RULE', 'CREATE DEFAULT', _x000D__x000A_ 'CREATE TYPE', 'CREATE XML SCHEMA COLLECTION', 'CREATE SCHEMA', 'CREATE SYNONYM', 'CREATE AGGREGATE', 'CREATE ROLE', _x000D__x000A_ 'CREATE MESSAGE TYPE', 'CREATE SERVICE', 'CREATE CONTRACT', 'CREATE QUEUE', 'CREATE SYMMETRIC KEY', 'CREATE ASYMMETRIC KEY', _x000D__x000A_ 'CREATE CERTIFICATE') _x000D__x000A__x0009_AND grantee_principal_id NOT IN (DATABASE_PRINCIPAL_ID('guest'), DATABASE_PRINCIPAL_ID('public')) _x000D__x000A_ AND perms.class = 0</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE $1 FROM [$3]</S>
</Props>
</Obj>
<Obj RefId="39">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">d44a674f-84e3-421c-babc-85168eacecac</G>
<S N="RuleId">VA2020</S>
<S N="Severity">High</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted ALTER or ALTER ANY USER database-scoped permissions.</S>
<S N="Title">Minimal set of principals should be granted ALTER or ALTER ANY USER database-scoped permissions</S>
<S N="Query">SELECT perms.class_desc as [Permission Class], perms.permission_name AS Permission, type_desc AS [Principal Type], prin.name as Principal_x000D__x000A_FROM sys.database_permissions perms, sys.database_principals prin_x000D__x000A_WHERE perms.grantee_principal_id = prin.principal_id _x000D__x000A_ AND permission_name IN ('ALTER', 'ALTER ANY USER')_x000D__x000A_ AND grantee_principal_id NOT IN (DATABASE_PRINCIPAL_ID('guest'), DATABASE_PRINCIPAL_ID('public')) _x000D__x000A_ AND perms.class = 0_x000D__x000A_ AND NOT (prin.type = 'S' AND prin.name = 'dbo' AND prin.authentication_type = 1 AND prin.owning_principal_id IS NULL)</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE $1 FROM [$3]</S>
</Props>
</Obj>
<Obj RefId="40">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">3dd07a13-c58b-482a-bfe8-d8bf58dd4115</G>
<S N="RuleId">VA2021</S>
<S N="Severity">High</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted ALTER database-scoped permissions on objects or columns.</S>
<S N="Title">Minimal set of principals should be granted database-scoped ALTER permissions on objects or columns</S>
<S N="Query">SELECT perms.class_desc as [Permission Class], object_schema_name(major_id) as [Schema Name], object_name(major_id) as [Object], perms.permission_name AS Permission, type_desc AS [Principal Type], prin.name as Principal_x000D__x000A_FROM sys.database_permissions perms, sys.database_principals prin_x000D__x000A_WHERE perms.grantee_principal_id = prin.principal_id _x000D__x000A_ AND permission_name = 'ALTER'_x000D__x000A__x0009_AND grantee_principal_id NOT IN (DATABASE_PRINCIPAL_ID('guest'), DATABASE_PRINCIPAL_ID('public')) _x000D__x000A_ AND perms.class = 1_x000D__x000A_ AND NOT (prin.type = 'S' AND prin.name = 'dbo' AND prin.authentication_type = 1 AND prin.owning_principal_id IS NULL)</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE $3 ON [$1].[$2] FROM [$5]</S>
</Props>
</Obj>
<Obj RefId="41">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">65a6f320-f649-4b15-847d-b4ecf1dda44a</G>
<S N="RuleId">VA2022</S>
<S N="Severity">High</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted database-scoped ALTER permissions on various securables.</S>
<S N="Title">Minimal set of principals should be granted database-scoped ALTER permission on various securables</S>
<S N="Query">SELECT REPLACE(perms.class_desc, '_', ' ') AS [Permission Class], _x000D__x000A_ CASE _x000D__x000A_ WHEN perms.class=3 THEN schema_name(major_id) -- schema_x000D__x000A_ WHEN perms.class=4 THEN printarget.name -- principal_x000D__x000A_ WHEN perms.class=5 THEN asm.name -- assembly_x000D__x000A_ WHEN perms.class=6 THEN type_name(major_id) -- type_x000D__x000A_ WHEN perms.class=10 THEN xmlsc.name -- xml schema_x000D__x000A_ WHEN perms.class=15 THEN msgt.name COLLATE DATABASE_DEFAULT -- message types_x000D__x000A_ WHEN perms.class=16 THEN svcc.name COLLATE DATABASE_DEFAULT -- service contracts_x000D__x000A_ WHEN perms.class=17 THEN svcs.name COLLATE DATABASE_DEFAULT -- services_x000D__x000A_ WHEN perms.class=18 THEN rsb.name COLLATE DATABASE_DEFAULT -- remote service bindings_x000D__x000A_ WHEN perms.class=19 THEN rts.name COLLATE DATABASE_DEFAULT -- routes_x000D__x000A_ WHEN perms.class=23 THEN ftc.name -- full text catalog_x000D__x000A_ WHEN perms.class=24 then sym.name -- symmetric key_x000D__x000A_ WHEN perms.class=25 then crt.name -- certificate_x000D__x000A_ WHEN perms.class=26 then asym.name -- assymetric key_x000D__x000A_ ELSE ''_x000D__x000A_ END AS [Object],_x000D__x000A_ perms.permission_name AS Permission, _x000D__x000A_ prin.type_desc AS [Principal Type], _x000D__x000A_ prin.name AS Principal_x000D__x000A_FROM sys.database_permissions perms_x000D__x000A_LEFT JOIN_x000D__x000A_ sys.database_principals prin_x000D__x000A_ ON perms.grantee_principal_id = prin.principal_id_x000D__x000A_LEFT JOIN _x000D__x000A_ sys.assemblies asm_x000D__x000A_ ON perms.major_id = asm.assembly_id_x000D__x000A_LEFT JOIN _x000D__x000A_ sys.xml_schema_collections xmlsc_x000D__x000A_ ON perms.major_id = xmlsc.xml_collection_id_x000D__x000A_LEFT JOIN _x000D__x000A_ sys.service_message_types msgt_x000D__x000A_ ON perms.major_id = msgt.message_type_id_x000D__x000A_LEFT JOIN _x000D__x000A_ sys.service_contracts svcc_x000D__x000A_ ON perms.major_id = 
svcc.service_contract_id_x000D__x000A_LEFT JOIN _x000D__x000A_ sys.services svcs_x000D__x000A_ ON perms.major_id = svcs.service_id_x000D__x000A_LEFT JOIN _x000D__x000A_ sys.remote_service_bindings rsb_x000D__x000A_ ON perms.major_id = rsb.remote_service_binding_id_x000D__x000A_LEFT JOIN _x000D__x000A_ sys.routes rts_x000D__x000A_ ON perms.major_id = rts.route_id_x000D__x000A_LEFT JOIN_x000D__x000A_ sys.database_principals printarget_x000D__x000A_ ON perms.major_id = printarget.principal_id_x000D__x000A_LEFT JOIN _x000D__x000A_ sys.symmetric_keys sym_x000D__x000A_ On perms.major_id = sym.symmetric_key_id_x000D__x000A_LEFT JOIN_x000D__x000A_ sys.asymmetric_keys asym_x000D__x000A_ ON perms.major_id = asym.asymmetric_key_id_x000D__x000A_ LEFT JOIN_x000D__x000A_ sys.certificates crt_x000D__x000A_ ON perms.major_id = crt.certificate_id_x000D__x000A_LEFT JOIN_x000D__x000A_ sys.fulltext_catalogs ftc_x000D__x000A_ ON perms.major_id = ftc.fulltext_catalog_id_x000D__x000A_WHERE _x000D__x000A_ permission_name = 'ALTER'_x000D__x000A_ AND class in (3,4,5,6,10,15,16,17,18,19,23,24,25,26)_x000D__x000A_ AND grantee_principal_id NOT IN (DATABASE_PRINCIPAL_ID('guest'), DATABASE_PRINCIPAL_ID('public')) _x000D__x000A_ AND NOT (prin.type = 'S' AND prin.name = 'dbo' AND prin.authentication_type = 1 AND prin.owning_principal_id IS NULL)</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE $2 ON $0::[$1] FROM [$4]</S>
</Props>
</Obj>
<Obj RefId="42">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">8b183da7-f835-4b20-a5b1-99d58a1fc9ca</G>
<S N="RuleId">VA2030</S>
<S N="Severity">Low</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted database-scoped SELECT or EXECUTE permissions.</S>
<S N="Title">Minimal set of principals should be granted database-scoped SELECT or EXECUTE permissions</S>
<S N="Query">SELECT perms.class_desc as [Permission Class], perms.permission_name AS Permission, type_desc AS [Principal Type], prin.name as Principal_x000D__x000A_FROM sys.database_permissions perms, sys.database_principals prin_x000D__x000A_WHERE perms.grantee_principal_id = prin.principal_id _x000D__x000A_ AND permission_name IN ('SELECT', 'EXECUTE')_x000D__x000A__x0009_AND grantee_principal_id NOT IN (DATABASE_PRINCIPAL_ID('guest'), DATABASE_PRINCIPAL_ID('public')) _x000D__x000A_ AND perms.class = 0_x000D__x000A_ AND NOT (prin.type = 'C' AND prin.name = '##MS_AgentSigningCertificate##' _x000D__x000A_ AND perms.class = 0 AND perms.type = 'EX' _x000D__x000A_ AND user_name(grantor_principal_id) = 'dbo' _x000D__x000A_ AND state_desc = 'GRANT' _x000D__x000A_ AND major_id = 0)</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE $1 FROM [$3]</S>
</Props>
</Obj>
<Obj RefId="43">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">1256fcf4-a0dc-4be5-b70d-8767c108c8f2</G>
<S N="RuleId">VA2031</S>
<S N="Severity">Low</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted database-scoped SELECT permission on objects or columns.</S>
<S N="Title">Minimal set of principals should be granted database-scoped SELECT permission on objects or columns</S>
<S N="Query">SELECT perms.class_desc as [Permission Class], object_schema_name(major_id) as [Schema Name], object_name(major_id) as [Object], perms.permission_name AS Permission, type_desc AS [Principal Type], prin.name as Principal_x000D__x000A_FROM sys.database_permissions perms, sys.database_principals prin_x000D__x000A_WHERE perms.grantee_principal_id = prin.principal_id _x000D__x000A_ AND permission_name = 'SELECT' _x000D__x000A__x0009_AND grantee_principal_id NOT IN (DATABASE_PRINCIPAL_ID('guest'), DATABASE_PRINCIPAL_ID('public')) _x000D__x000A_ AND perms.class = 1_x000D__x000A_ AND NOT (state_desc = 'GRANT' AND_x000D__x000A_ ((prin.type = 'R' AND prin.name = 'loginmanager' AND user_name(grantor_principal_id) = 'sys' AND object_name(major_id) IN ('sql_logins'))_x000D__x000A_ OR (prin.type = 'R' AND prin.name = 'public' AND user_name(grantor_principal_id) = 'sys' AND object_name(major_id) IN ('bandwidth_usage', 'database_connection_stats', 'database_error_stats', 'database_firewall_rules', 'database_usage', 'dm_database_copies', 'elastic_pool_resource_stats', 'event_log', 'firewall_rules', 'geo_replication_links', 'resource_stats'))_x000D__x000A_ OR (prin.type = 'R' AND prin.name = 'public' AND user_name(grantor_principal_id) = 'dbo' AND object_name(major_id) IN (_x000D__x000A_ 'all_columns', 'all_objects', 'all_parameters', 'all_sql_modules', 'all_views', 'allocation_units', 'assemblies', 'assembly_files', 'assembly_modules', 'assembly_references', 'assembly_types', 'asymmetric_keys', 'availability_databases_cluster', 'availability_group_listener_ip_addresses', 'availability_group_listeners', 'availability_groups', 'availability_groups_cluster', 'availability_read_only_routing_lists', 'availability_replicas', 'backup_devices', 'certificates', 'change_tracking_databases', 'change_tracking_tables', 'check_constraints', 'COLUMN_DOMAIN_USAGE', 'column_encryption_key_values', 'column_encryption_keys', 'column_master_key_definitions', 'column_master_keys', 
'COLUMN_PRIVILEGES', 'column_store_dictionaries', 'column_store_row_groups', 'column_store_segments', 'column_type_usages', 'column_x005F_xml_schema_collection_usages', 'columns', 'computed_columns', 'configurations', 'CONSTRAINT_COLUMN_USAGE', 'CONSTRAINT_TABLE_USAGE', 'conversation_endpoints', 'conversation_groups', 'conversation_priorities', 'credentials', 'crypt_properties', 'cryptographic_providers', 'data_spaces', 'database_audit_specification_details', 'database_audit_specifications', 'database_credentials', 'database_event_session_actions', 'database_event_session_events', 'database_event_session_fields', 'database_event_session_targets', 'database_event_sessions', 'database_files', 'database_filestream_options', 'database_mirroring', 'database_mirroring_endpoints', 'database_permissions', 'database_principals', 'database_query_store_options', 'database_recovery_status', 'database_resource_governor_workload_groups', 'database_role_members', 'database_scoped_configurations', 'database_scoped_credentials', 'databases', 'default_constraints', 'destination_data_spaces', 'dm_audit_actions', 'dm_audit_class_type_map', 'dm_broker_activated_tasks', 'dm_broker_connections', 'dm_broker_forwarded_messages', 'dm_broker_queue_monitors', 'dm_cdc_errors', 'dm_cdc_log_scan_sessions', 'dm_clr_appdomains', 'dm_clr_loaded_assemblies', 'dm_clr_properties', 'dm_clr_tasks', 'dm_column_store_object_pool', 'dm_cryptographic_provider_algorithms', 'dm_cryptographic_provider_keys', 'dm_cryptographic_provider_properties', 'dm_cryptographic_provider_sessions', 'dm_database_encryption_keys', _x000D__x000A_ 'dm_db_column_store_row_group_operational_stats', 'dm_db_column_store_row_group_physical_stats', 'dm_db_database_page_allocations', 'dm_db_file_space_usage', 'dm_db_fts_index_physical_stats', 'dm_db_incremental_stats_properties', 'dm_db_index_operational_stats', 'dm_db_index_physical_stats', 'dm_db_index_usage_stats', 'dm_db_log_space_usage', 'dm_db_mirroring_auto_page_repair', 
'dm_db_mirroring_connections', 'dm_db_mirroring_past_actions', 'dm_db_missing_index_columns', 'dm_db_missing_index_details', 'dm_db_missing_index_group_stats', 'dm_db_missing_index_groups', 'dm_db_objects_disabled_on_compatibility_level_change', 'dm_db_partition_stats', 'dm_db_persisted_sku_features', 'dm_db_rda_migration_status', 'dm_db_rda_schema_update_status', 'dm_db_resource_governor_configuration', 'dm_db_script_level', 'dm_db_session_space_usage', 'dm_db_stats_properties', 'dm_db_task_space_usage', 'dm_db_uncontained_entities', 'dm_db_workload_group_resource_stats', 'dm_db_x005F_xtp_checkpoint_files', 'dm_db_x005F_xtp_checkpoint_stats', 'dm_db_x005F_xtp_gc_cycle_stats', 'dm_db_x005F_xtp_hash_index_stats', 'dm_db_x005F_xtp_index_stats', 'dm_db_x005F_xtp_memory_consumers', 'dm_db_x005F_xtp_nonclustered_index_stats', 'dm_db_x005F_xtp_object_stats', 'dm_db_x005F_xtp_table_memory_stats', 'dm_db_x005F_xtp_transactions', 'dm_exec_background_job_queue', 'dm_exec_background_job_queue_stats', 'dm_exec_cached_plan_dependent_objects', 'dm_exec_cached_plans', 'dm_exec_compute_node_errors', 'dm_exec_compute_node_status', 'dm_exec_compute_nodes', 'dm_exec_connections', 'dm_exec_cursors', 'dm_exec_describe_first_result_set', 'dm_exec_describe_first_result_set_for_object', 'dm_exec_distributed_request_steps', 'dm_exec_distributed_requests', 'dm_exec_distributed_sql_requests', 'dm_exec_dms_services', 'dm_exec_dms_workers', 'dm_exec_external_operations', 'dm_exec_external_work', 'dm_exec_function_stats', 'dm_exec_input_buffer', 'dm_exec_plan_attributes', 'dm_exec_procedure_stats', 'dm_exec_query_memory_grants', 'dm_exec_query_optimizer_info', 'dm_exec_query_optimizer_memory_gateways', 'dm_exec_query_parallel_workers', 'dm_exec_query_plan', 'dm_exec_query_profiles', 'dm_exec_query_resource_semaphores', 'dm_exec_query_statistics_x005F_xml', 'dm_exec_query_stats', 'dm_exec_query_transformation_stats', 'dm_exec_requests', 'dm_exec_session_wait_stats', 'dm_exec_sessions', 
'dm_exec_sql_text', 'dm_exec_text_query_plan', 'dm_exec_trigger_stats', 'dm_exec_valid_use_hints', 'dm_exec_x005F_xml_handles', 'dm_external_script_execution_stats', 'dm_external_script_requests', 'dm_filestream_file_io_handles', 'dm_filestream_file_io_requests', 'dm_filestream_non_transacted_handles', 'dm_fts_active_catalogs', 'dm_fts_fdhosts', 'dm_fts_index_keywords', 'dm_fts_index_keywords_by_document', 'dm_fts_index_keywords_by_property', 'dm_fts_index_keywords_position_by_document', _x000D__x000A_ 'dm_fts_index_population', 'dm_fts_memory_buffers', 'dm_fts_memory_pools', 'dm_fts_outstanding_batches', 'dm_fts_parser', 'dm_fts_population_ranges', 'dm_fts_semantic_similarity_population', 'dm_hadr_auto_page_repair', 'dm_hadr_automatic_seeding', 'dm_hadr_availability_group_states', 'dm_hadr_availability_replica_cluster_nodes', 'dm_hadr_availability_replica_cluster_states', 'dm_hadr_availability_replica_states', 'dm_hadr_cluster', 'dm_hadr_database_replica_cluster_states', 'dm_hadr_cluster_members', 'dm_hadr_cluster_networks', 'dm_hadr_database_replica_cluster_states', 'dm_hadr_database_replica_states', 'dm_hadr_instance_node_map', 'dm_hadr_name_id_map', 'dm_hadr_physical_seeding_stats', 'dm_io_backup_tapes', 'dm_io_cluster_shared_drives', 'dm_io_cluster_valid_path_names', 'dm_io_pending_io_requests', 'dm_io_virtual_file_stats', 'dm_logconsumer_cachebufferrefs', 'dm_logconsumer_privatecachebuffers', 'dm_logpool_consumers', 'dm_logpool_hashentries', 'dm_logpool_sharedcachebuffers', 'dm_logpool_stats', 'dm_logpoolmgr_freepools', 'dm_logpoolmgr_respoolsize', 'dm_logpoolmgr_stats', 'dm_os_buffer_descriptors', 'dm_os_buffer_pool_extension_configuration', 'dm_os_child_instances', 'dm_os_cluster_nodes', 'dm_os_cluster_properties', 'dm_os_dispatcher_pools', 'dm_os_dispatchers', 'dm_os_hosts', 'dm_os_latch_stats', 'dm_os_loaded_modules', 'dm_os_memory_allocations', 'dm_os_memory_broker_clerks', 'dm_os_memory_brokers', 'dm_os_memory_cache_clock_hands', 
'dm_os_memory_cache_counters', 'dm_os_memory_cache_entries', 'dm_os_memory_cache_hash_tables', 'dm_os_memory_clerks', 'dm_os_memory_node_access_stats', 'dm_os_memory_nodes', 'dm_os_memory_objects', 'dm_os_memory_pools', 'dm_os_nodes', 'dm_os_performance_counters', 'dm_os_process_memory', 'dm_os_ring_buffers', 'dm_os_schedulers', 'dm_os_server_diagnostics_log_configurations', 'dm_os_spinlock_stats', 'dm_os_stacks', 'dm_os_sublatches', 'dm_os_sys_info', 'dm_os_sys_memory', 'dm_os_tasks', 'dm_os_threads', 'dm_os_virtual_address_dump', 'dm_os_volume_stats', 'dm_os_wait_stats', 'dm_os_waiting_tasks', 'dm_os_windows_info', 'dm_os_worker_local_storage', 'dm_os_workers', _x000D__x000A_ 'dm_pdw_component_health_active_alerts', 'dm_pdw_component_health_alerts', 'dm_pdw_component_health_status', 'dm_pdw_diag_processing_stats', 'dm_pdw_dms_cores', 'dm_pdw_dms_external_work', 'dm_pdw_dms_workers', 'dm_pdw_errors', 'dm_pdw_exec_connections', 'dm_pdw_exec_query_profiles', 'dm_pdw_exec_queryplan_profiles', 'dm_pdw_exec_requests', 'dm_pdw_exec_sessions', 'dm_pdw_hadoop_operations', 'dm_pdw_lock_waits', 'dm_pdw_network_credentials', 'dm_pdw_node_status', 'dm_pdw_nodes', 'dm_pdw_nodes_clr_appdomains', 'dm_pdw_nodes_clr_loaded_assemblies', 'dm_pdw_nodes_clr_properties', 'dm_pdw_nodes_clr_tasks', 'dm_pdw_nodes_database_encryption_keys', 'dm_pdw_nodes_db_file_space_usage', 'dm_pdw_nodes_db_index_usage_stats', 'dm_pdw_nodes_db_partition_stats', 'dm_pdw_nodes_db_session_space_usage', 'dm_pdw_nodes_db_task_space_usage', 'dm_pdw_nodes_exec_background_job_queue', 'dm_pdw_nodes_exec_background_job_queue_stats', 'dm_pdw_nodes_exec_cached_plans', 'dm_pdw_nodes_exec_connections', 'dm_pdw_nodes_exec_procedure_stats', 'dm_pdw_nodes_exec_query_memory_grants', 'dm_pdw_nodes_exec_query_optimizer_info', 'dm_pdw_nodes_exec_query_resource_semaphores', 'dm_pdw_nodes_exec_query_stats', 'dm_pdw_nodes_exec_requests', 'dm_pdw_nodes_exec_sessions', 'dm_pdw_nodes_io_cluster_shared_drives', 
'dm_pdw_nodes_io_pending_io_requests', 'dm_pdw_nodes_os_buffer_descriptors', 'dm_pdw_nodes_os_child_instances', 'dm_pdw_nodes_os_cluster_nodes', 'dm_pdw_nodes_os_dispatcher_pools', 'dm_pdw_nodes_os_dispatchers', 'dm_pdw_nodes_os_hosts', 'dm_pdw_nodes_os_latch_stats', 'dm_pdw_nodes_os_loaded_modules', 'dm_pdw_nodes_os_memory_brokers', 'dm_pdw_nodes_os_memory_cache_clock_hands', 'dm_pdw_nodes_os_memory_cache_counters', 'dm_pdw_nodes_os_memory_cache_entries', 'dm_pdw_nodes_os_memory_cache_hash_tables', 'dm_pdw_nodes_os_memory_clerks', 'dm_pdw_nodes_os_memory_node_access_stats', 'dm_pdw_nodes_os_memory_nodes', 'dm_pdw_nodes_os_memory_objects', 'dm_pdw_nodes_os_memory_pools', 'dm_pdw_nodes_os_nodes', 'dm_pdw_nodes_os_performance_counters', 'dm_pdw_nodes_os_process_memory', 'dm_pdw_nodes_os_schedulers', 'dm_pdw_nodes_os_spinlock_stats', 'dm_pdw_nodes_os_sys_info', 'dm_pdw_nodes_os_sys_memory', 'dm_pdw_nodes_os_tasks', 'dm_pdw_nodes_os_threads', 'dm_pdw_nodes_os_virtual_address_dump', 'dm_pdw_nodes_os_wait_stats', 'dm_pdw_nodes_os_waiting_tasks', 'dm_pdw_nodes_os_workers', 'dm_pdw_nodes_resource_governor_resource_pools', 'dm_pdw_nodes_resource_governor_workload_groups', 'dm_pdw_nodes_tran_active_snapshot_database_transactions', 'dm_pdw_nodes_tran_active_transactions', 'dm_pdw_nodes_tran_commit_table', 'dm_pdw_nodes_tran_current_snapshot', 'dm_pdw_nodes_tran_current_transaction', 'dm_pdw_nodes_tran_database_transactions', 'dm_pdw_nodes_tran_locks', 'dm_pdw_nodes_tran_session_transactions', 'dm_pdw_nodes_tran_top_version_generators', _x000D__x000A_ 'dm_pdw_os_event_logs', 'dm_pdw_os_performance_counters', 'dm_pdw_os_threads', 'dm_pdw_query_stats_x005F_xe', 'dm_pdw_query_stats_x005F_xe_file', 'dm_pdw_request_steps', 'dm_pdw_resource_waits', 'dm_pdw_sql_requests', 'dm_pdw_sys_info', 'dm_pdw_wait_stats', 'dm_pdw_waits', 'dm_qn_subscriptions', 'dm_repl_articles', 'dm_repl_schemas', 'dm_repl_tranhash', 'dm_repl_traninfo', 'dm_resource_governor_configuration', 
'dm_resource_governor_external_resource_pool_affinity', 'dm_resource_governor_external_resource_pools', 'dm_resource_governor_resource_pool_affinity', 'dm_resource_governor_resource_pool_volumes', 'dm_resource_governor_resource_pools', 'dm_resource_governor_workload_groups', 'dm_server_audit_status', 'dm_server_memory_dumps', 'dm_server_registry', 'dm_server_services', 'dm_sql_referenced_entities', 'dm_sql_referencing_entities', 'dm_tcp_listener_states', 'dm_tran_active_snapshot_database_transactions', 'dm_tran_active_transactions', 'dm_tran_commit_table', 'dm_tran_current_snapshot', 'dm_tran_current_transaction', 'dm_tran_database_transactions', 'dm_tran_global_recovery_transactions', 'dm_tran_global_transactions', 'dm_tran_global_transactions_enlistments', 'dm_tran_global_transactions_log', 'dm_tran_locks', 'dm_tran_session_transactions', 'dm_tran_top_version_generators', 'dm_tran_transactions_snapshot', 'dm_tran_version_store', 'dm_x005F_xe_map_values', 'dm_x005F_xe_object_columns', 'dm_x005F_xe_objects', 'dm_x005F_xe_packages', 'dm_x005F_xe_session_event_actions', 'dm_x005F_xe_session_events', 'dm_x005F_xe_session_object_columns', 'dm_x005F_xe_session_targets', 'dm_x005F_xe_sessions', 'dm_x005F_xtp_gc_queue_stats', 'dm_x005F_xtp_gc_stats', 'dm_x005F_xtp_system_memory_consumers', 'dm_x005F_xtp_threads', 'dm_x005F_xtp_transaction_recent_rows', 'dm_x005F_xtp_transaction_stats', 'DOMAIN_CONSTRAINTS', 'DOMAINS', 'endpoint_webmethods', 'endpoints', 'event_notification_event_types', 'event_notifications', 'events', 'extended_procedures', 'extended_properties', 'external_data_sources', 'external_file_formats', 'external_tables', 'federated_table_columns', 'federation_distributions', 'federation_member_distributions', 'federation_members', 'federations', 'filegroups', 'filetable_system_defined_objects', 'filetables', _x000D__x000A_ 'fn_builtin_permissions', 'fn_check_object_signatures', 'fn_column_store_row_groups', 'fn_db_backup_file_snapshots', 'fn_dblog_x005F_xtp', 
'fn_dump_dblog', 'fn_dump_dblog_x005F_xtp', 'fn_EnumCurrentPrincipals', 'fn_get_audit_file', 'fn_hadr_distributed_ag_database_replica', 'fn_hadr_distributed_ag_replica', 'fn_helpcollations', 'fn_helpdatatypemap', 'fn_listextendedproperty', 'fn_MSxe_read_event_stream', 'fn_my_permissions', 'fn_PhysLocCracker', 'fn_PhysLocCracker', 'fn_replgetcolidfrombitmap', 'fn_RowDumpCracker', 'fn_servershareddrives', 'fn_sqlagent_job_history', 'fn_sqlagent_jobs', 'fn_sqlagent_jobsteps', 'fn_sqlagent_jobsteps_logs', 'fn_sqlagent_subsystems', 'fn_stmt_sql_handle_from_sql_stmt', 'fn_trace_geteventinfo', 'fn_trace_getfilterinfo', 'fn_trace_getinfo', 'fn_trace_gettable', 'fn_translate_permissions', 'fn_validate_plan_guide', 'fn_virtualfilestats', 'fn_virtualservernodes', 'fn_x005F_xe_file_target_read_file', 'foreign_key_columns', 'foreign_keys', 'fulltext_catalogs', 'fulltext_document_types', 'fulltext_index_catalog_usages', 'fulltext_index_columns', 'fulltext_index_fragments', 'fulltext_indexes', 'fulltext_languages', 'fulltext_semantic_language_statistics_database', 'fulltext_semantic_languages', 'fulltext_stoplists', 'fulltext_stopwords', 'fulltext_system_stopwords', 'function_order_columns', 'hash_indexes', 'http_endpoints', 'identity_columns', 'index_columns', 'index_resumable_operations', 'indexes', 'internal_partitions', 'internal_tables', 'KEY_COLUMN_USAGE', 'key_constraints', 'key_encryptions', 'linked_logins', 'login_token', 'masked_columns', 'master_files', 'master_key_passwords', 'memory_optimized_tables_internal_attributes', 'message_type_x005F_xml_schema_collection_usages', 'messages', 'module_assembly_usages', 'numbered_procedure_parameters', 'numbered_procedures', 'objects', 'openkeys', 'parameter_type_usages', 'parameter_x005F_xml_schema_collection_usages', 'parameters', 'partition_functions', 'partition_parameters', 'partition_range_values', 'partition_schemes', 'partitions', 'pdw_column_distribution_properties', 'pdw_database_mappings', 'pdw_diag_event_properties', 
'pdw_diag_events', 'pdw_diag_sessions', 'pdw_distributions', 'pdw_health_alerts', 'pdw_health_component_groups', 'pdw_health_component_properties', 'pdw_health_component_status_mappings', 'pdw_health_components', 'pdw_index_mappings', 'pdw_loader_backup_run_details', 'pdw_loader_backup_runs', 'pdw_loader_run_stages', 'pdw_nodes_column_store_dictionaries', 'pdw_nodes_column_store_row_groups', 'pdw_nodes_column_store_segments', 'pdw_nodes_columns', 'pdw_nodes_indexes', 'pdw_nodes_partitions', 'pdw_nodes_pdw_physical_databases', 'pdw_nodes_tables', 'pdw_physical_databases', 'pdw_table_distribution_properties', 'pdw_table_mappings', 'periods', 'plan_guides', 'procedures', 'query_context_settings', 'query_store_plan', _x000D__x000A_ 'query_store_query', 'query_store_query_text', 'query_store_runtime_stats', 'query_store_runtime_stats_interval', 'REFERENTIAL_CONSTRAINTS', 'registered_search_properties', 'registered_search_property_lists', 'remote_data_archive_databases', 'remote_data_archive_tables', 'remote_logins', 'remote_service_bindings', 'resource_governor_configuration', 'resource_governor_external_resource_pool_affinity', 'resource_governor_external_resource_pools', 'resource_governor_resource_pool_affinity', 'resource_governor_resource_pools', 'resource_governor_workload_groups', 'routes', 'ROUTINE_COLUMNS', 'ROUTINES', 'schemas', 'SCHEMATA', 'securable_classes', 'security_policies', 'security_predicates', 'selective_x005F_xml_index_namespaces', 'selective_x005F_xml_index_paths', 'sequences', 'server_assembly_modules', 'server_audit_specification_details', 'server_audit_specifications', 'server_audits', 'server_event_notifications', 'server_event_session_actions', 'server_event_session_actions', 'server_event_session_events', 'server_event_session_fields', 'server_event_session_targets', 'server_event_sessions', 'server_events', 'server_file_audits', 'server_permissions', 'server_principal_credentials', 'server_principals', 'server_role_members', 
'server_sql_modules', 'server_trigger_events', 'server_triggers', 'servers', 'service_broker_endpoints', 'service_contract_message_usages', 'service_contract_usages', 'service_contracts', 'service_message_types', 'service_queue_usages', 'service_queues', 'services', 'soap_endpoints', 'spatial_index_tessellations', 'spatial_indexes', 'spatial_reference_systems', 'spt_fallback_db', 'spt_fallback_dev', 'spt_fallback_usg', 'spt_monitor', 'spt_values', 'sql_dependencies', 'sql_logins', 'sql_modules', 'stats', 'stats_columns', 'symmetric_keys', 'synonyms', 'syscacheobjects', 'syscharsets', 'syscolumns', 'syscomments', 'sysconfigures', 'sysconstraints', 'syscurconfigs', 'syscursorcolumns', 'syscursorrefs', 'syscursors', 'syscursortables', 'sysdac_history_internal', 'sysdac_instances', 'sysdac_instances_internal', 'sysdatabases', 'sysdepends', 'sysdevices', 'sysfilegroups', 'sysfiles', 'sysforeignkeys', 'sysfulltextcatalogs', 'sysindexes', 'sysindexkeys', 'syslanguages', 'syslockinfo', 'syslogins', 'sysmembers', 'sysmessages', 'sysobjects', 'sysoledbusers', 'sysopentapes', 'sysperfinfo', 'syspermissions', 'sysprocesses', 'sysprotects', 'sysreferences', 'sysremotelogins', 'sysservers', 'system_columns', 'system_components_surface_area_configuration', 'system_objects', 'system_parameters', 'system_sql_modules', 'system_views', 'systypes', 'sysusers', 'TABLE_CONSTRAINTS', 'TABLE_PRIVILEGES', 'table_types', 'tables', 'tcp_endpoints', 'time_zone_info', _x000D__x000A_ 'trace_categories', 'trace_columns', 'trace_event_bindings', 'trace_events', 'trace_subclass_values', 'trace_x005F_xe_action_map', 'trace_x005F_xe_event_map', 'traces', 'transmission_queue', 'trigger_event_types', 'trigger_events', 'triggers', 'type_assembly_usages', 'types', 'user_token', 'via_endpoints', 'VIEW_COLUMN_USAGE', 'VIEW_TABLE_USAGE', 'views', 'xml_indexes', 'xml_schema_attributes', 'xml_schema_collections', 'xml_schema_component_placements', 'xml_schema_components', 'xml_schema_elements', 
'xml_schema_facets', 'xml_schema_model_groups', 'xml_schema_namespaces', 'xml_schema_types', 'xml_schema_wildcard_namespaces', 'xml_schema_wildcards', 'database_automatic_tuning_mode', 'database_automatic_tuning_options','query_store_wait_stats'_x000D__x000A_ ))_x000D__x000A_ OR (prin.type = 'S' AND prin.name = 'dbo' AND prin.authentication_type = 1 AND prin.owning_principal_id IS NULL AND user_name(grantor_principal_id) = 'sys' AND object_name(major_id) = ('sql_logins'))))</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE $3 ON [$1].[$2] FROM [$5]</S>
</Props>
</Obj>
<!--
  VA2032 (severity Low): reports schema-level SELECT and EXECUTE permission entries.
  Query: reads sys.database_permissions rows with class = 3 (the Object column is resolved
  with schema_name), LEFT JOINed to sys.database_principals on the grantee. Rows whose
  grantee is guest or public are excluded.
  The _x000D__x000A_ and _x0009_ sequences are escaped CR LF and TAB characters inside the
  stored query text.
  RemedSkeleton: $0, $1, $2 and $4 appear to be 0-based indexes into the result columns
  (Permission Class, Object, Permission, Principal); confirm against the consumer of this file.

  NOTE(review): the WHERE clause does not filter on perms.state, so DENY rows are returned
  alongside GRANT rows. REVOKE removes a DENY as well as a GRANT, so applying the skeleton
  to a DENY row would widen access. Consider restricting the query to state IN ('G', 'W').
  NOTE(review): because of the LEFT JOIN, Principal is NULL when no matching database
  principal row exists, which leaves the skeleton without a grantee.
  NOTE(review): the skeleton wraps names in [ ] by text substitution. A schema or principal
  name containing ] needs QUOTENAME-style escaping; whether the consuming tool escapes
  names is not visible here.
-->
<Obj RefId="44">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">99c08571-ba69-4fd8-bd77-ad3938667f12</G>
<S N="RuleId">VA2032</S>
<S N="Severity">Low</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted database-scoped SELECT or EXECUTE permissions on schema.</S>
<S N="Title">Minimal set of principals should be granted database-scoped SELECT or EXECUTE permissions on schema</S>
<S N="Query">select perms.class_desc AS [Permission Class], _x000D__x000A_ schema_name(major_id) AS [Object],_x000D__x000A_ perms.permission_name AS Permission, _x000D__x000A_ prin.type_desc AS [Principal Type], _x000D__x000A_ prin.name AS Principal_x000D__x000A_FROM sys.database_permissions perms_x000D__x000A_LEFT JOIN_x000D__x000A__x0009_sys.database_principals prin_x000D__x000A__x0009_ON perms.grantee_principal_id = prin.principal_id_x000D__x000A_WHERE _x000D__x000A_ perms.class = '3' _x000D__x000A__x0009_AND grantee_principal_id NOT IN (DATABASE_PRINCIPAL_ID('guest'), DATABASE_PRINCIPAL_ID('public')) _x000D__x000A_ AND permission_name IN ('SELECT', 'EXECUTE')</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE $2 ON $0::[$1] FROM [$4]</S>
</Props>
</Obj>
<Obj RefId="45">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">68f03616-5728-479a-8fc8-def2cc0630dc</G>
<S N="RuleId">VA2033</S>
<S N="Severity">Low</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted database-scoped EXECUTE permission on objects or columns.</S>
<S N="Title">Minimal set of principals should be granted database-scoped EXECUTE permission on objects or columns</S>
<S N="Query">SELECT perms.class_desc as [Permission Class], object_schema_name(major_id) as [Schema Name], object_name(major_id) as [Object], perms.permission_name AS Permission, type_desc AS [Principal Type], prin.name as Principal_x000D__x000A_FROM sys.database_permissions perms, sys.database_principals prin_x000D__x000A_WHERE perms.grantee_principal_id = prin.principal_id _x000D__x000A_ AND permission_name IN ('EXECUTE') _x000D__x000A__x0009_AND grantee_principal_id NOT IN (DATABASE_PRINCIPAL_ID('guest'), DATABASE_PRINCIPAL_ID('public')) _x000D__x000A_ AND perms.class = 1_x000D__x000A_ AND NOT ((prin.type = 'R' AND prin.name = 'public' AND user_name(grantor_principal_id) = 'dbo' AND state_desc = 'GRANT' AND object_name(major_id) IN (_x000D__x000A__x0009__x0009_'fn_cColvEntries_80', 'fn_cdc_check_parameters', 'fn_cdc_decrement_lsn', 'fn_cdc_get_column_ordinal', 'fn_cdc_get_max_lsn', 'fn_cdc_get_min_lsn', 'fn_cdc_has_column_changed', 'fn_cdc_hexstrtobin', 'fn_cdc_increment_lsn', 'fn_cdc_is_bit_set', 'fn_cdc_map_lsn_to_time', 'fn_cdc_map_time_to_lsn', 'fn_fIsColTracked', 'fn_GetCurrentPrincipal', 'fn_GetRowsetIdFromRowDump', 'fn_hadr_backup_is_preferred_replica', 'fn_hadr_is_primary_replica', 'fn_hadr_is_same_replica', 'fn_IsBitSetInBitmask', 'fn_isrolemember', 'fn_MapSchemaType', 'fn_MSdayasnumber', 'fn_MSgeneration_downloadonly', 'fn_MSget_dynamic_filter_login', 'fn_MSorbitmaps', 'fn_MSrepl_map_resolver_clsid', 'fn_MStestbit', 'fn_MSvector_downloadonly', 'fn_numberOf1InBinaryAfterLoc', 'fn_numberOf1InVarBinary', 'fn_PhysLocFormatter', 'fn_repl_hash_binary', 'fn_repladjustcolumnmap', 'fn_repldecryptver4', 'fn_replformatdatetime', 'fn_replgetparsedddlcmd', 'fn_replp2pversiontotranid', 'fn_replreplacesinglequote', 'fn_replreplacesinglequoteplusprotectstring', 'fn_repluniquename', 'fn_replvarbintoint', 'fn_sqlvarbasetostr', 'fn_sysdac_get_currentusername', 'fn_sysdac_get_username', 'fn_sysdac_is_currentuser_sa', 'fn_sysdac_is_dac_creator', 
'fn_sysdac_is_login_creator', 'fn_syspolicy_is_automation_enabled', 'fn_varbintohexstr', 'fn_varbintohexsubstring', 'fn_yukonsecuritymodelrequired', 'GeographyCollectionAggregate', 'GeographyConvexHullAggregate', 'GeographyEnvelopeAggregate', 'GeographyUnionAggregate', 'GeometryCollectionAggregate', 'GeometryConvexHullAggregate', 'GeometryEnvelopeAggregate', 'GeometryUnionAggregate', 'ORMask', 'sp_add_agent_parameter', 'sp_add_agent_profile', 'sp_add_log_shipping_alert_job', 'sp_add_log_shipping_primary_database', 'sp_add_log_shipping_primary_secondary', 'sp_add_log_shipping_secondary_database', 'sp_add_log_shipping_secondary_primary', 'sp_addapprole', 'sp_addarticle', 'sp_adddatatype', 'sp_adddatatypemapping', 'sp_adddistpublisher', 'sp_adddistributiondb', 'sp_adddistributor', 'sp_adddynamicsnapshot_job', 'sp_addextendedproperty', 'sp_AddFunctionalUnitToComponent', 'sp_addlinkedserver', 'sp_addlinkedsrvlogin', 'sp_addlogin', 'sp_addlogreader_agent', 'sp_addmergealternatepublisher', 'sp_addmergearticle', 'sp_addmergefilter', 'sp_addmergelogsettings', 'sp_addmergepartition', 'sp_addmergepublication', 'sp_addmergepullsubscription', 'sp_addmergepullsubscription_agent', 'sp_addmergepushsubscription_agent', 'sp_addmergesubscription', 'sp_addmessage', 'sp_addpublication', 'sp_addpublication_snapshot', 'sp_addpullsubscription', 'sp_addpullsubscription_agent', 'sp_addpushsubscription_agent', 'sp_addqreader_agent', 'sp_addqueued_artinfo', 'sp_addremotelogin', 'sp_addrole', 'sp_addrolemember', 'sp_addscriptexec', 'sp_addserver', 'sp_addsrvrolemember', 'sp_addsubscriber', 'sp_addsubscriber_schedule', 'sp_addsubscription', 'sp_addsynctriggers', 'sp_addsynctriggerscore', 'sp_addtabletocontents', 'sp_addtype', 'sp_addumpdevice', 'sp_adduser', 'sp_adjustpublisheridentityrange', 'sp_altermessage', 'sp_approlepassword', 'sp_article_validation', 'sp_articlecolumn', 'sp_articlefilter', 'sp_articleview', 'sp_assemblies_rowset', 'sp_assemblies_rowset_rmt', 'sp_assemblies_rowset2', 
'sp_assembly_dependencies_rowset', 'sp_assembly_dependencies_rowset_rmt', 'sp_assembly_dependencies_rowset2', 'sp_attach_db', 'sp_attach_single_file_db', 'sp_attachsubscription', 'sp_audit_write', 'sp_autostats', 'sp_availability_group_command_internal', 'sp_bcp_dbcmptlevel', 'sp_begin_parallel_nested_tran', 'sp_bindefault', 'sp_bindrule', 'sp_bindsession', 'sp_browsemergesnapshotfolder', 'sp_browsereplcmds', 'sp_browsesnapshotfolder', 'sp_can_tlog_be_applied', 'sp_catalogs', 'sp_catalogs_rowset', 'sp_catalogs_rowset_rmt', 'sp_catalogs_rowset2', 'sp_cdc_add_job', 'sp_cdc_change_job', 'sp_cdc_cleanup_change_table', 'sp_cdc_dbsnapshotLSN', 'sp_cdc_disable_db', 'sp_cdc_disable_table', 'sp_cdc_drop_job', 'sp_cdc_enable_db', 'sp_cdc_enable_table', 'sp_cdc_generate_wrapper_function', 'sp_cdc_get_captured_columns', 'sp_cdc_get_ddl_history', 'sp_cdc_help_change_data_capture', 'sp_cdc_help_jobs', 'sp_cdc_restoredb', 'sp_cdc_scan', 'sp_cdc_start_job', 'sp_cdc_stop_job', 'sp_cdc_vupgrade', 'sp_cdc_vupgrade_databases', _x000D__x000A__x0009__x0009_'sp_change_agent_parameter', 'sp_change_agent_profile', 'sp_change_log_shipping_primary_database', 'sp_change_log_shipping_secondary_database', 'sp_change_log_shipping_secondary_primary', 'sp_change_subscription_properties', 'sp_change_tracking_waitforchanges', 'sp_change_users_login', 'sp_changearticle', 'sp_changearticlecolumndatatype', 'sp_changedbowner', 'sp_changedistpublisher', 'sp_changedistributiondb', 'sp_changedistributor_password', 'sp_changedistributor_property', 'sp_changedynamicsnapshot_job', 'sp_changelogreader_agent', 'sp_changemergearticle', 'sp_changemergefilter', 'sp_changemergelogsettings', 'sp_changemergepublication', 'sp_changemergepullsubscription', 'sp_changemergesubscription', 'sp_changeobjectowner', 'sp_changepublication', 'sp_changepublication_snapshot', 'sp_changeqreader_agent', 'sp_changereplicationserverpasswords', 'sp_changesubscriber', 'sp_changesubscriber_schedule', 'sp_changesubscription', 
'sp_changesubscriptiondtsinfo', 'sp_changesubstatus', 'sp_check_constbytable_rowset', 'sp_check_constbytable_rowset2', 'sp_check_constraints_rowset', 'sp_check_constraints_rowset2', 'sp_check_dynamic_filters', 'sp_check_for_sync_trigger', 'sp_check_join_filter', 'sp_check_log_shipping_monitor_alert', 'sp_check_publication_access', 'sp_check_subset_filter', 'sp_check_sync_trigger', 'sp_checkinvalidivarticle', 'sp_checkOraclepackageversion', 'sp_clean_db_file_free_space', 'sp_clean_db_free_space', 'sp_cleanmergelogfiles', 'sp_cleanup_log_shipping_history', 'sp_cleanup_temporal_history', 'sp_cleanupdbreplication', 'sp_column_privileges', 'sp_column_privileges_ex', 'sp_column_privileges_rowset', 'sp_column_privileges_rowset_rmt', 'sp_column_privileges_rowset2', 'sp_columns', 'sp_columns_100', 'sp_columns_100_rowset', 'sp_columns_100_rowset2', 'sp_columns_90', 'sp_columns_90_rowset', 'sp_columns_90_rowset_rmt', 'sp_columns_90_rowset2', 'sp_columns_ex', 'sp_columns_ex_100', 'sp_columns_ex_90', 'sp_columns_managed', 'sp_columns_rowset', 'sp_columns_rowset_rmt', 'sp_columns_rowset2', 'sp_commit_parallel_nested_tran', 'sp_configure', 'sp_configure_peerconflictdetection', 'sp_constr_col_usage_rowset', 'sp_constr_col_usage_rowset2', 'sp_control_dbmasterkey_password', 'sp_control_plan_guide', 'sp_copymergesnapshot', 'sp_copysnapshot', 'sp_copysubscription', 'sp_create_plan_guide', 'sp_create_plan_guide_from_handle', 'sp_createmergepalrole', 'sp_createorphan', 'sp_createstats', 'sp_createtranpalrole', 'sp_cursor', 'sp_cursor_list', 'sp_cursorclose', 'sp_cursorexecute', 'sp_cursorfetch', 'sp_cursoropen', 'sp_cursoroption', 'sp_cursorprepare', 'sp_cursorprepexec', 'sp_cursorunprepare', 'sp_databases', 'sp_datatype_info', 'sp_datatype_info_100', 'sp_datatype_info_90', 'sp_db_ebcdic277_2', 'sp_db_increased_partitions', 'sp_db_selective_x005F_xml_index', 'sp_db_vardecimal_storage_format', 'sp_dbcmptlevel', 'sp_dbfixedrolepermission', 'sp_dbmmonitoraddmonitoring', 
'sp_dbmmonitorchangealert', 'sp_dbmmonitorchangemonitoring', 'sp_dbmmonitordropalert', 'sp_dbmmonitordropmonitoring', 'sp_dbmmonitorhelpalert', 'sp_dbmmonitorhelpmonitoring', 'sp_dbmmonitorresults', 'sp_dbmmonitorupdate', 'sp_ddopen', 'sp_defaultdb', 'sp_defaultlanguage', 'sp_delete_backup', 'sp_delete_backup_file_snapshot', 'sp_delete_http_namespace_reservation', 'sp_delete_log_shipping_alert_job', 'sp_delete_log_shipping_primary_database', 'sp_delete_log_shipping_primary_secondary', 'sp_delete_log_shipping_secondary_database', 'sp_delete_log_shipping_secondary_primary', 'sp_deletemergeconflictrow', 'sp_deletepeerrequesthistory', 'sp_deletetracertokenhistory', 'sp_denylogin', 'sp_depends', 'sp_describe_cursor', 'sp_describe_cursor_columns', 'sp_describe_cursor_tables', 'sp_describe_first_result_set', 'sp_describe_parameter_encryption', 'sp_describe_undeclared_parameters', 'sp_detach_db', 'sp_disableagentoffload', 'sp_distcounters', 'sp_drop_agent_parameter', 'sp_drop_agent_profile', 'sp_dropanonymousagent', 'sp_dropanonymoussubscription', 'sp_dropapprole', 'sp_droparticle', 'sp_dropdatatypemapping', 'sp_dropdevice', 'sp_dropdistpublisher', 'sp_dropdistributiondb', 'sp_dropdistributor', 'sp_dropdynamicsnapshot_job', 'sp_dropextendedproperty', 'sp_droplinkedsrvlogin', 'sp_droplogin', 'sp_dropmergealternatepublisher', 'sp_dropmergearticle', 'sp_dropmergefilter', 'sp_dropmergelogsettings', 'sp_dropmergepartition', 'sp_dropmergepublication', 'sp_dropmergepullsubscription', 'sp_dropmergesubscription', 'sp_dropmessage', 'sp_droporphans', 'sp_droppublication', 'sp_droppublisher', 'sp_droppullsubscription', 'sp_dropremotelogin', 'sp_dropreplsymmetrickey', 'sp_droprole', 'sp_droprolemember', 'sp_dropserver', 'sp_dropsrvrolemember', 'sp_dropsubscriber', 'sp_dropsubscription', 'sp_droptype', 'sp_dropuser', _x000D__x000A__x0009__x0009_'sp_dsninfo', 'sp_enable_heterogeneous_subscription', 'sp_enableagentoffload', 'sp_enum_oledb_providers', 'sp_enumcustomresolvers', 
'sp_enumdsn', 'sp_enumeratependingschemachanges', 'sp_enumerrorlogs', 'sp_enumfullsubscribers', 'sp_enumoledbdatasources', 'sp_estimate_data_compression_savings', 'sp_estimated_rowsize_reduction_for_vardecimal', 'sp_execute', 'sp_execute_external_script', 'sp_executesql', 'sp_expired_subscription_cleanup', 'sp_filestream_force_garbage_collection', 'sp_filestream_recalculate_container_size', 'sp_firstonly_bitmap', 'sp_fkeys', 'sp_flush_commit_table', 'sp_flush_commit_table_on_demand', 'sp_flush_CT_internal_table_on_demand', 'sp_flush_log', 'sp_foreign_keys_rowset', 'sp_foreign_keys_rowset_rmt', 'sp_foreign_keys_rowset2', 'sp_foreign_keys_rowset3', 'sp_foreignkeys', 'sp_fulltext_catalog', 'sp_fulltext_column', 'sp_fulltext_database', 'sp_fulltext_keymappings', 'sp_fulltext_load_thesaurus_file', 'sp_fulltext_pendingchanges', 'sp_fulltext_recycle_crawl_log', 'sp_fulltext_semantic_register_language_statistics_db', 'sp_fulltext_semantic_unregister_language_statistics_db', 'sp_fulltext_service', 'sp_fulltext_table', 'sp_FuzzyLookupTableMaintenanceInstall', 'sp_FuzzyLookupTableMaintenanceInvoke', 'sp_FuzzyLookupTableMaintenanceUninstall', 'sp_generate_agent_parameter', 'sp_generatefilters', 'sp_get_database_scoped_credential', 'sp_get_distributor', 'sp_get_job_status_mergesubscription_agent', 'sp_get_mergepublishedarticleproperties', 'sp_get_Oracle_publisher_metadata', 'sp_get_query_template', 'sp_get_redirected_publisher', 'sp_getagentparameterlist', 'sp_getapplock', 'sp_getbindtoken', 'sp_getdefaultdatatypemapping', 'sp_getmergedeletetype', 'sp_getProcessorUsage', 'sp_getpublisherlink', 'sp_getqueuedarticlesynctraninfo', 'sp_getqueuedrows', 'sp_getschemalock', 'sp_getsqlqueueversion', 'sp_getsubscription_status_hsnapshot', 'sp_getsubscriptiondtspackagename', 'sp_gettopologyinfo', 'sp_getVolumeFreeSpace', 'sp_grant_publication_access', 'sp_grantdbaccess', 'sp_grantlogin', 'sp_help', 'sp_help_agent_default', 'sp_help_agent_parameter', 'sp_help_agent_profile', 
'sp_help_datatype_mapping', 'sp_help_fulltext_catalog_components', 'sp_help_fulltext_catalogs', 'sp_help_fulltext_catalogs_cursor', 'sp_help_fulltext_columns', 'sp_help_fulltext_columns_cursor', 'sp_help_fulltext_system_components', 'sp_help_fulltext_tables', 'sp_help_fulltext_tables_cursor', 'sp_help_log_shipping_alert_job', 'sp_help_log_shipping_monitor', 'sp_help_log_shipping_monitor_primary', 'sp_help_log_shipping_monitor_secondary', 'sp_help_log_shipping_primary_database', 'sp_help_log_shipping_primary_secondary', 'sp_help_log_shipping_secondary_database', 'sp_help_log_shipping_secondary_primary', 'sp_help_peerconflictdetection', 'sp_help_publication_access', 'sp_help_spatial_geography_histogram', 'sp_help_spatial_geography_index', 'sp_help_spatial_geography_index_x005F_xml', 'sp_help_spatial_geometry_histogram', 'sp_help_spatial_geometry_index', 'sp_help_spatial_geometry_index_x005F_xml', 'sp_helpallowmerge_publication', 'sp_helparticle', 'sp_helparticlecolumns', 'sp_helparticledts', 'sp_helpconstraint', 'sp_helpdatatypemap', 'sp_helpdb', 'sp_helpdbfixedrole', 'sp_helpdevice', 'sp_helpdistpublisher', 'sp_helpdistributiondb', 'sp_helpdistributor', 'sp_helpdistributor_properties', 'sp_helpdynamicsnapshot_job', 'sp_helpextendedproc', 'sp_helpfile', 'sp_helpfilegroup', 'sp_helpindex', 'sp_helplanguage', 'sp_helplinkedsrvlogin', 'sp_helplogins', 'sp_helplogreader_agent', 'sp_helpmergealternatepublisher', 'sp_helpmergearticle', 'sp_helpmergearticlecolumn', 'sp_helpmergearticleconflicts', 'sp_helpmergeconflictrows', 'sp_helpmergedeleteconflictrows', 'sp_helpmergefilter', 'sp_helpmergelogfiles', 'sp_helpmergelogfileswithdata', 'sp_helpmergelogsettings', 'sp_helpmergepartition', 'sp_helpmergepublication', 'sp_helpmergepullsubscription', 'sp_helpmergesubscription', 'sp_helpntgroup', 'sp_helppeerrequests', 'sp_helppeerresponses', 'sp_helppublication', 'sp_helppublication_snapshot', 'sp_helppublicationsync', 'sp_helppullsubscription', 'sp_helpqreader_agent', 
'sp_helpremotelogin', 'sp_helpreplfailovermode', 'sp_helpreplicationdb', 'sp_helpreplicationdboption', 'sp_helpreplicationoption', 'sp_helprole', 'sp_helprolemember', 'sp_helprotect', 'sp_helpserver', 'sp_helpsort', 'sp_helpsrvrole', 'sp_helpsrvrolemember', 'sp_helpstats', 'sp_helpsubscriberinfo', 'sp_helpsubscription', 'sp_helpsubscription_properties', 'sp_helpsubscriptionerrors', 'sp_helptext', 'sp_helptracertokenhistory', 'sp_helptracertokens', 'sp_helptrigger', 'sp_helpuser', 'sp_helpxactsetjob', _x000D__x000A__x0009__x0009_'sp_http_generate_wsdl_complex', 'sp_http_generate_wsdl_defaultcomplexorsimple', 'sp_http_generate_wsdl_defaultsimpleorcomplex', 'sp_http_generate_wsdl_simple', 'sp_identitycolumnforreplication', 'sp_IH_LR_GetCacheData', 'sp_IHadd_sync_command', 'sp_IHarticlecolumn', 'sp_IHget_loopback_detection', 'sp_IHScriptIdxFile', 'sp_IHScriptSchFile', 'sp_IHValidateRowFilter', 'sp_IHXactSetJob', 'sp_indexcolumns_managed', 'sp_indexes', 'sp_indexes_100_rowset', 'sp_indexes_100_rowset2', 'sp_indexes_90_rowset', 'sp_indexes_90_rowset_rmt', 'sp_indexes_90_rowset2', 'sp_indexes_managed', 'sp_indexes_rowset', 'sp_indexes_rowset_rmt', 'sp_indexes_rowset2', 'sp_indexoption', 'sp_invalidate_textptr', 'sp_is_makegeneration_needed', 'sp_ivindexhasnullcols', 'sp_kill_filestream_non_transacted_handles', 'sp_kill_oldest_transaction_on_secondary', 'sp_lightweightmergemetadataretentioncleanup', 'sp_link_publication', 'sp_linkedservers', 'sp_linkedservers_rowset', 'sp_linkedservers_rowset2', 'sp_lock', 'sp_logshippinginstallmetadata', 'sp_lookupcustomresolver', 'sp_mapdown_bitmap', 'sp_markpendingschemachange', 'sp_marksubscriptionvalidation', 'sp_memory_optimized_cs_migration', 'sp_mergearticlecolumn', 'sp_mergecleanupmetadata', 'sp_mergedummyupdate', 'sp_mergemetadataretentioncleanup', 'sp_mergesubscription_cleanup', 'sp_mergesubscriptionsummary', 'sp_migrate_user_to_contained', 'sp_MS_replication_installed', 'sp_MSacquireHeadofQueueLock', 
'sp_MSacquireserverresourcefordynamicsnapshot', 'sp_MSacquireSlotLock', 'sp_MSacquiresnapshotdeliverysessionlock', 'sp_MSactivate_auto_sub', 'sp_MSactivatelogbasedarticleobject', 'sp_MSactivateprocedureexecutionarticleobject', 'sp_MSadd_anonymous_agent', 'sp_MSadd_article', 'sp_MSadd_compensating_cmd', 'sp_MSadd_distribution_agent', 'sp_MSadd_distribution_history', 'sp_MSadd_dynamic_snapshot_location', 'sp_MSadd_filteringcolumn', 'sp_MSadd_log_shipping_error_detail', 'sp_MSadd_log_shipping_history_detail', 'sp_MSadd_logreader_agent', 'sp_MSadd_logreader_history', 'sp_MSadd_merge_agent', 'sp_MSadd_merge_anonymous_agent', 'sp_MSadd_merge_history', 'sp_MSadd_merge_history90', 'sp_MSadd_merge_subscription', 'sp_MSadd_mergereplcommand', 'sp_MSadd_mergesubentry_indistdb', 'sp_MSadd_publication', 'sp_MSadd_qreader_agent', 'sp_MSadd_qreader_history', 'sp_MSadd_repl_alert', 'sp_MSadd_repl_command', 'sp_MSadd_repl_commands27hp', 'sp_MSadd_repl_error', 'sp_MSadd_replcmds_mcit', 'sp_MSadd_replmergealert', 'sp_MSadd_snapshot_agent', 'sp_MSadd_snapshot_history', 'sp_MSadd_subscriber_info', 'sp_MSadd_subscriber_schedule', 'sp_MSadd_subscription', 'sp_MSadd_subscription_3rd', 'sp_MSadd_tracer_history', 'sp_MSadd_tracer_token', 'sp_MSaddanonymousreplica', 'sp_MSadddynamicsnapshotjobatdistributor', 'sp_MSaddguidcolumn', 'sp_MSaddguidindex', 'sp_MSaddinitialarticle', 'sp_MSaddinitialpublication', 'sp_MSaddinitialschemaarticle', 'sp_MSaddinitialsubscription', 'sp_MSaddlightweightmergearticle', 'sp_MSaddmergedynamicsnapshotjob', 'sp_MSaddmergetriggers', 'sp_MSaddmergetriggers_from_template', 'sp_MSaddmergetriggers_internal', 'sp_MSaddpeerlsn', 'sp_MSaddsubscriptionarticles', 'sp_MSadjust_pub_identity', 'sp_MSagent_retry_stethoscope', 'sp_MSagent_stethoscope', 'sp_MSallocate_new_identity_range', 'sp_MSalreadyhavegeneration', 'sp_MSanonymous_status', 'sp_MSarticlecleanup', 'sp_MSbrowsesnapshotfolder', 'sp_MScache_agent_parameter', 'sp_MScdc_capture_job', 'sp_MScdc_cleanup_job', 
'sp_MScdc_db_ddl_event', 'sp_MScdc_ddl_event', 'sp_MScdc_logddl', 'sp_MSchange_article', 'sp_MSchange_distribution_agent_properties', 'sp_MSchange_logreader_agent_properties', 'sp_MSchange_merge_agent_properties', 'sp_MSchange_mergearticle', 'sp_MSchange_mergepublication', 'sp_MSchange_originatorid', 'sp_MSchange_priority', 'sp_MSchange_publication', 'sp_MSchange_retention', 'sp_MSchange_retention_period_unit', 'sp_MSchange_snapshot_agent_properties', 'sp_MSchange_subscription_dts_info', 'sp_MSchangearticleresolver', 'sp_MSchangedynamicsnapshotjobatdistributor', 'sp_MSchangedynsnaplocationatdistributor', 'sp_MSchangeobjectowner', 'sp_MScheck_agent_instance', 'sp_MScheck_dropobject', 'sp_MScheck_Jet_Subscriber', 'sp_MScheck_logicalrecord_metadatamatch', 'sp_MScheck_merge_subscription_count', 'sp_MScheck_pub_identity', 'sp_MScheck_pull_access', 'sp_MScheck_snapshot_agent', 'sp_MScheck_subscription', 'sp_MScheck_subscription_expiry', 'sp_MScheck_subscription_partition', 'sp_MScheck_tran_retention', 'sp_MScheckexistsgeneration', 'sp_MScheckexistsrecguid', 'sp_MScheckfailedprevioussync', 'sp_MScheckidentityrange', 'sp_MScheckIsPubOfSub', 'sp_MSchecksharedagentforpublication', 'sp_MSchecksnapshotstatus', _x000D__x000A__x0009__x0009_'sp_MScleanup_agent_entry', 'sp_MScleanup_conflict', 'sp_MScleanup_publication_ADinfo', 'sp_MScleanup_subscription_distside_entry', 'sp_MScleanupdynamicsnapshotfolder', 'sp_MScleanupdynsnapshotvws', 'sp_MSCleanupForPullReinit', 'sp_MScleanupmergepublisher_internal', 'sp_MSclear_dynamic_snapshot_location', 'sp_MSclearresetpartialsnapshotprogressbit', 'sp_MScomputelastsentgen', 'sp_MScomputemergearticlescreationorder', 'sp_MScomputemergeunresolvedrefs', 'sp_MSconflicttableexists', 'sp_MScreate_all_article_repl_views', 'sp_MScreate_article_repl_views', 'sp_MScreate_dist_tables', 'sp_MScreate_logical_record_views', 'sp_MScreate_sub_tables', 'sp_MScreate_tempgenhistorytable', 'sp_MScreatedisabledmltrigger', 'sp_MScreatedummygeneration', 
'sp_MScreateglobalreplica', 'sp_MScreatelightweightinsertproc', 'sp_MScreatelightweightmultipurposeproc', 'sp_MScreatelightweightprocstriggersconstraints', 'sp_MScreatelightweightupdateproc', 'sp_MScreatemergedynamicsnapshot', 'sp_MScreateretry', 'sp_MSdbuseraccess', 'sp_MSdbuserpriv', 'sp_MSdefer_check', 'sp_MSdelete_tracer_history', 'sp_MSdeletefoldercontents', 'sp_MSdeletemetadataactionrequest', 'sp_MSdeletepeerconflictrow', 'sp_MSdeleteretry', 'sp_MSdeletetranconflictrow', 'sp_MSdelgenzero', 'sp_MSdelrow', 'sp_MSdelrowsbatch', 'sp_MSdelrowsbatch_downloadonly', 'sp_MSdelsubrows', 'sp_MSdelsubrowsbatch', 'sp_MSdependencies', 'sp_MSdetect_nonlogged_shutdown', 'sp_MSdetectinvalidpeerconfiguration', 'sp_MSdetectinvalidpeersubscription', 'sp_MSdist_activate_auto_sub', 'sp_MSdist_adjust_identity', 'sp_MSdistpublisher_cleanup', 'sp_MSdistribution_counters', 'sp_MSdistributoravailable', 'sp_MSdodatabasesnapshotinitiation', 'sp_MSdopartialdatabasesnapshotinitiation', 'sp_MSdrop_6x_publication', 'sp_MSdrop_6x_replication_agent', 'sp_MSdrop_anonymous_entry', 'sp_MSdrop_article', 'sp_MSdrop_distribution_agent', 'sp_MSdrop_distribution_agentid_dbowner_proxy', 'sp_MSdrop_dynamic_snapshot_agent', 'sp_MSdrop_logreader_agent', 'sp_MSdrop_merge_agent', 'sp_MSdrop_merge_subscription', 'sp_MSdrop_publication', 'sp_MSdrop_qreader_history', 'sp_MSdrop_snapshot_agent', 'sp_MSdrop_snapshot_dirs', 'sp_MSdrop_subscriber_info', 'sp_MSdrop_subscription', 'sp_MSdrop_subscription_3rd', 'sp_MSdrop_tempgenhistorytable', 'sp_MSdroparticleconstraints', 'sp_MSdroparticletombstones', 'sp_MSdropconstraints', 'sp_MSdropdynsnapshotvws', 'sp_MSdropfkreferencingarticle', 'sp_MSdropmergearticle', 'sp_MSdropmergedynamicsnapshotjob', 'sp_MSdropobsoletearticle', 'sp_MSdropretry', 'sp_MSdroptemptable', 'sp_MSdummyupdate', 'sp_MSdummyupdate_logicalrecord', 'sp_MSdummyupdate90', 'sp_MSdummyupdatelightweight', 'sp_MSdynamicsnapshotjobexistsatdistributor', 'sp_MSenable_publication_for_het_sub', 
'sp_MSensure_single_instance', 'sp_MSenum_distribution', 'sp_MSenum_distribution_s', 'sp_MSenum_distribution_sd', 'sp_MSenum_logicalrecord_changes', 'sp_MSenum_logreader', 'sp_MSenum_logreader_s', 'sp_MSenum_logreader_sd', 'sp_MSenum_merge', 'sp_MSenum_merge_agent_properties', 'sp_MSenum_merge_s', 'sp_MSenum_merge_sd', 'sp_MSenum_merge_subscriptions', 'sp_MSenum_merge_subscriptions_90_publication', 'sp_MSenum_merge_subscriptions_90_publisher', 'sp_MSenum_metadataaction_requests', 'sp_MSenum_qreader', 'sp_MSenum_qreader_s', 'sp_MSenum_qreader_sd', 'sp_MSenum_replication_agents', 'sp_MSenum_replication_job', 'sp_MSenum_replqueues', 'sp_MSenum_replsqlqueues', 'sp_MSenum_snapshot', 'sp_MSenum_snapshot_s', 'sp_MSenum_snapshot_sd', 'sp_MSenum_subscriptions', 'sp_MSenumallpublications', 'sp_MSenumallsubscriptions', 'sp_MSenumarticleslightweight', 'sp_MSenumchanges', 'sp_MSenumchanges_belongtopartition', 'sp_MSenumchanges_notbelongtopartition', 'sp_MSenumchangesdirect', 'sp_MSenumchangeslightweight', 'sp_MSenumcolumns', 'sp_MSenumcolumnslightweight', 'sp_MSenumdeletes_forpartition', 'sp_MSenumdeleteslightweight', 'sp_MSenumdeletesmetadata', 'sp_MSenumdistributionagentproperties', 'sp_MSenumerate_PAL', 'sp_MSenumgenerations', 'sp_MSenumgenerations90', 'sp_MSenumpartialchanges', 'sp_MSenumpartialchangesdirect', 'sp_MSenumpartialdeletes', 'sp_MSenumpubreferences', 'sp_MSenumreplicas', 'sp_MSenumreplicas90', 'sp_MSenumretries', 'sp_MSenumschemachange', 'sp_MSenumsubscriptions', 'sp_MSenumthirdpartypublicationvendornames', 'sp_MSestimatemergesnapshotworkload', 'sp_MSestimatesnapshotworkload', 'sp_MSevalsubscriberinfo', 'sp_MSevaluate_change_membership_for_all_articles_in_pubid', 'sp_MSevaluate_change_membership_for_pubid', 'sp_MSevaluate_change_membership_for_row', 'sp_MSexecwithlsnoutput', 'sp_MSfast_delete_trans', 'sp_MSfetchAdjustidentityrange', 'sp_MSfetchidentityrange', 'sp_MSfillupmissingcols', 'sp_MSfilterclause', 'sp_MSfix_6x_tasks', 'sp_MSfixlineageversions', 
'sp_MSFixSubColumnBitmaps', 'sp_MSfixupbeforeimagetables', 'sp_MSflush_access_cache', 'sp_MSforce_drop_distribution_jobs', 'sp_MSforcereenumeration', 'sp_MSforeach_worker', 'sp_MSforeachdb', 'sp_MSforeachtable', _x000D__x000A__x0009__x0009_'sp_MSgenerateexpandproc', 'sp_MSget_agent_names', 'sp_MSget_attach_state', 'sp_MSget_DDL_after_regular_snapshot', 'sp_MSget_dynamic_snapshot_location', 'sp_MSget_identity_range_info', 'sp_MSget_jobstate', 'sp_MSget_last_transaction', 'sp_MSget_latest_peerlsn', 'sp_MSget_load_hint', 'sp_MSget_log_shipping_new_sessionid', 'sp_MSget_logicalrecord_lineage', 'sp_MSget_max_used_identity', 'sp_MSget_min_seqno', 'sp_MSget_MSmerge_rowtrack_colinfo', 'sp_MSget_new_x005F_xact_seqno', 'sp_MSget_oledbinfo', 'sp_MSget_partitionid_eval_proc', 'sp_MSget_publication_from_taskname', 'sp_MSget_publisher_rpc', 'sp_MSget_repl_cmds_anonymous', 'sp_MSget_repl_commands', 'sp_MSget_repl_error', 'sp_MSget_session_statistics', 'sp_MSget_shared_agent', 'sp_MSget_snapshot_history', 'sp_MSget_subscriber_partition_id', 'sp_MSget_subscription_dts_info', 'sp_MSget_subscription_guid', 'sp_MSget_synctran_commands', 'sp_MSget_type_wrapper', 'sp_MSgetagentoffloadinfo', 'sp_MSgetalternaterecgens', 'sp_MSgetarticlereinitvalue', 'sp_MSgetchangecount', 'sp_MSgetconflictinsertproc', 'sp_MSgetconflicttablename', 'sp_MSGetCurrentPrincipal', 'sp_MSgetdatametadatabatch', 'sp_MSgetdbversion', 'sp_MSgetdynamicsnapshotapplock', 'sp_MSgetdynsnapvalidationtoken', 'sp_MSgetgenstatus4rows', 'sp_MSgetisvalidwindowsloginfromdistributor', 'sp_MSgetlastrecgen', 'sp_MSgetlastsentgen', 'sp_MSgetlastsentrecgens', 'sp_MSgetlastupdatedtime', 'sp_MSgetlightweightmetadatabatch', 'sp_MSgetmakegenerationapplock', 'sp_MSgetmakegenerationapplock_90', 'sp_MSgetmaxbcpgen', 'sp_MSgetmaxsnapshottimestamp', 'sp_MSgetmergeadminapplock', 'sp_MSgetmetadata_changedlogicalrecordmembers', 'sp_MSgetmetadatabatch', 'sp_MSgetmetadatabatch90', 'sp_MSgetmetadatabatch90new', 'sp_MSgetonerow', 
'sp_MSgetonerowlightweight', 'sp_MSgetpeerconflictrow', 'sp_MSgetpeerlsns', 'sp_MSgetpeertopeercommands', 'sp_MSgetpeerwinnerrow', 'sp_MSgetpubinfo', 'sp_MSgetreplicainfo', 'sp_MSgetreplicastate', 'sp_MSgetrowmetadata', 'sp_MSgetrowmetadatalightweight', 'sp_MSGetServerProperties', 'sp_MSgetsetupbelong_cost', 'sp_MSgetsubscriberinfo', 'sp_MSgetsupportabilitysettings', 'sp_MSgettrancftsrcrow', 'sp_MSgettranconflictrow', 'sp_MSgetversion', 'sp_MSgrantconnectreplication', 'sp_MShaschangeslightweight', 'sp_MShasdbaccess', 'sp_MShelp_article', 'sp_MShelp_distdb', 'sp_MShelp_distribution_agentid', 'sp_MShelp_identity_property', 'sp_MShelp_logreader_agentid', 'sp_MShelp_merge_agentid', 'sp_MShelp_profile', 'sp_MShelp_profilecache', 'sp_MShelp_publication', 'sp_MShelp_repl_agent', 'sp_MShelp_replication_status', 'sp_MShelp_replication_table', 'sp_MShelp_snapshot_agent', 'sp_MShelp_snapshot_agentid', 'sp_MShelp_subscriber_info', 'sp_MShelp_subscription', 'sp_MShelp_subscription_status', 'sp_MShelpcolumns', 'sp_MShelpconflictpublications', 'sp_MShelpcreatebeforetable', 'sp_MShelpdestowner', 'sp_MShelpdynamicsnapshotjobatdistributor', 'sp_MShelpfulltextindex', 'sp_MShelpfulltextscript', 'sp_MShelpindex', 'sp_MShelplogreader_agent', 'sp_MShelpmergearticles', 'sp_MShelpmergeconflictcounts', 'sp_MShelpmergedynamicsnapshotjob', 'sp_MShelpmergeidentity', 'sp_MShelpmergeschemaarticles', 'sp_MShelpobjectpublications', 'sp_MShelpreplicationtriggers', 'sp_MShelpsnapshot_agent', 'sp_MShelpsummarypublication', 'sp_MShelptracertokenhistory', 'sp_MShelptracertokens', 'sp_MShelptranconflictcounts', 'sp_MShelptype', 'sp_MShelpvalidationdate', 'sp_MSIfExistsSubscription', 'sp_MSindexspace', 'sp_MSinit_publication_access', 'sp_MSinit_subscription_agent', 'sp_MSinitdynamicsubscriber', 'sp_MSinsert_identity', 'sp_MSinsertdeleteconflict', 'sp_MSinserterrorlineage', 'sp_MSinsertgenerationschemachanges', 'sp_MSinsertgenhistory', 'sp_MSinsertlightweightschemachange', 'sp_MSinsertschemachange', 
'sp_MSinvalidate_snapshot', 'sp_MSisnonpkukupdateinconflict', 'sp_MSispeertopeeragent', 'sp_MSispkupdateinconflict', 'sp_MSispublicationqueued', 'sp_MSisreplmergeagent', 'sp_MSissnapshotitemapplied', 'sp_MSkilldb', 'sp_MSlock_auto_sub', 'sp_MSlock_distribution_agent', 'sp_MSlocktable', 'sp_MSloginmappings', 'sp_MSmakearticleprocs', 'sp_MSmakebatchinsertproc', 'sp_MSmakebatchupdateproc', 'sp_MSmakeconflictinsertproc', 'sp_MSmakectsview', 'sp_MSmakedeleteproc', 'sp_MSmakedynsnapshotvws', 'sp_MSmakeexpandproc', 'sp_MSmakegeneration', 'sp_MSmakeinsertproc', 'sp_MSmakemetadataselectproc', 'sp_MSmakeselectproc', 'sp_MSmakesystableviews', 'sp_MSmakeupdateproc', 'sp_MSmap_partitionid_to_generations', 'sp_MSmarkreinit', 'sp_MSmatchkey', 'sp_MSmerge_alterschemaonly', 'sp_MSmerge_altertrigger', 'sp_MSmerge_alterview', 'sp_MSmerge_ddldispatcher', 'sp_MSmerge_getgencount', 'sp_MSmerge_getgencur_public', 'sp_MSmerge_is_snapshot_required', 'sp_MSmerge_log_identity_range_allocations', 'sp_MSmerge_parsegenlist', 'sp_MSmerge_upgrade_subscriber', 'sp_MSmergesubscribedb', 'sp_MSmergeupdatelastsyncinfo', 'sp_MSneedmergemetadataretentioncleanup', 'sp_MSNonSQLDDL', 'sp_MSNonSQLDDLForSchemaDDL', 'sp_MSobjectprivs', _x000D__x000A__x0009__x0009_'sp_MSpeerapplyresponse', 'sp_MSpeerapplytopologyinfo', 'sp_MSpeerconflictdetection_statuscollection_applyresponse', 'sp_MSpeerconflictdetection_statuscollection_sendresponse', 'sp_MSpeerconflictdetection_topology_applyresponse', 'sp_MSpeerdbinfo', 'sp_MSpeersendresponse', 'sp_MSpeersendtopologyinfo', 'sp_MSpeertopeerfwdingexec', 'sp_MSpost_auto_proc', 'sp_MSpostapplyscript_forsubscriberprocs', 'sp_MSprep_exclusive', 'sp_MSprepare_mergearticle', 'sp_MSprofile_in_use', 'sp_MSproxiedmetadata', 'sp_MSproxiedmetadatabatch', 'sp_MSproxiedmetadatalightweight', 'sp_MSpub_adjust_identity', 'sp_MSpublication_access', 'sp_MSpublicationcleanup', 'sp_MSpublicationview', 'sp_MSquery_syncstates', 'sp_MSquerysubtype', 'sp_MSrecordsnapshotdeliveryprogress', 
'sp_MSreenable_check', 'sp_MSrefresh_anonymous', 'sp_MSrefresh_publisher_idrange', 'sp_MSregenerate_mergetriggersprocs', 'sp_MSregisterdynsnapseqno', 'sp_MSregistermergesnappubid', 'sp_MSregistersubscription', 'sp_MSreinit_failed_subscriptions', 'sp_MSreinit_hub', 'sp_MSreinit_subscription', 'sp_MSreinitoverlappingmergepublications', 'sp_MSreleasedynamicsnapshotapplock', 'sp_MSreleasemakegenerationapplock', 'sp_MSreleasemergeadminapplock', 'sp_MSreleaseSlotLock', 'sp_MSreleasesnapshotdeliverysessionlock', 'sp_MSremove_mergereplcommand', 'sp_MSremoveoffloadparameter', 'sp_MSrepl_agentstatussummary', 'sp_MSrepl_backup_complete', 'sp_MSrepl_backup_start', 'sp_MSrepl_check_publisher', 'sp_MSrepl_createdatatypemappings', 'sp_MSrepl_distributionagentstatussummary', 'sp_MSrepl_dropdatatypemappings', 'sp_MSrepl_enumarticlecolumninfo', 'sp_MSrepl_enumpublications', 'sp_MSrepl_enumpublishertables', 'sp_MSrepl_enumsubscriptions', 'sp_MSrepl_enumtablecolumninfo', 'sp_MSrepl_FixPALRole', 'sp_MSrepl_getdistributorinfo', 'sp_MSrepl_getpkfkrelation', 'sp_MSrepl_gettype_mappings', 'sp_MSrepl_helparticlermo', 'sp_MSrepl_init_backup_lsns', 'sp_MSrepl_isdbowner', 'sp_MSrepl_IsLastPubInSharedSubscription', 'sp_MSrepl_IsUserInAnyPAL', 'sp_MSrepl_linkedservers_rowset', 'sp_MSrepl_mergeagentstatussummary', 'sp_MSrepl_PAL_rolecheck', 'sp_MSrepl_raiserror', 'sp_MSrepl_schema', 'sp_MSrepl_setNFR', 'sp_MSrepl_snapshot_helparticlecolumns', 'sp_MSrepl_snapshot_helppublication', 'sp_MSrepl_startup_internal', 'sp_MSrepl_subscription_rowset', 'sp_MSrepl_testadminconnection', 'sp_MSrepl_testconnection', 'sp_MSreplagentjobexists', 'sp_MSreplcheck_permission', 'sp_MSreplcheck_pull', 'sp_MSreplcheck_subscribe', 'sp_MSreplcheck_subscribe_withddladmin', 'sp_MSreplcheckoffloadserver', 'sp_MSreplcopyscriptfile', 'sp_MSreplraiserror', 'sp_MSreplremoveuncdir', 'sp_MSreplupdateschema', 'sp_MSrequestreenumeration', 'sp_MSrequestreenumeration_lightweight', 'sp_MSreset_attach_state', 'sp_MSreset_queued_reinit', 
'sp_MSreset_subscription', 'sp_MSreset_subscription_seqno', 'sp_MSreset_synctran_bit', 'sp_MSreset_transaction', 'sp_MSresetsnapshotdeliveryprogress', 'sp_MSrestoresavedforeignkeys', 'sp_MSretrieve_publication_attributes', 'sp_MSscript_article_view', 'sp_MSscript_dri', 'sp_MSscript_pub_upd_trig', 'sp_MSscript_sync_del_proc', 'sp_MSscript_sync_del_trig', 'sp_MSscript_sync_ins_proc', 'sp_MSscript_sync_ins_trig', 'sp_MSscript_sync_upd_proc', 'sp_MSscript_sync_upd_trig', 'sp_MSscriptcustomdelproc', 'sp_MSscriptcustominsproc', 'sp_MSscriptcustomupdproc', 'sp_MSscriptdatabase', 'sp_MSscriptdb_worker', 'sp_MSscriptforeignkeyrestore', 'sp_MSscriptsubscriberprocs', 'sp_MSscriptviewproc', 'sp_MSsendtosqlqueue', 'sp_MSset_dynamic_filter_options', 'sp_MSset_logicalrecord_metadata', 'sp_MSset_new_identity_range', 'sp_MSset_oledb_prop', 'sp_MSset_snapshot_x005F_xact_seqno', 'sp_MSset_sub_guid', 'sp_MSset_subscription_properties', 'sp_MSsetaccesslist', 'sp_MSsetartprocs', 'sp_MSsetbit', 'sp_MSsetconflictscript', 'sp_MSsetconflicttable', 'sp_MSsetcontext_bypasswholeddleventbit', 'sp_MSsetcontext_replagent', 'sp_MSsetgentozero', 'sp_MSsetlastrecgen', 'sp_MSsetlastsentgen', 'sp_MSsetreplicainfo', 'sp_MSsetreplicaschemaversion', 'sp_MSsetreplicastatus', 'sp_MSsetrowmetadata', 'sp_MSsetsubscriberinfo', 'sp_MSsetup_identity_range', 'sp_MSsetup_partition_groups', 'sp_MSsetup_use_partition_groups', 'sp_MSsetupbelongs', 'sp_MSsetupnosyncsubwithlsnatdist', 'sp_MSsetupnosyncsubwithlsnatdist_cleanup', 'sp_MSsetupnosyncsubwithlsnatdist_helper', 'sp_MSSharedFixedDisk', 'sp_MSSQLDMO70_version', 'sp_MSSQLDMO80_version', 'sp_MSSQLDMO90_version', 'sp_MSSQLOLE_version', 'sp_MSSQLOLE65_version', 'sp_MSstartdistribution_agent', 'sp_MSstartmerge_agent', 'sp_MSstartsnapshot_agent', 'sp_MSstopdistribution_agent', 'sp_MSstopmerge_agent', 'sp_MSstopsnapshot_agent', 'sp_MSsub_check_identity', 'sp_MSsub_set_identity', 'sp_MSsubscription_status', 'sp_MSsubscriptionvalidated', 'sp_MStablechecks', 
'sp_MStablekeys', 'sp_MStablerefs', 'sp_MStablespace', 'sp_MStestbit', 'sp_MStran_ddlrepl', 'sp_MStran_is_snapshot_required', 'sp_MStrypurgingoldsnapshotdeliveryprogress', _x000D__x000A__x0009__x0009_'sp_MSuniquename', 'sp_MSunmarkifneeded', 'sp_MSunmarkreplinfo', 'sp_MSunmarkschemaobject', 'sp_MSunregistersubscription', 'sp_MSupdate_agenttype_default', 'sp_MSupdate_singlelogicalrecordmetadata', 'sp_MSupdate_subscriber_info', 'sp_MSupdate_subscriber_schedule', 'sp_MSupdate_subscriber_tracer_history', 'sp_MSupdate_subscription', 'sp_MSupdate_tracer_history', 'sp_MSupdatecachedpeerlsn', 'sp_MSupdategenerations_afterbcp', 'sp_MSupdategenhistory', 'sp_MSupdateinitiallightweightsubscription', 'sp_MSupdatelastsyncinfo', 'sp_MSupdatepeerlsn', 'sp_MSupdaterecgen', 'sp_MSupdatereplicastate', 'sp_MSupdatesysmergearticles', 'sp_MSuplineageversion', 'sp_MSuploadsupportabilitydata', 'sp_MSuselightweightreplication', 'sp_MSvalidate_dest_recgen', 'sp_MSvalidate_subscription', 'sp_MSvalidate_wellpartitioned_articles', 'sp_MSvalidatearticle', 'sp_MSwritemergeperfcounter', 'sp_new_parallel_nested_tran_id', 'sp_objectfilegroup', 'sp_oledb_database', 'sp_oledb_defdb', 'sp_oledb_deflang', 'sp_oledb_language', 'sp_oledb_ro_usrname', 'sp_oledbinfo', 'sp_ORbitmap', 'sp_password', 'sp_peerconflictdetection_tableaug', 'sp_pkeys', 'sp_polybase_join_group', 'sp_polybase_leave_group', 'sp_posttracertoken', 'sp_prepare', 'sp_prepexec', 'sp_prepexecrpc', 'sp_primary_keys_rowset', 'sp_primary_keys_rowset_rmt', 'sp_primary_keys_rowset2', 'sp_primarykeys', 'sp_procedure_params_100_managed', 'sp_procedure_params_100_rowset', 'sp_procedure_params_100_rowset2', 'sp_procedure_params_90_rowset', 'sp_procedure_params_90_rowset2', 'sp_procedure_params_managed', 'sp_procedure_params_rowset', 'sp_procedure_params_rowset2', 'sp_procedures_rowset', 'sp_procedures_rowset2', 'sp_processlogshippingmonitorhistory', 'sp_processlogshippingmonitorprimary', 'sp_processlogshippingmonitorsecondary', 
'sp_processlogshippingretentioncleanup', 'sp_procoption', 'sp_prop_oledb_provider', 'sp_provider_types_100_rowset', 'sp_provider_types_90_rowset', 'sp_provider_types_rowset', 'sp_publication_validation', 'sp_publicationsummary', 'sp_publishdb', 'sp_publisherproperty', 'sp_query_store_flush_db', 'sp_query_store_force_plan', 'sp_query_store_remove_plan', 'sp_query_store_remove_query', 'sp_query_store_reset_exec_stats', 'sp_query_store_unforce_plan', 'sp_rda_deauthorize_db', 'sp_rda_get_rpo_duration', 'sp_rda_reauthorize_db', 'sp_rda_reconcile_batch', 'sp_rda_reconcile_columns', 'sp_rda_reconcile_indexes', 'sp_rda_set_query_mode', 'sp_rda_set_rpo_duration', 'sp_rda_test_connection', 'sp_readerrorlog', 'sp_recompile', 'sp_redirect_publisher', 'sp_refresh_heterogeneous_publisher', 'sp_refresh_log_shipping_monitor', 'sp_refresh_parameter_encryption', 'sp_refreshsqlmodule', 'sp_refreshsubscriptions', 'sp_refreshview', 'sp_register_custom_scripting', 'sp_registercustomresolver', 'sp_reinitmergepullsubscription', 'sp_reinitmergesubscription', 'sp_reinitpullsubscription', 'sp_reinitsubscription', 'sp_releaseapplock', 'sp_releaseschemalock', 'sp_remote_data_archive_event', 'sp_remoteoption', 'sp_removedbreplication', 'sp_removedistpublisherdbreplication', 'sp_removesrvreplication', 'sp_rename', 'sp_renamedb', 'sp_repl_generate_subscriber_event', 'sp_repl_generateevent', 'sp_repladdcolumn', 'sp_replcleanupccsprocs', 'sp_replcmds', 'sp_replcounters', 'sp_replddlparser', 'sp_repldeletequeuedtran', 'sp_repldone', 'sp_repldropcolumn', 'sp_replflush', 'sp_replgetparsedddlcmd', 'sp_replhelp', 'sp_replica', 'sp_replication_agent_checkup', 'sp_replicationdboption', 'sp_replincrementlsn', 'sp_replmonitorchangepublicationthreshold', 'sp_replmonitorhelpmergesession', 'sp_replmonitorhelpmergesessiondetail', 'sp_replmonitorhelpmergesubscriptionmoreinfo', 'sp_replmonitorhelppublication', 'sp_replmonitorhelppublicationthresholds', 'sp_replmonitorhelppublisher', 
'sp_replmonitorhelpsubscription', 'sp_replmonitorrefreshjob', 'sp_replmonitorsubscriptionpendingcmds', 'sp_replpostsyncstatus', 'sp_replqueuemonitor', 'sp_replrestart', 'sp_replrethrow', 'sp_replsendtoqueue', 'sp_replsetoriginator', 'sp_replsetsyncstatus', 'sp_replshowcmds', 'sp_replsqlqgetrows', 'sp_replsync', 'sp_repltrans', 'sp_replwritetovarbin', 'sp_requestpeerresponse', 'sp_requestpeertopologyinfo', 'sp_reserve_http_namespace', 'sp_reset_connection', 'sp_reset_session_context', 'sp_resetsnapshotdeliveryprogress', 'sp_resign_database', 'sp_restoredbreplication', 'sp_restoremergeidentityrange', 'sp_resyncexecute', 'sp_resyncexecutesql', 'sp_resyncmergesubscription', 'sp_resyncprepare', 'sp_resyncuniquetable', 'sp_revoke_publication_access', 'sp_revokedbaccess', 'sp_revokelogin', 'sp_rollback_parallel_nested_tran', 'sp_schemafilter', 'sp_schemata_rowset', 'sp_script_reconciliation_delproc', 'sp_script_reconciliation_insproc', 'sp_script_reconciliation_sinsproc', 'sp_script_reconciliation_vdelproc', 'sp_script_reconciliation_x005F_xdelproc', 'sp_script_synctran_commands', _x000D__x000A__x0009__x0009_'sp_scriptdelproc', 'sp_scriptdynamicupdproc', 'sp_scriptinsproc', 'sp_scriptmappedupdproc', 'sp_scriptpublicationcustomprocs', 'sp_scriptsinsproc', 'sp_scriptsubconflicttable', 'sp_scriptsupdproc', 'sp_scriptupdproc', 'sp_scriptvdelproc', 'sp_scriptvupdproc', 'sp_scriptxdelproc', 'sp_scriptxupdproc', 'sp_sequence_get_range', 'sp_server_diagnostics', 'sp_server_info', 'sp_serveroption', 'sp_set_session_context', 'sp_setapprole', 'sp_SetAutoSAPasswordAndDisable', 'sp_setdefaultdatatypemapping', 'sp_setnetname', 'sp_SetOBDCertificate', 'sp_setOraclepackageversion', 'sp_setreplfailovermode', 'sp_setsubscriptionxactseqno', 'sp_settriggerorder', 'sp_setuserbylogin', 'sp_showcolv', 'sp_showlineage', 'sp_showmemo_x005F_xml', 'sp_showpendingchanges', 'sp_showrowreplicainfo', 'sp_sm_detach', 'sp_spaceused', 'sp_spaceused_remote_data_archive', 'sp_sparse_columns_100_rowset', 
'sp_special_columns', 'sp_special_columns_100', 'sp_special_columns_90', 'sp_sproc_columns', 'sp_sproc_columns_100', 'sp_sproc_columns_90', 'sp_sqlagent_add_job', 'sp_sqlagent_add_jobstep', 'sp_sqlagent_delete_job', 'sp_sqlagent_help_jobstep', 'sp_sqlagent_log_job_history', 'sp_sqlagent_start_job', 'sp_sqlagent_stop_job', 'sp_sqlagent_verify_database_context', 'sp_sqlagent_write_jobstep_log', 'sp_sqlexec', 'sp_srvrolepermission', 'sp_start_user_instance', 'sp_startmergepullsubscription_agent', 'sp_startmergepushsubscription_agent', 'sp_startpublication_snapshot', 'sp_startpullsubscription_agent', 'sp_startpushsubscription_agent', 'sp_statistics', 'sp_statistics_100', 'sp_statistics_rowset', 'sp_statistics_rowset2', 'sp_stopmergepullsubscription_agent', 'sp_stopmergepushsubscription_agent', 'sp_stoppublication_snapshot', 'sp_stoppullsubscription_agent', 'sp_stoppushsubscription_agent', 'sp_stored_procedures', 'sp_subscribe', 'sp_subscription_cleanup', 'sp_subscriptionsummary', 'sp_sysdac_add_history_entry', 'sp_sysdac_add_instance', 'sp_sysdac_delete_history', 'sp_sysdac_delete_instance', 'sp_sysdac_drop_database', 'sp_sysdac_ensure_dac_creator', 'sp_sysdac_rename_database', 'sp_sysdac_resolve_pending_entry', 'sp_sysdac_rollback_all_pending_objects', 'sp_sysdac_rollback_committed_step', 'sp_sysdac_rollback_pending_object', 'sp_sysdac_setreadonly_database', 'sp_sysdac_update_history_entry', 'sp_sysdac_upgrade_instance', 'sp_syspolicy_subscribe_to_policy_category', 'sp_syspolicy_unsubscribe_from_policy_category', 'sp_syspolicy_update_ddl_trigger', 'sp_syspolicy_update_event_notification', 'sp_sysdac_update_instance', 'sp_table_constraints_rowset', 'sp_table_constraints_rowset2', 'sp_table_privileges', 'sp_table_privileges_ex', 'sp_table_privileges_rowset', 'sp_table_privileges_rowset_rmt', 'sp_table_privileges_rowset2', 'sp_table_statistics_rowset', 'sp_table_statistics2_rowset', 'sp_table_type_columns_100', 'sp_table_type_columns_100_rowset', 'sp_table_type_pkeys', 
'sp_table_type_primary_keys_rowset', 'sp_table_types', 'sp_table_types_rowset', 'sp_table_validation', 'sp_tablecollations', 'sp_tablecollations_100', 'sp_tablecollations_90', 'sp_tableoption', 'sp_tables', 'sp_tables_ex', 'sp_tables_info_90_rowset', 'sp_tables_info_90_rowset_64', 'sp_tables_info_90_rowset2', 'sp_tables_info_90_rowset2_64', 'sp_tables_info_rowset', 'sp_tables_info_rowset_64', 'sp_tables_info_rowset2', 'sp_tables_info_rowset2_64', 'sp_tables_rowset', 'sp_tables_rowset_rmt', 'sp_tables_rowset2', 'sp_tableswc', 'sp_testlinkedserver', 'sp_trace_create', 'sp_trace_generateevent', 'sp_trace_getdata', 'sp_trace_setevent', 'sp_trace_setfilter', 'sp_trace_setstatus', 'sp_try_set_session_context', 'sp_unbindefault', 'sp_unbindrule', 'sp_unprepare', 'sp_unregister_custom_scripting', 'sp_unregistercustomresolver', 'sp_unsetapprole', 'sp_unsubscribe', 'sp_update_agent_profile', 'sp_update_user_instance', 'sp_updateextendedproperty', 'sp_updatestats', 'sp_upgrade_log_shipping', 'sp_user_counter1', 'sp_user_counter10', 'sp_user_counter2', 'sp_user_counter3', 'sp_user_counter4', 'sp_user_counter5', 'sp_user_counter6', 'sp_user_counter7', 'sp_user_counter8', 'sp_user_counter9', 'sp_usertypes_rowset', 'sp_usertypes_rowset_rmt', 'sp_usertypes_rowset2', 'sp_validate_redirected_publisher', 'sp_validate_replica_hosts_as_publishers', 'sp_validatecache', 'sp_validatelogins', 'sp_validatemergepublication', 'sp_validatemergepullsubscription', 'sp_validatemergesubscription', 'sp_validlang', 'sp_validname', 'sp_verifypublisher', 'sp_views_rowset', 'sp_views_rowset2', 'sp_vupgrade_mergeobjects', 'sp_vupgrade_mergetables', 'sp_vupgrade_replication', 'sp_vupgrade_replsecurity_metadata', 'sp_who', 'sp_who2', 'sp_x005F_xml_preparedocument', 'sp_x005F_xml_removedocument', 'sp_x005F_xml_schema_rowset', 'sp_x005F_xml_schema_rowset2', _x000D__x000A__x0009__x0009_'sp_x005F_xtp_bind_db_resource_pool', 'sp_x005F_xtp_checkpoint_force_garbage_collection', 
'sp_x005F_xtp_control_proc_exec_stats', 'sp_x005F_xtp_control_query_exec_stats', 'sp_x005F_xtp_flush_temporal_history', 'sp_x005F_xtp_kill_active_transactions', 'sp_x005F_xtp_merge_checkpoint_files', 'sp_x005F_xtp_objects_present', 'sp_x005F_xtp_set_memory_quota', 'sp_x005F_xtp_slo_can_downgrade', 'sp_x005F_xtp_slo_downgrade_finished', 'sp_x005F_xtp_slo_prepare_to_downgrade', 'sp_x005F_xtp_unbind_db_resource_pool', 'xp_dirtree', 'xp_fileexist', 'xp_fixeddrives', 'xp_getnetname', 'xp_grantlogin', 'xp_instance_regread', 'xp_msver', 'xp_qv', 'xp_regread', 'xp_repl_convert_encrypt_sysadmin_wrapper', 'xp_replposteor', 'xp_revokelogin', 'xp_sprintf', 'xp_sscanf'_x000D__x000A__x0009__x0009_))_x000D__x000A__x0009__x0009_OR (prin.type = 'S' AND prin.name = '##MS_PolicyEventProcessingLogin##' AND user_name(grantor_principal_id) = 'dbo' AND state_desc = 'GRANT' AND object_name(major_id) IN ('sp_syspolicy_events_reader', 'sp_syspolicy_execute_policy'))_x000D__x000A__x0009__x0009_OR (prin.type = 'R' AND prin.name = 'DatabaseMailUserRole' AND user_name(grantor_principal_id) = 'dbo' AND state_desc = 'GRANT' AND object_name(major_id) IN ('sp_send_dbmail', 'sysmail_delete_mailitems_sp', 'sysmail_help_status_sp'))_x000D__x000A__x0009__x0009_OR (prin.type = 'R' AND prin.name IN ('db_ssisadmin', 'db_ssisltduser') AND user_name(grantor_principal_id) = 'dbo' AND state_desc = 'GRANT' AND object_name(major_id) IN ('sp_ssis_addfolder', 'sp_ssis_addlogentry', 'sp_ssis_checkexists', 'sp_ssis_deletefolder', 'sp_ssis_deletepackage', 'sp_ssis_getfolder', 'sp_ssis_getpackage', 'sp_ssis_getpackageroles', 'sp_ssis_listfolders', 'sp_ssis_listpackages', 'sp_ssis_putpackage', 'sp_ssis_renamefolder', 'sp_ssis_setpackageroles'))_x000D__x000A__x0009__x0009_OR (prin.type = 'R' AND prin.name = 'db_ssisoperator' AND user_name(grantor_principal_id) = 'dbo' AND state_desc = 'GRANT' AND object_name(major_id) IN ('sp_ssis_checkexists', 'sp_ssis_deletepackage', 'sp_ssis_getfolder', 'sp_ssis_getpackage', 
'sp_ssis_listfolders', 'sp_ssis_listpackages', 'sp_ssis_putpackage'))_x000D__x000A__x0009__x0009_OR (prin.type = 'R' AND prin.name = 'dc_admin' AND user_name(grantor_principal_id) = 'dbo' AND state_desc = 'GRANT' AND object_name(major_id) IN ('fn_syscollector_highest_incompatible_mdw_version', 'sp_syscollector_cleanup_collector', 'sp_syscollector_create_collection_item', 'sp_syscollector_create_collection_set', 'sp_syscollector_create_collector_type', 'sp_syscollector_delete_collection_item', 'sp_syscollector_delete_collection_set', 'sp_syscollector_delete_collector_type', 'sp_syscollector_set_cache_directory', 'sp_syscollector_set_cache_window', 'sp_syscollector_set_warehouse_database_name', 'sp_syscollector_set_warehouse_instance_name'))_x000D__x000A__x0009__x0009_OR (prin.type = 'R' AND prin.name = 'dc_operator' AND user_name(grantor_principal_id) = 'dbo' AND state_desc = 'GRANT' AND object_name(major_id) IN ('fn_syscollector_find_collection_set_root', 'sp_syscollector_create_tsql_query_collector', 'sp_syscollector_delete_execution_log_tree', 'sp_syscollector_disable_collector', 'sp_syscollector_enable_collector', 'sp_syscollector_get_tsql_query_collector_package_ids', 'sp_syscollector_run_collection_set', 'sp_syscollector_start_collection_set', 'sp_syscollector_stop_collection_set', 'sp_syscollector_update_collection_item', 'sp_syscollector_update_collection_set', 'sp_syscollector_upload_collection_set', 'sp_verify_subsystems'))_x000D__x000A__x0009__x0009_OR (prin.type = 'R' AND prin.name = 'dc_proxy' AND user_name(grantor_principal_id) = 'dbo' AND state_desc = 'GRANT' AND object_name(major_id) IN ('fn_syscollector_highest_incompatible_mdw_version', 'sp_syscollector_create_tsql_query_collector', 'sp_syscollector_event_oncollectionbegin', 'sp_syscollector_event_oncollectionend', 'sp_syscollector_event_onerror', 'sp_syscollector_event_onpackagebegin', 'sp_syscollector_event_onpackageend', 'sp_syscollector_event_onpackageupdate', 
'sp_syscollector_event_onstatsupdate', 'sp_syscollector_get_tsql_query_collector_package_ids', 'sp_syscollector_get_warehouse_connection_string', 'sp_syscollector_snapshot_dm_exec_query_stats', 'sp_syscollector_snapshot_dm_exec_requests'))_x000D__x000A__x0009__x0009_OR (prin.type = 'R' AND prin.name = 'PolicyAdministratorRole' AND user_name(grantor_principal_id) = 'dbo' AND state_desc = 'GRANT' AND object_name(major_id) IN ('sp_syspolicy_add_condition', 'sp_syspolicy_add_object_set', 'sp_syspolicy_add_policy', 'sp_syspolicy_add_policy_category', 'sp_syspolicy_add_policy_category_subscription', 'sp_syspolicy_add_target_set', 'sp_syspolicy_add_target_set_level', 'sp_syspolicy_configure', 'sp_syspolicy_create_purge_job', 'sp_syspolicy_delete_condition', 'sp_syspolicy_delete_object_set', 'sp_syspolicy_delete_policy', 'sp_syspolicy_delete_policy_category', 'sp_syspolicy_delete_policy_category_subscription', 'sp_syspolicy_dispatch_event', 'sp_syspolicy_log_policy_execution_detail', 'sp_syspolicy_log_policy_execution_end', 'sp_syspolicy_log_policy_execution_start', 'sp_syspolicy_purge_health_state', 'sp_syspolicy_purge_history', 'sp_syspolicy_rename_condition', 'sp_syspolicy_rename_policy', 'sp_syspolicy_rename_policy_category', 'sp_syspolicy_repair_policy_automation', 'sp_syspolicy_set_config_enabled', 'sp_syspolicy_set_config_history_retention', 'sp_syspolicy_set_log_on_success', 'sp_syspolicy_update_condition', 'sp_syspolicy_update_policy', 'sp_syspolicy_update_policy_category', 'sp_syspolicy_update_policy_category_subscription', 'sp_syspolicy_update_target_set', 'sp_syspolicy_update_target_set_level', 'sp_syspolicy_verify_object_set_identifiers'))_x000D__x000A__x0009__x0009_OR (prin.type = 'R' AND prin.name = 'ServerGroupAdministratorRole' AND user_name(grantor_principal_id) = 'dbo' AND state_desc = 'GRANT' AND object_name(major_id) IN ('sp_sysmanagement_add_shared_registered_server', 'sp_sysmanagement_add_shared_server_group', 
'sp_sysmanagement_delete_shared_registered_server', 'sp_sysmanagement_delete_shared_server_group', 'sp_sysmanagement_move_shared_registered_server', 'sp_sysmanagement_move_shared_server_group', 'sp_sysmanagement_rename_shared_registered_server', 'sp_sysmanagement_rename_shared_server_group', 'sp_sysmanagement_update_shared_registered_server', 'sp_sysmanagement_update_shared_server_group'))_x000D__x000A__x0009__x0009_OR (prin.type = 'R' AND prin.name = 'SQLAgentOperatorRole' AND user_name(grantor_principal_id) = 'dbo' AND state_desc = 'GRANT' AND object_name(major_id) IN ('sp_enum_login_for_proxy', 'sp_help_alert', 'sp_help_notification', 'sp_help_targetserver', 'sp_purge_jobhistory'))_x000D__x000A__x0009__x0009_OR (prin.type = 'R' AND prin.name = 'SQLAgentUserRole' AND user_name(grantor_principal_id) = 'dbo' AND state_desc = 'GRANT' AND object_name(major_id) IN ('sp_add_job', 'sp_add_jobschedule', 'sp_add_jobserver', 'sp_add_jobstep', 'sp_add_schedule', 'sp_addtask', 'sp_agent_get_jobstep', 'sp_attach_schedule', 'sp_check_for_owned_jobs', 'sp_check_for_owned_jobsteps', 'sp_delete_job', 'sp_delete_jobschedule', 'sp_delete_jobserver', 'sp_delete_jobstep', 'sp_delete_jobsteplog', 'sp_delete_schedule', 'sp_detach_schedule', 'sp_droptask', 'sp_enum_sqlagent_subsystems', 'sp_get_job_alerts', 'sp_get_jobstep_db_username', 'sp_get_sqlagent_properties', 'sp_help_category', 'sp_help_job', 'sp_help_jobactivity', 'sp_help_jobcount', 'sp_help_jobhistory', 'sp_help_jobhistory_full', 'sp_help_jobhistory_sem', 'sp_help_jobhistory_summary', 'sp_help_jobs_in_schedule', 'sp_help_jobschedule', 'sp_help_jobserver', 'sp_help_jobstep', 'sp_help_jobsteplog', 'sp_help_operator', 'sp_help_proxy', 'sp_help_schedule', 'sp_maintplan_subplans_by_job', 'sp_notify_operator', 'sp_start_job', 'sp_stop_job', 'sp_uniquetaskname', 'sp_update_job', 'sp_update_jobschedule', 'sp_update_jobstep', 'sp_update_schedule'))_x000D__x000A__x0009__x0009_OR (prin.type = 'R' AND prin.name = 'TargetServersRole' AND 
user_name(grantor_principal_id) = 'dbo' AND (state_desc = 'GRANT' AND object_name(major_id) IN ('sp_agent_get_jobstep', 'sp_downloaded_row_limiter', 'sp_enlist_tsx', 'sp_help_jobschedule', 'sp_help_jobstep', 'sp_maintplan_subplans_by_job', 'sp_sqlagent_check_msx_version', 'sp_sqlagent_probe_msx', 'sp_sqlagent_refresh_job') OR (state_desc = 'DENY' AND object_name(major_id) IN ('sp_add_job', 'sp_add_jobschedule', 'sp_add_jobserver', 'sp_add_jobstep', 'sp_addtask', 'sp_delete_job', 'sp_delete_jobschedule', 'sp_delete_jobserver', 'sp_delete_jobstep', 'sp_droptask', 'sp_post_msx_operation', 'sp_start_job', 'sp_stop_job', 'sp_update_job', 'sp_update_jobschedule', 'sp_update_jobstep'))))_x000D__x000A__x0009__x0009_OR (prin.type = 'R' AND prin.name = 'UtilityCMRReader' AND user_name(grantor_principal_id) = 'dbo' AND state_desc = 'GRANT' AND object_name(major_id) IN ('fn_encode_sqlname_for_powershell', 'fn_sysutility_get_is_instance_ucp', 'fn_sysutility_ucp_get_aggregated_failure_count', 'fn_sysutility_ucp_get_applicable_policy', 'fn_sysutility_ucp_get_global_health_policy'))_x000D__x000A__x0009__x0009_OR (prin.type = 'R' AND prin.name = 'UtilityIMRReader' AND user_name(grantor_principal_id) = 'dbo' AND state_desc = 'GRANT' AND object_name(major_id) IN ('fn_sysutility_get_culture_invariant_conversion_style_internal', 'fn_sysutility_mi_get_cpu_architecture_name', 'fn_sysutility_mi_get_cpu_family_name'))_x000D__x000A__x0009__x0009_OR (prin.type = 'R' AND prin.name = 'UtilityIMRWriter' AND user_name(grantor_principal_id) = 'dbo' AND state_desc = 'GRANT' AND object_name(major_id) IN ('sp_sysutility_mi_collect_dac_execution_statistics_internal', 'sp_sysutility_mi_get_dac_execution_statistics_internal'))_x000D__x000A__x0009_)</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE $3 ON [$1].[$2] FROM [$5]</S>
</Props>
</Obj>
<Obj RefId="46">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">3fb84d5c-1a0b-4a6f-bc00-959d28944d24</G>
<S N="RuleId">VA2034</S>
<S N="Severity">Low</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted database-scoped EXECUTE permission on XML Schema Collection.</S>
<S N="Title">Minimal set of principals should be granted database-scoped EXECUTE permission on XML Schema Collection</S>
<S N="Query">select REPLACE(perms.class_desc, '_', ' ') AS [Permission Class], _x000D__x000A__x0009_xmlsc.name AS [Object],_x000D__x000A__x0009_perms.permission_name AS Permission, _x000D__x000A__x0009_prin.type_desc AS [Principal Type], _x000D__x000A__x0009_prin.name AS Principal_x000D__x000A_FROM sys.database_permissions perms_x000D__x000A_LEFT JOIN_x000D__x000A__x0009_sys.database_principals prin_x000D__x000A__x0009_ON perms.grantee_principal_id = prin.principal_id_x000D__x000A_LEFT JOIN _x000D__x000A__x0009_sys.xml_schema_collections xmlsc_x000D__x000A__x0009_ON perms.major_id = xmlsc.xml_collection_id_x000D__x000A__x000D__x000A_WHERE _x000D__x000A_ permission_name = 'EXECUTE'_x000D__x000A_ AND perms.class = 10 _x000D__x000A__x0009_AND grantee_principal_id NOT IN (DATABASE_PRINCIPAL_ID('guest'), DATABASE_PRINCIPAL_ID('public')) _x000D__x000A_ AND NOT (prin.type = 'R' AND prin.name = 'dc_admin' AND user_name(grantor_principal_id) = 'dbo' AND state_desc = 'GRANT')</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE $2 ON $0::[$1] FROM [$4]</S>
</Props>
</Obj>
<Obj RefId="47">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">0d7d9c8e-74dd-48dc-bf0a-ac31a10f3fba</G>
<S N="RuleId">VA2040</S>
<S N="Severity">Low</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted low impact database-scoped permissions.</S>
<S N="Title">Minimal set of principals should be granted low impact database-scoped permissions</S>
<S N="Query">SELECT perms.class_desc as [Permission Class], perms.permission_name AS Permission, type_desc AS [Principal Type], prin.name as Principal_x000D__x000A_FROM sys.database_permissions perms, sys.database_principals prin_x000D__x000A_WHERE perms.grantee_principal_id = prin.principal_id _x000D__x000A_ AND permission_name IN ('INSERT', 'UPDATE', 'DELETE') _x000D__x000A__x0009_AND grantee_principal_id NOT IN (DATABASE_PRINCIPAL_ID('guest'), DATABASE_PRINCIPAL_ID('public')) _x000D__x000A_ AND perms.class = 0</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE $1 FROM [$3]</S>
</Props>
</Obj>
<Obj RefId="48">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">98446f20-eac5-4184-8222-c4a4a8b7c6fb</G>
<S N="RuleId">VA2041</S>
<S N="Severity">Low</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted low impact database-scoped permissions on objects or columns.</S>
<S N="Title">Minimal set of principals should be granted low impact database-scoped permissions on objects or columns</S>
<S N="Query">SELECT perms.class_desc as [Permission Class], object_schema_name(major_id) as [Schema Name], object_name(major_id) as [Object], perms.permission_name AS Permission, type_desc AS [Principal Type], prin.name as Principal_x000D__x000A_FROM sys.database_permissions perms, sys.database_principals prin_x000D__x000A_WHERE perms.grantee_principal_id = prin.principal_id _x000D__x000A_ AND permission_name IN ('INSERT', 'UPDATE', 'DELETE') _x000D__x000A__x0009_AND grantee_principal_id NOT IN (DATABASE_PRINCIPAL_ID('guest'), DATABASE_PRINCIPAL_ID('public')) _x000D__x000A_ AND perms.class = 1</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE $3 ON [$1].[$2] FROM [$5]</S>
</Props>
</Obj>
<Obj RefId="49">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">f0d77109-4591-405e-9a7d-3a9d0c62cb1d</G>
<S N="RuleId">VA2042</S>
<S N="Severity">Low</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted low impact database-scoped permissions on schema.</S>
<S N="Title">Minimal set of principals should be granted low impact database-scoped permissions on schema</S>
<S N="Query">SELECT perms.class_desc AS [Permission Class], _x000D__x000A_ schema_name(major_id) AS [Object],_x000D__x000A_ perms.permission_name AS Permission, _x000D__x000A_ prin.type_desc AS [Principal Type], _x000D__x000A_ prin.name AS Principal_x000D__x000A_FROM sys.database_permissions perms_x000D__x000A_LEFT JOIN_x000D__x000A__x0009_sys.database_principals prin_x000D__x000A__x0009_ON perms.grantee_principal_id = prin.principal_id_x000D__x000A_WHERE _x000D__x000A_ perms.permission_name IN ('INSERT', 'UPDATE', 'DELETE') _x000D__x000A__x0009_AND grantee_principal_id NOT IN (DATABASE_PRINCIPAL_ID('guest'), DATABASE_PRINCIPAL_ID('public')) _x000D__x000A_ AND perms.class = 3</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE $2 ON $0::[$1] FROM [$4]</S>
</Props>
</Obj>
<Obj RefId="50">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">c852c8cc-2b1d-4a95-91e5-799282c615c1</G>
<S N="RuleId">VA2050</S>
<S N="Severity">Medium</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted database-scoped VIEW DEFINITION permissions.</S>
<S N="Title">Minimal set of principals should be granted database-scoped VIEW DEFINITION permissions</S>
<S N="Query">SELECT prin.NAME AS Principal_x000D__x000A_FROM sys.database_permissions perms_x000D__x000A__x0009_,sys.database_principals prin_x000D__x000A_WHERE perms.grantee_principal_id = prin.principal_id_x000D__x000A__x0009_AND permission_name = 'VIEW DEFINITION'_x000D__x000A__x0009_AND grantee_principal_id NOT IN (_x000D__x000A__x0009__x0009_DATABASE_PRINCIPAL_ID('guest')_x000D__x000A__x0009__x0009_,DATABASE_PRINCIPAL_ID('public')_x000D__x000A__x0009__x0009_)_x000D__x000A__x0009_AND perms.class = 0</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE VIEW DEFINITION FROM [$0]</S>
</Props>
</Obj>
<Obj RefId="51">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">647ad9a6-4342-4819-8739-38db9c42887f</G>
<S N="RuleId">VA2051</S>
<S N="Severity">Medium</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted database-scoped VIEW DEFINITION permissions on schema-scoped objects or columns (permission class 1, which is what this rule's query selects; each result row carries the schema name and the object name of the grant).</S>
<S N="Title">Minimal set of principals should be granted database-scoped VIEW DEFINITION permissions on schema</S>
<S N="Query">SELECT perms.class_desc as [Permission Class], object_schema_name(major_id) as [Schema Name], object_name(major_id) as [Object], perms.permission_name AS Permission, type_desc AS [Principal Type], prin.name as Principal_x000D__x000A_FROM sys.database_permissions perms, sys.database_principals prin_x000D__x000A_WHERE perms.grantee_principal_id = prin.principal_id _x000D__x000A_ AND permission_name = 'VIEW DEFINITION'_x000D__x000A__x0009_AND grantee_principal_id NOT IN (DATABASE_PRINCIPAL_ID('guest'), DATABASE_PRINCIPAL_ID('public')) _x000D__x000A_ AND perms.class = 1</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE $3 ON [$1].[$2] FROM [$5]</S>
</Props>
</Obj>
<Obj RefId="52">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">81375438-8916-4d3e-b13c-3b5b60be2f95</G>
<S N="RuleId">VA2052</S>
<S N="Severity">Medium</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted database-scoped VIEW DEFINITION permission on various securables.</S>
<S N="Title">Minimal set of principals should be granted database-scoped VIEW DEFINITION permission on various securables</S>
<S N="Query">SELECT REPLACE(perms.class_desc, '_', ' ') AS [Permission Class], _x000D__x000A_ CASE _x000D__x000A_ WHEN perms.class=3 THEN schema_name(major_id) -- schema_x000D__x000A_ WHEN perms.class=4 THEN printarget.name -- principal_x000D__x000A_ WHEN perms.class=5 THEN asm.name -- assembly_x000D__x000A_ WHEN perms.class=6 THEN type_name(major_id) -- type_x000D__x000A_ WHEN perms.class=10 THEN xmlsc.name -- xml schema_x000D__x000A_ WHEN perms.class=15 THEN msgt.name COLLATE DATABASE_DEFAULT -- message types_x000D__x000A_ WHEN perms.class=16 THEN svcc.name COLLATE DATABASE_DEFAULT -- service contracts_x000D__x000A_ WHEN perms.class=17 THEN svcs.name COLLATE DATABASE_DEFAULT -- services_x000D__x000A_ WHEN perms.class=18 THEN rsb.name COLLATE DATABASE_DEFAULT -- remote service bindings_x000D__x000A_ WHEN perms.class=19 THEN rts.name COLLATE DATABASE_DEFAULT -- routes_x000D__x000A_ WHEN perms.class=23 THEN ftc.name -- full text catalog_x000D__x000A_ WHEN perms.class=24 then sym.name -- symmetric key_x000D__x000A_ WHEN perms.class=25 then crt.name -- certificate_x000D__x000A_ WHEN perms.class=26 then asym.name -- assymetric key_x000D__x000A_ ELSE ''_x000D__x000A_ END AS [Object],_x000D__x000A_ perms.permission_name AS Permission, _x000D__x000A_ prin.type_desc AS [Principal Type], _x000D__x000A_ prin.name AS Principal_x000D__x000A_FROM sys.database_permissions perms_x000D__x000A_LEFT JOIN_x000D__x000A_ sys.database_principals prin_x000D__x000A_ ON perms.grantee_principal_id = prin.principal_id_x000D__x000A_LEFT JOIN _x000D__x000A_ sys.assemblies asm_x000D__x000A_ ON perms.major_id = asm.assembly_id_x000D__x000A_LEFT JOIN _x000D__x000A_ sys.xml_schema_collections xmlsc_x000D__x000A_ ON perms.major_id = xmlsc.xml_collection_id_x000D__x000A_LEFT JOIN _x000D__x000A_ sys.service_message_types msgt_x000D__x000A_ ON perms.major_id = msgt.message_type_id_x000D__x000A_LEFT JOIN _x000D__x000A_ sys.service_contracts svcc_x000D__x000A_ ON perms.major_id = 
svcc.service_contract_id_x000D__x000A_LEFT JOIN _x000D__x000A_ sys.services svcs_x000D__x000A_ ON perms.major_id = svcs.service_id_x000D__x000A_LEFT JOIN _x000D__x000A_ sys.remote_service_bindings rsb_x000D__x000A_ ON perms.major_id = rsb.remote_service_binding_id_x000D__x000A_LEFT JOIN _x000D__x000A_ sys.routes rts_x000D__x000A_ ON perms.major_id = rts.route_id_x000D__x000A_LEFT JOIN_x000D__x000A_ sys.database_principals printarget_x000D__x000A_ ON perms.major_id = printarget.principal_id_x000D__x000A_LEFT JOIN _x000D__x000A_ sys.symmetric_keys sym_x000D__x000A_ On perms.major_id = sym.symmetric_key_id_x000D__x000A_LEFT JOIN_x000D__x000A_ sys.asymmetric_keys asym_x000D__x000A_ ON perms.major_id = asym.asymmetric_key_id_x000D__x000A_ LEFT JOIN_x000D__x000A_ sys.certificates crt_x000D__x000A_ ON perms.major_id = crt.certificate_id_x000D__x000A_LEFT JOIN_x000D__x000A_ sys.fulltext_catalogs ftc_x000D__x000A_ ON perms.major_id = ftc.fulltext_catalog_id_x000D__x000A_WHERE _x000D__x000A_ permission_name = 'VIEW DEFINITION'_x000D__x000A_ AND grantee_principal_id NOT IN (DATABASE_PRINCIPAL_ID('guest'), DATABASE_PRINCIPAL_ID('public')) _x000D__x000A_ AND class in (3,4,5,6,10,15,16,17,18,19,23,24,25,26)</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">REVOKE $2 ON $0::[$1] FROM [$4]</S>
</Props>
</Obj>
<Obj RefId="53">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">d80cfa1a-4ff2-4ec9-95f6-f54bd3b29624</G>
<S N="RuleId">VA2108</S>
<S N="Severity">High</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">SQL Server provides roles to help manage permissions. Roles are security principals that group other principals. Database-level roles are database-wide in their permission scope. This rule checks that only a minimal set of principals are members of the fixed high impact database roles.</S>
<S N="Title">Minimal set of principals should be members of fixed high impact database roles</S>
<S N="Query">SELECT user_name(sr.member_principal_id) as [Principal], user_name(sr.role_principal_id) as [Role], type_desc as [Principal Type], authentication_type_desc as [Authentication Type]_x000D__x000A_FROM sys.database_role_members sr, sys.database_principals sp _x000D__x000A_WHERE sp.principal_id = sr.member_principal_id _x000D__x000A_AND sr.role_principal_id IN (user_id('bulkadmin'), _x000D__x000A_ user_id('db_accessadmin'),_x000D__x000A_ user_id('db_securityadmin'),_x000D__x000A_ user_id('db_ddladmin'),_x000D__x000A_ user_id('db_backupoperator'))_x000D__x000A_ORDER BY sp.name</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">ALTER ROLE [$1] DROP MEMBER [$0]</S>
</Props>
</Obj>
<Obj RefId="54">
<TNRef RefId="0" />
<ToString>System.Data.DataRow</ToString>
<Props>
<G N="ID">43e8fa29-37f3-42f5-b30e-94d174d982a0</G>
<S N="RuleId">VA2109</S>
<S N="Severity">Low</S>
<S N="Category">AuthenticationAndAuthorization</S>
<S N="Description">SQL Server provides roles to help manage permissions. Roles are security principals that group other principals. Database-level roles are database-wide in their permission scope. This rule checks that only a minimal set of principals are members of the fixed low impact database roles.</S>
<S N="Title">Minimal set of principals should be members of fixed low impact database roles</S>
<S N="Query">SELECT user_name(sr.member_principal_id) as [Principal], user_name(sr.role_principal_id) as [Role], type_desc as [Principal Type], authentication_type_desc as [Authentication Type]_x000D__x000A_FROM sys.database_role_members sr, sys.database_principals sp _x000D__x000A_WHERE sp.principal_id = sr.member_principal_id _x000D__x000A_AND sr.role_principal_id IN (user_id('db_datareader'), _x000D__x000A_ user_id('db_datawriter'),_x000D__x000A_ user_id('db_denydatareader'),_x000D__x000A_ user_id('db_denydatawriter'))_x000D__x000A_ORDER BY sp.name</S>
<Nil N="ExpectedResult" />
<S N="RemedSkeleton">ALTER ROLE [$1] DROP MEMBER [$0]</S>
</Props>
</Obj>
</Objs>