April 29, 2011 | SQL Server

If you disable the guest user, please read this!

As a matter of security, it is typically recommended to disable the guest user account across your user databases. For system databases, of course you have a tough time disabling guest access for tempdb and master, which are peripherally required for a lot of different types of activity. You have probably felt quite confident in disabling guest access to msdb as well, but this might be more trouble than it's worth, for the same reason: guest access to msdb is required for some SQL Server functionality to work. This applies to SQL Server 2005, 2008, 2008 R2, Denali and, almost certainly, beyond.

Yesterday, Microsoft published a KB article to underscore this point, and to complement the advice found in Books Online. It describes the types of symptoms you might see (or that your users might be experiencing, but not complaining loudly enough about – yet) if you disable guest access to msdb:

KB #2539091 : You should not disable the guest user in the msdb database in SQL Server

Here is a somewhat relevant article in Books Online (and I recommend browsing all of the checklists). Note that the "Limiting Access to Data" checklist does not cover this topic as specifically as the KB article might otherwise imply:

Checklist: Limiting Access to Data

There may be far more overwhelming factors to consider when implementing security in your environment, and you might already have a tight enough rein on access that this isn't a concern. But if disabling the guest account is part of your policy, make sure you are aware of the consequences.
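
To see where an instance stands against this advice, the following T-SQL audit reports whether guest holds CONNECT in each online database. It is an added example, not code from the KB article or Books Online. It flags master, tempdb and msdb when guest is disabled and user databases when guest is enabled. The temp table name and the wording of the findings are my own, and model is deliberately left unflagged because the guidance above does not address it.

```sql
-- Added example: audit guest CONNECT status in every online database.
SET NOCOUNT ON;

CREATE TABLE #guest_status (          -- hypothetical working table
    database_name     sysname NOT NULL,
    guest_can_connect bit     NOT NULL
);

DECLARE @db sysname, @sql nvarchar(max);

DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = N'ONLINE';

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- guest counts as disabled when it has no granted database-level CONNECT
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT #guest_status (database_name, guest_can_connect)
        SELECT DB_NAME(),
               CASE WHEN EXISTS (
                   SELECT 1
                   FROM sys.database_permissions AS p
                   JOIN sys.database_principals  AS u
                     ON u.principal_id = p.grantee_principal_id
                   WHERE u.name = N''guest''
                     AND p.class = 0              -- database-level permission
                     AND p.type = ''CO''          -- CONNECT
                     AND p.state IN (''G'', ''W'')  -- GRANT / GRANT WITH GRANT OPTION
               ) THEN 1 ELSE 0 END;';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM db_cursor INTO @db;
END

CLOSE db_cursor;
DEALLOCATE db_cursor;

SELECT database_name, guest_can_connect,
       CASE
           WHEN database_name IN (N'master', N'tempdb', N'msdb') AND guest_can_connect = 0
               THEN N'guest is needed here: GRANT CONNECT TO guest'
           WHEN database_name NOT IN (N'master', N'tempdb', N'msdb', N'model') AND guest_can_connect = 1
               THEN N'user database with guest enabled: REVOKE CONNECT FROM guest if policy requires'
           ELSE N'OK'
       END AS finding
FROM #guest_status
ORDER BY database_name;

DROP TABLE #guest_status;
```

Run it as a login that can enter every database (a sysadmin, for instance); the loop stops with an error at any database the caller cannot USE.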

3 comments on this post

    • Livetvijken - April 30, 2011, 12:18 PM

      I still don't really get how disabling guest users in a DB might increase your security? And is this also the case in, i.e., MySQL databases?
      I'm not really a pro on this…

    • AaronBertrand - May 1, 2011, 2:30 AM

      I would take a look at this article, it covers a few bases:
      http://www.mssqltips.com/tip.asp?tip=1172

    • Livetvkijken - May 1, 2011, 1:13 PM

      Hey AaronBertrand thanks, I will 😉
