SQL Server
Description
The SQL Server connector connects to a Microsoft SQL Server instance via JDBC and discovers server-level logins, role memberships, and database-level principals. It identifies privileged logins such as members of sysadmin and other fixed server roles.
System Type Classification
| Field | Value |
|---|---|
| System Type | Infrastructure |
| Default Scan Priority | 500 |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
SQL Server scanning requires a Pro or Enterprise licence.
Supported Protocols
| Protocol | Port | Notes |
|---|---|---|
| JDBC (TDS) | 1433 TCP | Standard SQL Server port; configurable per instance |
What OrbisID Discovers
| Data | Source |
|---|---|
| Server logins | sys.server_principals |
| Server role memberships | sys.server_role_members |
| Fixed server roles | sysadmin, securityadmin, serveradmin, setupadmin, processadmin, diskadmin, dbcreator, bulkadmin |
| Login status (enabled/disabled) | is_disabled column |
| Login type (SQL login vs Windows login) | type_desc column |
Connection Requirements
Credential Requirements
The credential must be a SQL Server login or a Windows account with at least the following server-level permissions:
| Permission | Purpose |
|---|---|
VIEW SERVER STATE | Read sys.server_principals and role memberships |
VIEW ANY DATABASE | (Optional) Extend discovery to database-level principals |
Recommended: Create a dedicated SQL login for OrbisID with minimal permissions:
-- Create a dedicated login
CREATE LOGIN orbisid_scanner WITH PASSWORD = '<strong-password>';
-- Grant minimum required permissions
GRANT VIEW SERVER STATE TO orbisid_scanner;
GRANT VIEW ANY DATABASE TO orbisid_scanner;
Network Requirements
| Requirement | Detail |
|---|---|
| SQL Server Browser service | Required if using named instances |
| TCP/IP protocol enabled | Must be enabled in SQL Server Configuration Manager |
| Port 1433 accessible | Or the custom port for the instance |
| SQL Server Authentication | Must be enabled if using SQL logins (mixed mode authentication) |
Configuration Steps
- Navigate to Systems in the sidebar
- Click Add System
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., sql-prod-01) |
| Hostname / IP | SQL Server hostname or IP |
| Port | 1433 (or custom port) |
| OS Type | SQL Server |
| System Type | Infrastructure (auto-selected) |
| Database Name | Name of the database to connect to (e.g., master) |
| Credential | SQL login or Windows account with required permissions |
- Click Test Connection to verify connectivity and authentication
- Click Save
Database Name
The Database Name field specifies the initial connection database. The scanner reads server-level data from system views (sys.*), so master is typically appropriate.
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
Connection test fails with Login failed | Invalid credentials or SQL auth disabled | Verify login exists and SQL Server is in mixed auth mode |
Connection test fails with Connection refused | Port blocked or TCP/IP disabled | Check SQL Server Configuration Manager — enable TCP/IP and verify port 1433 |
| Named instance not found | SQL Server Browser not running | Start the SQL Server Browser service or specify the port explicitly |
| Scan succeeds but no roles found | Insufficient permissions | Grant VIEW SERVER STATE to the scanning login |
| Windows logins not discovered | Windows auth not configured | Windows logins are discovered; ensure WINDOWS_LOGIN accounts appear in sys.server_principals |