From 438a2a8a4586783a25e37d645dca4f6a8650cf13 Mon Sep 17 00:00:00 2001
From: jpomfret
Date: Tue, 30 May 2023 15:16:40 +0000
Subject: [PATCH] new check - GuestUserConnect
---
 source/checks/Databasev5.Tests.ps1 | 10 ++++++++++
 source/internal/configurations/configuration.ps1 | 1 +
 source/internal/functions/Get-AllDatabaseInfo.ps1 | 5 +++++
 3 files changed, 16 insertions(+)
diff --git a/source/checks/Databasev5.Tests.ps1 b/source/checks/Databasev5.Tests.ps1
index 82e9b069..8fe3c874 100644
--- a/source/checks/Databasev5.Tests.ps1
+++ b/source/checks/Databasev5.Tests.ps1
@@ -222,3 +222,13 @@ Describe "Compatibility Level" -Tag CompatibilityLevel, High, Database -ForEach
 }
 }
 }
+
+Describe "Guest User" -Tag GuestUserConnect, Security, CIS, Medium, Database -ForEach $InstancesToTest {
+ $Skip = ($__dbcconfig | Where-Object Name -EQ 'skip.security.guestuserconnect').Value
+
+ Context "Testing Guest user has CONNECT permission" {
+ It "Database Guest user should return no CONNECT permissions in <_.Name> on <_.SqlInstance>" -Skip:$skip -ForEach $psitem.Databases.Where{ if ($Database) { $_.Name -in $Database } else { $psitem.ConfigValues.guestuserexclude -notcontains $psitem.Name } } {
+ $psitem.GuestUserConnect | Should -BeFalse -Because "we don't want the guest user to have connect access to our database."
+ }
+ }
+}
diff --git a/source/internal/configurations/configuration.ps1 b/source/internal/configurations/configuration.ps1
index 09453b0f..ed908ebe 100644
--- a/source/internal/configurations/configuration.ps1
+++ b/source/internal/configurations/configuration.ps1
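Review bot: `-Skip:$skip` reads `skip.security.guestuserconnect` from `$__dbcconfig`, but neither this patch's configuration.ps1 hunk nor the diffstat (16 insertions across three files) registers that setting, so unless it already exists from an earlier version of the check the lookup yields `$null` and the skip switch is silently inert. If it is new it needs a registration next to the `database.guestuser.excludedb` entry, e.g. `Set-PSFConfig -Module dbachecks -Name skip.security.guestuserconnect -Value $false -Initialize -Description "Skip the guest user CONNECT permission check"`. Inside the `.Where{ }` filter `$psitem` is rebound to the database element, so `$psitem.ConfigValues.guestuserexclude` presumes each database object carries `ConfigValues`; that appears to follow the sibling checks but cannot be confirmed from this hunk. A why-comment above the `It` would also help a reader tuning the exclusions: `# guest must keep CONNECT in master/tempdb/msdb, which is what the exclude list is for`.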
@@ -164,6 +164,7 @@ Set-PSFConfig -Module dbachecks -Name policy.database.status.excluderestoring -V
 Set-PSFConfig -Module dbachecks -Name database.querystoreenabled.excludedb -Value @('model', 'tempdb', 'master') -Initialize -Description "A List of databases that we do not want to check for Query Store enabled"
 Set-PSFConfig -Module dbachecks -Name database.querystoredisabled.excludedb -Value @('model', 'tempdb', 'master') -Initialize -Description "A List of databases that we do not want to check for Query Store disabled"
 Set-PSFConfig -Module dbachecks -Name database.compatibilitylevel.excludedb -Value @() -Initialize -Description "A list of databases that we do not want to check compatibility level"
+Set-PSFConfig -Module dbachecks -Name database.guestuser.excludedb -Value @('master', 'tempdb', 'msdb') -Initialize -Description "A list of databases that we do not want to check guest user connect permissions for"
 Set-PSFConfig -Module dbachecks -Name policy.database.filegrowthdaystocheck -Value $null -Initialize -Description "The number of days to go back to check for growth events"
 Set-PSFConfig -Module dbachecks -Name policy.database.trustworthyexcludedb -Value @('msdb') -Initialize -Description "A List of databases that we do not want to check for Trustworthy being on"
diff --git a/source/internal/functions/Get-AllDatabaseInfo.ps1 b/source/internal/functions/Get-AllDatabaseInfo.ps1
index 8b2d6b0d..9c29c9e0 100644
--- a/source/internal/functions/Get-AllDatabaseInfo.ps1
+++ b/source/internal/functions/Get-AllDatabaseInfo.ps1
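Review bot: The default `@('master', 'tempdb', 'msdb')` for `database.guestuser.excludedb` carries a security rationale that the Description does not state, and a user trimming the list could remove a system database and get a permanent failure they cannot fix. Guest CONNECT cannot be revoked in master or tempdb and msdb relies on it for several features, which is also why the CIS control scopes the check to the remaining databases; I would make the Description say so, e.g. `-Description "A list of databases that we do not want to check guest user connect permissions for (master, tempdb and msdb require guest CONNECT and should stay excluded)"`. The hunk header advertises seven new lines but only six are visible here, so a blank context line was likely lost in transport rather than in the commit.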
@@ -135,6 +135,10 @@ function Get-AllDatabaseInfo {
 $compatibilityLevel = $true
 $ConfigValues | Add-Member -MemberType NoteProperty -Name 'compatexclude' -Value ($__dbcconfig | Where-Object Name -EQ 'database.compatibilitylevel.excludedb').Value
 }
+ 'GuestUserConnect' {
+ $guestUserConnect = $true
+ $ConfigValues | Add-Member -MemberType NoteProperty -Name 'guestuserexclude' -Value ($__dbcconfig | Where-Object Name -EQ 'database.guestuser.excludedb').Value
+ }
 Default {
 }
 }
@@ -169,6 +173,7 @@ function Get-AllDatabaseInfo {
 QueryStore = @(if ($qs) { $psitem.QueryStoreOptions.ActualState })
 CompatibilityLevel = @(if ($compatibilitylevel) { $psitem.CompatibilityLevel })
 ServerLevel = @(if ($compatibilitylevel) { [Enum]::GetNames('Microsoft.SqlServer.Management.Smo.CompatibilityLevel').Where{ $psitem -match $Instance.VersionMajor } })
+ GuestUserConnect = @(if ($guestUserConnect) { if ($psitem.EnumDatabasePermissions('guest') | Where-Object { $_.PermissionState -eq 'Grant' -and $_.PermissionType.Connect }) { $true } } )
 }
 }
 }
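Review bot: `$_.PermissionState -eq 'Grant'` in the added `GuestUserConnect` line misses `GrantWithGrant`, the other `PermissionState` value under which guest would hold CONNECT, so a grant made WITH GRANT OPTION would, if present, be reported as no permission and the check would pass. Match both states: `$_.PermissionState -in 'Grant', 'GrantWithGrant' -and $_.PermissionType.Connect`. The expression also yields an empty array rather than `$false` when guest lacks CONNECT, so the test's `Should -BeFalse` passes on absence of output instead of an explicit value; wrapping the pipeline in `[bool](...)` gives `@($true)`/`@($false)`, e.g. `GuestUserConnect = @(if ($guestUserConnect) { [bool]($psitem.EnumDatabasePermissions('guest') | Where-Object { $_.PermissionState -in 'Grant', 'GrantWithGrant' -and $_.PermissionType.Connect }) })`. `EnumDatabasePermissions('guest')` is invoked for every enumerated database, including offline or restoring ones unless the surrounding loop already filters them; that loop and the rest of `Get-AllDatabaseInfo` lie outside the hunk.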