Logic & Engine by Andreas Wolter (MCSM)
Version 2026.4
Get-SqlSafe Community Edition is a standalone PowerShell-based SQL Server security assessment collector. It gathers selected high-level security indicators from a SQL Server instance and generates a local HTML report for review and remediation discussions.
The Community Edition is designed as a practical first look at SQL Server security posture. It focuses on baseline indicators such as authentication exposure, auditing gaps, excessive privileges, risky configuration settings, orphaned or dependent accounts, and database ownership drift.
Note: This tool identifies indicators of risk. It is not a full security audit, penetration test, compliance assessment, or guarantee of security.
Read the original public introduction to Get-SqlSafe Community Edition.
Get-SqlSafe.ps1 is a simple, reviewable PowerShell script that helps identify high-level SQL Server security posture indicators. It focuses on common security-relevant areas such as authentication, privileged access, server-level permissions, risky configuration, audit visibility, ownership risks, and orphaned accounts.
This Community Edition is designed to:
- Operate under least-privilege principles where supported by the target SQL Server version.
- Output a clean, visual local HTML report.
- Be transparent and easy to review as plain-text PowerShell with embedded T-SQL.
- Avoid automatic dependency installation.
- Run without the Microsoft
SqlServerPowerShell module orInvoke-Sqlcmd. - Support both GUI-based and console-based execution.
- Support selected checks against SQL Server on Amazon RDS through an explicit compatibility mode.
Version 2026.4 builds on the self-contained 2026.3 collector and adds:
- AWS RDS compatibility mode through
-AwsRdsCompatand the GUI checkbox. AWS managedlabels for selected findings where SQL Server behavior may be controlled by AWS.- Check
006for SQL logins without password policy enforcement. - Improved contained availability group reporting in Check
802, including listener DNS/port details and guidance about the separate contained availability group security context. - Improved availability group handling.
- A category summary table in the HTML report.
- A report legend explaining the result labels.
See CHANGELOG.md for the complete public changelog summary.
The public Community Edition package contains:
Get-SqlSafe.ps1— standalone PowerShell collector, embedded SQL assessment logic, and report generatorREADME.md— usage documentationCHANGELOG.md— public release historyLICENSE.md— Sarpedon Community License
Generated reports and logs are written to:
.\Results
The public package does not require a separate SQL file.
- Windows PowerShell 5.1
- Windows operating system with .NET Framework support
- Network access to the target SQL Server instance
- SQL Server 2016 or newer recommended
- Permissions sufficient to read the assessed security metadata
SQL Server 2012 and SQL Server 2014 may work for selected scenarios, but older versions can require higher privileges for some checks.
No PowerShell module installation is required for SQL execution. The collector uses .NET System.Data.SqlClient.
Get-SqlSafe Community Edition currently supports SQL Server on-premises, SQL Server running in a virtual machine, and selected assessment scenarios for SQL Server on Amazon RDS. Use Windows or SQL authentication as supported by the target platform.
For SQL Server on Amazon RDS, explicitly enable -AwsRdsCompat or select the corresponding GUI option. This mode adjusts or skips selected checks where AWS controls the underlying SQL Server behavior or restricts access to required metadata.
Microsoft Entra authentication scenarios are not currently supported. In current SQL Server versions, Entra-authenticated sessions can expose the session authentication scheme as NTLM, which does not accurately describe the authentication protocol. Because Get-SqlSafe uses SQL Server authentication-scheme metadata for NTLM/Kerberos interpretation, authentication-related findings may be misleading for Entra-authenticated sessions.
Contained availability group metadata is available only when the target SQL Server version exposes the required catalog views. Security-context-dependent checks may need to be run through the contained availability group connection context for complete results.
-
Download the repository or release package.
-
Open Windows PowerShell.
-
Unblock the script if it was downloaded from the internet:
Unblock-File .\Get-SqlSafe.ps1
-
Run the assessment:
.\Get-SqlSafe.ps1 -
Enter the SQL Server name or instance.
-
Select Windows or SQL authentication.
-
Choose the encryption options required by the target.
-
Enable AWS RDS compatibility mode when assessing SQL Server on Amazon RDS.
-
Optionally test the connection and permissions.
-
Start the assessment.
The generated HTML report is written to the Results subfolder and opens automatically unless report launch is disabled.
If your system blocks script execution, you may run the script with an explicit execution policy for this PowerShell process:
powershell.exe -ExecutionPolicy Bypass -File .\Get-SqlSafe.ps1This permits the script to run in that PowerShell process. It does not unblock files permanently and does not install dependencies.
Supplying -SqlInstance automatically runs the script in console mode.
Windows authentication:
.\Get-SqlSafe.ps1 -SqlInstance "SQLPROD01"Run without opening the report automatically:
.\Get-SqlSafe.ps1 -SqlInstance "SQLPROD01" -NoAutoOpenReportSQL authentication:
$pwd = Read-Host "SQL password" -AsSecureString
.\Get-SqlSafe.ps1 -SqlInstance "SQLPROD01" -Auth SQL -SqlUser "assessment_user" -SqlPass $pwd -NoAutoOpenReportMandatory encryption while trusting the server certificate:
.\Get-SqlSafe.ps1 -SqlInstance "SQLPROD01" -Encrypt Mandatory -TrustServerCert -NoAutoOpenReportAWS RDS compatibility mode:
.\Get-SqlSafe.ps1 -SqlInstance "my-rds-instance.example.rds.amazonaws.com" -AwsRdsCompat -Encrypt Mandatory -TrustServerCertWrite a run log:
.\Get-SqlSafe.ps1 -SqlInstance "SQLPROD01" -WriteLog -Verbose -NoAutoOpenReportConsole mode and -NoAutoOpenReport are useful for controlled endpoints, automation-friendly execution, and EDR/XDR-controlled environments where UI prompts or automatic browser launches may be restricted.
| Parameter | Purpose |
|---|---|
-SqlInstance |
Target SQL Server name or instance. Supplying this parameter enables console mode. |
-ConsoleOnly |
Runs without the WPF dialog. Aliases: -NoUI, -NonInteractive. |
-Auth |
Authentication method: Windows or SQL. Defaults to Windows. |
-SqlUser |
SQL login name. Required when -Auth SQL is used. |
-SqlPass |
SQL login password as a SecureString. If omitted for SQL authentication, the script prompts interactively. |
-Encrypt |
Connection encryption mode: Optional or Mandatory. Defaults to Optional. |
-TrustServerCert |
Trusts the SQL Server certificate without certificate-chain validation. |
-AwsRdsCompat |
Enables AWS RDS compatibility behavior and AWS managed labels. |
-WindowsCredential |
Relaunches the assessment under another Windows account. Valid with Windows authentication and requires -SqlInstance. |
-WriteLog |
Writes run output to a log file in the Results folder. Alias: -LogFile. |
-Verbose |
Shows verbose progress output in the console independently of -WriteLog. |
-NoAutoOpenReport |
Prevents the generated HTML report from opening automatically. |
Use Windows authentication when the current Windows account has the required SQL Server permissions:
.\Get-SqlSafe.ps1 -SqlInstance "SQLPROD01"Use -WindowsCredential to relaunch the assessment under another Windows identity:
$cred = Get-Credential
.\Get-SqlSafe.ps1 -ConsoleOnly -SqlInstance "SQLPROD01" -Auth Windows -WindowsCredential $cred -NoAutoOpenReportUse SQL authentication with a secure password prompt:
$pwd = Read-Host "SQL password" -AsSecureString
.\Get-SqlSafe.ps1 -SqlInstance "SQLPROD01" -Auth SQL -SqlUser "assessment_user" -SqlPass $pwdUse -AwsRdsCompat when assessing SQL Server on Amazon RDS.
When enabled, the collector:
- Adjusts selected permission checks for restricted AWS-managed environments.
- Skips Check
046because the required server-level access is not normally available on SQL Server on Amazon RDS. - Excludes AWS-managed objects such as
rdsadminwhere applicable. - Excludes the
modeldatabase from selected owner checks. - Marks selected findings with an
AWS managedlabel when the target is detected as RDS.
AWS RDS compatibility mode does not imply that every control managed by AWS is secure or correctly configured. It distinguishes selected platform-managed conditions from findings under direct customer control.
Check 802 reports contained availability group names and listener DNS/port details when SQL Server 2022 or newer exposes the required metadata.
Important: Contained availability groups maintain security principals and metadata separately from the host SQL Server instance. Checks that depend on this security context, such as identifying orphaned database users, must be executed through the contained availability group context to produce accurate results.
The assessment is designed to run with least privilege using a dedicated login where supported by the SQL Server version.
Recommended practices:
- Use a dedicated assessment login.
- Do not use personal or shared administrator accounts unless required by the target environment and approved by your process.
- Grant only the permissions needed for the target SQL Server version.
- Remove or disable the assessment login after use if it is not part of an approved recurring process.
- Review generated reports as sensitive security output.
The examples below use SqlAssessmentReader as the assessment principal. They apply to self-managed SQL Server. SQL Server on Amazon RDS has a different permission model; use an account with the available metadata permissions and enable -AwsRdsCompat.
GRANT VIEW SERVER SECURITY STATE TO SqlAssessmentReader;
GRANT VIEW ANY SECURITY DEFINITION TO SqlAssessmentReader;
GRANT VIEW SERVER PERFORMANCE STATE TO SqlAssessmentReader;
GRANT CONNECT ANY DATABASE TO SqlAssessmentReader;
ALTER SERVER ROLE securityadmin ADD MEMBER SqlAssessmentReader;
DENY CREATE LOGIN TO SqlAssessmentReader;
DENY ALTER ANY LOGIN TO SqlAssessmentReader;GRANT VIEW SERVER STATE TO SqlAssessmentReader;
GRANT VIEW ANY DEFINITION TO SqlAssessmentReader;
GRANT CONNECT ANY DATABASE TO SqlAssessmentReader;
ALTER SERVER ROLE securityadmin ADD MEMBER SqlAssessmentReader;
DENY ALTER ANY LOGIN TO SqlAssessmentReader;ALTER SERVER ROLE sysadmin ADD MEMBER SqlAssessmentReader;SQL Server 2012 has fewer granular metadata visibility options. Review this requirement carefully before running the Community Edition against SQL Server 2012 systems.
The script includes a connection and permission test in the GUI. In console mode, missing permissions are typically discovered during SQL execution.
The assessment covers high-level indicators across areas such as:
- Authentication configuration
- SQL authentication, password-policy enforcement, and NTLM usage
- Sysadmin and powerful server role memberships
- Server-level permissions
TRUSTWORTHYand cross-database ownership chaining- Powerful features such as
xp_cmdshell, ad hoc distributed queries, and OLE Automation - Orphaned Windows logins and database users
- SQL Server security audit configuration
- Database ownership risks
- SQL Server error log retention
- Availability groups and contained availability groups
- System overview and informational context
The HTML report includes:
- Execution metadata and target summary
- Outcome distribution chart
- Category summary table with status counts and total indicators
- Outcome definition legend
- Detailed findings grouped by category
- Recommendations and references for actionable findings
- Informational context for version and system overview checks
The report uses five outcome states:
| Outcome | Meaning |
|---|---|
INFO |
Provides useful context. It does not indicate a security finding. |
PASS |
The assessed condition met the expected rule. |
OBSERVE |
Marks a condition that is not necessarily risky by itself but should be reviewed or monitored. Impact depends on environment, intent, and compensating controls. |
WARNING |
Indicates a security-relevant finding that should be reviewed and usually remediated, but does not by itself indicate immediate high risk. |
FAIL |
Indicates a clear security risk that requires prompt attention. |
For OBSERVE, WARNING, and FAIL findings, the report includes recommendation text and, where available, reference links.
The tool generates a local HTML report in the Results folder. The report filename includes the target server and timestamp. When -WriteLog is used, a .log file is also written to the same folder.
Generated reports and logs may include sensitive environment-specific information, including:
- Server and database names
- Login and role membership details
- Permission details
- Configuration values
- Database ownership details
- Security findings and recommendations
Handle generated reports according to your organization's data handling and confidentiality requirements.
The collector does not intentionally change SQL Server configuration or data. It reads metadata and reports high-level indicators.
The embedded SQL assessment text is validated before execution using SHA-256.
The required hash is stored in the script and compared against the embedded SQL text before execution. If the embedded SQL text does not match the required hash, execution stops.
This helps detect accidental edits, copy/paste damage, or mismatched build artifacts. For enterprise tamper protection, use your normal file-hash validation and code-signing process.
0 = completed successfully
2 = startup, parameter, credential, or assessment source validation failure
3 = SQL connection or SQL execution failure
This tool is distributed as a plain-text PowerShell script so organizations can review it according to internal security and change-control processes.
Get-SqlSafe Community Edition:
- Runs locally from the extracted folder.
- Connects to SQL Server using Windows or SQL authentication.
- Executes embedded SQL assessment logic.
- Validates the embedded SQL text using SHA-256 before execution.
- Writes a local HTML report to the
Resultsfolder. - Can optionally write a run log to the
Resultsfolder. - Does not install PowerShell modules automatically.
- Does not intentionally modify SQL Server configuration or data as part of the assessment.
Review the PowerShell script before running it in production or customer environments.
Get-FileHash .\Get-SqlSafe.ps1 -Algorithm SHA256Unblock-File .\Get-SqlSafe.ps1Run the assessment against a non-production SQL Server instance before using it in a production environment.
If your organization enforces AllSigned, sign the approved PowerShell file with your internal code-signing certificate after review.
Example only:
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
Set-AuthenticodeSignature -FilePath .\Get-SqlSafe.ps1 -Certificate $certFollow your internal process for code review, signing, packaging, and deployment.
The Community Edition is intentionally limited. It is not:
- A penetration test.
- A compliance assessment.
- A full SQL Server security review.
- A guarantee that the target SQL Server is secure.
A clean report means that the covered baseline indicators did not identify findings. SQL Server's real attack surface is broader and depends on combinations of permissions, ownership, impersonation, SQL Agent, linked servers, database configuration, service accounts, backups, operating-system security posture, and platform-specific controls.
Some checks may require permissions that are not available on older SQL Server versions or managed platforms without elevated access. Use the report as a starting point for deeper review and remediation planning.
- Review
CHANGELOG.mdbefore replacing older scripts. - Replace the previous collector with the new
Get-SqlSafe.ps1file. - Remove the old
SqlSafe.sqlfile if it remains in a working folder; it is no longer used. - Test the collector against a non-production SQL Server before broad use.
- Use
-AwsRdsCompatwhen assessing SQL Server on Amazon RDS.
Get-SqlSafe.ps1 covers a focused set of essential baseline indicators. Enterprise environments often require deeper architectural scrutiny.
The full Sarpedon SQL Server Security Assessment can include advanced architectural checks such as:
- Deep database-level configuration audits
- OS-level and backup security reviews
- Advanced account attribution and lateral-movement mapping
- High availability, operational, and governance-focused review areas
Explore full-scope SQL Server security assessments at Sarpedon Quality Lab.
Logic & Engine by Andreas Wolter (MCSM), Sarpedon Quality Lab.
This project is distributed under the Sarpedon Community License. Use is permitted for internal business or personal purposes. Unmodified generated reports may be shared provided that all branding, attribution, Community Edition designation, and version information remain intact. Redistribution of modified scripts or reports is governed by the license terms.
See LICENSE.md for the full license text. Use the tool only on systems where you have authorization to run security assessment tooling.
This tool is provided "as is", without warranty of any kind.
It identifies indicators of risk and does not replace a full security audit, penetration test, compliance assessment, or professional security review.
Use at your own risk.