| 1.1 Ensure Latest SQL Server Service Packs and Hotfixes are Installed | CONFIGURATION MANAGEMENT |
| 1.2 Ensure Single-Function Member Servers are Used | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | SYSTEM AND INFORMATION INTEGRITY |
| 2.2 Ensure 'CLR Enabled' Server Configuration Option is set to '0' | CONFIGURATION MANAGEMENT |
| 2.3 Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0' | ACCESS CONTROL |
| 2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' | SYSTEM AND INFORMATION INTEGRITY |
| 2.5 Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0' | CONFIGURATION MANAGEMENT |
| 2.6 Ensure 'Remote Access' Server Configuration Option is set to '0' | SYSTEM AND INFORMATION INTEGRITY |
| 2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' | SYSTEM AND INFORMATION INTEGRITY |
| 2.8 Ensure 'Scan for Startup Procs' Server Configuration Option is set to '0' | CONFIGURATION MANAGEMENT |
| 2.9 Ensure 'SQL Mail XPs' Server Configuration Option is set to '0' | SYSTEM AND INFORMATION INTEGRITY |
| 2.10 Ensure 'Trustworthy' Database Property is set to 'Off' | ACCESS CONTROL |
| 2.14 Ensure 'sa' Login Account is set to 'Disabled' | ACCESS CONTROL |
| 2.15 Ensure 'sa' Login Account has been renamed | CONFIGURATION MANAGEMENT |
| 2.16 Ensure 'xp_cmdshell' Server Configuration Option is set to '0' | SYSTEM AND INFORMATION INTEGRITY |
| 3.1 Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode' | IDENTIFICATION AND AUTHENTICATION |
| 3.2 Ensure CONNECT permissions on the 'guest user' is Revoked within all SQL Server databases excluding the master, msdb and tempdb | ACCESS CONTROL |
| 3.3 Ensure 'Orphaned Users' are Dropped From SQL Server Databases | ACCESS CONTROL |
| 3.7 Ensure only the default permissions specified by Microsoft are granted to the public server role | ACCESS CONTROL |
| 3.8 Ensure Windows BUILTIN groups are not SQL Logins | ACCESS CONTROL |
| 3.9 Ensure Windows local groups are not SQL Logins | ACCESS CONTROL |
| 3.10 Ensure the public role in the msdb database is not granted access to SQL Agent proxies | ACCESS CONTROL |
| 4.1 Ensure 'MUST_CHANGE' Option is set to 'ON' for All SQL Authenticated Logins | IDENTIFICATION AND AUTHENTICATION |
| 4.2 Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role | ACCESS CONTROL |
| 4.3 Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins | IDENTIFICATION AND AUTHENTICATION |
| 5.1 Ensure 'Maximum number of error log files' is set to greater than or equal to '12' | AUDIT AND ACCOUNTABILITY |
| 5.2 Ensure 'Default Trace Enabled' Server Configuration Option is set to '1' | AUDIT AND ACCOUNTABILITY |
| 5.3 Ensure 'Login Auditing' is set to Both 'failed' and 'successful logins' | ACCESS CONTROL |
| 6.1 Ensure Database and Application User Input is Sanitized | SYSTEM AND INFORMATION INTEGRITY |
| 6.2 Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies | CONFIGURATION MANAGEMENT |
| 7.1 Ensure 'Symmetric Key encryption algorithm' is set to 'AES_128' or higher in non-system databases | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.2 Ensure Asymmetric Key Size is set to 'greater than or equal to 2048' in non-system databases | SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.1 Ensure 'SQL Server Browser Service' is configured correctly | SYSTEM AND INFORMATION INTEGRITY |
