CIS SQL Server 2008 R2 DB Engine L1 v1.7.0

Audit Details

Name: CIS SQL Server 2008 R2 DB Engine L1 v1.7.0

Updated: 6/17/2024

Authority: CIS

Plugin: MS_SQLDB

Revision: 1.1

Estimated Item Count: 33

File Details

Filename: CIS_Microsoft_SQL_Server_2008_R2_v1.7.0_Level_1_Database.audit

Size: 70.9 kB

MD5: 3b6ccd608b2405723b26360bfa28a1e5
SHA256: bc9ac5e74b97dc904e0d35e434127679c46b1507eec9685bf0d5d4580ef89787

Audit Items

DescriptionCategories
1.1 Ensure Latest SQL Server Service Packs and Hotfixes are Installed

CONFIGURATION MANAGEMENT

1.2 Ensure Single-Function Member Servers are Used

SYSTEM AND COMMUNICATIONS PROTECTION

2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0'

SYSTEM AND INFORMATION INTEGRITY

2.2 Ensure 'CLR Enabled' Server Configuration Option is set to '0'

CONFIGURATION MANAGEMENT

2.3 Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0'

ACCESS CONTROL

2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0'

SYSTEM AND INFORMATION INTEGRITY

2.5 Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0'

CONFIGURATION MANAGEMENT

2.6 Ensure 'Remote Access' Server Configuration Option is set to '0'

SYSTEM AND INFORMATION INTEGRITY

2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0'

SYSTEM AND INFORMATION INTEGRITY

2.8 Ensure 'Scan for Startup Procs' Server Configuration Option is set to '0'

CONFIGURATION MANAGEMENT

2.9 Ensure 'SQL Mail XPs' Server Configuration Option is set to '0'

SYSTEM AND INFORMATION INTEGRITY

2.10 Ensure 'Trustworthy' Database Property is set to 'Off'

ACCESS CONTROL

2.14 Ensure 'sa' Login Account is set to 'Disabled'

ACCESS CONTROL

2.15 Ensure 'sa' Login Account has been renamed

CONFIGURATION MANAGEMENT

2.16 Ensure 'xp_cmdshell' Server Configuration Option is set to '0'

SYSTEM AND INFORMATION INTEGRITY

3.1 Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode'

IDENTIFICATION AND AUTHENTICATION

3.2 Ensure CONNECT permissions on the 'guest user' is Revoked within all SQL Server databases excluding the master, msdb and tempdb

ACCESS CONTROL

3.3 Ensure 'Orphaned Users' are Dropped From SQL Server Databases

ACCESS CONTROL

3.7 Ensure only the default permissions specified by Microsoft are granted to the public server role

ACCESS CONTROL

3.8 Ensure Windows BUILTIN groups are not SQL Logins

ACCESS CONTROL

3.9 Ensure Windows local groups are not SQL Logins

ACCESS CONTROL

3.10 Ensure the public role in the msdb database is not granted access to SQL Agent proxies

ACCESS CONTROL

4.1 Ensure 'MUST_CHANGE' Option is set to 'ON' for All SQL Authenticated Logins

IDENTIFICATION AND AUTHENTICATION

4.2 Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role

ACCESS CONTROL

4.3 Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins

IDENTIFICATION AND AUTHENTICATION

5.1 Ensure 'Maximum number of error log files' is set to greater than or equal to '12'

AUDIT AND ACCOUNTABILITY

5.2 Ensure 'Default Trace Enabled' Server Configuration Option is set to '1'

AUDIT AND ACCOUNTABILITY

5.3 Ensure 'Login Auditing' is set to Both 'failed' and 'successful logins'

ACCESS CONTROL

6.1 Ensure Database and Application User Input is Sanitized

SYSTEM AND INFORMATION INTEGRITY

6.2 Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies

CONFIGURATION MANAGEMENT

7.1 Ensure 'Symmetric Key encryption algorithm' is set to 'AES_128' or higher in non-system databases

SYSTEM AND COMMUNICATIONS PROTECTION

7.2 Ensure Asymmetric Key Size is set to 'greater than or equal to 2048' in non-system databases

SYSTEM AND COMMUNICATIONS PROTECTION

8.1 Ensure 'SQL Server Browser Service' is configured correctly

SYSTEM AND INFORMATION INTEGRITY