Detections
Analytics

CIS SQL Server 2019 Database L1 DB v1.2.0

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS SQL Server 2019 Database L1 DB v1.2.0

Updated: 8/21/2023

Authority: CIS

Plugin: MS_SQLDB

Revision: 1.1

Estimated Item Count: 40

File Details

Filename: CIS_Microsoft_SQL_Server_2019_Database_v1.2.0_Level_1_Database.audit

Size: 76.8 kB

MD5: f31357b24f85eded70cdb480bc9fadfe
SHA256: b11d72caf94987b4ebfe13ff4c00ecc1b58c78c9382b614e9119c6c7d6fc0fe6

Audit Items

DescriptionCategories
1.1 Ensure Latest SQL Server Cumulative and Security Updates are Installed
1.2 Ensure Single-Function Member Servers are Used
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0'
2.2 Ensure 'CLR Enabled' Server Configuration Option is set to '0'
2.3 Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0'
2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0'
2.5 Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0'
2.6 Ensure 'Remote Access' Server Configuration Option is set to '0'
2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0'
2.8 Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0'
2.9 Ensure 'Trustworthy' Database Property is set to 'Off'
2.11 Ensure SQL Server is configured to use non-standard ports
2.12 Ensure 'Hide Instance' option is set to 'Yes' for Production SQL Server instances
2.13 Ensure the 'sa' Login Account is set to 'Disabled'
2.14 Ensure the 'sa' Login Account has been renamed
2.15 Ensure 'AUTO_CLOSE' is set to 'OFF' on contained databases
2.16 Ensure no login exists with the name 'sa'
2.17 Ensure 'clr strict security' Server Configuration Option is set to '1'
3.1 Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode'
3.2 Ensure CONNECT permissions on the 'guest' user is Revoked within all SQL Server databases excluding the master, msdb and tempdb
3.3 Ensure 'Orphaned Users' are Dropped From SQL Server Databases
3.4 Ensure SQL Authentication is not used in contained databases
3.8 Ensure only the default permissions specified by Microsoft are granted to the public server role
3.9 Ensure Windows BUILTIN groups are not SQL Logins
3.10 Ensure Windows local groups are not SQL Logins
3.11 Ensure the public role in the msdb database is not granted access to SQL Agent proxies
4.1 Ensure 'MUST_CHANGE' Option is set to 'ON' for All SQL Authenticated Logins
4.2 Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role
4.3 Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins
5.1 Ensure 'Maximum number of error log files' is set to greater than or equal to '12'
5.2 Ensure 'Default Trace Enabled' Server Configuration Option is set to '1'
5.3 Ensure 'Login Auditing' is set to 'failed logins'
5.4 Ensure 'SQL Server Audit' is set to capture both 'failed' and 'successful logins' - AUDIT_CHANGE_GROUP
5.4 Ensure 'SQL Server Audit' is set to capture both 'failed' and 'successful logins' - FAILED_LOGIN_GROUP
5.4 Ensure 'SQL Server Audit' is set to capture both 'failed' and 'successful logins' - SUCCESSFUL_LOGIN_GROUP
6.1 Ensure Database and Application User Input is Sanitized
6.2 Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies
7.1 Ensure 'Symmetric Key encryption algorithm' is set to 'AES_128' or higher in non-system databases
7.2 Ensure Asymmetric Key Size is set to 'greater than or equal to 2048' in non-system databases
8.1 Ensure 'SQL Server Browser Service' is configured correctly