Recommendation (CIS Microsoft SQL Server Benchmark) | NIST SP 800-53 control family |
1.1 Ensure Latest SQL Server Cumulative and Security Updates are Installed | SYSTEM AND SERVICES ACQUISITION |
1.2 Ensure Single-Function Member Servers are Used | SYSTEM AND COMMUNICATIONS PROTECTION |
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
2.2 Ensure 'CLR Enabled' Server Configuration Option is set to '0' | CONFIGURATION MANAGEMENT |
2.3 Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0' | ACCESS CONTROL, MEDIA PROTECTION |
2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
2.5 Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0' | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
2.6 Ensure 'Remote Access' Server Configuration Option is set to '0' | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
2.8 Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0' | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
2.9 Ensure 'Trustworthy' Database Property is set to 'Off' | ACCESS CONTROL, MEDIA PROTECTION |
2.10 Ensure Unnecessary SQL Server Protocols are set to 'Disabled' | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
2.11 Ensure SQL Server is configured to use non-standard ports | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
2.12 Ensure 'Hide Instance' option is set to 'Yes' for Production SQL Server instances | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
2.13 Ensure the 'sa' Login Account is set to 'Disabled' | ACCESS CONTROL |
2.14 Ensure the 'sa' Login Account has been renamed | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
2.15 Ensure 'AUTO_CLOSE' is set to 'OFF' on contained databases | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
2.16 Ensure no login exists with the name 'sa' | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
2.17 Ensure 'clr strict security' Server Configuration Option is set to '1' | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
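The Section 2 items that are sp_configure options (2.1 to 2.8 and 2.17) can be audited and remediated in one pass against sys.configurations; 2.9, 2.13, 2.14, 2.15 and 2.16 live on databases and logins and need separate queries. The T-SQL below is an added example, not text or code from the benchmark. It assumes sysadmin on the instance; the table variable @expected, the @apply switch and the column names are choices made here. Items 2.10, 2.11 and 2.12 are set in SQL Server Configuration Manager or the registry and are not covered.

```sql
-- Added example (not the benchmark's own code). Assumes sysadmin.
-- Reports drift for the Section 2 sp_configure options and, when @apply = 1,
-- runs the generated remediation; the default is report only.
SET NOCOUNT ON;
DECLARE @apply bit = 0;

DECLARE @expected TABLE (item varchar(4) NOT NULL, name nvarchar(35) PRIMARY KEY, expected int NOT NULL);
INSERT INTO @expected (item, name, expected) VALUES
  ('2.1',  N'Ad Hoc Distributed Queries',  0),
  ('2.2',  N'clr enabled',                 0),
  ('2.3',  N'cross db ownership chaining', 0),
  ('2.4',  N'Database Mail XPs',           0),
  ('2.5',  N'Ole Automation Procedures',   0),
  ('2.6',  N'remote access',               0),
  ('2.7',  N'remote admin connections',    0),  -- clustered instances need 1 (DAC over the network)
  ('2.8',  N'scan for startup procs',      0),
  ('2.17', N'clr strict security',         1);  -- exists on SQL Server 2017 and later only

-- Check both the stored value and the running value: an un-RECONFIGUREd change
-- would otherwise pass one column and fail the other.
SELECT e.item, e.name, e.expected,
       CAST(c.value AS int)        AS configured,
       CAST(c.value_in_use AS int) AS running,
       CASE WHEN c.name IS NULL THEN 'N/A'
            WHEN CAST(c.value AS int) = e.expected AND CAST(c.value_in_use AS int) = e.expected THEN 'PASS'
            ELSE 'FAIL' END AS result
FROM @expected e
LEFT JOIN sys.configurations c ON c.name = e.name
ORDER BY e.name;

IF @apply = 1
BEGIN
    -- Several of these are advanced options, so expose them for the duration of the fix.
    DECLARE @sql nvarchar(max) = N'EXEC sp_configure N''show advanced options'', 1; RECONFIGURE;';
    SELECT @sql += N' EXEC sp_configure N''' + e.name + N''', ' + CAST(e.expected AS nvarchar(1)) + N';'
    FROM @expected e
    JOIN sys.configurations c ON c.name = e.name
    WHERE CAST(c.value AS int) <> e.expected OR CAST(c.value_in_use AS int) <> e.expected;
    SET @sql += N' RECONFIGURE; EXEC sp_configure N''show advanced options'', 0; RECONFIGURE;';
    EXEC sys.sp_executesql @sql;
END;

-- 2.9: TRUSTWORTHY off on every database except msdb, which requires it.
SELECT '2.9' AS item, name AS db,
       N'ALTER DATABASE ' + QUOTENAME(name) + N' SET TRUSTWORTHY OFF;' AS remediation
FROM sys.databases
WHERE is_trustworthy_on = 1 AND name <> N'msdb';

-- 2.15: AUTO_CLOSE off on contained databases.
SELECT '2.15' AS item, name AS db,
       N'ALTER DATABASE ' + QUOTENAME(name) + N' SET AUTO_CLOSE OFF;' AS remediation
FROM sys.databases
WHERE containment <> 0 AND is_auto_close_on = 1;

-- 2.13 / 2.14 / 2.16: the built-in sa principal is the login whose sid is 0x01,
-- whatever it is called now. It must be disabled and renamed, and no other
-- login may reuse the name 'sa'.
SELECT '2.13-2.16' AS item, name, is_disabled,
       CASE WHEN sid = 0x01 AND is_disabled = 0
            THEN N'ALTER LOGIN ' + QUOTENAME(name) + N' DISABLE;' END AS remediation
FROM sys.server_principals
WHERE sid = 0x01 OR name = N'sa';
-- Rename afterwards (no particular name is prescribed):
-- ALTER LOGIN [sa] WITH NAME = [<new_name>];
```

Run it with @apply left at 0 first and read the FAIL rows; the remediation string it builds is a plain sp_configure/RECONFIGURE sequence, so anything that must stay on (for example remote admin connections on a cluster, or clr enabled for a vetted assembly) should be removed from @expected before switching @apply to 1.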
3.1 Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode' | ACCESS CONTROL |
3.2 Ensure CONNECT permissions on the 'guest' user are Revoked within all SQL Server databases | ACCESS CONTROL, MEDIA PROTECTION |
3.3 Ensure 'Orphaned Users' are Dropped From SQL Server Databases | ACCESS CONTROL |
3.4 Ensure SQL Authentication is not used in contained databases | ACCESS CONTROL |
3.5 Ensure the SQL Server's MSSQL Service Account is Not an Administrator | ACCESS CONTROL |
3.6 Ensure the SQL Server's SQLAgent Service Account is Not an Administrator | ACCESS CONTROL |
3.7 Ensure the SQL Server's Full-Text Service Account is Not an Administrator | ACCESS CONTROL |
3.8 Ensure only the default permissions specified by Microsoft are granted to the public server role | ACCESS CONTROL, MEDIA PROTECTION |
3.9 Ensure Windows BUILTIN groups are not SQL Logins | ACCESS CONTROL, MEDIA PROTECTION |
3.10 Ensure Windows local groups are not SQL Logins | ACCESS CONTROL, MEDIA PROTECTION |
3.11 Ensure the public role in the msdb database is not granted access to SQL Agent proxies | ACCESS CONTROL, MEDIA PROTECTION |
3.12 Ensure the 'SYSADMIN' Role is Limited to Administrative or Built-in Accounts | ACCESS CONTROL |
3.13 Ensure membership in admin roles in MSDB database is limited | ACCESS CONTROL |
4.1 Ensure 'MUST_CHANGE' Option is set to 'ON' for All SQL Authenticated Logins | IDENTIFICATION AND AUTHENTICATION |
4.2 Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role | ACCESS CONTROL |
4.3 Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins | IDENTIFICATION AND AUTHENTICATION |
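The server-level items in Sections 3 and 4 (3.1, 3.8 to 3.13 and 4.1 to 4.3) can be read from the catalog views in one report. The T-SQL below is an added example, not the benchmark's audit text. It assumes sysadmin (needed for sys.server_permissions and for LOGINPROPERTY on other logins), and the role list under 3.13 is an assumption to be checked against the benchmark. Every row carries the statement that would fix it; nothing is changed until that statement is run.

```sql
-- Added example (not the benchmark's own code). Report only; assumes sysadmin.
SET NOCOUNT ON;

-- 3.1: 1 = Windows Authentication mode only, 0 = mixed mode.
SELECT '3.1' AS item, SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 3.8: anything granted to public beyond the defaults Microsoft documents
-- (VIEW ANY DATABASE, and CONNECT on the default endpoints, major_id 2 to 5).
SELECT '3.8' AS item, p.permission_name, p.class_desc, p.major_id, p.state_desc
FROM sys.server_permissions p
WHERE p.grantee_principal_id = (SELECT principal_id FROM sys.server_principals WHERE name = N'public')
  AND p.state_desc LIKE 'GRANT%'
  AND NOT (p.permission_name = 'VIEW ANY DATABASE' AND p.class_desc = 'SERVER')
  AND NOT (p.permission_name = 'CONNECT' AND p.class_desc = 'ENDPOINT' AND p.major_id BETWEEN 2 AND 5);

-- 3.9 / 3.10: BUILTIN\* groups and machine-local groups must not be logins.
-- Review before dropping: BUILTIN\Administrators is often the only admin path left.
SELECT CASE WHEN name LIKE N'BUILTIN\%' THEN '3.9' ELSE '3.10' END AS item, name, type_desc,
       N'DROP LOGIN ' + QUOTENAME(name) + N';' AS remediation
FROM sys.server_principals
WHERE type = 'G'
  AND (name LIKE N'BUILTIN\%'
       OR name LIKE CAST(SERVERPROPERTY('MachineName') AS nvarchar(128)) + N'\%');

-- 3.11: public must not be mapped to any SQL Agent proxy.
SELECT '3.11' AS item, sp.name AS proxy_name,
       N'EXEC msdb.dbo.sp_revoke_login_from_proxy @name = N''public'', @proxy_name = N''' + sp.name + N''';' AS remediation
FROM msdb.dbo.sysproxylogin spl
JOIN msdb.dbo.sysproxies sp ON sp.proxy_id = spl.proxy_id
JOIN msdb.sys.database_principals dp ON dp.sid = spl.sid
WHERE dp.principal_id = USER_ID('public');

-- 3.12: every sysadmin member, for review against the approved administrator list.
SELECT '3.12' AS item, m.name, m.type_desc, m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- 3.13: members of the msdb admin roles (role list is an assumption here).
SELECT '3.13' AS item, r.name AS role_name, m.name AS member_name
FROM msdb.sys.database_role_members rm
JOIN msdb.sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN msdb.sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'db_ssisadmin', N'dc_admin', N'SQLAgentOperatorRole');

-- 4.1 / 4.2 / 4.3: SQL logins need CHECK_POLICY on (4.3); sysadmin members also need
-- CHECK_EXPIRATION on (4.2, which requires CHECK_POLICY); IsMustChange stays 1 until the
-- first password change (4.1). Setting MUST_CHANGE needs a new password, so it is left
-- as a note: ALTER LOGIN [x] WITH PASSWORD = N'<new>' MUST_CHANGE, CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
WITH sysadmins AS (
    SELECT rm.member_principal_id
    FROM sys.server_role_members rm
    JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
    WHERE r.name = N'sysadmin')
SELECT l.name, l.is_disabled, l.is_policy_checked, l.is_expiration_checked,
       LOGINPROPERTY(l.name, 'IsMustChange') AS is_must_change,
       CASE WHEN s.member_principal_id IS NULL THEN 0 ELSE 1 END AS is_sysadmin,
       CASE WHEN l.is_policy_checked = 0
            THEN N'ALTER LOGIN ' + QUOTENAME(l.name) + N' WITH CHECK_POLICY = ON;' END AS fix_4_3,
       CASE WHEN s.member_principal_id IS NOT NULL AND l.is_expiration_checked = 0
            THEN N'ALTER LOGIN ' + QUOTENAME(l.name) + N' WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;' END AS fix_4_2
FROM sys.sql_logins l
LEFT JOIN sysadmins s ON s.member_principal_id = l.principal_id
WHERE l.name NOT LIKE N'##%'
ORDER BY is_sysadmin DESC, l.name;
```

The 4.2 fix is deliberately limited to sysadmin members, as the benchmark scopes it: turning CHECK_EXPIRATION on for an application or service login makes that login fail the day the Windows password policy's maximum age is reached, which is an outage rather than a hardening.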
5.1 Ensure 'Maximum number of error log files' is set to greater than or equal to '12' | AUDIT AND ACCOUNTABILITY |
5.2 Ensure 'Default Trace Enabled' Server Configuration Option is set to '1' | AUDIT AND ACCOUNTABILITY |
5.3 Ensure 'Login Auditing' is set to 'failed logins' | AUDIT AND ACCOUNTABILITY |
5.4 Ensure 'SQL Server Audit' is set to capture both 'failed' and 'successful logins' | AUDIT AND ACCOUNTABILITY |
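Items 5.1 and 5.3 are registry settings read through xp_instance_regread, 5.2 is an sp_configure option, and 5.4 needs a SQL Server Audit object with a specification covering both login groups. The T-SQL below is an added example, not the benchmark's text. It assumes sysadmin; the audit name TrackLogins, the specification name TrackAllLogins and the file path D:\SQLAudit\ are placeholders chosen here.

```sql
-- Added example (not the benchmark's own code). Assumes sysadmin.
SET NOCOUNT ON;

-- 5.1: number of retained error logs. NULL means the value was never set and the default of 6 applies.
DECLARE @NumErrorLogs int;
EXEC master.sys.xp_instance_regread N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer', N'NumErrorLogs', @NumErrorLogs OUTPUT;
SELECT '5.1' AS item, ISNULL(@NumErrorLogs, 6) AS error_log_files,
       CASE WHEN ISNULL(@NumErrorLogs, 6) >= 12 THEN 'PASS' ELSE 'FAIL' END AS result;
-- Fix: EXEC master.sys.xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
--          N'Software\Microsoft\MSSQLServer\MSSQLServer', N'NumErrorLogs', REG_DWORD, 12;

-- 5.2: default trace on (both the stored and the running value).
SELECT '5.2' AS item, CAST(value AS int) AS configured, CAST(value_in_use AS int) AS running,
       CASE WHEN CAST(value AS int) = 1 AND CAST(value_in_use AS int) = 1 THEN 'PASS' ELSE 'FAIL' END AS result
FROM sys.configurations
WHERE name = N'default trace enabled';

-- 5.3: login auditing must record failed logins; 'failure' or 'all' passes, 'none' or 'success' fails.
EXEC master.sys.xp_loginconfig N'audit level';
-- Fix (takes effect after a service restart; AuditLevel 2 = failure, 3 = all):
-- EXEC master.sys.xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
--          N'Software\Microsoft\MSSQLServer\MSSQLServer', N'AuditLevel', REG_DWORD, 2;

-- 5.4: an enabled server audit whose enabled specification covers failed logins,
-- successful logins and audit changes, each with audited_result SUCCESS AND FAILURE.
SELECT '5.4' AS item, a.name AS audit_name, a.is_state_enabled AS audit_on,
       s.name AS spec_name, s.is_state_enabled AS spec_on,
       d.audit_action_name, d.audited_result
FROM sys.server_audit_specification_details d
JOIN sys.server_audit_specifications s ON s.server_specification_id = d.server_specification_id
JOIN sys.server_audits a ON a.audit_guid = s.audit_guid
WHERE d.audit_action_id IN ('CNAU', 'LGFL', 'LGSD');   -- audit change, login failed, login succeeded

-- Remediation for 5.4 when the query above returns no rows. Run it separately, in master.
-- A file target survives Windows Event Log rotation; the Application log is also acceptable.
/*
USE master;
CREATE SERVER AUDIT [TrackLogins]
    TO FILE (FILEPATH = N'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);   -- SHUTDOWN is stricter but can take the instance down
CREATE SERVER AUDIT SPECIFICATION [TrackAllLogins]
    FOR SERVER AUDIT [TrackLogins]
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (AUDIT_CHANGE_GROUP)      -- so that tampering with the audit itself is recorded
    WITH (STATE = ON);
ALTER SERVER AUDIT [TrackLogins] WITH (STATE = ON);
*/
```

The AUDIT_CHANGE_GROUP is not one of the two login groups the item names, but without it an attacker with ALTER ANY SERVER AUDIT can switch the audit off and leave no record; keeping it in the same specification costs nothing.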
6.1 Ensure Database and Application User Input is Sanitized | SYSTEM AND SERVICES ACQUISITION |
6.2 Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
7.1 Ensure 'Symmetric Key encryption algorithm' is set to 'AES_128' or higher in non-system databases | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
7.2 Ensure Asymmetric Key Size is set to 'greater than or equal to 2048' in non-system databases | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
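Items 3.2, 3.3, 7.1 and 7.2 have to be evaluated inside every database, which is where a one-off check usually misses the database created after the last review. The T-SQL below is an added example, not the benchmark's text: it loops over every ONLINE database and collects findings into one result set. It assumes sysadmin; the temporary table #findings and its column names are choices made here. It is report only, and the remediation column holds the statement to review and run by hand.

```sql
-- Added example (not the benchmark's own code). Assumes sysadmin; offline databases are skipped.
SET NOCOUNT ON;
CREATE TABLE #findings (item varchar(4), db sysname, object_name sysname,
                        detail nvarchar(400), remediation nvarchar(400));

DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = N'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- 3.2: guest must not hold CONNECT, except in master, tempdb and msdb, where it is required.
    -- 3.3: users mapped to a login (authentication_type INSTANCE, i.e. SQL logins) whose SID
    --      matches no login; this is the same population sp_change_users_login reports.
    -- 7.1 / 7.2: key strength in user databases only (DB_ID() > 4 skips the four system databases).
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
INSERT #findings
SELECT ''3.2'', DB_NAME(), N''guest'', p.state_desc + N'' '' + p.permission_name,
       N''USE '' + QUOTENAME(DB_NAME()) + N''; REVOKE CONNECT FROM guest;''
FROM sys.database_permissions p
WHERE p.grantee_principal_id = DATABASE_PRINCIPAL_ID(N''guest'')
  AND p.permission_name = N''CONNECT'' AND p.state_desc LIKE N''GRANT%''
  AND DB_NAME() NOT IN (N''master'', N''tempdb'', N''msdb'');
INSERT #findings
SELECT ''3.3'', DB_NAME(), dp.name, N''orphaned '' + dp.type_desc,
       N''USE '' + QUOTENAME(DB_NAME()) + N''; DROP USER '' + QUOTENAME(dp.name) + N'';''
FROM sys.database_principals dp
LEFT JOIN sys.server_principals sp ON sp.sid = dp.sid
WHERE dp.authentication_type_desc = N''INSTANCE'' AND sp.sid IS NULL;
INSERT #findings
SELECT ''7.1'', DB_NAME(), k.name, k.algorithm_desc,
       N''re-create the key with ALGORITHM = AES_256 and re-encrypt the data it protects''
FROM sys.symmetric_keys k
WHERE DB_ID() > 4 AND k.algorithm_desc NOT IN (N''AES_128'', N''AES_192'', N''AES_256'');
INSERT #findings
SELECT ''7.2'', DB_NAME(), k.name, CAST(k.key_length AS nvarchar(10)) + N'' bits'',
       N''re-create the key with ALGORITHM = RSA_2048 or larger''
FROM sys.asymmetric_keys k
WHERE DB_ID() > 4 AND k.key_length < 2048;';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END;
CLOSE dbs;
DEALLOCATE dbs;

SELECT item, db, object_name, detail, remediation
FROM #findings
ORDER BY item, db, object_name;
DROP TABLE #findings;
```

Two cautions on the generated fixes: DROP USER fails while the user still owns a schema, and an orphan that belongs to a login that was merely re-created (same name, new SID) is better repaired with ALTER USER [name] WITH LOGIN = [name] than dropped; and a key cannot be altered to a stronger algorithm or size, so 7.1 and 7.2 always mean creating a new key, re-encrypting what the old one protected, and only then dropping it.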
8.1 Ensure 'SQL Server Browser Service' is configured correctly | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |