The following Access Security Checks are available in the Configure the Policy section:
Access Security Checks
Name | CIS for SQL Server 2000 | CIS for SQL Server 2005 | CIS for SQL Server 2008 | CIS for SQL Server 2008 R2 | CIS for SQL Server 2012 | CIS for SQL Server 2014 | CIS for SQL Server 2016 | CIS for SQL Server 2017 | CIS for SQL Server 2019 | DISA-NIST STIG for SQL Server 2012 | DISA-NIST STIG for SQL Server 2014 | DISA-NIST STIG for SQL Server 2016 | European Union General Data Protection Regulation (GDPR) | HIPAA Guidelines for SQL Server | IDERA Level 1 - Basic Protection | IDERA Level 2 - Balanced Protection | IDERA Level 3 - Strong Protection | MS Best Practices Analyzer | NERC Critical Infrastructure Protection | PCI-DSS Guidelines for SQL Server | SNAC for SQL 2000 | SOX Section 404 | SRR Checklist for SQL Server 2000 | SRR Checklist for SQL Server 2005 or later |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Always Encrypted | ||||||||||||||||||||||||
Appropriate cryptographic modules have been used to encrypt data. | ||||||||||||||||||||||||
Assembly host policy | ||||||||||||||||||||||||
Backup Encryption (Native) | ||||||||||||||||||||||||
Backup Encryption (Non-Native) | ||||||||||||||||||||||||
Certificate private keys were never exported | ||||||||||||||||||||||||
Contained database authentication type | ||||||||||||||||||||||||
DAC Remote Access | ||||||||||||||||||||||||
Dangerous Extended Stored Procedures (XSPs) | ||||||||||||||||||||||||
Database Master Key encrypted by Service Master Key | ||||||||||||||||||||||||
Database Master Keys Encrypted by Password | ||||||||||||||||||||||||
Database roles and members | ||||||||||||||||||||||||
Dynamic Data Masking | ||||||||||||||||||||||||
Encryption Methods | ||||||||||||||||||||||||
Files On Drives Not Using NTFS | ||||||||||||||||||||||||
Fixed Roles Assigned To public Or guest | ||||||||||||||||||||||||
Guest User Enabled | ||||||||||||||||||||||||
Linked server is running as a member of sysadmin group | ||||||||||||||||||||||||
NTFS Folder Level Encryption | ||||||||||||||||||||||||
Operating System Version | ||||||||||||||||||||||||
Public role permissions | ||||||||||||||||||||||||
Remote Access | ||||||||||||||||||||||||
Required Administrative Accounts Do Not Exist | ||||||||||||||||||||||||
Row-Level Security | ||||||||||||||||||||||||
Server roles and members | ||||||||||||||||||||||||
Signed Objects | ||||||||||||||||||||||||
SQL Job permissions | ||||||||||||||||||||||||
SQL Jobs and Agent | ||||||||||||||||||||||||
SQL Server Browser Running | ||||||||||||||||||||||||
SQL Server database level encryption | ||||||||||||||||||||||||
Startup Stored Procedures | ||||||||||||||||||||||||
Startup Stored Procedures Enabled | ||||||||||||||||||||||||
Startup Stored Procedures permissions | ||||||||||||||||||||||||
Stored Procedures Encrypted | ||||||||||||||||||||||||
Symmetric key | ||||||||||||||||||||||||
Symmetric Keys Not Encrypted with a Certificate | ||||||||||||||||||||||||
Sysadmins Own Trustworthy Databases | ||||||||||||||||||||||||
Transparent Data Encryption | ||||||||||||||||||||||||
Unacceptable Database Ownership | ||||||||||||||||||||||||
User Defined Extended Stored Procedures (XSPs) |
Name | CIS for SQL Server 2000 | CIS for SQL Server 2005 | CIS for SQL Server 2008 | CIS for SQL Server 2008 R2 | CIS for SQL Server 2012 | CIS for SQL Server 2014 | CIS for SQL Server 2016 | CIS for SQL Server 2017 | CIS for SQL Server 2019 | DISA-NIST STIG for SQL Server 2012 | DISA-NIST STIG for SQL Server 2014 | DISA-NIST STIG for SQL Server 2016 | European Union General Data Protection Regulation (GDPR) | HIPAA Guidelines for SQL Server | IDERA Level 1 - Basic Protection | IDERA Level 2 - Balanced Protection | IDERA Level 3 - Strong Protection | MS Best Practices Analyzer | NERC Critical Infrastructure Protection | PCI-DSS Guidelines for SQL Server | SNAC for SQL 2000 | SOX Section 404 | SRR Checklist for SQL Server 2000 | SRR Checklist for SQL Server 2005 or later |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
C2 Audit Trace Enabled | ||||||||||||||||||||||||
DISA Audit Configuration | ||||||||||||||||||||||||
Implement Change Data Capture | ||||||||||||||||||||||||
Login Audit Level | ||||||||||||||||||||||||
SQL Server Audit is Configured for Logins | ||||||||||||||||||||||||
SQL Server Audit is in use |
Configuration Security Checks
Name | CIS for SQL Server 2000 | CIS for SQL Server 2005 | CIS for SQL Server 2008 | CIS for SQL Server 2008 R2 | CIS for SQL Server 2012 | CIS for SQL Server 2014 | CIS for SQL Server 2016 | CIS for SQL Server 2017 | CIS for SQL Server 2019 | DISA-NIST STIG for SQL Server 2012 | DISA-NIST STIG for SQL Server 2014 | DISA-NIST STIG for SQL Server 2016 | European Union General Data Protection Regulation (GDPR) | HIPAA Guidelines for SQL Server | IDERA Level 1 - Basic Protection | IDERA Level 2 - Balanced Protection | IDERA Level 3 - Strong Protection | MS Best Practices Analyzer | NERC Critical Infrastructure Protection | PCI-DSS Guidelines for SQL Server | SNAC for SQL 2000 | SOX Section 404 | SRR Checklist for SQL Server 2000 | SRR Checklist for SQL Server 2005 or later |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Analysis Services Running | ||||||||||||||||||||||||
Asymmetric Key Size | ||||||||||||||||||||||||
Auto_Close set for contained databases | ||||||||||||||||||||||||
Backups compliance with RTO and RPO requirements | ||||||||||||||||||||||||
BUILTIN/Administrators Is sysadmin | ||||||||||||||||||||||||
CLR Enabled | ||||||||||||||||||||||||
Common criteria compliance | ||||||||||||||||||||||||
Data Files On System Drive | ||||||||||||||||||||||||
Database-level Firewall Rules | ||||||||||||||||||||||||
Databases Are Trustworthy | ||||||||||||||||||||||||
Default Trace Enabled | ||||||||||||||||||||||||
Full-Text Search Running | ||||||||||||||||||||||||
HADR is configured | ||||||||||||||||||||||||
Hide Instance Option is set | ||||||||||||||||||||||||
Integration Services | ||||||||||||||||||||||||
Linked servers are configured | ||||||||||||||||||||||||
Max Number of concurrent sessions | ||||||||||||||||||||||||
Maximum number of error log files | ||||||||||||||||||||||||
Ole automation procedures | ||||||||||||||||||||||||
Other General Domain Accounts | ||||||||||||||||||||||||
Replication Enabled | ||||||||||||||||||||||||
sa Account Not Disabled | ||||||||||||||||||||||||
sa Account Not Disabled Or Renamed | ||||||||||||||||||||||||
Sample Databases Exist | ||||||||||||||||||||||||
Server Is Domain Controller | ||||||||||||||||||||||||
Server-level Firewall Rules | ||||||||||||||||||||||||
Shutdown SQL Server on Trace Failure | ||||||||||||||||||||||||
SQL Agent Mail | ||||||||||||||||||||||||
SQL Mail Or Database Mail Enabled | ||||||||||||||||||||||||
SQL Server Installation Directories On System Drive | ||||||||||||||||||||||||
SQL Server Version | ||||||||||||||||||||||||
System Table Updates | ||||||||||||||||||||||||
Transport Layer Security | ||||||||||||||||||||||||
Unauthorized Account Check | ||||||||||||||||||||||||
User created 'sa' account does not exist | ||||||||||||||||||||||||
VSS Writer Running | ||||||||||||||||||||||||
xp_cmdshell Enabled | ||||||||||||||||||||||||
xp_cmdshell Proxy Account Exists |
Data Integrity Security Checks
Name | CIS for SQL Server 2000 | CIS for SQL Server 2005 | CIS for SQL Server 2008 | CIS for SQL Server 2008 R2 | CIS for SQL Server 2012 | CIS for SQL Server 2014 | CIS for SQL Server 2016 | CIS for SQL Server 2017 | CIS for SQL Server 2019 | DISA-NIST STIG for SQL Server 2012 | DISA-NIST STIG for SQL Server 2014 | DISA-NIST STIG for SQL Server 2016 | European Union General Data Protection Regulation (GDPR) | HIPAA Guidelines for SQL Server | IDERA Level 1 - Basic Protection | IDERA Level 2 - Balanced Protection | IDERA Level 3 - Strong Protection | MS Best Practices Analyzer | NERC Critical Infrastructure Protection | PCI-DSS Guidelines for SQL Server | SNAC for SQL 2000 | SOX Section 404 | SRR Checklist for SQL Server 2000 | SRR Checklist for SQL Server 2005 or later |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Audit Data Is Stale | ||||||||||||||||||||||||
Baseline Data Not Being Used | ||||||||||||||||||||||||
Snapshot May Be Missing Data | ||||||||||||||||||||||||
Snapshot Not Found |
Login Security Checks
Name | CIS for SQL Server 2000 | CIS for SQL Server 2005 | CIS for SQL Server 2008 | CIS for SQL Server 2008 R2 | CIS for SQL Server 2012 | CIS for SQL Server 2014 | CIS for SQL Server 2016 | CIS for SQL Server 2017 | CIS for SQL Server 2019 | DISA-NIST STIG for SQL Server 2012 | DISA-NIST STIG for SQL Server 2014 | DISA-NIST STIG for SQL Server 2016 | European Union General Data Protection Regulation (GDPR) | HIPAA Guidelines for SQL Server | IDERA Level 1 - Basic Protection | IDERA Level 2 - Balanced Protection | IDERA Level 3 - Strong Protection | MS Best Practices Analyzer | NERC Critical Infrastructure Protection | PCI-DSS Guidelines for SQL Server | SNAC for SQL 2000 | SOX Section 404 | SRR Checklist for SQL Server 2000 | SRR Checklist for SQL Server 2005 or later |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Active Directory Helper Login Account Not Acceptable | ||||||||||||||||||||||||
Analysis Services Login Account Not Acceptable | ||||||||||||||||||||||||
Blank Passwords | ||||||||||||||||||||||||
DISTRIBUTOR_ADMIN Login | ||||||||||||||||||||||||
Full-Text Search Login Account Not Acceptable | ||||||||||||||||||||||||
Integration Services Login Account Not Acceptable | ||||||||||||||||||||||||
Notification Services Login Account Not Acceptable | ||||||||||||||||||||||||
Orphaned users | ||||||||||||||||||||||||
Reporting Services Login Account Not Acceptable | ||||||||||||||||||||||||
sa Account Has Blank Password | ||||||||||||||||||||||||
sa Account Not Using Password Policy | ||||||||||||||||||||||||
SQL Authentication Enabled | ||||||||||||||||||||||||
SQL Logins not using Must Change | ||||||||||||||||||||||||
SQL Logins Not Using Password Expiration | ||||||||||||||||||||||||
SQL Logins Not Using Password Policy | ||||||||||||||||||||||||
SQL Server Agent Login Account Not Acceptable | ||||||||||||||||||||||||
SQL Server Browser Login Account Not Acceptable | ||||||||||||||||||||||||
SQL Server Service Login Account Not Acceptable | ||||||||||||||||||||||||
SQL Server SYSADMIN accounts | ||||||||||||||||||||||||
Suspect Logins | ||||||||||||||||||||||||
Unauthorized SQL Logins Exist | ||||||||||||||||||||||||
VSS Writer Login Account Not Acceptable | ||||||||||||||||||||||||
Weak Passwords |
Permissions Security Checks
Name | CIS for SQL Server 2000 | CIS for SQL Server 2005 | CIS for SQL Server 2008 | CIS for SQL Server 2008 R2 | CIS for SQL Server 2012 | CIS for SQL Server 2014 | CIS for SQL Server 2016 | CIS for SQL Server 2017 | CIS for SQL Server 2019 | DISA-NIST STIG for SQL Server 2012 | DISA-NIST STIG for SQL Server 2014 | DISA-NIST STIG for SQL Server 2016 | European Union General Data Protection Regulation (GDPR) | HIPAA Guidelines for SQL Server | IDERA Level 1 - Basic Protection | IDERA Level 2 - Balanced Protection | IDERA Level 3 - Strong Protection | MS Best Practices Analyzer | NERC Critical Infrastructure Protection | PCI-DSS Guidelines for SQL Server | SNAC for SQL 2000 | SOX Section 404 | SRR Checklist for SQL Server 2000 | SRR Checklist for SQL Server 2005 or later |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Agent Job Execution | ||||||||||||||||||||||||
ALTER TRACE Permission Granted To Unauthorized Users | ||||||||||||||||||||||||
CONTROL SERVER Permission Granted To Unauthorized Users | ||||||||||||||||||||||||
Database File Owners Not Acceptable | ||||||||||||||||||||||||
Database File Permissions Not Acceptable | ||||||||||||||||||||||||
Database Files Missing Required Administrative Permissions | ||||||||||||||||||||||||
Direct Access Permissions | ||||||||||||||||||||||||
Everyone Database File Access | ||||||||||||||||||||||||
Everyone System Table Access | ||||||||||||||||||||||||
Executable File Owners Not Acceptable | ||||||||||||||||||||||||
Executable File Permissions Not Acceptable | ||||||||||||||||||||||||
Executable Files Missing Required Administrative Permissions | ||||||||||||||||||||||||
Integration Services Roles Have Dangerous Security Principals | ||||||||||||||||||||||||
Integration Services Roles Permissions Not Acceptable | ||||||||||||||||||||||||
Integration Services Users Permissions Not Acceptable | ||||||||||||||||||||||||
Limit Propagation of access rights | ||||||||||||||||||||||||
Public Database Role Has Permissions | ||||||||||||||||||||||||
Public Role Has Permissions on User Database Objects | ||||||||||||||||||||||||
Public Server Role Has Permissions | ||||||||||||||||||||||||
Registry Key Owners Not Acceptable | ||||||||||||||||||||||||
Registry Key Permissions Not Acceptable | ||||||||||||||||||||||||
Registry Keys Missing Required Administrative Permissions | ||||||||||||||||||||||||
Sysadmins Own Databases |
Surface Area Security Checks
Name | CIS for SQL Server 2000 | CIS for SQL Server 2005 | CIS for SQL Server 2008 | CIS for SQL Server 2008 R2 | CIS for SQL Server 2012 | CIS for SQL Server 2014 | CIS for SQL Server 2016 | CIS for SQL Server 2017 | CIS for SQL Server 2019 | DISA-NIST STIG for SQL Server 2012 | DISA-NIST STIG for SQL Server 2014 | DISA-NIST STIG for SQL Server 2016 | European Union General Data Protection Regulation (GDPR) | HIPAA Guidelines for SQL Server | IDERA Level 1 - Basic Protection | IDERA Level 2 - Balanced Protection | IDERA Level 3 - Strong Protection | MS Best Practices Analyzer | NERC Critical Infrastructure Protection | PCI-DSS Guidelines for SQL Server | SNAC for SQL 2000 | SOX Section 404 | SRR Checklist for SQL Server 2000 | SRR Checklist for SQL Server 2005 or later |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Ad Hoc Distributed Queries Enabled | ||||||||||||||||||||||||
Common TCP Port Used | ||||||||||||||||||||||||
Cross Database Ownership Chaining Enabled | ||||||||||||||||||||||||
FILESTREAM is configured | ||||||||||||||||||||||||
Integration Services Running | ||||||||||||||||||||||||
Notification Services Running | ||||||||||||||||||||||||
Reporting Services Running | ||||||||||||||||||||||||
SQL Server Agent Running | ||||||||||||||||||||||||
SQL Server Browser Running | ||||||||||||||||||||||||
Unapproved Protocols |