The Access Security Checks audit the access and configuration settings that govern who can reach data and objects. These checks examine data encryption, remote access, and other object configurations that allow access to the data or object.
The Access Security Checks available in the Configure the Policy section are the following:

Access Security Checks
Name | CIS for SQL Server 2000 | CIS for SQL Server 2005 | CIS for SQL Server 2008 | CIS for SQL Server 2008 R2 | CIS for SQL Server 2012 | CIS for SQL Server 2014 | CIS for SQL Server 2016 | CIS for SQL Server 2017 | CIS for SQL Server 2019 | DISA-NIST STIG for SQL Server 2012 | DISA-NIST STIG for SQL Server 2014 | DISA-NIST STIG for SQL Server 2016 | European Union General Data Protection Regulation (GDPR) | HIPAA Guidelines for SQL Server | IDERA Level 1 - Basic Protection | IDERA Level 2 - Balanced Protection | IDERA Level 3 - Strong Protection | MS Best Practices Analyzer | NERC Critical Infrastructure Protection | PCI-DSS Guidelines for SQL Server | SNAC for SQL 2000 | SOX Section 404 | SRR Checklist for SQL Server 2000 | SRR Checklist for SQL Server 2005 or later |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Always Encrypted | ||||||||||||||||||||||||
Appropriate cryptographic modules have been used to encrypt data. | ||||||||||||||||||||||||
Assembly host policy | ||||||||||||||||||||||||
Backup Encryption (Native) | ||||||||||||||||||||||||
Backup Encryption (Non-Native) | ||||||||||||||||||||||||
Certificate private keys were never exported | ||||||||||||||||||||||||
Contained database authentication type | ||||||||||||||||||||||||
DAC Remote Access | ||||||||||||||||||||||||
Dangerous Extended Stored Procedures (XSPs) | ||||||||||||||||||||||||
Database Master Key encrypted by Service Master Key | ||||||||||||||||||||||||
Database Master Keys Encrypted by Password | ||||||||||||||||||||||||
Database roles and members | ||||||||||||||||||||||||
Dynamic Data Masking | ||||||||||||||||||||||||
Encryption Methods | ||||||||||||||||||||||||
Files On Drives Not Using NTFS | ||||||||||||||||||||||||
Fixed Roles Assigned To public Or guest | ||||||||||||||||||||||||
Guest User Enabled | ||||||||||||||||||||||||
Linked server is running as a member of sysadmin group | ||||||||||||||||||||||||
NTFS Folder Level Encryption | ||||||||||||||||||||||||
Operating System Version | ||||||||||||||||||||||||
Public role permissions | ||||||||||||||||||||||||
Remote Access | ||||||||||||||||||||||||
Required Administrative Accounts Do Not Exist | ||||||||||||||||||||||||
Row-Level Security | ||||||||||||||||||||||||
Server roles and members | ||||||||||||||||||||||||
Signed Objects | ||||||||||||||||||||||||
SQL Job permissions | ||||||||||||||||||||||||
SQL Jobs and Agent | ||||||||||||||||||||||||
SQL Server Browser Running | ||||||||||||||||||||||||
SQL Server database level encryption | ||||||||||||||||||||||||
Startup Stored Procedures | ||||||||||||||||||||||||
Startup Stored Procedures Enabled | ||||||||||||||||||||||||
Startup Stored Procedures permissions | ||||||||||||||||||||||||
Stored Procedures Encrypted | ||||||||||||||||||||||||
Symmetric key | ||||||||||||||||||||||||
Symmetric Keys Not Encrypted with a Certificate | ||||||||||||||||||||||||
Sysadmins Own Trustworthy Databases | ||||||||||||||||||||||||
Transparent Data Encryption | ||||||||||||||||||||||||
Unacceptable Database Ownership | ||||||||||||||||||||||||
User Defined Extended Stored Procedures (XSPs) | ||||||||||||||||||||||||

Auditing Security Checks
Name | CIS for SQL Server 2000 | CIS for SQL Server 2005 | CIS for SQL Server 2008 | CIS for SQL Server 2008 R2 | CIS for SQL Server 2012 | CIS for SQL Server 2014 | CIS for SQL Server 2016 | CIS for SQL Server 2017 | CIS for SQL Server 2019 | DISA-NIST STIG for SQL Server 2012 | DISA-NIST STIG for SQL Server 2014 | DISA-NIST STIG for SQL Server 2016 | European Union General Data Protection Regulation (GDPR) | HIPAA Guidelines for SQL Server | IDERA Level 1 - Basic Protection | IDERA Level 2 - Balanced Protection | IDERA Level 3 - Strong Protection | MS Best Practices Analyzer | NERC Critical Infrastructure Protection | PCI-DSS Guidelines for SQL Server | SNAC for SQL 2000 | SOX Section 404 | SRR Checklist for SQL Server 2000 | SRR Checklist for SQL Server 2005 or later |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
C2 Audit Trace Enabled | ||||||||||||||||||||||||
DISA Audit Configuration | ||||||||||||||||||||||||
Implement Change Data Capture | ||||||||||||||||||||||||
Login Audit Level | ||||||||||||||||||||||||
SQL Server Audit is Configured for Logins | ||||||||||||||||||||||||
SQL Server Audit is in use | ||||||||||||||||||||||||

Configuration Security Checks
Name | CIS for SQL Server 2000 | CIS for SQL Server 2005 | CIS for SQL Server 2008 | CIS for SQL Server 2008 R2 | CIS for SQL Server 2012 | CIS for SQL Server 2014 | CIS for SQL Server 2016 | CIS for SQL Server 2017 | CIS for SQL Server 2019 | DISA-NIST STIG for SQL Server 2012 | DISA-NIST STIG for SQL Server 2014 | DISA-NIST STIG for SQL Server 2016 | European Union General Data Protection Regulation (GDPR) | HIPAA Guidelines for SQL Server | IDERA Level 1 - Basic Protection | IDERA Level 2 - Balanced Protection | IDERA Level 3 - Strong Protection | MS Best Practices Analyzer | NERC Critical Infrastructure Protection | PCI-DSS Guidelines for SQL Server | SNAC for SQL 2000 | SOX Section 404 | SRR Checklist for SQL Server 2000 | SRR Checklist for SQL Server 2005 or later |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Analysis Services Running | ||||||||||||||||||||||||
Asymmetric Key Size | ||||||||||||||||||||||||
Auto_Close set for contained databases | ||||||||||||||||||||||||
Backups compliance with RTO and RPO requirements | ||||||||||||||||||||||||
BUILTIN/Administrators Is sysadmin | ||||||||||||||||||||||||
CLR Enabled | ||||||||||||||||||||||||
Common criteria compliance | ||||||||||||||||||||||||
Data Files On System Drive | ||||||||||||||||||||||||
Database-level Firewall Rules | ||||||||||||||||||||||||
Databases Are Trustworthy | ||||||||||||||||||||||||
Default Trace Enabled | ||||||||||||||||||||||||
Full-Text Search Running | ||||||||||||||||||||||||
HADR is configured | ||||||||||||||||||||||||
Hide Instance Option is set | ||||||||||||||||||||||||
Integration Services | ||||||||||||||||||||||||
Linked servers are configured | ||||||||||||||||||||||||
Max Number of concurrent sessions | ||||||||||||||||||||||||
Maximum number of error log files | ||||||||||||||||||||||||
Ole automation procedures | ||||||||||||||||||||||||
Other General Domain Accounts | ||||||||||||||||||||||||
Replication Enabled | ||||||||||||||||||||||||
sa Account Not Disabled | ||||||||||||||||||||||||
sa Account Not Disabled Or Renamed | ||||||||||||||||||||||||
Sample Databases Exist | ||||||||||||||||||||||||
Server Is Domain Controller | ||||||||||||||||||||||||
Server-level Firewall Rules | ||||||||||||||||||||||||
Shutdown SQL Server on Trace Failure | ||||||||||||||||||||||||
SQL Agent Mail | ||||||||||||||||||||||||
SQL Mail Or Database Mail Enabled | ||||||||||||||||||||||||
SQL Server Installation Directories On System Drive | ||||||||||||||||||||||||
SQL Server Version | ||||||||||||||||||||||||
System Table Updates | ||||||||||||||||||||||||
Transport Layer Security | ||||||||||||||||||||||||
Unauthorized Account Check | ||||||||||||||||||||||||
User created 'sa' account does not exist | ||||||||||||||||||||||||
VSS Writer Running | ||||||||||||||||||||||||
xp_cmdshell Enabled | ||||||||||||||||||||||||
xp_cmdshell Proxy Account Exists | ||||||||||||||||||||||||

Data Integrity Security Checks
Name | CIS for SQL Server 2000 | CIS for SQL Server 2005 | CIS for SQL Server 2008 | CIS for SQL Server 2008 R2 | CIS for SQL Server 2012 | CIS for SQL Server 2014 | CIS for SQL Server 2016 | CIS for SQL Server 2017 | CIS for SQL Server 2019 | DISA-NIST STIG for SQL Server 2012 | DISA-NIST STIG for SQL Server 2014 | DISA-NIST STIG for SQL Server 2016 | European Union General Data Protection Regulation (GDPR) | HIPAA Guidelines for SQL Server | IDERA Level 1 - Basic Protection | IDERA Level 2 - Balanced Protection | IDERA Level 3 - Strong Protection | MS Best Practices Analyzer | NERC Critical Infrastructure Protection | PCI-DSS Guidelines for SQL Server | SNAC for SQL 2000 | SOX Section 404 | SRR Checklist for SQL Server 2000 | SRR Checklist for SQL Server 2005 or later |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Audit Data Is Stale | ||||||||||||||||||||||||
Baseline Data Not Being Used | ||||||||||||||||||||||||
Snapshot May Be Missing Data | ||||||||||||||||||||||||
Snapshot Not Found | ||||||||||||||||||||||||

Login Security Checks
Name | CIS for SQL Server 2000 | CIS for SQL Server 2005 | CIS for SQL Server 2008 | CIS for SQL Server 2008 R2 | CIS for SQL Server 2012 | CIS for SQL Server 2014 | CIS for SQL Server 2016 | CIS for SQL Server 2017 | CIS for SQL Server 2019 | DISA-NIST STIG for SQL Server 2012 | DISA-NIST STIG for SQL Server 2014 | DISA-NIST STIG for SQL Server 2016 | European Union General Data Protection Regulation (GDPR) | HIPAA Guidelines for SQL Server | IDERA Level 1 - Basic Protection | IDERA Level 2 - Balanced Protection | IDERA Level 3 - Strong Protection | MS Best Practices Analyzer | NERC Critical Infrastructure Protection | PCI-DSS Guidelines for SQL Server | SNAC for SQL 2000 | SOX Section 404 | SRR Checklist for SQL Server 2000 | SRR Checklist for SQL Server 2005 or later |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Active Directory Helper Login Account Not Acceptable | ||||||||||||||||||||||||
Analysis Services Login Account Not Acceptable | ||||||||||||||||||||||||
Blank Passwords | ||||||||||||||||||||||||
DISTRIBUTOR_ADMIN Login | ||||||||||||||||||||||||
Full-Text Search Login Account Not Acceptable | ||||||||||||||||||||||||
Integration Services Login Account Not Acceptable | ||||||||||||||||||||||||
Notification Services Login Account Not Acceptable | ||||||||||||||||||||||||
Orphaned users | ||||||||||||||||||||||||
Reporting Services Login Account Not Acceptable | ||||||||||||||||||||||||
sa Account Has Blank Password | ||||||||||||||||||||||||
sa Account Not Using Password Policy | ||||||||||||||||||||||||
SQL Authentication Enabled | ||||||||||||||||||||||||
SQL Logins not using Must Change | ||||||||||||||||||||||||
SQL Logins Not Using Password Expiration | ||||||||||||||||||||||||
SQL Logins Not Using Password Policy | ||||||||||||||||||||||||
SQL Server Agent Login Account Not Acceptable | ||||||||||||||||||||||||
SQL Server Browser Login Account Not Acceptable | ||||||||||||||||||||||||
SQL Server Service Login Account Not Acceptable | ||||||||||||||||||||||||
SQL Server SYSADMIN accounts | ||||||||||||||||||||||||
Suspect Logins | ||||||||||||||||||||||||
Unauthorized SQL Logins Exist | ||||||||||||||||||||||||
VSS Writer Login Account Not Acceptable | ||||||||||||||||||||||||
Weak Passwords | ||||||||||||||||||||||||

Permissions Security Checks
Name | CIS for SQL Server 2000 | CIS for SQL Server 2005 | CIS for SQL Server 2008 | CIS for SQL Server 2008 R2 | CIS for SQL Server 2012 | CIS for SQL Server 2014 | CIS for SQL Server 2016 | CIS for SQL Server 2017 | CIS for SQL Server 2019 | DISA-NIST STIG for SQL Server 2012 | DISA-NIST STIG for SQL Server 2014 | DISA-NIST STIG for SQL Server 2016 | European Union General Data Protection Regulation (GDPR) | HIPAA Guidelines for SQL Server | IDERA Level 1 - Basic Protection | IDERA Level 2 - Balanced Protection | IDERA Level 3 - Strong Protection | MS Best Practices Analyzer | NERC Critical Infrastructure Protection | PCI-DSS Guidelines for SQL Server | SNAC for SQL 2000 | SOX Section 404 | SRR Checklist for SQL Server 2000 | SRR Checklist for SQL Server 2005 or later |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Agent Job Execution | ||||||||||||||||||||||||
ALTER TRACE Permission Granted To Unauthorized Users | ||||||||||||||||||||||||
CONTROL SERVER Permission Granted To Unauthorized Users | ||||||||||||||||||||||||
Database File Owners Not Acceptable | ||||||||||||||||||||||||
Database File Permissions Not Acceptable | ||||||||||||||||||||||||
Database Files Missing Required Administrative Permissions | ||||||||||||||||||||||||
Direct Access Permissions | ||||||||||||||||||||||||
Everyone Database File Access | ||||||||||||||||||||||||
Everyone System Table Access | ||||||||||||||||||||||||
Executable File Owners Not Acceptable | ||||||||||||||||||||||||
Executable File Permissions Not Acceptable | ||||||||||||||||||||||||
Executable Files Missing Required Administrative Permissions | ||||||||||||||||||||||||
Integration Services Roles Have Dangerous Security Principals | ||||||||||||||||||||||||
Integration Services Roles Permissions Not Acceptable | ||||||||||||||||||||||||
Integration Services Users Permissions Not Acceptable | ||||||||||||||||||||||||
Limit Propagation of access rights | ||||||||||||||||||||||||
Public Database Role Has Permissions | ||||||||||||||||||||||||
Public Role Has Permissions on User Database Objects | ||||||||||||||||||||||||
Public Server Role Has Permissions | ||||||||||||||||||||||||
Registry Key Owners Not Acceptable | ||||||||||||||||||||||||
Registry Key Permissions Not Acceptable | ||||||||||||||||||||||||
Registry Keys Missing Required Administrative Permissions | ||||||||||||||||||||||||
Sysadmins Own Databases | ||||||||||||||||||||||||

Surface Area Security Checks
Name | CIS for SQL Server 2000 | CIS for SQL Server 2005 | CIS for SQL Server 2008 | CIS for SQL Server 2008 R2 | CIS for SQL Server 2012 | CIS for SQL Server 2014 | CIS for SQL Server 2016 | CIS for SQL Server 2017 | CIS for SQL Server 2019 | DISA-NIST STIG for SQL Server 2012 | DISA-NIST STIG for SQL Server 2014 | DISA-NIST STIG for SQL Server 2016 | European Union General Data Protection Regulation (GDPR) | HIPAA Guidelines for SQL Server | IDERA Level 1 - Basic Protection | IDERA Level 2 - Balanced Protection | IDERA Level 3 - Strong Protection | MS Best Practices Analyzer | NERC Critical Infrastructure Protection | PCI-DSS Guidelines for SQL Server | SNAC for SQL 2000 | SOX Section 404 | SRR Checklist for SQL Server 2000 | SRR Checklist for SQL Server 2005 or later |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Ad Hoc Distributed Queries Enabled | ||||||||||||||||||||||||
Common TCP Port Used | ||||||||||||||||||||||||
Cross Database Ownership Chaining Enabled | ||||||||||||||||||||||||
FILESTREAM is configured | ||||||||||||||||||||||||
Integration Services Running | ||||||||||||||||||||||||
Notification Services Running | ||||||||||||||||||||||||
Reporting Services Running | ||||||||||||||||||||||||
SQL Server Agent Running | ||||||||||||||||||||||||
SQL Server Browser Running | ||||||||||||||||||||||||
Unapproved Protocols | ||||||||||||||||||||||||