Access Security Checks | CIS for SQL Server 2000 | CIS for SQL Server 2005 | CIS for SQL Server 2008 | CIS for SQL Server 2008 R2 | CIS for SQL Server 2012 | CIS for SQL Server 2014 | CIS for SQL Server 2016 | CIS for SQL Server 2017 | CIS for SQL Server 2019 | DISA-NIST STIG for SQL Server 2012 | DISA-NIST STIG for SQL Server 2014 | DISA-NIST STIG for SQL Server 2016 | European Union General Data Protection Regulation (GDPR) | HIPAA Guidelines for SQL Server | IDERA Level 1 - Basic Protection | IDERA Level 2 - Balanced Protection | IDERA Level 3 - Strong Protection | MS Best Practices Analyzer | NERC Critical Infrastructure Protection | PCI-DSS Guidelines for SQL Server | SNAC for SQL 2000 | SOX Section 404 | SRR Checklist for SQL Server 2000 | SRR Checklist for SQL Server 2005 or later |
|---|
Always Encrypted | Appropriate cryptographic modules have been used to encrypt data. | Active Directory Helper Login Account Not Acceptable |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Analysis Services Login Account Not Acceptable |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Blank Passwords |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
DISTRIBUTOR_ADMIN Login |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Full-Text Search Login Account Not Acceptable |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Integration Services Login Account Not Acceptable |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Notification Services Login Account Not Acceptable |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Orphaned users |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Reporting Services Login Account Not Acceptable |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sa Account Has Blank Password |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sa Account Not Using Password Policy |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SQL Authentication Enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SQL Logins not using Must Change |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SQL Logins Not Using Password Expiration |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SQL Logins Not Using Password Policy |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SQL Server Agent Login Account Not Acceptable |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SQL Server Browser Login Account Not Acceptable |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SQL Server Service Login Account Not Acceptable |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SQL Server SYSADMIN accounts |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Suspect Logins |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Unauthorized SQL Logins Exist |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
VSS Writer Login Account Not Acceptable |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Weak Passwords |
Assembly host policy | Backup Encryption (Native) | Backup Encryption (Non-Native) | Certificate private keys were never exported | Contained database authentication type | DAC Remote Access | Dangerous Extended Stored Procedures (XSPs) | Database Master Key encrypted by Service Master Key | Database Master Keys Encrypted by Password | Database roles and members | Dynamic Data Masking | Encryption Methods | Files On Drives Not Using NTFS | Fixed Roles Assigned To public Or guest | Guest User Enabled | Linked server is running as a member of sysadmin group | NTFS Folder Level Encryption | Operating System Version | Public role permissions | Remote Access | Required Administrative Accounts Do Not Exist | Row-Level Security | Server roles and members | Signed Objects | SQL Job permissions | SQL Jobs and Agent | SQL Server Browser Running | SQL Server database level encryption | Startup Stored Procedures | Startup Stored Procedures Enabled | Startup Stored Procedures permissions | Stored Procedures Encrypted | Symmetric key | Symmetric Keys Not Encrypted with a Certificate | Sysadmins Own Trustworthy Databases | Transparent Data Encryption | Unacceptable Database Ownership | User Defined Extended Stored Procedures (XSPs)