Access Security Checks | CIS for SQL Server 2000 | CIS for SQL Server 2005 | CIS for SQL Server 2008 | CIS for SQL Server 2008
R2 | CIS for SQL Server 2012 | CIS for SQL Server 2014 | CIS for SQL Server 2016 | CIS for SQL Server 2017 | CIS for SQL Server 2019 | CIS for SQL Server 2022 | DISA-NIST STIG for SQL Server 2012 | DISA-NIST STIG for SQL Server 2014 | DISA-NIST STIG for SQL Server 2016 | European Union General Data Protection Regulation (GDPR) | HIPAA Guidelines for SQL Server | IDERA Level 1 - Basic Protection | IDERA Level 2 - Balanced Protection | IDERA Level 3 - Strong Protection | MS Best Practices Analyzer | NERC Critical Infrastructure Protection | PCI-DSS Guidelines for SQL Server | SNAC for SQL 2000 | SOX Section 404 | SRR Checklist for SQL Server 2000 | SRR Checklist for SQL Server 2005 or later |
|---|
Always Encrypted | Appropriate cryptographic modules have been used to encrypt data. | Assembly host policy | Backup Encryption (Native) | Backup Encryption (Non-Native) | Certificate private keys were never exported | Contained database authentication type | DAC Remote Access | Dangerous Extended Stored Procedures (XSPs) | Database Master Key encrypted by Service Master Key | Database Master Keys Encrypted by Password | Database roles and members | Dynamic Data Masking | Encryption Methods | Files On Drives Not Using NTFS | Fixed Roles Assigned To public Or guest | Guest User Enabled | Linked server is running as a member of sysadmin group | NTFS Folder Level Encryption | Operating System Version | Public role permissions | Remote Access | Required Administrative Accounts Do Not Exist | Row-Level Security | Server roles and members | Signed Objects | SQL Job permissions | SQL Jobs and Agent | SQL Server Browser Running | SQL Server database level encryption | Startup Stored Procedures | Startup Stored Procedures Enabled | Startup Stored Procedures permissions | Stored Procedures Encrypted | Symmetric key | Symmetric Keys Not Encrypted with a Certificate | Sysadmins Own Trustworthy Databases | Transparent Data Encryption | Unacceptable Database Ownership | User Defined Extended Stored Procedures (XSPs)
|
|---|
Analysis Services Running | X | X | X |
|
|
|
|
|
|
|
|
|
|
| X |
| X | X |
|
| X |
|
|
|
|
Asymmetric Key Size |
|
|
| X | X | X | X | X | X | X |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Auto_Close set for contained databases |
|
|
|
| X | X | X | X | X | X |
|
|
|
|
|
| X | X |
|
|
|
|
|
|
|
Backups compliance with RTO and RPO requirements |
|
|
|
|
|
|
|
|
|
| X |
|
|
|
|
|
|
|
| X |
|
|
|
|
|
BUILTIN/Administrators Is sysadmin | X | X | X |
|
|
|
|
|
|
|
|
|
|
| X | X | X | X | X |
| X |
|
| X | X |
CLR Enabled |
|
| X | X | X | X | X | X | X | X |
|
|
| X |
|
|
| X |
|
|
|
|
|
|
|
Common criteria compliance |
|
| X |
|
|
|
|
|
|
|
|
|
|
|
| X | X | X |
|
|
|
|
|
|
|
Data Files On System Drive |
|
|
|
|
|
|
|
|
|
|
|
|
|
| X | X | X | X |
|
|
|
|
|
|
|
Database-level Firewall Rules |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| X | X | X |
|
|
|
|
|
|
|
Databases Are Trustworthy |
|
|
| X | X | X | X | X | X | X | X | X | X | X | X |
|
| X |
|
| X |
|
|
| X |
Default Trace Enabled |
|
| X | X | X | X | X | X | X | X |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Full-Text Search Running |
| X | X |
|
|
|
|
|
|
|
|
|
|
| X |
| X | X |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| X |
|
|
| X |
|
|
|
|
|
|
|
Hide Instance Option is set |
|
|
| X | X | X | X | X | X | X |
|
|
|
|
| X | X | X |
|
|
|
|
|
|
|
Integration Services | X |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Max Number of concurrent sessions |
|
|
|
|
|
|
|
|
|
| X |
|
|
|
| X | X | X |
|
|
|
|
|
|
|
Maximum number of error log files |
|
| X | X | X | X | X | X | X | X |
|
|
|
|
|
| X | X |
|
|
|
|
|
|
|
Ole automation procedures |
|
| X | X | X | X | X | X | X | X |
|
|
| X |
|
| X | X |
|
|
|
|
|
|
|
Other General Domain Accounts |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| X |
|
|
|
|
|
|
|
Replication Enabled |
| X | X |
|
|
|
|
|
|
|
|
|
|
| X |
| X | X |
|
| X |
|
| X | X |
sa Account Not Disabled |
|
|
| X | X | X | X | X | X | X | X | X | X |
| X | X | X | X |
| X | X |
|
|
|
|
sa Account Not Disabled Or Renamed |
| X | X | X | X | X | X | X | X | X | X | X | X |
| X | X | X | X |
| X | X |
|
|
| X |
Sample Databases Exist | X | X | X |
|
|
|
|
|
|
| X | X | X | X |
|
| X | X |
|
|
| X |
| X | X |
Server Is Domain Controller |
| X | X |
|
|
|
|
|
|
|
|
|
|
| X | X | X | X | X |
|
|
|
|
|
|
Server-level Firewall Rules |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| X | X | X |
|
|
|
|
|
|
|
Shutdown SQL Server on Trace Failure |
|
|
|
|
|
|
|
|
|
|
| X | X |
|
|
|
| X |
|
|
|
|
|
|
|
SQL Agent Mail | X | X | X |
|
|
|
|
|
|
|
|
|
|
| X |
| X | X |
|
|
| X |
|
| X |
SQL Mail Or Database Mail Enabled | X | X | X | X | X | X | X | X | X | X |
|
|
|
| X |
| X | X |
|
|
| X |
| X | X |
SQL Server Installation Directories On System Drive |
|
|
|
|
|
|
|
|
|
|
|
|
|
| X | X | X | X |
|
|
|
|
|
|
|
SQL Server Version | X | X | X | X | X | X | X | X | X | X |
|
|
|
| X | X | X | X | X | X | X | X |
| X | X |
System Table Updates | X | X | X |
|
|
|
|
|
|
|
|
|
|
| X | X | X | X |
|
| X |
|
| X |
|
Transport Layer Security |
|
|
|
|
|
|
|
|
|
|
|
|
| X |
|
|
| X |
|
|
|
|
|
|
|
Unauthorized Account Check |
|
|
|
|
|
|
|
|
|
|
|
|
|
| X |
|
| X |
| X | X |
|
|
| X |
User created 'sa' account does not exist |
|
|
|
|
| X | X | X | X | X |
|
|
|
|
|
| X | X |
|
|
|
|
|
|
|
VSS Writer Running |
|
|
|
|
|
|
|
|
|
|
|
|
|
| X |
|
| X |
|
| X |
|
|
|
|
xp_cmdshell Enabled |
| X | X | X | X | X | X |
|
|
| X | X | X | X | X | X | X | X |
|
| X |
|
|
| X |
xp_cmdshell Proxy Account Exists |
| X | X |
|
|
|
|
|
|
|
|
|
|
| X | X | X | X | X |
| X |
|
|
|
|