MS SQL Server 2016 Instance Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000172-DB-000075
Group -
SRG-APP-000176-DB-000068
Group -
SRG-APP-000179-DB-000114
Group -
SQL Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
Use of weak or not validated cryptographic algorithms undermines the purposes of utilizing encryption and digital signatures to protect data. Weak algorithms can be easily broken, and not validated...Rule High Severity -
SRG-APP-000180-DB-000115
Group -
SRG-APP-000224-DB-000384
Group -
SRG-APP-000231-DB-000154
Group -
SRG-APP-000231-DB-000154
Group -
SRG-APP-000231-DB-000154
Group -
The Master Key must be backed up and stored in a secure location that is not on the SQL Server.
Backup and recovery of the Master Key may be critical to the complete recovery of the database. Not having this key can lead to loss of data during recovery.Rule Medium Severity -
SRG-APP-000243-DB-000373
Group -
SRG-APP-000243-DB-000373
Group -
SRG-APP-000243-DB-000374
Group -
SRG-APP-000267-DB-000163
Group -
SRG-APP-000340-DB-000304
Group -
SRG-APP-000342-DB-000302
Group -
SRG-APP-000357-DB-000316
Group -
SQL Server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
In order to ensure sufficient storage capacity for the audit logs, SQL Server must be able to allocate audit record storage capacity. Although another requirement (SRG-APP-000515-DB-000318) mandate...Rule Medium Severity -
SRG-APP-000359-DB-000319
Group -
SRG-APP-000360-DB-000320
Group -
SQL Server must provide an immediate real-time alert to appropriate support staff of all audit log failures.
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impe...Rule Medium Severity -
SRG-APP-000374-DB-000322
Group -
SQL Server must record time stamps in audit records and application data that can be mapped to Coordinated Universal Time (UTC, formerly GMT).
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by SQL Server must include date and time. T...Rule Medium Severity -
SRG-APP-000380-DB-000360
Group -
SRG-APP-000380-DB-000360
Group -
SRG-APP-000381-DB-000361
Group -
SRG-APP-000383-DB-000364
Group -
SRG-APP-000431-DB-000388
Group -
SRG-APP-000431-DB-000388
Group -
SQL Server services must be configured to run under unique dedicated user accounts.
Database management systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each process has a distinct address space so that ...Rule Medium Severity -
SRG-APP-000454-DB-000389
Group -
SRG-APP-000456-DB-000390
Group -
SRG-APP-000492-DB-000332
Group -
SRG-APP-000494-DB-000345
Group -
SQL Server must generate audit records when successful and unsuccessful attempts to access categorized information (e.g., classification levels/security levels) occur.
Changes in categorized information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected. For detailed information on categorizing information, refer...Rule Medium Severity -
SRG-APP-000495-DB-000327
Group -
SRG-APP-000495-DB-000329
Group -
SRG-APP-000496-DB-000335
Group -
SQL Server must generate audit records when successful and unsuccessful attempts to modify security objects occur.
Changes in the database objects (tables, views, procedures, functions) that record and control permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail,...Rule Medium Severity -
SRG-APP-000498-DB-000347
Group -
SQL Server must generate audit records when successful and unsuccessful attempts to modify categorized information (e.g., classification levels/security levels) occur.
Changes in categories of information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected. To aid in diagnosis, it is necessary to keep track of fai...Rule Medium Severity -
SRG-APP-000499-DB-000331
Group -
SRG-APP-000501-DB-000337
Group -
SQL Server must generate audit records when successful and unsuccessful attempts to delete security objects occur.
The removal of security objects from the database/DBMS would seriously degrade a system's information assurance posture. If such an action is attempted, it must be logged. To aid in diagnosis, i...Rule Medium Severity -
SRG-APP-000502-DB-000349
Group -
SRG-APP-000503-DB-000351
Group -
SQL Server must generate audit records when successful and unsuccessful logons or connection attempts occur.
For completeness of forensic analysis, it is necessary to track who/what (a user or other principal) logs on to SQL Server. It is also necessary to track failed attempts to log on to SQL Server. Wh...Rule Medium Severity -
SRG-APP-000504-DB-000354
Group -
SRG-APP-000504-DB-000355
Group -
SRG-APP-000505-DB-000352
Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.