MS SQL Server 2016 Instance Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SQL Server must generate audit records showing starting and ending time for user access to the database(s).

    For completeness of forensic analysis, it is necessary to know how long a user's (or other principal's) connection to SQL Server lasts. This can be achieved by recording disconnections, in addition...
    Rule Medium Severity
  • SRG-APP-000506-DB-000353

    Group
  • SQL Server must generate audit records when concurrent logons/connections by the same user from different workstations occur.

    For completeness of forensic analysis, it is necessary to track who logs on to SQL Server. Concurrent connections by the same user from multiple workstations may be valid use of the system; or s...
    Rule Medium Severity
  • SRG-APP-000507-DB-000357

    Group
  • SQL Server must generate audit records when successful and unsuccessful accesses to objects occur.

    Without tracking all or selected types of access to all or selected objects (tables, views, procedures, functions, etc.), it would be difficult to establish, correlate, and investigate the events r...
    Rule Medium Severity
  • SRG-APP-000508-DB-000358

    Group
  • SRG-APP-000514-DB-000381

    Group
  • SRG-APP-000514-DB-000382

    Group
  • SQL Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to generate and validate cryptographic hashes.

    Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards ...
    Rule High Severity
  • SRG-APP-000514-DB-000383

    Group
  • SQL Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owner's requirements.

    Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards ...
    Rule Medium Severity
  • SRG-APP-000515-DB-000318

    Group
  • The system SQL Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.

    Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. ...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    Group
  • SQL Server must configure Customer Feedback and Error Reporting.

    By default, Microsoft SQL Server enables participation in the customer experience improvement program (CEIP). This program collects information about how its customers are using the product. Specif...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    Group
  • SQL Server must configure SQL Server Usage and Error Reporting Auditing.

    By default, Microsoft SQL Server enables participation in the customer experience improvement program (CEIP). This program collects information about how its customers are using the product. Specif...
    Rule Medium Severity
  • SRG-APP-000033-DB-000084

    Group
  • SRG-APP-000141-DB-000092

    Group
  • SRG-APP-000342-DB-000302

    Group
  • Execution of startup stored procedures must be restricted to necessary cases only.

    In certain situations, to provide required functionality, a DBMS needs to execute internal logic (stored procedures, functions, triggers, etc.) and/or external code modules with elevated privileges...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    Group
  • SRG-APP-000516-DB-000363

    Group
  • SQL Server Service Broker endpoint must utilize AES encryption.

    Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, an...
    Rule Medium Severity
  • SRG-APP-000141-DB-000093

    Group
  • SRG-APP-000141-DB-000093

    Group
  • Filestream must be disabled, unless specifically required and approved.

    Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizatio...
    Rule Medium Severity
  • SRG-APP-000141-DB-000093

    Group
  • SRG-APP-000141-DB-000092

    Group
  • SQL Server User Options feature must be disabled, unless specifically required and approved.

    SQL Server is capable of providing a wide range of features and services. Some of the features and services, provided by default, may not be necessary, and enabling them could adversely affect the ...
    Rule Medium Severity
  • SRG-APP-000141-DB-000093

    Group
  • SRG-APP-000141-DB-000093

    Group
  • Hadoop Connectivity feature must be disabled, unless specifically required and approved.

    Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizatio...
    Rule Medium Severity
  • SRG-APP-000141-DB-000093

    Group
  • Allow Polybase Export feature must be disabled, unless specifically required and approved.

    Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizatio...
    Rule Medium Severity
  • SRG-APP-000141-DB-000093

    Group
  • SRG-APP-000141-DB-000092

    Group
  • SQL Server External Scripts Enabled feature must be disabled, unless specifically required and approved.

    SQL Server is capable of providing a wide range of features and services. Some of the features and services, provided by default, may not be necessary, and enabling them could adversely affect the ...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    Group
  • SRG-APP-000141-DB-000092

    Group
  • SQL Server Replication Xps feature must be disabled, unless specifically required and approved.

    SQL Server is capable of providing a wide range of features and services. Some of the features and services, provided by default, may not be necessary, and enabling them could adversely affect the ...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    Group
  • If the SQL Server Browser Service is specifically required and approved, SQL instances must be hidden.

    The SQL Server Browser simplifies the administration of SQL Server, particularly when multiple instances of SQL Server coexist on the same computer. It avoids the need to hard-assign port numbers t...
    Rule Low Severity
  • SRG-APP-000178-DB-000083

    Group
  • SRG-APP-000178-DB-000083

    Group
  • SRG-APP-000456-DB-000400

    Group
  • Microsoft SQL Server products must be a version supported by the vendor.

    Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilit...
    Rule High Severity
  • SQL Server must be configured to utilize the most-secure authentication method available.

    Enterprise environments make account management for applications and databases challenging and complex. A manual process for account management functions adds the risk of a potential oversight or o...
    Rule Medium Severity
  • SQL Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

    Authentication with a DoD-approved PKI certificate does not necessarily imply authorization to access SQL Server. To mitigate the risk of unauthorized access to sensitive information by entities t...
    Rule High Severity
  • SQL Server must protect against a user falsely repudiating by ensuring all accounts are individual, unique, and not shared.

    Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving info...
    Rule Medium Severity