Skip to content

MS SQL Server 2016 Instance Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000508-DB-000358

    <GroupDescription></GroupDescription>
    Group
  • SQL Server must generate audit records for all direct access to the database(s).

    &lt;VulnDiscussion&gt;In this context, direct access is any query, command, or call to SQL Server that comes from any source other than the applica...
    Rule Medium Severity
  • SRG-APP-000514-DB-000381

    <GroupDescription></GroupDescription>
    Group
  • SQL Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to provision digital signatures.

    &lt;VulnDiscussion&gt;Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The applicatio...
    Rule High Severity
  • SRG-APP-000514-DB-000382

    <GroupDescription></GroupDescription>
    Group
  • SQL Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to generate and validate cryptographic hashes.

    &lt;VulnDiscussion&gt;Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The applicatio...
    Rule High Severity
  • SRG-APP-000514-DB-000383

    <GroupDescription></GroupDescription>
    Group
  • SQL Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owners requirements.

    &lt;VulnDiscussion&gt;Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The applicatio...
    Rule Medium Severity
  • SRG-APP-000515-DB-000318

    <GroupDescription></GroupDescription>
    Group
  • The system SQL Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.

    &lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a comm...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • SQL Server must configure Customer Feedback and Error Reporting.

    &lt;VulnDiscussion&gt;By default, Microsoft SQL Server enables participation in the customer experience improvement program (CEIP). This program co...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • SQL Server must configure SQL Server Usage and Error Reporting Auditing.

    &lt;VulnDiscussion&gt;By default, Microsoft SQL Server enables participation in the customer experience improvement program (CEIP). This program co...
    Rule Medium Severity
  • SRG-APP-000033-DB-000084

    <GroupDescription></GroupDescription>
    Group
  • The SQL Server default account [sa] must be disabled.

    &lt;VulnDiscussion&gt;SQL Server's [sa] account has special privileges required to administer the database. The [sa] account is a well-known SQL Se...
    Rule High Severity
  • SRG-APP-000141-DB-000092

    <GroupDescription></GroupDescription>
    Group
  • SQL Server default account [sa] must have its name changed.

    &lt;VulnDiscussion&gt;SQL Server's [sa] account has special privileges required to administer the database. The [sa] account is a well-known SQL Se...
    Rule Medium Severity
  • SRG-APP-000342-DB-000302

    <GroupDescription></GroupDescription>
    Group
  • Execution of startup stored procedures must be restricted to necessary cases only.

    &lt;VulnDiscussion&gt;In certain situations, to provide required functionality, a DBMS needs to execute internal logic (stored procedures, function...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • SQL Server Mirroring endpoint must utilize AES encryption.

    &lt;VulnDiscussion&gt;Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • SQL Server Service Broker endpoint must utilize AES encryption.

    &lt;VulnDiscussion&gt;Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including...
    Rule Medium Severity
  • SRG-APP-000141-DB-000093

    <GroupDescription></GroupDescription>
    Group
  • SQL Server execute permissions to access the registry must be revoked, unless specifically required and approved.

    &lt;VulnDiscussion&gt;Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, pr...
    Rule Medium Severity
  • SRG-APP-000141-DB-000093

    <GroupDescription></GroupDescription>
    Group
  • Filestream must be disabled, unless specifically required and approved.

    &lt;VulnDiscussion&gt;Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, pr...
    Rule Medium Severity
  • SRG-APP-000141-DB-000093

    <GroupDescription></GroupDescription>
    Group
  • Ole Automation Procedures feature must be disabled, unless specifically required and approved.

    &lt;VulnDiscussion&gt;Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, pr...
    Rule Medium Severity
  • SRG-APP-000141-DB-000092

    <GroupDescription></GroupDescription>
    Group
  • SQL Server User Options feature must be disabled, unless specifically required and approved.

    &lt;VulnDiscussion&gt;SQL Server is capable of providing a wide range of features and services. Some of the features and services, provided by defa...
    Rule Medium Severity
  • SRG-APP-000141-DB-000093

    <GroupDescription></GroupDescription>
    Group
  • Remote Access feature must be disabled, unless specifically required and approved.

    &lt;VulnDiscussion&gt;Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, pr...
    Rule Medium Severity
  • SRG-APP-000141-DB-000093

    <GroupDescription></GroupDescription>
    Group
  • Hadoop Connectivity feature must be disabled, unless specifically required and approved.

    &lt;VulnDiscussion&gt;Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, pr...
    Rule Medium Severity
  • SRG-APP-000141-DB-000093

    <GroupDescription></GroupDescription>
    Group
  • Allow Polybase Export feature must be disabled, unless specifically required and approved.

    &lt;VulnDiscussion&gt;Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, pr...
    Rule Medium Severity
  • SRG-APP-000141-DB-000093

    <GroupDescription></GroupDescription>
    Group
  • Remote Data Archive feature must be disabled, unless specifically required and approved.

    &lt;VulnDiscussion&gt;Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, pr...
    Rule Medium Severity
  • SRG-APP-000141-DB-000092

    <GroupDescription></GroupDescription>
    Group
  • SQL Server External Scripts Enabled feature must be disabled, unless specifically required and approved.

    &lt;VulnDiscussion&gt;SQL Server is capable of providing a wide range of features and services. Some of the features and services, provided by defa...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • The SQL Server Browser service must be disabled unless specifically required and approved.

    &lt;VulnDiscussion&gt;The SQL Server Browser simplifies the administration of SQL Server, particularly when multiple instances of SQL Server coexis...
    Rule Low Severity
  • SRG-APP-000141-DB-000092

    <GroupDescription></GroupDescription>
    Group
  • SQL Server Replication Xps feature must be disabled, unless specifically required and approved.

    &lt;VulnDiscussion&gt;SQL Server is capable of providing a wide range of features and services. Some of the features and services, provided by defa...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • If the SQL Server Browser Service is specifically required and approved, SQL instances must be hidden.

    &lt;VulnDiscussion&gt;The SQL Server Browser simplifies the administration of SQL Server, particularly when multiple instances of SQL Server coexis...
    Rule Low Severity
  • SRG-APP-000178-DB-000083

    <GroupDescription></GroupDescription>
    Group
  • When using command-line tools such as SQLCMD in a mixed-mode authentication environment, users must use a logon method that does not expose the password.

    &lt;VulnDiscussion&gt;To prevent the compromise of authentication information, such as passwords and PINs, during the authentication process, the f...
    Rule High Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules