I - Mission Critical Sensitive

SRG-APP-000231-DB-000154

The Service Master Key must be backed up, stored offline and off-site.

SRG-APP-000023-DB-000001

SQL Server authentication and identity management must be integrated with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.

SRG-APP-000091-DB-000325

Where SQL Server Audit is in use, SQL Server must generate audit records when unsuccessful attempts to retrieve privileges/permissions occur.

SRG-APP-000109-DB-000321

Where availability is paramount, the SQL Server must continue processing (preferably overwriting existing records, oldest first), in the event of lack of space for more Audit/Trace log records; and must keep processing after any failure of an Audit/Trace.

SRG-APP-000133-DB-000362

The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to SQL Server, etc.) must be restricted to authorized users.

SRG-APP-000179-DB-000114

SQL Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.

SRG-APP-000243-DB-000374

Access to database files must be limited to relevant processes and to authorized, administrative users.

SRG-APP-000295-DB-000305

SQL Server must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.

SRG-APP-000340-DB-000304

SQL Server must prevent non-privileged users from executing privileged functionality, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

SRG-APP-000342-DB-000302

Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only.