III - Administrative Classified
Rules and Groups employed by this XCCDF Profile
-
SRG-APP-000514-DB-000381
Group -
SQL Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to provision digital signatures.
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards ...Rule High Severity -
SRG-APP-000514-DB-000382
Group -
SQL Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to generate and validate cryptographic hashes.
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards ...Rule High Severity -
SRG-APP-000514-DB-000383
Group -
SQL Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owners requirements.
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards ...Rule Medium Severity -
SRG-APP-000515-DB-000318
Group -
The system SQL Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. ...Rule Medium Severity -
SRG-APP-000516-DB-000363
Group -
SQL Server must configure Customer Feedback and Error Reporting.
By default, Microsoft SQL Server enables participation in the customer experience improvement program (CEIP). This program collects information about how its customers are using the product. Specif...Rule Medium Severity -
SRG-APP-000516-DB-000363
Group -
SQL Server must configure SQL Server Usage and Error Reporting Auditing.
By default, Microsoft SQL Server enables participation in the customer experience improvement program (CEIP). This program collects information about how its customers are using the product. Specif...Rule Medium Severity -
SRG-APP-000033-DB-000084
Group -
The SQL Server default account [sa] must be disabled.
SQL Server's [sa] account has special privileges required to administer the database. The [sa] account is a well-known SQL Server account and is likely to be targeted by attackers and thus more pro...Rule High Severity -
SRG-APP-000141-DB-000092
Group -
SQL Server default account [sa] must have its name changed.
SQL Server's [sa] account has special privileges required to administer the database. The [sa] account is a well-known SQL Server account name and is likely to be targeted by attackers, and is thus...Rule Medium Severity -
SRG-APP-000342-DB-000302
Group -
Execution of startup stored procedures must be restricted to necessary cases only.
In certain situations, to provide required functionality, a DBMS needs to execute internal logic (stored procedures, functions, triggers, etc.) and/or external code modules with elevated privileges...Rule Medium Severity -
SRG-APP-000516-DB-000363
Group -
SQL Server Mirroring endpoint must utilize AES encryption.
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, an...Rule Medium Severity -
SRG-APP-000516-DB-000363
Group -
SQL Server Service Broker endpoint must utilize AES encryption.
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, an...Rule Medium Severity -
SRG-APP-000141-DB-000093
Group -
SQL Server execute permissions to access the registry must be revoked, unless specifically required and approved.
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizatio...Rule Medium Severity -
SRG-APP-000141-DB-000093
Group -
Filestream must be disabled, unless specifically required and approved.
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizatio...Rule Medium Severity -
SRG-APP-000141-DB-000093
Group -
Ole Automation Procedures feature must be disabled, unless specifically required and approved.
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizatio...Rule Medium Severity -
SRG-APP-000141-DB-000092
Group -
SQL Server User Options feature must be disabled, unless specifically required and approved.
SQL Server is capable of providing a wide range of features and services. Some of the features and services, provided by default, may not be necessary, and enabling them could adversely affect the ...Rule Medium Severity -
SRG-APP-000141-DB-000093
Group -
Remote Access feature must be disabled, unless specifically required and approved.
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizatio...Rule Medium Severity -
SRG-APP-000141-DB-000093
Group -
Hadoop Connectivity feature must be disabled, unless specifically required and approved.
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizatio...Rule Medium Severity -
SRG-APP-000141-DB-000093
Group -
Allow Polybase Export feature must be disabled, unless specifically required and approved.
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizatio...Rule Medium Severity -
SRG-APP-000141-DB-000093
Group -
Remote Data Archive feature must be disabled, unless specifically required and approved.
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizatio...Rule Medium Severity -
SRG-APP-000141-DB-000092
Group -
SQL Server External Scripts Enabled feature must be disabled, unless specifically required and approved.
SQL Server is capable of providing a wide range of features and services. Some of the features and services, provided by default, may not be necessary, and enabling them could adversely affect the ...Rule Medium Severity -
SRG-APP-000516-DB-000363
Group -
The SQL Server Browser service must be disabled unless specifically required and approved.
The SQL Server Browser simplifies the administration of SQL Server, particularly when multiple instances of SQL Server coexist on the same computer. It avoids the need to hard-assign port numbers t...Rule Low Severity -
SRG-APP-000141-DB-000092
Group -
SQL Server Replication Xps feature must be disabled, unless specifically required and approved.
SQL Server is capable of providing a wide range of features and services. Some of the features and services, provided by default, may not be necessary, and enabling them could adversely affect the ...Rule Medium Severity -
SRG-APP-000516-DB-000363
Group -
If the SQL Server Browser Service is specifically required and approved, SQL instances must be hidden.
The SQL Server Browser simplifies the administration of SQL Server, particularly when multiple instances of SQL Server coexist on the same computer. It avoids the need to hard-assign port numbers t...Rule Low Severity -
SRG-APP-000178-DB-000083
Group -
When using command-line tools such as SQLCMD in a mixed-mode authentication environment, users must use a logon method that does not expose the password.
To prevent the compromise of authentication information, such as passwords and PINs, during the authentication process, the feedback from the information system must not provide any information tha...Rule High Severity -
SRG-APP-000178-DB-000083
Group -
Applications must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
To prevent the compromise of authentication information, such as passwords and PINs, during the authentication process, the feedback from the information system must not provide any information tha...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.