STIGQter: STIG Summary: MS SQL Server 2016 Instance Security Technical Implementation Guide, Version: 2, Release: 3, Benchmark Date: 23 Apr 2021

If the SQL Server Browser Service is specifically required and approved, SQL instances must be hidden.

DISA Rule

SV-214044r617437_rule

Vulnerability Number

V-214044

Group Title

SRG-APP-000516-DB-000363

Rule Version

SQL6-D0-018000

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

If SQL Server Browser is needed, document the justification and obtain the appropriate authorization.

To hide the SQL instance, in SQL Server Configuration Manager, expand SQL Server Network Configuration, right-click Protocols for <server instance>, select "Properties", on the "Flags" tab, select "Yes" in the "HideInstance" box, then click "OK".  The change takes effect immediately for new connections.

Check Contents

If the need for the SQL Server Browser service is documented and authorized, check to make sure the SQL Instances that do not require use of the SQL Browser Service are hidden with the following query:

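-- Read the HideInstance flag for this instance from the registry
DECLARE @HiddenInstance INT;
EXEC master.dbo.xp_instance_regread
    N'HKEY_LOCAL_MACHINE',
    N'Software\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib',
    N'HideInstance',
    @HiddenInstance OUTPUT;

-- 'No' only when the flag is 0 on a non-clustered instance; a clustered
-- instance, or a flag value that could not be read (NULL), reports 'Yes'
SELECT CASE
           WHEN @HiddenInstance = 0
                AND SERVERPROPERTY('IsClustered') = 0 THEN 'No'
           ELSE 'Yes'
       END AS [Hidden];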

If the value of "Hidden" is "Yes", this is not a finding.

If the value of "Hidden" is "No" and the startup type of the "SQL Server Browser" service is not "Disabled", this is a finding.
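The two conditions above (the "Hidden" query result and the Browser service startup type) can be evaluated together. The following PowerShell is an added example, not part of the STIG text. It assumes the SqlServer module's Invoke-Sqlcmd, the default Browser service name SQLBrowser, a hypothetical function name Test-HiddenInstanceFinding, and a placeholder second instance name.

```powershell
# Added example; the function name, parameter name and 'INSTANCE2' are hypothetical.
# Assumes the SqlServer module (Invoke-Sqlcmd) is installed and the script runs
# on the database host with rights to query each instance.
function Test-HiddenInstanceFinding {
    param(
        [string[]]$ServerInstance = @('localhost')   # instances on this host
    )

    # Same check query as the STIG, plus the raw registry value for review.
    $query = @'
DECLARE @HiddenInstance INT;
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib',
     N'HideInstance',
     @HiddenInstance OUTPUT;
SELECT CASE WHEN @HiddenInstance = 0 AND SERVERPROPERTY('IsClustered') = 0
            THEN 'No' ELSE 'Yes' END AS [Hidden],
       @HiddenInstance AS [RawValue];
'@

    # The Browser service is host-wide, so read its startup type once.
    # Assumption: a host without the service is treated like "Disabled".
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SQLBrowser'"
    $startMode = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
    $browserEnabled = $startMode -notin @('Disabled', 'NotInstalled')

    foreach ($instance in $ServerInstance) {
        $row = Invoke-Sqlcmd -ServerInstance $instance -Query $query -ErrorAction Stop
        [pscustomobject]@{
            Instance         = $instance
            Hidden           = $row.Hidden
            # False means the flag came back NULL, which the query reports as 'Yes'.
            RegistryValueSet = -not ($row.RawValue -is [System.DBNull])
            BrowserStartMode = $startMode
            # Finding only when Hidden is 'No' and the Browser is not Disabled.
            Finding          = ($row.Hidden -eq 'No') -and $browserEnabled
        }
    }
}

Test-HiddenInstanceFinding -ServerInstance 'localhost', 'localhost\INSTANCE2' |
    Format-Table -AutoSize
```

Pass only the instances that do not require the Browser service; whether the service itself is documented and authorized still has to be confirmed separately.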


Documentable

False



Check Content Reference

M

Target Key

3993
