STIGQter: STIG Summary: MS SQL Server 2016 Instance Security Technical Implementation Guide

Version: 1

Release: 8

Benchmark Date: 24 Jan 2020

Name | Title
SV-93825r1_rule | SQL Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.
SV-93827r1_rule | SQL Server must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
SV-93829r1_rule | SQL Server must be configured to utilize the most-secure authentication method available.
SV-93831r1_rule | SQL Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
SV-93833r1_rule | SQL Server must protect against a user falsely repudiating by ensuring all accounts are individual, unique, and not shared.
SV-93835r4_rule | SQL Server must protect against a user falsely repudiating by ensuring the NT AUTHORITY SYSTEM account is not used for administration.
SV-93837r3_rule | SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the instance.
SV-93839r1_rule | SQL Server must be configured to generate audit records for DoD-defined auditable events within all DBMS/database components.
SV-93841r1_rule | SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
SV-93843r1_rule | SQL Server must generate audit records when privileges/permissions are retrieved.
SV-93845r2_rule | SQL Server must generate audit records when unsuccessful attempts to retrieve privileges/permissions occur.
SV-93847r1_rule | SQL Server must initiate session auditing upon startup.
SV-93851r1_rule | SQL Server must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.
SV-93853r1_rule | SQL Server must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.
SV-93855r2_rule | SQL Server must be configurable to overwrite audit log records, oldest first (First-In-First-Out - FIFO), in the event of unavailability of space for more audit log records.
SV-93857r1_rule | The audit information produced by SQL Server must be protected from unauthorized read access.
SV-93859r1_rule | The audit information produced by SQL Server must be protected from unauthorized modification.
SV-93861r1_rule | The audit information produced by SQL Server must be protected from unauthorized deletion.
SV-93863r2_rule | SQL Server must protect its audit features from unauthorized access.
SV-93865r1_rule | SQL Server must protect its audit configuration from unauthorized modification.
SV-93867r1_rule | SQL Server must protect its audit features from unauthorized removal.
SV-93869r1_rule | SQL Server must limit privileges to change software modules and links to software external to SQL Server.
SV-93871r1_rule | SQL Server must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to SQL Server.
SV-93873r1_rule | SQL Server software installation account must be restricted to authorized users.
SV-93875r2_rule | Database software, including DBMS configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
SV-93877r2_rule | Default demonstration and sample databases, database objects, and applications must be removed.
SV-93879r1_rule | Unused database components, DBMS software, and database objects must be removed.
SV-93881r1_rule | Unused database components that are integrated in SQL Server and cannot be uninstalled must be disabled.
SV-93883r1_rule | Access to xp_cmdshell must be disabled, unless specifically required and approved.
SV-93885r2_rule | Access to CLR code must be disabled or restricted, unless specifically required and approved.
SV-93887r2_rule | Access to Non-Standard extended stored procedures must be disabled or restricted, unless specifically required and approved.
SV-93889r1_rule | Access to linked servers must be disabled or restricted, unless specifically required and approved.
SV-93891r1_rule | SQL Server must be configured to prohibit or restrict the use of organization-defined protocols as defined in the PPSM CAL and vulnerability assessments.
SV-93893r1_rule | SQL Server must be configured to prohibit or restrict the use of organization-defined ports, as defined in the PPSM CAL and vulnerability assessments.
SV-93895r1_rule | SQL Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
SV-93897r4_rule | If DBMS authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password complexity and lifetime.
SV-93899r1_rule | Contained databases must use Windows principals.
SV-93901r3_rule | If passwords are used for authentication, SQL Server must transmit only encrypted representations of passwords.
SV-93903r1_rule | SQL Server must enforce authorized access to all PKI private keys stored/utilized by SQL Server.
SV-93905r1_rule | SQL Server must use NIST FIPS 140-2 validated cryptographic modules for cryptographic operations.
SV-93907r1_rule | SQL Server must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
SV-93909r1_rule | SQL Server must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.
SV-93911r1_rule | SQL Server must protect the confidentiality and integrity of all information at rest.
SV-93913r1_rule | The Service Master Key must be backed up, stored offline and off-site.
SV-93915r1_rule | The Master Key must be backed up, stored offline and off-site.
SV-93917r3_rule | SQL Server must prevent unauthorized and unintended information transfer via shared system resources.
SV-93919r2_rule | SQL Server must prevent unauthorized and unintended information transfer via shared system resources.
SV-93921r2_rule | Access to database files must be limited to relevant processes and to authorized, administrative users.
SV-93923r2_rule | SQL Server must reveal detailed error messages only to the ISSO, ISSM, SA, and DBA.
SV-93925r1_rule | SQL Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
SV-93927r1_rule | Use of credentials and proxies must be restricted to necessary cases only.
SV-93929r1_rule | SQL Server must utilize centralized management of the content captured in audit records generated by all components of SQL Server.
SV-93931r1_rule | SQL Server must provide centralized configuration of the content to be captured in audit records generated by all components of SQL Server.
SV-93933r1_rule | SQL Server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
SV-93935r1_rule | SQL Server must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity.
SV-93937r1_rule | SQL Server must provide an immediate real-time alert to appropriate support staff of all audit failure events requiring real-time alerts.
SV-93939r1_rule | SQL Server must record time stamps in audit records and application data that can be mapped to Coordinated Universal Time (UTC, formerly GMT).
SV-93941r1_rule | SQL Server must enforce access restrictions associated with changes to the configuration of the instance.
SV-93943r1_rule | Windows must enforce access restrictions associated with changes to the configuration of the SQL Server instance.
SV-93945r3_rule | SQL Server must produce audit records of its enforcement of access restrictions associated with changes to the configuration of SQL Server or database(s).
SV-93947r1_rule | SQL Server must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.
SV-93949r1_rule | SQL Server must maintain a separate execution domain for each executing process.
SV-93951r1_rule | SQL Server services must be configured to run under unique dedicated user accounts.
SV-93953r1_rule | When updates are applied to SQL Server software, any software components that have been replaced or made unnecessary must be removed.
SV-93955r1_rule | Security-relevant software updates to SQL Server must be installed within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).
SV-93957r2_rule | SQL Server must be able to generate audit records when security objects are accessed.
SV-93959r1_rule | SQL Server must generate audit records when unsuccessful attempts to access security objects occur.
SV-93961r2_rule | SQL Server must generate audit records when categorized information (e.g., classification levels/security levels) is accessed.
SV-93963r1_rule | SQL Server must generate audit records when unsuccessful attempts to access categorized information (e.g., classification levels/security levels) occur.
SV-93965r3_rule | SQL Server must generate audit records when privileges/permissions are added.
SV-93967r3_rule | SQL Server must generate audit records when unsuccessful attempts to add privileges/permissions occur.
SV-93969r3_rule | SQL Server must generate audit records when privileges/permissions are modified.
SV-93971r3_rule | SQL Server must generate audit records when unsuccessful attempts to modify privileges/permissions occur.
SV-93973r1_rule | SQL Server must generate audit records when security objects are modified.
SV-93975r2_rule | SQL Server must generate audit records when unsuccessful attempts to modify security objects occur.
SV-93977r1_rule | SQL Server must generate audit records when categorized information (e.g., classification levels/security levels) is modified.
SV-93979r1_rule | SQL Server must generate audit records when unsuccessful attempts to modify categorized information (e.g., classification levels/security levels) occur.
SV-93981r2_rule | SQL Server must generate audit records when privileges/permissions are deleted.
SV-93983r2_rule | SQL Server must generate audit records when unsuccessful attempts to delete privileges/permissions occur.
SV-93985r2_rule | SQL Server must generate audit records when security objects are deleted.
SV-93987r2_rule | SQL Server must generate audit records when unsuccessful attempts to delete security objects occur.
SV-93989r1_rule | SQL Server must generate audit records when categorized information (e.g., classification levels/security levels) is deleted.
SV-93991r1_rule | SQL Server must generate audit records when unsuccessful attempts to delete categorized information (e.g., classification levels/security levels) occur.
SV-93993r1_rule | SQL Server must generate audit records when successful logons or connections occur.
SV-93995r1_rule | SQL Server must generate audit records when unsuccessful logons or connection attempts occur.
SV-93997r2_rule | SQL Server must generate audit records for all privileged activities or other system-level access.
SV-93999r4_rule | SQL Server must generate audit records when unsuccessful attempts to execute privileged activities or other system-level access occur.
SV-94001r4_rule | SQL Server must generate audit records showing starting and ending time for user access to the database(s).
SV-94003r1_rule | SQL Server must generate audit records when concurrent logons/connections by the same user from different workstations occur.
SV-94005r1_rule | SQL Server must generate audit records when successful accesses to objects occur.
SV-94007r1_rule | SQL Server must generate audit records when unsuccessful accesses to objects occur.
SV-94009r1_rule | SQL Server must generate audit records for all direct access to the database(s).
SV-94011r1_rule | SQL Server must implement NIST FIPS 140-2 validated cryptographic modules to provision digital signatures.
SV-94013r1_rule | SQL Server must implement NIST FIPS 140-2 validated cryptographic modules to generate and validate cryptographic hashes.
SV-94015r1_rule | SQL Server must implement NIST FIPS 140-2 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owner's requirements.
SV-94017r1_rule | The system SQL Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.
SV-94019r1_rule | SQL Server must configure Customer Feedback and Error Reporting.
SV-94021r1_rule | SQL Server must configure SQL Server Usage and Error Reporting Auditing.
SV-94023r2_rule | The SQL Server default account [sa] must be disabled.
SV-94025r1_rule | SQL Server default account [sa] must have its name changed.
SV-94027r1_rule | Execution of startup stored procedures must be restricted to necessary cases only.
SV-94029r1_rule | SQL Server Mirroring endpoint must utilize AES encryption.
SV-94031r1_rule | SQL Server Service Broker endpoint must utilize AES encryption.
SV-94033r2_rule | SQL Server execute permissions to access the registry must be revoked, unless specifically required and approved.
SV-94035r3_rule | Filestream must be disabled, unless specifically required and approved.
SV-94039r1_rule | Ole Automation Procedures feature must be disabled, unless specifically required and approved.
SV-94041r1_rule | SQL Server User Options feature must be disabled, unless specifically required and approved.
SV-94043r1_rule | Remote Access feature must be disabled, unless specifically required and approved.
SV-94047r1_rule | Hadoop Connectivity feature must be disabled, unless specifically required and approved.
SV-94049r1_rule | Allow Polybase Export feature must be disabled, unless specifically required and approved.
SV-94051r1_rule | Remote Data Archive feature must be disabled, unless specifically required and approved.
SV-94053r1_rule | SQL Server External Scripts Enabled feature must be disabled, unless specifically required and approved.
SV-94055r1_rule | The SQL Server Browser service must be disabled unless specifically required and approved.
SV-94057r1_rule | SQL Server Replication Xps feature must be disabled, unless specifically required and approved.
SV-94059r1_rule | If the SQL Server Browser Service is specifically required and approved, SQL instances must be hidden.
SV-94061r1_rule | When using command-line tools such as SQLCMD in a mixed-mode authentication environment, users must use a logon method that does not expose the password.
SV-94063r1_rule | Applications must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
SV-106625r1_rule | Confidentiality of controlled information during transmission through the use of an approved TLS version.