STIGQter: STIG Summary: Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide

Version: 1

Release: 18

Benchmark Date: 25 Jan 2019

| Name | Title |
| --- | --- |
| SV-53265r5_rule | SQL Server must protect data at rest and ensure confidentiality and integrity of data. |
| SV-53912r4_rule | SQL Server must maintain and support organization-defined security labels on stored information. |
| SV-53914r4_rule | SQL Server must maintain and support organization-defined security labels on information in process. |
| SV-53916r4_rule | SQL Server must maintain and support organization-defined security labels on data in transmission. |
| SV-53917r3_rule | SQL Server must allow authorized users to associate security labels to information in the database. |
| SV-53918r3_rule | SQL Server utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights. |
| SV-53920r4_rule | SQL Server must be protected from unauthorized access by developers. |
| SV-53921r2_rule | SQL Server must be protected from unauthorized access by developers on shared production/development host systems. |
| SV-53922r5_rule | Administrative privileges, built-in server roles and built-in database roles must be assigned to the DBMS login accounts that require them via custom roles, and not directly. |
| SV-53925r2_rule | SQL Server job/batch queues must be reviewed regularly to detect unauthorized SQL Server job submissions. |
| SV-53928r4_rule | SQL Server must provide audit record generation capability for organization-defined auditable events within the database. |
| SV-53930r4_rule | SQL Server must be monitored to discover unauthorized changes to functions. |
| SV-53931r4_rule | SQL Server must be monitored to discover unauthorized changes to triggers. |
| SV-53933r4_rule | SQL Server must be monitored to discover unauthorized changes to stored procedures. |
| SV-53935r2_rule | Database objects must be owned by accounts authorized for ownership. |
| SV-53937r3_rule | Unused database components and database objects must be removed. |
| SV-53939r5_rule | SQL Server must encrypt information stored in the database. |
| SV-53940r5_rule | SQL Server must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. |
| SV-53944r3_rule | The Database Master Key must be encrypted by the Service Master Key where required. |
| SV-53945r2_rule | Database Master Key passwords must not be stored in credentials within the database. |
| SV-53946r5_rule | Symmetric keys (other than the database master key) must use a DoD certificate to encrypt the key. |
| SV-53949r6_rule | SQL Server must employ cryptographic mechanisms preventing the unauthorized disclosure of information at rest. |
| SV-53950r2_rule | SQL Server must prevent unauthorized and unintended information transfer via shared system resources. |
| SV-53951r2_rule | SQL Server must protect against or limit the effects of the organization-defined types of Denial of Service (DoS) attacks. |
| SV-53953r3_rule | SQL Server must check the validity of data inputs. |
| SV-75113r1_rule | In a database owned by a login not having administrative privileges at the instance level, the database property TRUSTWORTHY must be OFF unless required and authorized. |
| SV-75233r1_rule | In a database owned by [sa], or by any other login having administrative privileges at the instance level, the database property TRUSTWORTHY must be OFF. |
| SV-85249r2_rule | Appropriate staff must be alerted when the amount of storage space used by the SQL Server transaction log file(s) exceeds an organization-defined value. |