MS SQL Server 2016 Instance Security Technical Implementation Guide


Overview

Date: 2018-03-09
Finding Count (120): CAT I (High): 8, CAT II (Med): 109, CAT III (Low): 3

STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-79305 High SQL Server must implement NIST FIPS 140-2 validated cryptographic modules to provision digital signatures.
V-79307 High SQL Server must implement NIST FIPS 140-2 validated cryptographic modules to generate and validate cryptographic hashes.
V-79129 High SQL Server must protect against a user falsely repudiating by ensuring the NT AUTHORITY SYSTEM account is not used for administration.
V-79125 High SQL Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
V-79205 High SQL Server must protect the confidentiality and integrity of all information at rest.
V-79195 High If passwords are used for authentication, SQL Server must transmit only encrypted representations of passwords.
V-79357 High Applications must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
V-79355 High When using command-line tools such as SQLCMD in a mixed-mode authentication environment, users must use a logon method that does not expose the password.
V-79335 Medium SQL Server User Options feature must be disabled, unless specifically required and approved.
V-79337 Medium Remote Access feature must be disabled, unless specifically required and approved.
V-79331 Medium The Filestream setting in registry and in SQL Server configuration must match.
V-79333 Medium Ole Automation Procedures feature must be disabled, unless specifically required and approved.
V-79339 Medium Smo and Dmo Xps feature must be disabled, unless specifically required and approved.
V-79281 Medium SQL Server must generate audit records when unsuccessful attempts to delete security objects occur.
V-79283 Medium SQL Server must generate audit records when categorized information (e.g., classification levels/security levels) is deleted.
V-79285 Medium SQL Server must generate audit records when unsuccessful attempts to delete categorized information (e.g., classification levels/security levels) occur.
V-79287 Medium SQL Server must generate audit records when successful logons or connections occur.
V-79289 Medium SQL Server must generate audit records when unsuccessful logons or connection attempts occur.
V-79161 Medium SQL Server must protect its audit features from unauthorized removal.
V-79139 Medium SQL Server must generate audit records when unsuccessful attempts to retrieve privileges/permissions occur.
V-79119 Medium SQL Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.
V-79301 Medium SQL Server must generate audit records when unsuccessful accesses to objects occur.
V-79303 Medium SQL Server must generate audit records for all direct access to the database(s).
V-79309 Medium SQL Server must implement NIST FIPS 140-2 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owners requirements.
V-79131 Medium SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the instance.
V-79235 Medium SQL Server must enforce access restrictions associated with changes to the configuration of the instance.
V-79237 Medium Windows must enforce access restrictions associated with changes to the configuration of the SQL Server instance.
V-79233 Medium SQL Server must record time stamps in audit records and application data that can be mapped to Coordinated Universal Time (UTC, formerly GMT).
V-79127 Medium SQL Server must protect against a user falsely repudiating by ensuring all accounts are individual, unique, and not shared.
V-79121 Medium SQL Server must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
V-79123 Medium SQL Server must be configured to utilize the most-secure authentication method available.
V-79257 Medium SQL Server must generate audit records when unsuccessful attempts to access categorized information (e.g., classification levels/security levels) occur.
V-79255 Medium SQL Server must generate audit records when categorized information (e.g., classification levels/security levels) is accessed.
V-79253 Medium SQL Server must generate audit records when unsuccessful attempts to access security objects occur.
V-79149 Medium SQL Server must be configurable to overwrite audit log records, oldest first (First-In-First-Out - FIFO), in the event of unavailability of space for more audit log records.
V-79319 Medium SQL Server default account [sa] must have its name changed.
V-79147 Medium SQL Server must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.
V-79317 Medium The SQL Server default account [sa] must be disabled.
V-79145 Medium SQL Server must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.
V-79315 Medium SQL Server must configure SQL Server Usage and Error Reporting Auditing.
V-79143 Medium SQL Server must be configured to allow authorized users to capture, record, and log all content related to a user session.
V-79313 Medium SQL Server must configure Customer Feedback and Error Reporting.
V-79141 Medium SQL Server must initiate session auditing upon startup.
V-79311 Medium The system SQL Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.
V-79159 Medium SQL Server must protect its audit configuration from unauthorized modification.
V-79223 Medium SQL Server must utilize centralized management of the content captured in audit records generated by all components of SQL Server.
V-79221 Medium Use of credentials and proxies must be restricted to necessary cases only.
V-79227 Medium SQL Server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
V-79225 Medium SQL Server must provide centralized configuration of the content to be captured in audit records generated by all components of SQL Server.
V-79133 Medium SQL Server must be configured to generate audit records for DoD-defined auditable events within all DBMS/database components.
V-79229 Medium SQL Server must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity.
V-79137 Medium SQL Server must generate audit records when privileges/permissions are retrieved.
V-79135 Medium SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
V-79245 Medium SQL Server services must be configured to run under unique dedicated user accounts.
V-79247 Medium When updates are applied to SQL Server software, any software components that have been replaced or made unnecessary must be removed.
V-79241 Medium SQL Server must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.
V-79243 Medium SQL Server must maintain a separate execution domain for each executing process.
V-79155 Medium The audit information produced by SQL Server must be protected from unauthorized deletion.
V-79157 Medium SQL Server must protect its audit features from unauthorized access.
V-79249 Medium Security-relevant software updates to SQL Server must be installed within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).
V-79151 Medium The audit information produced by SQL Server must be protected from unauthorized read access.
V-79153 Medium The audit information produced by SQL Server must be protected from unauthorized modification.
V-79239 Medium SQL Server must produce audit records of its enforcement of access restrictions associated with changes to the configuration of SQL Server or database(s).
V-79271 Medium SQL Server must generate audit records when categorized information (e.g., classification levels/security levels) is modified.
V-79273 Medium SQL Server must generate audit records when unsuccessful attempts to modify categorized information (e.g., classification levels/security levels) occur.
V-79275 Medium SQL Server must generate audit records when privileges/permissions are deleted.
V-79277 Medium SQL Server must generate audit records when unsuccessful attempts to delete privileges/permissions occur.
V-79279 Medium SQL Server must generate audit records when security objects are deleted.
V-79163 Medium SQL Server must limit privileges to change software modules and links to software external to SQL Server.
V-79165 Medium SQL Server must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to SQL Server.
V-79167 Medium SQL Server software installation account must be restricted to authorized users.
V-79251 Medium SQL Server must be able to generate audit records when security objects are accessed.
V-79269 Medium SQL Server must generate audit records when unsuccessful attempts to modify security objects occur.
V-79267 Medium SQL Server must generate audit records when security objects are modified.
V-79265 Medium SQL Server must generate audit records when unsuccessful attempts to modify privileges/permissions occur.
V-79263 Medium SQL Server must generate audit records when privileges/permissions are modified.
V-79261 Medium SQL Server must generate audit records when unsuccessful attempts to add privileges/permissions occur.
V-79259 Medium SQL Server must generate audit records when privileges/permissions are added.
V-79219 Medium SQL Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
V-79213 Medium SQL Server must prevent unauthorized and unintended information transfer via shared system resources.
V-79211 Medium SQL Server must prevent unauthorized and unintended information transfer via shared system resources.
V-79217 Medium SQL Server must reveal detailed error messages only to the ISSO, ISSM, SA, and DBA.
V-79215 Medium Access to database files must be limited to relevant processes and to authorized, administrative users.
V-79189 Medium SQL Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-79183 Medium Access to linked servers must be disabled or restricted, unless specifically required and approved.
V-79181 Medium Access to Non-Standard extended stored procedures must be disabled or restricted, unless specifically required and approved.
V-79187 Medium SQL Server must be configured to prohibit or restrict the use of organization-defined ports, as defined in the PPSM CAL and vulnerability assessments.
V-79185 Medium SQL Server must be configured to prohibit or restrict the use of organization-defined protocols as defined in the PPSM CAL and vulnerability assessments.
V-79345 Medium Remote Data Archive feature must be disabled, unless specifically required and approved.
V-79177 Medium Access to xp_cmdshell must be disabled, unless specifically required and approved.
V-79347 Medium SQL Server External Scripts Enabled feature must be disabled, unless specifically required and approved.
V-79175 Medium Unused database components that are integrated in SQL Server and cannot be uninstalled must be disabled.
V-79341 Medium Hadoop Connectivity feature must be disabled, unless specifically required and approved.
V-79173 Medium Unused database components, DBMS software, and database objects must be removed.
V-79343 Medium Allow Polybase Export feature must be disabled, unless specifically required and approved.
V-79171 Medium Default demonstration and sample databases, database objects, and applications must be removed.
V-79179 Medium Access to CLR code must be disabled or restricted, unless specifically required and approved.
V-79327 Medium SQL Server execute permissions to access the registry must be revoked, unless specifically required and approved.
V-79209 Medium The Master Key must be backed up, stored offline and off-site.
V-79325 Medium SQL Server Service Broker endpoint must utilize AES encryption.
V-79323 Medium SQL Server Mirroring endpoint must utilize AES encryption.
V-79321 Medium Execution of startup stored procedures must be restricted to necessary cases only.
V-79201 Medium SQL Server must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-79203 Medium SQL Server must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.
V-79329 Medium Filestream must be disabled, unless specifically required and approved.
V-79207 Medium The Service Master Key must be backed up, stored offline and off-site.
V-79199 Medium SQL Server must use NIST FIPS 140-2 validated cryptographic modules for cryptographic operations.
V-79191 Medium If DBMS authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password complexity and lifetime.
V-79193 Medium Contained databases must use Windows principals.
V-79169 Medium Database software, including DBMS configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
V-79293 Medium SQL Server must generate audit records when unsuccessful attempts to execute privileged activities or other system-level access occur.
V-79291 Medium SQL Server must generate audit records for all privileged activities or other system-level access.
V-79297 Medium SQL Server must generate audit records when concurrent logons/connections by the same user from different workstations occur.
V-79295 Medium SQL Server must generate audit records showing starting and ending time for user access to the database(s).
V-79299 Medium SQL Server must generate audit records when successful accesses to objects occur.
V-79351 Medium SQL Server Replication Xps feature must be disabled, unless specifically required and approved.
V-79231 Medium SQL Server must provide an immediate real-time alert to appropriate support staff of all audit failure events requiring real-time alerts.
V-79349 Low The SQL Server Browser service must be disabled unless specifically required and approved.
V-79197 Low SQL Server must enforce authorized access to all PKI private keys stored/utilized by SQL Server.
V-79353 Low If the SQL Server Browser Service is specifically required and approved, SQL instances must be hidden.