| V-271264 | | SQL Server must be configured to use the most-secure authentication method available. | Enterprise environments make account management for applications and databases challenging and complex. A manual process for account management functi... |
| V-271265 | | SQL Server must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. | Enterprise environments make account management for applications and databases challenging and complex. A manual process for account management functi... |
| V-271266 | | SQL Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | Authentication with a DOD-approved PKI certificate does not necessarily imply authorization to access SQL Server. To mitigate the risk of unauthorized... |
| V-271286 | | SQL Server software installation account must be restricted to authorized users. | When dealing with change control issues, it should be noted any changes to the hardware, software, and/or firmware components of the information syste... |
| V-271306 | | Contained databases must use Windows principals. | OS/enterprise authentication and identification must be used (SRG-APP-000023-DB-000001). Native DBMS authentication may be used only when circumstance... |
| V-271307 | | If DBMS authentication using passwords is employed, SQL Server must enforce the DOD standards for password complexity and lifetime. | Windows Authentication is the default authentication mode and is much more secure than SQL Server Authentication. Windows Authentication uses Kerberos... |
| V-271309 | | If passwords are used for authentication, SQL Server must transmit only encrypted representations of passwords. | The DOD standard for authentication is DOD-approved PKI certificates.
Authentication based on User ID and Password may be used only when it is not po... |
| V-271310 | | Confidentiality of information during transmission must be controlled through the use of an approved TLS version. | Transport Layer Security (TLS) encryption is a required security setting as a number of known vulnerabilities have been reported against Secure Socket... |
| V-271313 | | When using command-line tools such as SQLCMD in a mixed-mode authentication environment, users must use a logon method that does not expose the password. | To prevent the compromise of authentication information, such as passwords and PINs, during the authentication process, the feedback from the informat... |
| V-271314 | | SQL Server must use NIST FIPS 140-2 or 140-3 validated cryptographic operations for encryption, hashing, and signing. | Use of weak or not validated cryptographic algorithms undermines the purposes of using encryption and digital signatures to protect data. Weak algorit... |
| V-271322 | | The Master Key must be backed up and stored in a secure location that is not on the SQL Server. | Backup and recovery of the Master Key may be critical to the complete recovery of the database. Not having this key can lead to loss of data during re... |
| V-271323 | | The Service Master Key must be backed up and stored in a secure location that is not on the SQL Server. | Backup and recovery of the Service Master Key may be critical to the complete recovery of the database. Creating this backup should be one of the firs... |
| V-271324 | | SQL Server must protect the confidentiality and integrity of all information at rest. | This control is intended to address the confidentiality and integrity of information at rest in nonmobile devices and covers user information and syst... |
| V-271365 | | Microsoft SQL Server products must be a version supported by the vendor. | Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack ... |
| V-271263 | | SQL Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types. | Database management includes the ability to control the number of users and user sessions using a DBMS. Unlimited concurrent connections to the DBMS c... |
| V-271267 | | SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the instance. | Nonrepudiation of actions taken is required to maintain data integrity. Examples of particular actions taken by individuals include creating informati... |
| V-271268 | | SQL Server must protect against a user falsely repudiating by ensuring the NT AUTHORITY SYSTEM account is not used for administration. | Nonrepudiation of actions taken is required to maintain data integrity. Examples of particular actions taken by individuals include creating informati... |
| V-271269 | | SQL Server must protect against a user falsely repudiating by ensuring all accounts are individual, unique, and not shared. | Nonrepudiation of actions taken is required to maintain data integrity. Examples of particular actions taken by individuals include creating informati... |
| V-271270 | | SQL Server must be configured to generate audit records for DOD-defined auditable events within all DBMS/database components. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-271271 | | SQL Server must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or i... |
| V-271272 | | SQL Server must generate audit records when attempts to access privileges, categorized information, and security objects occur. | Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, monitoring must be possibl... |
| V-271273 | | SQL Server must initiate session auditing upon startup. | Session auditing is for use when a user's activities are under investigation. To be sure of capturing all activity during those periods when session a... |
| V-271280 | | SQL Server must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject. | Information system auditing capability is critical for accurate forensic analysis. Reconstruction of harmful events or forensic analysis is not possib... |
| V-271282 | | The audit information produced by SQL Server must be protected from unauthorized access, modification, and deletion. | If audit data were to become compromised, competent forensic analysis and discovery of the true source of potentially malicious system activity would... |
| V-271283 | | SQL Server must protect its audit configuration from authorized and unauthorized access and modification. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is ne... |
| V-271284 | | SQL Server must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to SQL Server. | If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate... |
| V-271285 | | SQL Server must limit privileges to change software modules and links to software external to SQL Server. | If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate... |
| V-271287 | | Database software, including DBMS configuration files, must be stored in dedicated directories, separate from the host OS and other applications. | When dealing with change control issues, it should be noted any changes to the hardware, software, and/or firmware components of the information syste... |
| V-271290 | | Default demonstration and sample databases, database objects, and applications must be removed. | Information systems are capable of providing a wide variety of functions and services. Some of the default functions and services may not be necessary... |
| V-271291 | | Unused database components, DBMS software, and database objects must be removed. | Information systems are capable of providing a wide variety of functions and services. Some of the default functions and services may not be necessary... |
| V-271292 | | The SQL Server Replication Xps feature must be disabled unless specifically required and approved. | SQL Server is capable of providing a wide range of features and services. Some of the default features and services may not be necessary and enabling ... |
| V-271293 | | The SQL Server External Scripts Enabled feature must be disabled, unless specifically required and approved. | SQL Server is capable of providing a wide range of features and services. Some of the default features and services may not be necessary and enabling ... |
| V-271295 | | The remote Data Archive feature must be disabled unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the default functions and services may not be necessary... |
| V-271296 | | The "Allow Polybase Export" feature must be disabled, unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the default functions and services may not be necessary... |
| V-271297 | | The "Hadoop Connectivity" feature must be disabled unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the default functions and services may not be necessary... |
| V-271298 | | The "Remote Access" feature must be disabled unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the default functions and services may not be necessary... |
| V-271299 | | Access to linked servers must be disabled or restricted, unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the default functions and services may not be necessary... |
| V-271300 | | Access to nonstandard, extended stored procedures must be disabled or restricted, unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the default functions and services may not be necessary... |
| V-271301 | | Access to common language runtime (CLR) code must be disabled or restricted unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the default functions and services may not be necessary... |
| V-271302 | | Access to xp_cmdshell must be disabled unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the default functions and services may not be necessary... |
| V-271303 | | SQL Server must be configured to prohibit or restrict the use of organization-defined ports, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments. | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within d... |
| V-271304 | | SQL Server must be configured to prohibit or restrict the use of organization-defined protocols as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments. | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within d... |
| V-271305 | | SQL Server must uniquely identify and authenticate users (or processes acting on behalf of organizational users). | To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-271327 | | SQL Server must prevent unauthorized and unintended information transfer via Instant File Initialization (IFI). | The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/rol... |
| V-271328 | | SQL Server must prevent unauthorized and unintended information transfer via shared system resources. | The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/rol... |
| V-271329 | | Access to database files must be limited to relevant processes and to authorized, administrative users. | Applications, including SQL Server, must prevent unauthorized and unintended information transfer via shared system resources. Permitting only DBMS pr... |
| V-271331 | | SQL Server and associated applications must reserve the use of dynamic code execution for situations that require it. | With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of t... |
| V-271332 | | SQL Server and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack. | With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of t... |
| V-271334 | | SQL Server must reveal detailed error messages only to documented and approved individuals or roles. | If SQL Server provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and ... |
| V-271341 | | SQL Server must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary ... |
| V-271342 | | Use of credentials and proxies must be restricted to necessary cases only. | In certain situations, to provide required functionality, a DBMS needs to execute internal logic (stored procedures, functions, triggers, etc.) and/or... |
| V-271343 | | SQL Server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. | Organizations are required to use a central log management system, so, under normal conditions, the audit space allocated to SQL Server on its own ser... |
| V-271344 | | SQL Server must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75 percent of maximum audit record storage capacity. | Organizations are required to use a central log management system, so, under normal conditions, the audit space allocated to SQL Server on its own ser... |
| V-271345 | | SQL Server must provide an immediate real-time alert to appropriate support staff of all audit log failures. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time aler... |
| V-271346 | | SQL Server must record time stamps in audit records and application data that can be mapped to Coordinated Universal Time (UTC), formerly Greenwich Mean Time (GMT). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
Time stamps genera... |
| V-271349 | | Windows must enforce access restrictions associated with changes to the configuration of the SQL Server instance. | Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the sy... |
| V-271350 | | SQL Server must enforce access restrictions associated with changes to the configuration of the instance. | Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the sy... |
| V-271351 | | SQL Server must produce audit records when attempts to modify SQL Server configuration and privileges occur within the database(s). | Without auditing the enforcement of access restrictions against changes to configuration, it would be difficult to identify attempted attacks, and an ... |
| V-271358 | | SQL Server services must be configured to run under unique dedicated user accounts. | Database management systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Eac... |
| V-271359 | | SQL Server must maintain a separate execution domain for each executing process. | Database management systems can maintain separate execution domains for each executing process by assigning each process a separate address space.
... |
| V-271362 | | When invalid inputs are received, the SQL Server must behave in a predictable and documented manner that reflects organizational and system objectives. | A common vulnerability is unplanned behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior c... |
| V-271364 | | Security-relevant software updates to SQL Server must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). | Security flaws with software applications, including database management systems, are discovered daily. Vendors are constantly updating and patching t... |
| V-271370 | | SQL Server must generate audit records when successful and unsuccessful attempts to modify or delete security objects occur. | Changes and deletions of the database objects (tables, views, procedures, functions) that record and control permissions, privileges, and roles grante... |
| V-271375 | | SQL Server must generate audit records when successful and unsuccessful logons or connection attempts occur. | For completeness of forensic analysis, it is necessary to track who/what (a user or other principal) logs on to SQL Server. It is also necessary to tr... |
| V-271381 | | SQL Server must generate audit records for all direct access to the database(s). | In this context, direct access is any query, command, or call to SQL Server that comes from any source other than the application(s) that it supports.... |
| V-271385 | | The system SQL Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information... |
| V-271387 | | The SQL Server Browser service must be disabled unless specifically required and approved. | The SQL Server Browser simplifies the administration of SQL Server, particularly when multiple instances of SQL Server coexist on the same computer. I... |
| V-271388 | | SQL Server must configure SQL Server Usage and Error Reporting Auditing. | By default, Microsoft SQL Server enables participation in the customer experience improvement program (CEIP). This program collects information about ... |
| V-271389 | | SQL Server must configure Customer Feedback and Error Reporting. | By default, Microsoft SQL Server enables participation in the customer experience improvement program (CEIP). This program collects information about ... |
| V-271400 | | SQL Server must, for password-based authentication, require immediate selection of a new password upon account recovery. | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords ... |
| V-274444 | | The SQL Server default account [sa] must be disabled. | SQL Server's [sa] account has special privileges required to administer the database. The [sa] account is a well-known SQL Server account and is likel... |
| V-274445 | | The SQL Server default account [sa] must have its name changed. | SQL Server's [sa] account has special privileges required to administer the database. The [sa] account is a well-known SQL Server account name and is ... |
| V-274446 | | Execution of startup stored procedures must be restricted to necessary cases only. | In certain situations, to provide required functionality, a DBMS needs to execute internal logic (stored procedures, functions, triggers, etc.) and/or... |
| V-274447 | | The SQL Server Mirroring endpoint must use AES encryption. | Information can be unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregatio... |
| V-274448 | | The SQL Server Service Broker endpoint must use AES encryption. | Information can be unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregatio... |
| V-274449 | | SQL Server execute permissions to access the registry must be revoked unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-274450 | | Filestream must be disabled unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-274451 | | The Ole Automation Procedures feature must be disabled unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-274452 | | The SQL Server User Options feature must be disabled unless specifically required and approved. | SQL Server is capable of providing a wide range of features and services. Some of the features and services, provided by default, may not be necessary... |
| V-274453 | | SQL Server must protect against a user falsely repudiating by ensuring that only clearly unique Active Directory user accounts can connect to the database. | Nonrepudiation of actions taken is required to maintain data integrity. Examples of particular actions taken by individuals include creating informati... |
