| V-213929 | | SQL Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types. | Database management includes the ability to control the number of users and user sessions utilizing SQL Server. Unlimited concurrent connections to SQ... |
| V-213931 | | SQL Server must be configured to utilize the most-secure authentication method available. | Enterprise environments make account management for applications and databases challenging and complex. A manual process for account management functi... |
| V-213933 | | SQL Server must protect against a user falsely repudiating by ensuring all accounts are individual, unique, and not shared. | Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating... |
| V-213934 | | SQL Server must protect against a user falsely repudiating by ensuring the NT AUTHORITY SYSTEM account is not used for administration. | Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating... |
| V-213935 | | SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the instance. | Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating... |
| V-213936 | | SQL Server must be configured to generate audit records for DoD-defined auditable events within all DBMS/database components. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-213937 | | SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or i... |
| V-213939 | | SQL Server must generate audit records when successful/unsuccessful attempts to retrieve privileges/permissions occur. | Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, monitoring must be possibl... |
| V-213940 | | SQL Server must initiate session auditing upon startup. | Session auditing is for use when a user's activities are under investigation. To be sure of capturing all activity during those periods when session a... |
| V-213941 | | SQL Server must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject. | Information system auditing capability is critical for accurate forensic analysis. Reconstruction of harmful events or forensic analysis is not possib... |
| V-213942 | | SQL Server must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure. | It is critical that when SQL Server is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing... |
| V-213943 | | SQL Server must be configurable to overwrite audit log records, oldest first (First-In-First-Out - FIFO), in the event of unavailability of space for more audit log records. | It is critical that when SQL Server is at risk of failing to process audit logs as required, it take action to mitigate the failure. Audit processing ... |
| V-213944 | | The audit information produced by SQL Server must be protected from unauthorized access, modification, and deletion. | If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity i... |
| V-213948 | | SQL Server must protect its audit configuration from authorized and unauthorized access and modification. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is ne... |
| V-213950 | | SQL Server must limit privileges to change software modules and links to software external to SQL Server. | If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate... |
| V-213951 | | SQL Server must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to SQL Server. | If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate... |
| V-213953 | | Database software, including DBMS configuration files, must be stored in dedicated directories, separate from the host OS and other applications. | When dealing with change control issues, it should be noted any changes to the hardware, software, and/or firmware components of the information syste... |
| V-213954 | | Default demonstration and sample databases, database objects, and applications must be removed. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-213955 | | Unused database components, DBMS software, and database objects must be removed. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-213956 | | Unused database components that are integrated in SQL Server and cannot be uninstalled must be disabled. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-213957 | | Access to xp_cmdshell must be disabled, unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-213958 | | Access to CLR code must be disabled or restricted, unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-213959 | | Access to Non-Standard extended stored procedures must be disabled or restricted, unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-213960 | | Access to linked servers must be disabled or restricted, unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-213961 | | SQL Server must be configured to prohibit or restrict the use of organization-defined protocols as defined in the PPSM CAL and vulnerability assessments. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-213962 | | SQL Server must be configured to prohibit or restrict the use of organization-defined ports, as defined in the PPSM CAL and vulnerability assessments. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-213963 | | SQL Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-213965 | | Contained databases must use Windows principals. | OS/enterprise authentication and identification must be used (SRG-APP-000023-DB-000001). Native DBMS authentication may be used only when circumstance... |
| V-213970 | | SQL Server must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). | Non-organizational users include all information system users other than organizational users, which include organizational employees or individuals t... |
| V-213971 | | SQL Server must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values. | One class of man-in-the-middle, or session hijacking, attack involves the adversary guessing at valid session identifiers based on patterns in identif... |
| V-213973 | | The Service Master Key must be backed up and stored in a secure location that is not on the SQL Server. | Backup and recovery of the Service Master Key may be critical to the complete recovery of the database. Creating this backup should be one of the firs... |
| V-213974 | | The Master Key must be backed up and stored in a secure location that is not on the SQL Server. | Backup and recovery of the Master Key may be critical to the complete recovery of the database. Not having this key can lead to loss of data during re... |
| V-213975 | | SQL Server must prevent unauthorized and unintended information transfer via shared system resources. | The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/rol... |
| V-213976 | | SQL Server must prevent unauthorized and unintended information transfer via Instant File Initialization (IFI). | The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/rol... |
| V-213977 | | Access to database files must be limited to relevant processes and to authorized, administrative users. | SQL Server must prevent unauthorized and unintended information transfer via shared system resources. Permitting only SQL Server processes and authori... |
| V-213978 | | SQL Server must reveal detailed error messages only to documented and approved individuals or roles. | If SQL Server provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and ... |
| V-213979 | | SQL Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary... |
| V-213980 | | Use of credentials and proxies must be restricted to necessary cases only. | In certain situations, to provide required functionality, a DBMS needs to execute internal logic (stored procedures, functions, triggers, etc.) and/or... |
| V-213983 | | SQL Server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. | In order to ensure sufficient storage capacity for the audit logs, SQL Server must be able to allocate audit record storage capacity. Although another... |
| V-213984 | | SQL Server must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity. | Organizations are required to use a central log management system, so, under normal conditions, the audit space allocated to SQL Server on its own ser... |
| V-213985 | | SQL Server must provide an immediate real-time alert to appropriate support staff of all audit log failures. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time aler... |
| V-213986 | | SQL Server must record time stamps in audit records and application data that can be mapped to Coordinated Universal Time (UTC, formerly GMT). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
Time stamps genera... |
| V-213987 | | SQL Server must enforce access restrictions associated with changes to the configuration of the instance. | Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the sy... |
| V-213988 | | Windows must enforce access restrictions associated with changes to the configuration of the SQL Server instance. | Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the sy... |
| V-213989 | | SQL Server must produce audit records of its enforcement of access restrictions associated with changes to the configuration of SQL Server or database(s). | Without auditing the enforcement of access restrictions against changes to configuration, it would be difficult to identify attempted attacks and an a... |
| V-213990 | | SQL Server must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance. | Use of nonsecure network functions, ports, protocols, and services exposes the system to avoidable threats.... |
| V-213991 | | SQL Server must maintain a separate execution domain for each executing process. | Database management systems can maintain separate execution domains for each executing process by assigning each process a separate address space.
... |
| V-213992 | | SQL Server services must be configured to run under unique dedicated user accounts. | Database management systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Eac... |
| V-213993 | | When updates are applied to SQL Server software, any software components that have been replaced or made unnecessary must be removed. | Previous versions of DBMS components that are not removed from the information system after updates have been installed may be exploited by adversarie... |
| V-213994 | | Security-relevant software updates to SQL Server must be installed within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs). | Security flaws with software applications, including database management systems, are discovered daily. Vendors are constantly updating and patching t... |
| V-213995 | | SQL Server must be able to generate audit records when successful and unsuccessful attempts to access security objects occur. | Changes to the security configuration must be tracked.
This requirement applies to situations where security data is retrieved or modified via data ... |
| V-213998 | | SQL Server must generate audit records when successful and unsuccessful attempts to access categorized information (e.g., classification levels/security levels) occur. | Changes in categorized information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.
For detailed... |
| V-214000 | | SQL Server must generate audit records when successful and unsuccessful attempts to add privileges/permissions occur. | Changes in the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized elevation or restri... |
| V-214002 | | SQL Server must generate audit records when successful and unsuccessful attempts to modify privileges/permissions occur. | Changes in the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized elevation or restri... |
| V-214004 | | SQL Server must generate audit records when successful and unsuccessful attempts to modify security objects occur. | Changes in the database objects (tables, views, procedures, functions) that record and control permissions, privileges, and roles granted to users and... |
| V-214006 | | SQL Server must generate audit records when successful and unsuccessful attempts to modify categorized information (e.g., classification levels/security levels) occur. | Changes in categories of information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.
To aid in ... |
| V-214008 | | SQL Server must generate audit records when successful and unsuccessful attempts to delete privileges/permissions occur. | Changes in the permissions, privileges, and roles granted to users and roles must be tracked. Without an audit trail, unauthorized elevation or restri... |
| V-214010 | | SQL Server must generate audit records when successful and unsuccessful attempts to delete security objects occur. | The removal of security objects from the database/DBMS would seriously degrade a system's information assurance posture. If such an action is attempte... |
| V-214012 | | SQL Server must generate audit records when successful and unsuccessful attempts to delete categorized information (e.g., classification levels/security levels) occur. | Changes in categorized information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected.
To aid in di... |
| V-214014 | | SQL Server must generate audit records when successful and unsuccessful logons or connection attempts occur. | For completeness of forensic analysis, it is necessary to track who/what (a user or other principal) logs on to SQL Server. It is also necessary to tr... |
| V-214015 | | SQL Server must generate audit records for all privileged activities or other system-level access. | Without tracking privileged activity, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify th... |
| V-214016 | | SQL Server must generate audit records when unsuccessful attempts to execute privileged activities or other system-level access occur. | Without tracking privileged activity, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify th... |
| V-214017 | | SQL Server must generate audit records showing starting and ending time for user access to the database(s). | For completeness of forensic analysis, it is necessary to know how long a user's (or other principal's) connection to SQL Server lasts. This can be ac... |
| V-214018 | | SQL Server must generate audit records when concurrent logons/connections by the same user from different workstations occur. | For completeness of forensic analysis, it is necessary to track who logs on to SQL Server.
Concurrent connections by the same user from multiple wo... |
| V-214020 | | SQL Server must generate audit records when successful and unsuccessful accesses to objects occur. | Without tracking all or selected types of access to all or selected objects (tables, views, procedures, functions, etc.), it would be difficult to est... |
| V-214021 | | SQL Server must generate audit records for all direct access to the database(s). | In this context, direct access is any query, command, or call to SQL Server that comes from any source other than the application(s) that it supports.... |
| V-214024 | | SQL Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owners requirements. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptogr... |
| V-214025 | | The system SQL Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information... |
| V-214026 | | SQL Server must configure Customer Feedback and Error Reporting. | By default, Microsoft SQL Server enables participation in the customer experience improvement program (CEIP). This program collects information about ... |
| V-214027 | | SQL Server must configure SQL Server Usage and Error Reporting Auditing. | By default, Microsoft SQL Server enables participation in the customer experience improvement program (CEIP). This program collects information about ... |
| V-214029 | | SQL Server default account [sa] must have its name changed. | SQL Server's [sa] account has special privileges required to administer the database. The [sa] account is a well-known SQL Server account name and is ... |
| V-214030 | | Execution of startup stored procedures must be restricted to necessary cases only. | In certain situations, to provide required functionality, a DBMS needs to execute internal logic (stored procedures, functions, triggers, etc.) and/or... |
| V-214031 | | SQL Server Mirroring endpoint must utilize AES encryption. | Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during agg... |
| V-214032 | | SQL Server Service Broker endpoint must utilize AES encryption. | Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during agg... |
| V-214033 | | SQL Server execute permissions to access the registry must be revoked, unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-214034 | | Filestream must be disabled, unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-214035 | | Ole Automation Procedures feature must be disabled, unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-214036 | | SQL Server User Options feature must be disabled, unless specifically required and approved. | SQL Server is capable of providing a wide range of features and services. Some of the features and services, provided by default, may not be necessary... |
| V-214037 | | Remote Access feature must be disabled, unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-214038 | | Hadoop Connectivity feature must be disabled, unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-214039 | | Allow Polybase Export feature must be disabled, unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-214040 | | Remote Data Archive feature must be disabled, unless specifically required and approved. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-214041 | | SQL Server External Scripts Enabled feature must be disabled, unless specifically required and approved. | SQL Server is capable of providing a wide range of features and services. Some of the features and services, provided by default, may not be necessary... |
| V-214043 | | SQL Server Replication Xps feature must be disabled, unless specifically required and approved. | SQL Server is capable of providing a wide range of features and services. Some of the features and services, provided by default, may not be necessary... |
| V-214042 | | The SQL Server Browser service must be disabled unless specifically required and approved. | The SQL Server Browser simplifies the administration of SQL Server, particularly when multiple instances of SQL Server coexist on the same computer. I... |
| V-214044 | | If the SQL Server Browser Service is specifically required and approved, SQL instances must be hidden. | The SQL Server Browser simplifies the administration of SQL Server, particularly when multiple instances of SQL Server coexist on the same computer. I... |
| V-213930 | | SQL Server must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. | Enterprise environments make account management for applications and databases challenging and complex. A manual process for account management functi... |
| V-213932 | | SQL Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | Authentication with a DoD-approved PKI certificate does not necessarily imply authorization to access SQL Server. To mitigate the risk of unauthorize... |
| V-213952 | | SQL Server software installation account must be restricted to authorized users. | When dealing with change control issues, it should be noted any changes to the hardware, software, and/or firmware components of the information syste... |
| V-213964 | | If DBMS authentication using passwords is employed, SQL Server must enforce the DOD standards for password complexity and lifetime. | Windows Authentication is the default authentication mode and is much more secure than SQL Server Authentication. Windows Authentication uses Kerberos... |
| V-213966 | | If passwords are used for authentication, SQL Server must transmit only encrypted representations of passwords. | The DOD standard for authentication is DOD-approved PKI certificates.
Authentication based on User ID and Password may be used only when it is not ... |
| V-213967 | | Confidentiality of information during transmission is controlled through the use of an approved TLS version. | Transport Layer Security (TLS) encryption is a required security setting as a number of known vulnerabilities have been reported against Secure Socket... |
| V-213968 | | SQL Server must enforce authorized access to all PKI private keys stored/utilized by SQL Server. | The DoD standard for authentication is DoD-approved PKI certificates. PKI certificate-based authentication is performed by requiring the certificate h... |
| V-213969 | | SQL Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations. | Use of weak or not validated cryptographic algorithms undermines the purposes of utilizing encryption and digital signatures to protect data. Weak alg... |
| V-213972 | | SQL Server must protect the confidentiality and integrity of all information at rest. | This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and sys... |
| V-214022 | | SQL Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to provision digital signatures. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptogr... |
| V-214023 | | SQL Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to generate and validate cryptographic hashes. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptogr... |
| V-214028 | | The SQL Server default account [sa] must be disabled. | SQL Server's [sa] account has special privileges required to administer the database. The [sa] account is a well-known SQL Server account and is likel... |
| V-214045 | | When using command-line tools such as SQLCMD in a mixed-mode authentication environment, users must use a logon method that does not expose the password. | To prevent the compromise of authentication information, such as passwords and PINs, during the authentication process, the feedback from the informat... |
| V-214046 | | Applications must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. | To prevent the compromise of authentication information, such as passwords and PINs, during the authentication process, the feedback from the informat... |
| V-265870 | | Microsoft SQL Server products must be a version supported by the vendor. | Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack ... |
