MS SQL Server 2016 Instance Security Technical Implementation Guide


Overview

Date: 2023-06-01
Finding Count (102): CAT I (High): 15, CAT II (Med): 85, CAT III (Low): 2
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-213952 High SQL Server software installation account must be restricted to authorized users.
V-214028 High The SQL Server default account [sa] must be disabled.
V-214022 High SQL Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to provision digital signatures.
V-214023 High SQL Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to generate and validate cryptographic hashes.
V-213968 High SQL Server must enforce authorized access to all PKI private keys stored/utilized by SQL Server.
V-213969 High SQL Server must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.
V-213966 High If passwords are used for authentication, SQL Server must transmit only encrypted representations of passwords.
V-213967 High Confidentiality of information during transmission is controlled through the use of an approved TLS version.
V-213964 High If DBMS authentication using passwords is employed, SQL Server must enforce the DoD standards for password complexity and lifetime.
V-213972 High SQL Server must protect the confidentiality and integrity of all information at rest.
V-214045 High When using command-line tools such as SQLCMD in a mixed-mode authentication environment, users must use a logon method that does not expose the password.
V-214046 High Applications must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
V-213934 High SQL Server must protect against a user falsely repudiating by ensuring the NT AUTHORITY SYSTEM account is not used for administration.
V-213930 High SQL Server must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
V-213932 High SQL Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
V-214008 Medium SQL Server must generate audit records when successful and unsuccessful attempts to delete privileges/permissions occur.
V-214000 Medium SQL Server must generate audit records when successful and unsuccessful attempts to add privileges/permissions occur.
V-214002 Medium SQL Server must generate audit records when successful and unsuccessful attempts to modify privileges/permissions occur.
V-214004 Medium SQL Server must generate audit records when successful and unsuccessful attempts to modify security objects occur.
V-214006 Medium SQL Server must generate audit records when successful and unsuccessful attempts to modify categorized information (e.g., classification levels/security levels) occur.
V-213948 Medium SQL Server must protect its audit configuration from authorized and unauthorized access and modification.
V-213940 Medium SQL Server must initiate session auditing upon startup.
V-213941 Medium SQL Server must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.
V-213942 Medium SQL Server must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.
V-213943 Medium SQL Server must be configurable to overwrite audit log records, oldest first (First-In-First-Out - FIFO), in the event of unavailability of space for more audit log records.
V-213944 Medium The audit information produced by SQL Server must be protected from unauthorized access, modification, and deletion.
V-214018 Medium SQL Server must generate audit records when concurrent logons/connections by the same user from different workstations occur.
V-214012 Medium SQL Server must generate audit records when successful and unsuccessful attempts to delete categorized information (e.g., classification levels/security levels) occur.
V-214010 Medium SQL Server must generate audit records when successful and unsuccessful attempts to delete security objects occur.
V-214017 Medium SQL Server must generate audit records showing starting and ending time for user access to the database(s).
V-214016 Medium SQL Server must generate audit records when unsuccessful attempts to execute privileged activities or other system-level access occur.
V-214015 Medium SQL Server must generate audit records for all privileged activities or other system-level access.
V-214014 Medium SQL Server must generate audit records when successful and unsuccessful logons or connection attempts occur.
V-213959 Medium Access to Non-Standard extended stored procedures must be disabled or restricted, unless specifically required and approved.
V-213958 Medium Access to CLR code must be disabled or restricted, unless specifically required and approved.
V-213953 Medium Database software, including DBMS configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
V-213951 Medium SQL Server must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to SQL Server.
V-213950 Medium SQL Server must limit privileges to change software modules and links to software external to SQL Server.
V-213957 Medium Access to xp_cmdshell must be disabled, unless specifically required and approved.
V-213956 Medium Unused database components that are integrated in SQL Server and cannot be uninstalled must be disabled.
V-213955 Medium Unused database components, DBMS software, and database objects must be removed.
V-213954 Medium Default demonstration and sample databases, database objects, and applications must be removed.
V-214029 Medium SQL Server default account [sa] must have its name changed.
V-214026 Medium SQL Server must configure Customer Feedback and Error Reporting.
V-214027 Medium SQL Server must configure SQL Server Usage and Error Reporting Auditing.
V-214024 Medium SQL Server must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owner's requirements.
V-214025 Medium The system SQL Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.
V-214020 Medium SQL Server must generate audit records when successful and unsuccessful accesses to objects occur.
V-214021 Medium SQL Server must generate audit records for all direct access to the database(s).
V-213965 Medium Contained databases must use Windows principals.
V-213962 Medium SQL Server must be configured to prohibit or restrict the use of organization-defined ports, as defined in the PPSM CAL and vulnerability assessments.
V-213963 Medium SQL Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-213960 Medium Access to linked servers must be disabled or restricted, unless specifically required and approved.
V-213961 Medium SQL Server must be configured to prohibit or restrict the use of organization-defined protocols as defined in the PPSM CAL and vulnerability assessments.
V-214031 Medium SQL Server Mirroring endpoint must utilize AES encryption.
V-214030 Medium Execution of startup stored procedures must be restricted to necessary cases only.
V-214033 Medium SQL Server execute permissions to access the registry must be revoked, unless specifically required and approved.
V-214032 Medium SQL Server Service Broker endpoint must utilize AES encryption.
V-214035 Medium Ole Automation Procedures feature must be disabled, unless specifically required and approved.
V-214034 Medium Filestream must be disabled, unless specifically required and approved.
V-214037 Medium Remote Access feature must be disabled, unless specifically required and approved.
V-214036 Medium SQL Server User Options feature must be disabled, unless specifically required and approved.
V-214039 Medium Allow Polybase Export feature must be disabled, unless specifically required and approved.
V-214038 Medium Hadoop Connectivity feature must be disabled, unless specifically required and approved.
V-213971 Medium SQL Server must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.
V-213970 Medium SQL Server must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-213973 Medium The Service Master Key must be backed up, stored offline and off-site.
V-213975 Medium SQL Server must prevent unauthorized and unintended information transfer via shared system resources.
V-213974 Medium The Master Key must be backed up, stored offline and off-site.
V-213977 Medium Access to database files must be limited to relevant processes and to authorized, administrative users.
V-213976 Medium SQL Server must prevent unauthorized and unintended information transfer via Instant File Initialization (IFI).
V-213979 Medium SQL Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
V-213978 Medium SQL Server must reveal detailed error messages only to the ISSO, ISSM, SA, and DBA.
V-213988 Medium Windows must enforce access restrictions associated with changes to the configuration of the SQL Server instance.
V-213989 Medium SQL Server must produce audit records of its enforcement of access restrictions associated with changes to the configuration of SQL Server or database(s).
V-213984 Medium SQL Server must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity.
V-213985 Medium SQL Server must provide an immediate real-time alert to appropriate support staff of all audit log failures.
V-213986 Medium SQL Server must record time stamps in audit records and application data that can be mapped to Coordinated Universal Time (UTC, formerly GMT).
V-213987 Medium SQL Server must enforce access restrictions associated with changes to the configuration of the instance.
V-213980 Medium Use of credentials and proxies must be restricted to necessary cases only.
V-213981 Medium SQL Server must utilize centralized management of the content captured in audit records generated by all components of SQL Server.
V-213982 Medium SQL Server must provide centralized configuration of the content to be captured in audit records generated by all components of SQL Server.
V-213983 Medium SQL Server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
V-214040 Medium Remote Data Archive feature must be disabled, unless specifically required and approved.
V-214041 Medium SQL Server External Scripts Enabled feature must be disabled, unless specifically required and approved.
V-214043 Medium SQL Server Replication Xps feature must be disabled, unless specifically required and approved.
V-213998 Medium SQL Server must generate audit records when successful and unsuccessful attempts to access categorized information (e.g., classification levels/security levels) occur.
V-213995 Medium SQL Server must be able to generate audit records when successful and unsuccessful attempts to access security objects occur.
V-213994 Medium Security-relevant software updates to SQL Server must be installed within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).
V-213993 Medium When updates are applied to SQL Server software, any software components that have been replaced or made unnecessary must be removed.
V-213992 Medium SQL Server services must be configured to run under unique dedicated user accounts.
V-213991 Medium SQL Server must maintain a separate execution domain for each executing process.
V-213990 Medium SQL Server must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.
V-213929 Medium SQL Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.
V-213939 Medium SQL Server must generate audit records when successful/unsuccessful attempts to retrieve privileges/permissions occur.
V-213935 Medium SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the instance.
V-213937 Medium SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
V-213936 Medium SQL Server must be configured to generate audit records for DoD-defined auditable events within all DBMS/database components.
V-213931 Medium SQL Server must be configured to utilize the most-secure authentication method available.
V-213933 Medium SQL Server must protect against a user falsely repudiating by ensuring all accounts are individual, unique, and not shared.
V-214044 Low If the SQL Server Browser Service is specifically required and approved, SQL instances must be hidden.
V-214042 Low The SQL Server Browser service must be disabled unless specifically required and approved.