Microsoft SQL Server 2016 Instance STIG (version 1, rel. 9)

This policy compares the configuration of a SQL Server 2016 instance against the criteria defined in the Microsoft SQL Server 2016 Instance STIG and reports the result for each rule, for the server as a whole, and for the policy. The STIG rules listed below require manual review or organization-specific input and are therefore not included in this policy:

  • V-79119 - SQL Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.
  • V-79123 - SQL Server must be configured to utilize the most-secure authentication method available.
  • V-79127 - SQL Server must protect against a user falsely repudiating by ensuring all accounts are individual, unique, and not shared.
  • V-79133 - SQL Server must be configured to generate audit records for DoD-defined auditable events within all DBMS/database components.
  • V-79135 - SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
  • V-79145 - SQL Server must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.
  • V-79151 - The audit information produced by SQL Server must be protected from unauthorized read access.
  • V-79153 - The audit information produced by SQL Server must be protected from unauthorized modification.
  • V-79155 - The audit information produced by SQL Server must be protected from unauthorized deletion.
  • V-79163 - SQL Server must limit privileges to change software modules and links to software external to SQL Server.
  • V-79165 - SQL Server must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to SQL Server.
  • V-79167 - SQL Server software installation account must be restricted to authorized users.
  • V-79169 - Database software, including DBMS configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
  • V-79173 - Unused database components, DBMS software, and database objects must be removed.
  • V-79175 - Unused database components that are integrated in SQL Server and cannot be uninstalled must be disabled.
  • V-79187 - SQL Server must be configured to prohibit or restrict the use of organization-defined ports, as defined in the PPSM CAL and vulnerability assessments.
  • V-79189 - SQL Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
  • V-79201 - SQL Server must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
  • V-79205 - SQL Server must protect the confidentiality and integrity of all information at rest.
  • V-79207 - The Service Master Key must be backed up, stored offline and off-site.
  • V-79209 - The Master Key must be backed up, stored offline and off-site.
  • V-79215 - Access to database files must be limited to relevant processes and to authorized, administrative users.
  • V-79217 - SQL Server must reveal detailed error messages only to the ISSO, ISSM, SA, and DBA.
  • V-79219 - SQL Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
  • V-79223 - SQL Server must utilize centralized management of the content captured in audit records generated by all components of SQL Server.
  • V-79225 - SQL Server must provide centralized configuration of the content to be captured in audit records generated by all components of SQL Server.
  • V-79229 - SQL Server must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity.
  • V-79231 - SQL Server must provide an immediate real-time alert to appropriate support staff of all audit log failures.
  • V-79235 - SQL Server must enforce access restrictions associated with changes to the configuration of the instance.
  • V-79237 - Windows must enforce access restrictions associated with changes to the configuration of the SQL Server instance.
  • V-79241 - SQL Server must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.
  • V-79245 - SQL Server services must be configured to run under unique dedicated user accounts.
  • V-79247 - When updates are applied to SQL Server software, any software components that have been replaced or made unnecessary must be removed.
  • V-79249 - Security-relevant software updates to SQL Server must be installed within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).
  • V-79311 - The system SQL Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.
  • V-79315 - SQL Server must configure SQL Server Usage and Error Reporting Auditing.
  • V-79355 - When using command-line tools such as SQLCMD in a mixed-mode authentication environment, users must use a logon method that does not expose the password.
  • V-79357 - Applications must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

Product Disclaimer: Please note that this policy is based on the Microsoft SQL Server 2016 Instance STIG, Ver 1, Rel 9 XCCDF (see the latest definition at https://nvd.nist.gov/ncp/checklist/838), which was published as a tool to improve the security of information systems. Your organization should internally review and assess to what extent, if any, this policy should be incorporated into your environment and how you can best ensure compliance with your internal policies. All policies contain only the subset of rules deemed automatable by SolarWinds. SolarWinds makes no warranty, express or implied, and assumes no legal liability or responsibility for the policies contained herein, including the accuracy, completeness, or usefulness of any information.