The document provides recommendations for securing a SQL Server database, including ensuring latest updates and patches are installed, restricting surface area by disabling unnecessary configuration options, enforcing strong authentication and authorization by using Windows authentication and restricting permissions, enforcing password policies, enabling auditing and logging, securing application development, using encryption of at least AES 128-bit or higher, and additional configuration considerations. It categorizes the recommendations and specifies whether each item can be implemented manually or automated.
CIS Microsoft SQL Server 2016 Benchmark v1.3.0
Recommendations
1 Installation, Updates and Patches
1.1 Ensure Latest SQL Server Service Packs and Hotfixes are Installed (Manual)
1.2 Ensure Single-Function Member Servers are Used (Manual)
2 Surface Area Reduction
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' (Automated)
2.2 Ensure 'CLR Enabled' Server Configuration Option is set to '0' (Automated)
2.3 Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0' (Automated)
2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' (Automated)
2.5 Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0' (Automated)
2.6 Ensure 'Remote Access' Server Configuration Option is set to '0' (Automated)
2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' (Automated)
2.8 Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0' (Automated)
2.9 Ensure 'Trustworthy' Database Property is set to 'Off' (Automated)
2.10 Ensure Unnecessary SQL Server Protocols are set to 'Disabled' (Manual)
2.11 Ensure SQL Server is configured to use non-standard ports (Automated)
2.12 Ensure 'Hide Instance' option is set to 'Yes' for Production SQL Server instances (Automated)
2.13 Ensure the 'sa' Login Account is set to 'Disabled' (Automated)
2.14 Ensure the 'sa' Login Account has been renamed (Automated)
2.15 Ensure 'xp_cmdshell' Server Configuration Option is set to '0' (Automated)
2.16 Ensure 'AUTO_CLOSE' is set to 'OFF' on contained databases (Automated)
2.17 Ensure no login exists with the name 'sa' (Automated)
3 Authentication and Authorization
3.1 Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode' (Automated)
3.2 Ensure CONNECT permissions on the 'guest' user is Revoked within all SQL Server databases excluding the master, msdb and tempdb (Automated)
3.3 Ensure 'Orphaned Users' are Dropped From SQL Server Databases (Automated)
3.4 Ensure SQL Authentication is not used in contained databases (Automated)
3.5 Ensure the SQL Server's MSSQL Service Account is Not an Administrator (Manual)
3.6 Ensure the SQL Server's SQLAgent Service Account is Not an Administrator (Manual)
3.7 Ensure the SQL Server's Full-Text Service Account is Not an Administrator (Manual)
3.8 Ensure only the default permissions specified by Microsoft are granted to the public server role (Automated)
3.9 Ensure Windows BUILTIN groups are not SQL Logins (Automated)
3.10 Ensure Windows local groups are not SQL Logins (Automated)
3.11 Ensure the public role in the msdb database is not granted access to SQL Agent proxies (Automated)
4 Password Policies
4.1 Ensure 'MUST_CHANGE' Option is set to 'ON' for All SQL Authenticated Logins (Manual)
4.2 Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role (Automated)
4.3 Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins (Automated)
5 Auditing and Logging
5.1 Ensure 'Maximum number of error log files' is set to greater than or equal to '12' (Automated)
5.2 Ensure 'Default Trace Enabled' Server Configuration Option is set to '1' (Automated)
5.3 Ensure 'Login Auditing' is set to 'failed logins' (Automated)
5.4 Ensure 'SQL Server Audit' is set to capture both 'failed' and 'successful logins' (Automated)
6 Application Development
6.1 Ensure Database and Application User Input is Sanitized (Manual)
6.2 Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies (Automated)
7 Encryption
7.1 Ensure 'Symmetric Key encryption algorithm' is set to 'AES_128' or higher in non-system databases (Automated)
7.2 Ensure Asymmetric Key Size is set to 'greater than or equal to 2048' in non-system databases (Automated)
8 Appendix: Additional Considerations
8.1 Ensure 'SQL Server Browser Service' is configured correctly (Manual)
Appendix: Recommendation Summary Table