CIS SQL Server 2016 Database L1 DB v1.4.0

Audit Details

Name: CIS SQL Server 2016 Database L1 DB v1.4.0

Updated: 6/17/2024

Authority: CIS

Plugin: MS_SQLDB

Revision: 1.1

Estimated Item Count: 37

File Details

Filename: CIS_Microsoft_SQL_Server_2016_Database_v1.4.0_Level_1_Database.audit

Size: 92.2 kB

MD5: 7f93e9d75f7f9cbddc131ef5175db343
SHA256: bc68747931475e96cb7b28362ddc6b3d79e69b35a4be9bd3823bbfcac804a887

Audit Items

DescriptionCategories
1.1 Ensure Latest SQL Server Service Packs and Hotfixes are Installed

SYSTEM AND SERVICES ACQUISITION

2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.2 Ensure 'CLR Enabled' Server Configuration Option is set to '0'

CONFIGURATION MANAGEMENT

2.3 Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0'

ACCESS CONTROL, MEDIA PROTECTION

2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.5 Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0'

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.6 Ensure 'Remote Access' Server Configuration Option is set to '0'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.8 Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0'

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.9 Ensure 'Trustworthy' Database Property is set to 'Off'

ACCESS CONTROL, MEDIA PROTECTION

2.11 Ensure SQL Server is configured to use non-standard ports

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.12 Ensure 'Hide Instance' option is set to 'Yes' for Production SQL Server instances

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.13 Ensure the 'sa' Login Account is set to 'Disabled'

ACCESS CONTROL

2.14 Ensure the 'sa' Login Account has been renamed

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.15 Ensure 'xp_cmdshell' Server Configuration Option is set to '0'

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.16 Ensure 'AUTO_CLOSE' is set to 'OFF' on contained databases

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.17 Ensure no login exists with the name 'sa'

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.1 Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode'

ACCESS CONTROL

3.2 Ensure CONNECT permissions on the 'guest' user is Revoked within all SQL Server databases

ACCESS CONTROL, MEDIA PROTECTION

3.3 Ensure 'Orphaned Users' are Dropped From SQL Server Databases

ACCESS CONTROL

3.4 Ensure SQL Authentication is not used in contained databases

ACCESS CONTROL

3.8 Ensure only the default permissions specified by Microsoft are granted to the public server role

ACCESS CONTROL, MEDIA PROTECTION

3.9 Ensure Windows BUILTIN groups are not SQL Logins

ACCESS CONTROL, MEDIA PROTECTION

3.10 Ensure Windows local groups are not SQL Logins

ACCESS CONTROL, MEDIA PROTECTION

3.11 Ensure the public role in the msdb database is not granted access to SQL Agent proxies

ACCESS CONTROL, MEDIA PROTECTION

4.1 Ensure 'MUST_CHANGE' Option is set to 'ON' for All SQL Authenticated Logins

IDENTIFICATION AND AUTHENTICATION

4.2 Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role

ACCESS CONTROL

4.3 Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins

IDENTIFICATION AND AUTHENTICATION

5.1 Ensure 'Maximum number of error log files' is set to greater than or equal to '12'

AUDIT AND ACCOUNTABILITY

5.2 Ensure 'Default Trace Enabled' Server Configuration Option is set to '1'

AUDIT AND ACCOUNTABILITY

5.3 Ensure 'Login Auditing' is set to 'failed logins'

AUDIT AND ACCOUNTABILITY

5.4 Ensure 'SQL Server Audit' is set to capture both 'failed' and 'successful logins'

AUDIT AND ACCOUNTABILITY

6.1 Ensure Database and Application User Input is Sanitized

SYSTEM AND SERVICES ACQUISITION

6.2 Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

7.1 Ensure 'Symmetric Key encryption algorithm' is set to 'AES_128' or higher in non-system databases

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

7.2 Ensure Asymmetric Key Size is set to 'greater than or equal to 2048' in non-system databases

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

8.1 Ensure 'SQL Server Browser Service' is configured correctly

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION