DISA Microsoft SQL Server 2022 Instance STIG v1r1 MS_SQLDB

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.


Audit Details

Name: DISA Microsoft SQL Server 2022 Instance STIG v1r1 MS_SQLDB

Updated: 3/2/2026

Authority: DISA STIG

Plugin: MS_SQLDB

Revision: 1.1

Estimated Item Count: 75

File Details

Filename: DISA_STIG_Microsoft_SQL_Server_2022_Instance_v1r1_MS_SQLDB.audit

Size: 216 kB

MD5: ac0fb68f43fc6b7720f7c5ea1dcf1b18
SHA256: ccd3e30006857a3ff6b45d9ed9aec56f4041616b813a5484685178360299d12f

Audit Items

Description    Categories
SQLI-22-003600 - SQL Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.
SQLI-22-003700 - SQL Server must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
SQLI-22-003800 - SQL Server must be configured to use the most-secure authentication method available.
SQLI-22-003900 - SQL Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
SQLI-22-004000 - SQL Server must protect against a user falsely repudiating by ensuring all accounts are individual, unique, and not shared.
SQLI-22-004100 - SQL Server must protect against a user falsely repudiating by ensuring the NT AUTHORITY SYSTEM account is not used for administration.
SQLI-22-004200 - SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the instance.
SQLI-22-004250 - SQL Server must protect against a user falsely repudiating by ensuring that only clearly unique Active Directory user accounts can connect to the database.
SQLI-22-004300 - SQL Server must be configured to generate audit records for DOD-defined auditable events within all DBMS/database components.
SQLI-22-004400 - SQL Server must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
SQLI-22-004600 - SQL Server must generate audit records when attempts to access privileges, categorized information, and security objects occur.
SQLI-22-004700 - SQL Server must initiate session auditing upon startup.
SQLI-22-005500 - SQL Server must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.
SQLI-22-005900 - The audit information produced by SQL Server must be protected from unauthorized access, modification, and deletion.
SQLI-22-006300 - SQL Server must protect its audit configuration from authorized and unauthorized access and modification.
SQLI-22-006500 - SQL Server must limit privileges to change software modules and links to software external to SQL Server.
SQLI-22-006600 - SQL Server must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to SQL Server.
SQLI-22-006700 - SQL Server software installation account must be restricted to authorized users.
SQLI-22-006800 - Database software, including DBMS configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
SQLI-22-006900 - Default demonstration and sample databases, database objects, and applications must be removed.
SQLI-22-007000 - Unused database components, DBMS software, and database objects must be removed.
SQLI-22-007200 - Access to xp_cmdshell must be disabled unless specifically required and approved.
SQLI-22-007300 - Access to common language runtime (CLR) code must be disabled or restricted unless specifically required and approved.
SQLI-22-007400 - Access to nonstandard, extended stored procedures must be disabled or restricted, unless specifically required and approved.
SQLI-22-007500 - Access to linked servers must be disabled or restricted, unless specifically required and approved.
SQLI-22-007600 - SQL Server must be configured to prohibit or restrict the use of organization-defined protocols as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.
SQLI-22-007700 - SQL Server must be configured to prohibit or restrict the use of organization-defined ports, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.
SQLI-22-007800 - SQL Server must uniquely identify and authenticate users (or processes acting on behalf of organizational users).
SQLI-22-007900 - If DBMS authentication using passwords is employed, SQL Server must enforce the DOD standards for password complexity and lifetime.
SQLI-22-008000 - Contained databases must use Windows principals.
SQLI-22-008200 - If passwords are used for authentication, SQL Server must transmit only encrypted representations of passwords.
SQLI-22-009500 - SQL Server must protect the confidentiality and integrity of all information at rest.
SQLI-22-009600 - The Service Master Key must be backed up and stored in a secure location that is not on the SQL Server.
SQLI-22-009700 - The Master Key must be backed up and stored in a secure location that is not on the SQL Server.
SQLI-22-009800 - SQL Server must prevent unauthorized and unintended information transfer via shared system resources.
SQLI-22-009900 - SQL Server must prevent unauthorized and unintended information transfer via Instant File Initialization (IFI).
SQLI-22-010000 - Access to database files must be limited to relevant processes and to authorized, administrative users.
SQLI-22-010010 - SQL Server and associated applications must reserve the use of dynamic code execution for situations that require it.
SQLI-22-010020 - SQL Server and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
SQLI-22-010100 - SQL Server must reveal detailed error messages only to documented and approved individuals or roles.
SQLI-22-010400 - SQL Server must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
SQLI-22-010500 - Use of credentials and proxies must be restricted to necessary cases only.
SQLI-22-010900 - SQL Server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
SQLI-22-011000 - SQL Server must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75 percent of maximum audit record storage capacity.
SQLI-22-011100 - SQL Server must provide an immediate real-time alert to appropriate support staff of all audit log failures.
SQLI-22-011400 - SQL Server must enforce access restrictions associated with changes to the configuration of the instance.
SQLI-22-011500 - Windows must enforce access restrictions associated with changes to the configuration of the SQL Server instance.
SQLI-22-011800 - SQL Server must produce audit records when attempts to modify SQL Server configuration and privileges occur within the database(s).
SQLI-22-012300 - SQL Server must maintain a separate execution domain for each executing process.
SQLI-22-012400 - SQL Server services must be configured to run under unique dedicated user accounts.