| 2.11 Ensure SQL Server is configured to use non-standard ports | CIS SQL Server 2014 Database L1 DB v1.5.0 | MS_SQLDB | SYSTEM AND INFORMATION INTEGRITY |
| 2.11 Ensure SQL Server is configured to use non-standard ports | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.11 Ensure SQL Server is configured to use non-standard ports | CIS SQL Server 2016 Database L1 AWS RDS v1.4.0 | MS_SQLDB | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2 Ensure CONNECT permissions on the 'guest' user is Revoked within all SQL Server databases | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | ACCESS CONTROL, MEDIA PROTECTION |
| 3.5 Ensure the SQL Server's MSSQL Service Account is Not an Administrator | CIS Microsoft SQL Server 2022 v1.2.1 L1 AWS RDS | MS_SQLDB | ACCESS CONTROL |
| 3.5 Ensure the SQL Server's MSSQL Service Account is Not an Administrator | CIS Microsoft SQL Server 2022 v1.2.1 L1 Database Engine | MS_SQLDB | ACCESS CONTROL |
| 3.5 Ensure the SQL Server's SQLAgent Service Account is Not an Administrator | CIS SQL Server 2008 R2 DB OS L1 v1.7.0 | Windows | ACCESS CONTROL |
| 3.6 Ensure the SQL Server's Full-Text Service Account is Not an Administrator | CIS SQL Server 2008 R2 DB OS L1 v1.7.0 | Windows | ACCESS CONTROL |
| 3.6 Ensure the SQL Server's SQLAgent Service Account is Not an Administrator | CIS SQL Server 2012 Database L1 OS v1.6.0 | Windows | ACCESS CONTROL |
| 3.6 Ensure the SQL Server's SQLAgent Service Account is Not an Administrator | CIS SQL Server 2016 Database L1 AWS RDS v1.4.0 | MS_SQLDB | ACCESS CONTROL |
| 4.3 Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins | CIS SQL Server 2016 Database L1 DB v1.4.0 | MS_SQLDB | IDENTIFICATION AND AUTHENTICATION |
| DO6749-ORACLE11 - The Oracle SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter should be set to an ISSO-approved value between 1 and 3 - 'sec_max_failed_login_attempts < 3' | DISA STIG Oracle 11 Instance v9r1 Database | OracleDB | |
| O121-BP-023900 - The Oracle _TRACE_FILES_PUBLIC parameter if present must be set to FALSE. | DISA Oracle Database 12c STIG v3r5 OracleDB | OracleDB | CONFIGURATION MANAGEMENT |
| SP13-00-000165 - The SharePoint farm service account (database access account) must be configured with minimum privileges on the SQL server. | DISA Microsoft SharePoint 2013 STIG v2r4 | Windows | CONFIGURATION MANAGEMENT |
| SQL2-00-003700 - SQL Server must not grant users direct access to the Create server role permission. | DISA STIG SQL Server 2012 DB Instance Security v1r20 | MS_SQLDB | ACCESS CONTROL |
| SQL2-00-004800 - SQL Server must not grant users direct access to the External access assembly permission. | DISA STIG SQL Server 2012 DB Instance Security v1r20 | MS_SQLDB | ACCESS CONTROL |
| SQL2-00-005100 - SQL Server must not grant users direct access to the Alter Settings permission. | DISA STIG SQL Server 2012 DB Instance Security v1r20 | MS_SQLDB | ACCESS CONTROL |
| SQL2-00-005200 - SQL Server must not grant users direct access to the Alter trace permission. | DISA STIG SQL Server 2012 DB Instance Security v1r20 | MS_SQLDB | ACCESS CONTROL |
| SQL2-00-005500 - SQL Server must not grant users direct access to the Alter any linked server permission. | DISA STIG SQL Server 2012 DB Instance Security v1r20 | MS_SQLDB | ACCESS CONTROL |
| SQL2-00-005800 - SQL Server must not grant users direct access to the Control server permission. | DISA STIG SQL Server 2012 DB Instance Security v1r20 | MS_SQLDB | ACCESS CONTROL |
| SQL2-00-006000 - SQL Server must not grant users direct access to the Create availability group permission. | DISA STIG SQL Server 2012 DB Instance Security v1r20 | MS_SQLDB | ACCESS CONTROL |
| SQL2-00-006300 - SQL Server must not grant users direct access to the Administer bulk operations permission. | DISA STIG SQL Server 2012 DB Instance Security v1r20 | MS_SQLDB | ACCESS CONTROL |
| SQL2-00-008000 - SQL Server must not grant users direct access to the Alter any connection permission. | DISA STIG SQL Server 2012 DB Instance Security v1r20 | MS_SQLDB | ACCESS CONTROL |
| SQL2-00-008300 - SQL Server must not grant users direct access to the Alter any endpoint permission. | DISA STIG SQL Server 2012 DB Instance Security v1r20 | MS_SQLDB | ACCESS CONTROL |
| SQL2-00-015800 - The OS must limit privileges to change SQL Server software resident within software libraries (including privileged programs) - '\110\Shared' | DISA STIG SQL Server 2012 Database OS Audit v1r20 | Windows | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| SQL2-00-015800 - The OS must limit privileges to change SQL Server software resident within software libraries (including privileged programs) - 'Install' | DISA STIG SQL Server 2012 Database OS Audit v1r20 | Windows | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| SQL2-00-020400 - SQL Server must associate and maintain security labels when exchanging information between systems. | DISA STIG SQL Server 2012 DB Instance Security v1r20 | MS_SQLDB | SYSTEM AND COMMUNICATIONS PROTECTION |
| SQL4-00-011200 - SQL Server must generate Trace or Audit records for organization-defined auditable events - APPLICATION_ROLE_CHANGE_PASSWORD_GROUP | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-011200 - SQL Server must generate Trace or Audit records for organization-defined auditable events - DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-011200 - SQL Server must generate Trace or Audit records for organization-defined auditable events - DATABASE_ROLE_MEMBER_CHANGE_GROUP | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-012200 - SQL Server must produce Trace or Audit records containing sufficient information to establish the outcome (success or failure) of the events - success/failure of the events. | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-015620 - In a database owned by a login not having administrative privileges at the instance level, the database property TRUSTWORTHY must be OFF unless required and authorized. | DISA STIG SQL Server 2014 Database Audit v1r7 | MS_SQLDB | CONFIGURATION MANAGEMENT |
| SQL4-00-016830 - SQL Server must have the Data Quality Client software component removed if it is unused. | DISA STIG SQL Server 2014 Instance OS Audit v2r4 | Windows | CONFIGURATION MANAGEMENT |
| SQL4-00-037700 - SQL Server must generate Trace or Audit records for all privileged activities or other system-level access - APPLICATION_ROLE_CHANGE_PASSWORD_GROUP | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037700 - SQL Server must generate Trace or Audit records for all privileged activities or other system-level access - DATABASE_OBJECT_PERMISSION_CHANGE_GROUP | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037700 - SQL Server must generate Trace or Audit records for all privileged activities or other system-level access - DATABASE_ROLE_MEMBER_CHANGE_GROUP | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037700 - SQL Server must generate Trace or Audit records for all privileged activities or other system-level access - Event ID 89 | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037700 - SQL Server must generate Trace or Audit records for all privileged activities or other system-level access - Event ID 90 | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037700 - SQL Server must generate Trace or Audit records for all privileged activities or other system-level access - Event ID 118 | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037700 - SQL Server must generate Trace or Audit records for all privileged activities or other system-level access - Event ID 177 | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037700 - SQL Server must generate Trace or Audit records for all privileged activities or other system-level access - FAILED_LOGIN_GROUP | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037700 - SQL Server must generate Trace or Audit records for all privileged activities or other system-level access - SCHEMA_OBJECT_ACCESS_GROUP | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037700 - SQL Server must generate Trace or Audit records for all privileged activities or other system-level access - SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL6-D0-002400 - SQL Server must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. | DISA MS SQL Server 2016 Database STIG v3r4 | MS_SQLDB | SYSTEM AND INFORMATION INTEGRITY |
| SQL6-D0-005700 - SQL Server must be configurable to overwrite audit log records, oldest first (First-In-First-Out - FIFO), in the event of unavailability of space for more audit log records. | DISA MS SQL Server 2016 Instance STIG v3r6 MS_SQLDB | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL6-D0-007500 - Access to linked servers must be disabled or restricted, unless specifically required and approved. | DISA MS SQL Server 2016 Instance STIG v3r6 MS_SQLDB | MS_SQLDB | CONFIGURATION MANAGEMENT |
| SQL6-D0-011900 - SQL Server must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance. | DISA MS SQL Server 2016 Instance STIG v3r6 MS_SQLDB | MS_SQLDB | CONFIGURATION MANAGEMENT |
| SQLD-22-002400 - SQL Server must provide nonprivileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. | DISA Microsoft SQL Server 2022 Database STIG v1r2 | MS_SQLDB | SYSTEM AND INFORMATION INTEGRITY |
| SQLI-22-007700 - SQL Server must be configured to prohibit or restrict the use of organization-defined ports, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments. | DISA Microsoft SQL Server 2022 Instance STIG v1r3 MS_SQLDB | MS_SQLDB | CONFIGURATION MANAGEMENT |
| SQLI-22-012400 - SQL Server services must be configured to run under unique dedicated user accounts. | DISA Microsoft SQL Server 2022 Instance STIG v1r3 MS_SQLDB | MS_SQLDB | SYSTEM AND COMMUNICATIONS PROTECTION |
