| 1.1 Ensure Latest SQL Server Cumulative and Security Updates are Installed | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | SYSTEM AND SERVICES ACQUISITION |
| 2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1 Prevent Database Users from Logging into the Operating System | CIS IBM DB2 11 v1.2.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 2.2 Ensure 'CLR Enabled' Server Configuration Option is set to '0' | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | CONFIGURATION MANAGEMENT |
| 2.3 Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0' | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | ACCESS CONTROL, MEDIA PROTECTION |
| 2.5 Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0' | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.6 Ensure 'Remote Access' Server Configuration Option is set to '0' | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.8 Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0' | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.10 Ensure 'Trustworthy' Database Property is set to 'Off' | CIS SQL Server 2008 R2 DB Engine L1 v1.7.0 | MS_SQLDB | ACCESS CONTROL |
| 2.11 Ensure SQL Server is configured to use non-standard ports | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.13 Ensure the 'sa' Login Account is set to 'Disabled' | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | ACCESS CONTROL |
| 2.14 Ensure the 'sa' Login Account has been renamed | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.15 Ensure 'xp_cmdshell' Server Configuration Option is set to '0' | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.17 Ensure no login exists with the name 'sa' | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.18 Ensure 'clr strict security' Server Configuration Option is set to '1' | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.3 Ensure 'Orphaned Users' are Dropped From SQL Server Databases | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | ACCESS CONTROL |
| 3.4 Ensure SQL Authentication is not used in contained databases | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | ACCESS CONTROL |
| 3.5 Ensure the SQL Server's MSSQL Service Account is Not an Administrator | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | ACCESS CONTROL |
| 3.7 Ensure the SQL Server's Full-Text Service Account is Not an Administrator | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | ACCESS CONTROL |
| 3.9 Ensure Windows BUILTIN groups are not SQL Logins | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | ACCESS CONTROL, MEDIA PROTECTION |
| 3.10 Ensure Windows local groups are not SQL Logins | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.3 Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | IDENTIFICATION AND AUTHENTICATION |
| 5.1 Ensure 'Maximum number of error log files' is set to greater than or equal to '12' | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| 5.2 Ensure 'Default Trace Enabled' Server Configuration Option is set to '1' | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| 6.2 Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 7.1 Ensure 'Symmetric Key encryption algorithm' is set to 'AES_128' or higher in non-system databases | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0 | MS_SQLDB | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.4 Ensure Network Encryption is Configured and Enabled | CIS SQL Server 2017 Database L2 DB v1.3.0 | MS_SQLDB | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.5 Ensure Databases are Encrypted with TDE | CIS SQL Server 2017 Database L2 DB v1.3.0 | MS_SQLDB | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| EP11-00-006200 - The EDB Postgres Advanced Server must check the validity of all data inputs except those specifically identified by the organization. | EDB PostgreSQL Advanced Server v11 DB Audit v2r4 | PostgreSQLDB | SYSTEM AND INFORMATION INTEGRITY |
| SQL4-00-012000 - SQL Server must produce Trace or Audit records containing sufficient information to establish where the events occurred. | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-016200 - SQL Server must have the publicly available Northwind sample database removed. | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | CONFIGURATION MANAGEMENT |
| SQL4-00-016300 - SQL Server must have the publicly available pubs sample database removed. | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | CONFIGURATION MANAGEMENT |
| SQL4-00-016835 - SQL Server must have the Data Quality Services software component removed if it is unused. | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | CONFIGURATION MANAGEMENT |
| SQL4-00-017100 - The SQL Server default account [sa] must be disabled. | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | CONFIGURATION MANAGEMENT |
| SQL4-00-035500 - Software updates to SQL Server must be tested before being applied to production systems. | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | SYSTEM AND INFORMATION INTEGRITY |
| SQL4-00-035600 - SQL Server must produce Trace or Audit records when security objects are accessed - Event ID 43 | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-035600 - SQL Server must produce Trace or Audit records when security objects are accessed - Event ID 90 | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-035600 - SQL Server must produce Trace or Audit records when security objects are accessed - SCHEMA_OBJECT_ACCESS_GROUP | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037500 - SQL Server must generate Trace or Audit records when successful logons or connections occur - Event ID 15 | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037500 - SQL Server must generate Trace or Audit records when successful logons or connections occur - SUCCESSFUL_LOGIN_GROUP | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037900 - SQL Server must generate Trace or Audit records when logoffs or disconnections occur - Event ID 14 | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037900 - SQL Server must generate Trace or Audit records when logoffs or disconnections occur - Event ID 15 | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL4-00-037900 - SQL Server must generate Trace or Audit records when logoffs or disconnections occur - Event ID 16 | DISA STIG SQL Server 2014 Instance DB Audit v2r4 | MS_SQLDB | AUDIT AND ACCOUNTABILITY |
| SQL6-D0-016200 - The SQL Server default account [sa] must be disabled. | DISA STIG SQL Server 2016 Instance DB Audit v3r5 | MS_SQLDB | ACCESS CONTROL |
| SQL6-D0-017600 - Remote Data Archive feature must be disabled, unless specifically required and approved. | DISA STIG SQL Server 2016 Instance DB Audit v3r5 | MS_SQLDB | CONFIGURATION MANAGEMENT |
| SQL6-D0-017800 - The SQL Server Browser service must be disabled unless specifically required and approved. | DISA STIG SQL Server 2016 Instance OS Audit v3r5 | Windows | CONFIGURATION MANAGEMENT |
| SQL6-D0-018000 - If the SQL Server Browser Service is specifically required and approved, SQL instances must be hidden. | DISA STIG SQL Server 2016 Instance DB Audit v3r5 | MS_SQLDB | CONFIGURATION MANAGEMENT |
| SQLI-22-016200 - The SQL Server default account [sa] must be disabled. | DISA Microsoft SQL Server 2022 Instance STIG v1r1 MS_SQLDB | MS_SQLDB | ACCESS CONTROL |
| SQLI-22-017800 - The SQL Server Browser service must be disabled unless specifically required and approved. | DISA Microsoft SQL Server 2022 Instance STIG v1r1 Windows | Windows | CONFIGURATION MANAGEMENT |
