CIS Microsoft SQL Server 2008 R2 Database Engine Benchmark v1.0.0
CIS Microsoft SQL Server 2016 Benchmark v1.0.0
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International Public License. The link to the license terms can be found at https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode

To further clarify the Creative Commons license related to CIS Benchmark content, you are authorized to copy and redistribute the content for use by you, within your organization and outside your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Benchmark(s), you may only distribute the modified materials if they are subject to the same license terms as the original Benchmark license and your derivative will no longer be a CIS Benchmark. Commercial use of CIS Benchmarks is subject to the prior approval of the Center for Internet Security.
Table of Contents

Overview
  Intended Audience
  Consensus Guidance
  Typographical Conventions
  Scoring Information
  Profile Definitions
  Acknowledgements
Recommendations
  1 Installation, Updates and Patches
    1.1 Ensure Latest SQL Server Service Packs and Hotfixes are Installed (Not Scored)
    1.2 Ensure Single-Function Member Servers are Used (Not Scored)
  2 Surface Area Reduction
    2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' (Scored)
    2.2 Ensure 'CLR Enabled' Server Configuration Option is set to '0' (Scored)
    2.3 Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0' (Scored)
    2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' (Scored)
    2.5 Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0' (Scored)
    2.6 Ensure 'Remote Access' Server Configuration Option is set to '0' (Scored)
    2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' (Scored)
    2.8 Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0' (Scored)
    2.9 Ensure 'Trustworthy' Database Property is set to 'Off' (Scored)
    2.10 Ensure Unnecessary SQL Server Protocols are set to 'Disabled' (Not Scored)
    2.11 Ensure SQL Server is configured to use non-standard ports (Scored)
    2.12 Ensure 'Hide Instance' option is set to 'Yes' for Production SQL Server instances (Scored)
    2.13 Ensure the 'sa' Login Account is set to 'Disabled' (Scored)
    2.14 Ensure the 'sa' Login Account has been renamed (Scored)
    2.15 Ensure 'xp_cmdshell' Server Configuration Option is set to '0' (Scored)
    2.16 Ensure 'AUTO_CLOSE' is set to 'OFF' on contained databases (Scored)
    2.17 Ensure no login exists with the name 'sa' (Scored)
  3 Authentication and Authorization
    3.1 Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode' (Scored)
    3.2 Ensure CONNECT permissions on the 'guest' user is Revoked within all SQL Server databases excluding the master, msdb and tempdb (Scored)
    3.3 Ensure 'Orphaned Users' are Dropped From SQL Server Databases (Scored)
    3.4 Ensure SQL Authentication is not used in contained databases (Scored)
    3.5 Ensure the SQL Server's MSSQL Service Account is Not an Administrator (Scored)
    3.6 Ensure the SQL Server's SQLAgent Service Account is Not an Administrator (Scored)
    3.7 Ensure the SQL Server's Full-Text Service Account is Not an Administrator (Scored)
    3.8 Ensure only the default permissions specified by Microsoft are granted to the public server role (Scored)
    3.9 Ensure Windows BUILTIN groups are not SQL Logins (Scored)
    3.10 Ensure Windows local groups are not SQL Logins (Scored)
    3.11 Ensure the public role in the msdb database is not granted access to SQL Agent proxies (Scored)
  4 Password Policies
    4.1 Ensure 'MUST_CHANGE' Option is set to 'ON' for All SQL Authenticated Logins (Not Scored)
    4.2 Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role (Scored)
    4.3 Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins (Scored)
  5 Auditing and Logging
    5.1 Ensure 'Maximum number of error log files' is set to greater than or equal to '12' (Scored)
    5.2 Ensure 'Default Trace Enabled' Server Configuration Option is set to '1' (Scored)
    5.3 Ensure 'Login Auditing' is set to 'failed logins' (Scored)
    5.4 Ensure 'SQL Server Audit' is set to capture both 'failed' and 'successful logins' (Scored)
  6 Application Development
    6.1 Ensure Database and Application User Input is Sanitized (Not Scored)
    6.2 Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies (Scored)
  7 Encryption
    7.1 Ensure 'Symmetric Key encryption algorithm' is set to 'AES_128' or higher in non-system databases (Scored)
    7.2 Ensure Asymmetric Key Size is set to 'greater than or equal to 2048' in non-system databases (Scored)
  8 Appendix: Additional Considerations
    8.1 Ensure 'SQL Server Browser Service' is configured correctly (Not Scored)
Appendix: Summary Table
Appendix: Change History
Overview

This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft SQL Server 2016. This guide was tested against Microsoft SQL Server 2016. To obtain the latest version of this guide, please visit http://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, [email protected].

Intended Audience

This benchmark is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Microsoft SQL Server 2016 on a Microsoft Windows platform.

Consensus Guidance

This benchmark was created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal.

Each CIS benchmark undergoes two phases of consensus review. The first phase occurs during initial benchmark development. During this phase, subject matter experts convene to discuss, create, and test working drafts of the benchmark. This discussion occurs until consensus has been reached on benchmark recommendations. The second phase begins after the benchmark has been published. During this phase, all feedback provided by the Internet community is reviewed by the consensus team for incorporation in the benchmark. If you are interested in participating in the consensus process, please visit https://community.cisecurity.org.
Typographical Conventions

The following typographical conventions are used throughout this guide:

Convention: Meaning
Stylized Monospace font: Used for blocks of code, command, and script examples. Text should be interpreted exactly as presented.
Monospace font: Used for inline code, commands, or examples. Text should be interpreted exactly as presented.
<italic font in brackets>: Italic texts set in angle brackets denote a variable requiring substitution for a real value.
Italic font: Used to denote the title of a book, article, or other publication.
Note: Additional information or caveats

Scoring Information

A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score. The following scoring statuses are used in this benchmark:

Scored
Failure to comply with "Scored" recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.

Not Scored
Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score. Compliance with "Not Scored" recommendations will not increase the final benchmark score.
Profile Definitions

The following configuration profiles are defined by this Benchmark:

• Level 1 - Database Engine
  Items in this profile intend to:
  o be practical and prudent;
  o provide a clear security benefit; and
  o not inhibit the utility of the technology beyond acceptable means.

Acknowledgements

This benchmark exemplifies the great things a community of users, vendors, and subject matter experts can accomplish through consensus collaboration. The CIS community thanks the entire consensus team with special recognition to the following individuals who contributed greatly to the creation of this guide:

Contributor
Tim Harrison CISSP, ICP, Center for Internet Security
Philippe Langlois
Michel Ganguin

Editor
Nancy Hidy Wilson
Brian Kelley MCSE, CISA, Security+, Microsoft MVP - SQL Server
Recommendations

1 Installation, Updates and Patches

This section contains recommendations related to installing and patching SQL Server.

1.1 Ensure Latest SQL Server Service Packs and Hotfixes are Installed (Not Scored)

Profile Applicability:
• Level 1 - Database Engine

Description:
SQL Server patches contain program updates that fix security and product functionality issues found in the software. These patches can be installed with a hotfix, which is a single patch; a cumulative update, which is a small group of patches; or a service pack, which is a large collection of patches. The SQL Server version and patch levels should be the most recent compatible with the organization's operational needs.

Rationale:
Using the most recent SQL Server software, along with all applicable patches, can help limit the possibilities for vulnerabilities in the software. The installation version and/or patches applied during setup should be established according to the needs of the organization.

Audit:
To determine your SQL Server service pack level, run the following code snippet.

SELECT SERVERPROPERTY('ProductLevel') as SP_installed, SERVERPROPERTY('ProductVersion') as Version;

The first column returns the installed Service Pack level; the second is the exact build number.

Remediation:
Identify the current version and patch level of your SQL Server instances and ensure they contain the latest security fixes. Make sure to test these fixes in your test environments before updating production instances.

The most recent SQL Server patches can be found here:
• Hotfixes and Cumulative updates: http://blogs.msdn.com/b/sqlreleaseservices/
• Service Packs: https://support.microsoft.com/en-us/kb/3177534

Default Value:
Service packs and patches are not installed by default.

References:
1. https://support.microsoft.com/en-us/kb/3177534

CIS Controls:
4 Continuous Vulnerability Assessment and Remediation
1.2 Ensure Single-Function Member Servers are Used (Not Scored)

Profile Applicability:
• Level 1 - Database Engine

Description:
It is recommended that SQL Server software be installed on a dedicated server. This architectural consideration affords security flexibility in that the database server can be placed on a separate subnet allowing access only from particular hosts and over particular protocols. Degrees of availability are easier to achieve as well: over time, an enterprise can move from a single database server to a failover, to a cluster using load balancing, or to some combination thereof.

Rationale:
It is easier to manage (i.e. reduce) the attack surface of the server hosting SQL Server software if the only surfaces to consider are the underlying operating system, SQL Server itself, and any security/operational tooling that may additionally be installed. As noted in the description, availability can be more easily addressed if the database is on a dedicated server.

Audit:
Ensure that no other roles are enabled for the underlying operating system and that no excess tooling is installed, per enterprise policy.

Remediation:
Uninstall excess tooling and/or remove unnecessary roles from the underlying operating system.

Impact:
It is difficult to see any reasonably adverse impact to making this architectural change, once the costs of making the change have been paid. Custom applications may need to be modified to accommodate database connections over the wire rather than on the host (i.e. using TCP/IP instead of Named Pipes). Additional hardware and operating system licenses may be required to make these architectural changes.

CIS Controls:
9.5 Operate Critical Services on Dedicated Hosts (i.e. DNS, Mail, Web, Database)
Operate critical services on separate physical or logical host machines, such as DNS, file, mail, web, and database servers.
2 Surface Area Reduction

SQL Server offers various configuration options, some of which can be controlled by the sp_configure stored procedure. This section contains the listing of the corresponding recommendations.

2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' (Scored)

Profile Applicability:
• Level 1 - Database Engine

Description:
Enabling Ad Hoc Distributed Queries allows users to query data and execute statements on external data sources. This functionality should be disabled.

Rationale:
This feature can be used to remotely access and exploit vulnerabilities on remote SQL Server instances and to run unsafe Visual Basic for Applications functions.

Audit:
Run the following T-SQL command:

SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use
FROM sys.configurations
WHERE name = 'Ad Hoc Distributed Queries';

Both value columns must show 0.

Remediation:
Run the following T-SQL command:

EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
GO
EXECUTE sp_configure 'show advanced options', 0;
RECONFIGURE;

Default Value:
0 (disabled)

References:
1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/ad-hoc-distributed-queries-server-configuration-option

CIS Controls:
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
2.2 Ensure 'CLR Enabled' Server Configuration Option is set to '0' (Scored)

Profile Applicability:
• Level 1 - Database Engine

Description:
The clr enabled option specifies whether user assemblies can be run by SQL Server.

Rationale:
Enabling use of CLR assemblies widens the attack surface of SQL Server and puts it at risk from both inadvertent and malicious assemblies.

Audit:
Run the following T-SQL command:

SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use
FROM sys.configurations
WHERE name = 'clr enabled';

Both value columns must show 0 to be compliant.

Remediation:
Run the following T-SQL command:

EXECUTE sp_configure 'clr enabled', 0;
RECONFIGURE;

Impact:
If CLR assemblies are in use, applications may need to be rearchitected to eliminate their usage before disabling this setting. Alternatively, some organizations may allow this setting to be enabled (1) for assemblies created with the SAFE permission set, but disallow assemblies created with the riskier UNSAFE and EXTERNAL_ACCESS permission sets. To find user-created assemblies, run the following query in all databases, replacing <database_name> with each database name:

USE [<database_name>]
GO
SELECT name AS Assembly_Name, permission_set_desc
FROM sys.assemblies
WHERE is_user_defined = 1;
GO

Default Value:
By default, this option is disabled (0).

References:
1. https://docs.microsoft.com/en-us/sql/t-sql/statements/create-assembly-transact-sql

CIS Controls:
18.9 Sanitize Deployed Software of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
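The Impact query above has to be run once per database by hand. As an added example (not part of the CIS benchmark), the following T-SQL walks every online user database and collects the same sys.assemblies information in one result set, flagging anything that is not SAFE_ACCESS; it assumes the caller can read sys.assemblies in each database (sysadmin, or VIEW ANY DEFINITION).

```sql
-- Added example, not from the CIS benchmark: enumerate user-defined CLR
-- assemblies in every online, non-system database in one pass.
SET NOCOUNT ON;

DECLARE @db  sysname;
DECLARE @sql nvarchar(max);

-- Collected results: one row per user assembly, across all databases.
DECLARE @assemblies TABLE (
    database_name       sysname,
    assembly_name       sysname,
    permission_set_desc nvarchar(60),
    is_compliant        bit          -- 1 only when the permission set is SAFE_ACCESS
);

-- Iterate over databases rather than editing <database_name> per run.
DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE state_desc = 'ONLINE'
      AND database_id > 4;           -- skip master, tempdb, model, msdb

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME on both uses of the name guards against names that contain
    -- quotes, brackets or spaces when the query is built dynamically.
    SET @sql = N'SELECT ' + QUOTENAME(@db, '''') + N' AS database_name, '
             + N'name, permission_set_desc, '
             + N'CASE WHEN permission_set_desc = ''SAFE_ACCESS'' THEN 1 ELSE 0 END '
             + N'FROM ' + QUOTENAME(@db) + N'.sys.assemblies '
             + N'WHERE is_user_defined = 1;';

    INSERT INTO @assemblies (database_name, assembly_name, permission_set_desc, is_compliant)
    EXEC sys.sp_executesql @sql;

    FETCH NEXT FROM db_cursor INTO @db;
END

CLOSE db_cursor;
DEALLOCATE db_cursor;

-- Report: UNSAFE and EXTERNAL_ACCESS assemblies sort first, since those are
-- the ones the Impact note says should be disallowed.
SELECT database_name, assembly_name, permission_set_desc, is_compliant
FROM @assemblies
ORDER BY is_compliant, database_name, assembly_name;

-- Also show whether the instance-level switch (recommendation 2.2) is on.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name = 'clr enabled';
```

An empty first result set with clr enabled = 1 means the option is on but nothing depends on it, so it can be set back to 0 per the Remediation above.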
2.3 Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0' (Scored)

Profile Applicability:
• Level 1 - Database Engine

Description:
The cross db ownership chaining option controls cross-database ownership chaining across all databases at the instance (or server) level.

Rationale:
When enabled, this option allows a member of the db_owner role in a database to gain access to objects owned by a login in any other database, causing an unnecessary information disclosure. When required, cross-database ownership chaining should only be enabled for the specific databases requiring it instead of at the instance level for all databases, by using the ALTER DATABASE <database_name> SET DB_CHAINING ON command. This database option may not be changed on the master, model, or tempdb system databases.

Audit:
Run the following T-SQL command:

SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use
FROM sys.configurations
WHERE name = 'cross db ownership chaining';

Both value columns must show 0 to be compliant.

Remediation:
Run the following T-SQL command:

EXECUTE sp_configure 'cross db ownership chaining', 0;
RECONFIGURE;
GO

Default Value:
By default, this option is disabled (0).

References:
1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option

CIS Controls:
14.4 Protect Information with Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' (Scored)

Profile Applicability:
• Level 1 - Database Engine

Description:
The Database Mail XPs option controls the ability to generate and transmit email messages from SQL Server.

Rationale:
Disabling the Database Mail XPs option reduces the SQL Server attack surface and eliminates both a DoS attack vector and a channel to exfiltrate data from the database server to a remote host.

Audit:
Run the following T-SQL command:

SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use
FROM sys.configurations
WHERE name = 'Database Mail XPs';

Both value columns must show 0 to be compliant.

Remediation:
Run the following T-SQL command:

EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'Database Mail XPs', 0;
RECONFIGURE;
GO
EXECUTE sp_configure 'show advanced options', 0;
RECONFIGURE;

Default Value:
By default, this option is disabled (0).

References:
1. https://docs.microsoft.com/en-us/sql/relational-databases/database-mail/database-mail

CIS Controls:
18 Application Software Security
2.5 Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0' (Scored)

Profile Applicability:
• Level 1 - Database Engine

Description:
The Ole Automation Procedures option controls whether OLE Automation objects can be instantiated within Transact-SQL batches. These are extended stored procedures that allow SQL Server users to execute functions external to SQL Server.

Rationale:
Enabling this option will increase the attack surface of SQL Server and allow users to execute functions in the security context of SQL Server.

Audit:
Run the following T-SQL command:

SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use
FROM sys.configurations
WHERE name = 'Ole Automation Procedures';

Both value columns must show 0 to be compliant.

Remediation:
Run the following T-SQL command:

EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
GO
EXECUTE sp_configure 'show advanced options', 0;
RECONFIGURE;

Default Value:
By default, this option is disabled (0).

References:
1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/ole-automation-procedures-server-configuration-option

CIS Controls:
18 Application Software Security
2.6 Ensure 'Remote Access' Server Configuration Option is set to '0' (Scored)

Profile Applicability:
• Level 1 - Database Engine

Description:
The remote access option controls the execution of local stored procedures on remote servers or remote stored procedures on the local server.

Rationale:
This functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target.

Audit:
Run the following T-SQL command:

SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use
FROM sys.configurations
WHERE name = 'remote access';

Both value columns must show 0.

Remediation:
Run the following T-SQL command:

EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'remote access', 0;
RECONFIGURE;
GO
EXECUTE sp_configure 'show advanced options', 0;
RECONFIGURE;

Restart the Database Engine.

Impact:
Per Microsoft: This feature will be removed in the next version of Microsoft SQL Server. Do not use this feature in new development work, and modify applications that currently use this feature as soon as possible. Use sp_addlinkedserver instead.

Default Value:
By default, this option is enabled (1).

References:
1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option

CIS Controls:
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' (Scored)

Profile Applicability:
• Level 1 - Database Engine

Description:
The remote admin connections option controls whether a client application on a remote computer can use the Dedicated Administrator Connection (DAC).

Rationale:
The Dedicated Administrator Connection (DAC) lets an administrator access a running server to execute diagnostic functions or Transact-SQL statements, or to troubleshoot problems on the server, even when the server is locked or running in an abnormal state and not responding to a SQL Server Database Engine connection. In a cluster scenario, the administrator may not actually be logged on to the same node that is currently hosting the SQL Server instance and thus is considered "remote". Therefore, this setting should usually be enabled (1) for SQL Server failover clusters; otherwise it should be disabled (0), which is the default.

Audit:
Run the following T-SQL command:

USE master;
GO
SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use
FROM sys.configurations
WHERE name = 'remote admin connections'
AND SERVERPROPERTY('IsClustered') = 0;

If no data is returned, the instance is a cluster and this recommendation is not applicable. If data is returned, then both the value columns must show 0 to be compliant.

Remediation:
Run the following T-SQL command on non-clustered installations:

EXECUTE sp_configure 'remote admin connections', 0;
RECONFIGURE;
GO

Default Value:
By default, this option is disabled (0); only local connections may use the DAC.

References:
1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/remote-admin-connections-server-configuration-option

Notes:
If it's a clustered installation, this option must be enabled, as a clustered SQL Server cannot bind to localhost and the DAC will be unavailable otherwise. Enable it for clustered installations. Disable it for standalone installations where not required.

CIS Controls:
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
2.8 Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0' (Scored)

Profile Applicability:
• Level 1 - Database Engine

Description:
The scan for startup procs option, if enabled, causes SQL Server to scan for and automatically run all stored procedures that are set to execute upon service startup.

Rationale:
Enforcing this control reduces the threat of an entity leveraging these facilities for malicious purposes.

Audit:
Run the following T-SQL command:

SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use
FROM sys.configurations
WHERE name = 'scan for startup procs';

Both value columns must show 0.

Remediation:
Run the following T-SQL command:

EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'scan for startup procs', 0;
RECONFIGURE;
GO
EXECUTE sp_configure 'show advanced options', 0;
RECONFIGURE;

Restart the Database Engine.

Impact:
Setting Scan for Startup Procedures to 0 will prevent certain audit traces and other commonly used monitoring stored procedures from re-starting on startup. Additionally, replication requires this setting to be enabled (1) and will automatically change this setting if needed.

Default Value:
By default, this option is disabled (0).

References:
1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-scan-for-startup-procs-server-configuration-option

CIS Controls:
18 Application Software Security
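Recommendations 2.1 through 2.8 (and 2.15, xp_cmdshell) all audit a single row of sys.configurations with the same query. As an added example (not part of the CIS benchmark), the following T-SQL checks all of them in one pass, applying the cluster-dependent expectation for 'remote admin connections' from 2.7 and reporting a pending change when the configured value and the value in use differ; it assumes the caller can read sys.configurations, which any login can by default.

```sql
-- Added example, not from the CIS benchmark: audit every sp_configure-
-- controlled option from section 2 in a single query.
SET NOCOUNT ON;

-- 2.7: the DAC must be reachable remotely on a failover cluster, so the
-- expected value there is 1; on a standalone instance it is 0.
DECLARE @is_clustered int = CAST(SERVERPROPERTY('IsClustered') AS int);

-- Expected values, constructed here from the recommendations above.
DECLARE @expected TABLE (
    ordinal        int IDENTITY(1, 1),
    recommendation varchar(5),
    option_name    nvarchar(35),     -- matches sys.configurations.name
    expected_value int
);

INSERT INTO @expected (recommendation, option_name, expected_value)
VALUES ('2.1',  N'Ad Hoc Distributed Queries',  0),
       ('2.2',  N'clr enabled',                 0),
       ('2.3',  N'cross db ownership chaining', 0),
       ('2.4',  N'Database Mail XPs',           0),
       ('2.5',  N'Ole Automation Procedures',   0),
       ('2.6',  N'remote access',               0),
       ('2.7',  N'remote admin connections',    @is_clustered),
       ('2.8',  N'scan for startup procs',      0),
       ('2.15', N'xp_cmdshell',                 0);

-- sys.configurations lists advanced options even while 'show advanced
-- options' is 0, so no sp_configure toggling is needed just to read them.
-- Both columns are compared, as the benchmark requires: value is what was
-- configured, value_in_use is what the engine is running with right now.
SELECT e.recommendation,
       c.name,
       e.expected_value,
       CAST(c.value        AS int) AS value_configured,
       CAST(c.value_in_use AS int) AS value_in_use,
       CASE WHEN CAST(c.value AS int)        = e.expected_value
             AND CAST(c.value_in_use AS int) = e.expected_value
            THEN 'PASS' ELSE 'FAIL' END              AS result,
       CASE WHEN CAST(c.value AS int) <> CAST(c.value_in_use AS int)
            THEN 'yes (RECONFIGURE or restart pending)' ELSE 'no' END AS pending_change
FROM @expected AS e
JOIN sys.configurations AS c
  ON c.name = e.option_name
ORDER BY e.ordinal;
```

A row missing from the output means the option name did not match; the names are case-insensitive under the default server collation but must otherwise be exact.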
2.9 Ensure 'Trustworthy' Database Property is set to 'Off' (Scored)

Profile Applicability:
• Level 1 - Database Engine

Description:
The TRUSTWORTHY database option allows database objects to access objects in other databases under certain circumstances.

Rationale:
Setting this option off provides protection from malicious CLR assemblies or extended procedures.

Audit:
Run the following T-SQL query to list any databases with a Trustworthy database property value of ON:

SELECT name
FROM sys.databases
WHERE is_trustworthy_on = 1
AND name != 'msdb';

No rows should be returned.

Remediation:
Execute the following T-SQL statement against the databases (replace <database_name> below) returned by the Audit Procedure:

ALTER DATABASE [<database_name>] SET TRUSTWORTHY OFF;

Default Value:
By default, this database property is OFF (is_trustworthy_on = 0), except for the msdb database in which it is required to be ON.

References:
1. https://docs.microsoft.com/en-us/sql/relational-databases/security/trustworthy-database-property
2. https://support.microsoft.com/it-it/help/2183687/guidelines-for-using-the-trustworthy-database-setting-in-sql-server

CIS Controls:
14.4 Protect Information with Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
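The Audit and Remediation steps above are separate manual steps per database. As an added example (not part of the CIS benchmark), the following T-SQL combines them: it lists user databases with TRUSTWORTHY on (excluding msdb, as the benchmark requires) together with the per-database DB_CHAINING setting named in 2.3, generates the matching ALTER DATABASE statement, and only executes it when the @apply flag is set to 1; it assumes the caller holds ALTER on the databases concerned when applying.

```sql
-- Added example, not from the CIS benchmark: audit TRUSTWORTHY (2.9) and
-- DB_CHAINING (2.3) per database and optionally apply the TRUSTWORTHY fix.
SET NOCOUNT ON;

-- 0 = report only (safe to run anywhere); 1 = execute the generated fixes.
DECLARE @apply bit = 0;
DECLARE @sql   nvarchar(max) = N'';

DECLARE @findings TABLE (
    database_name     sysname,
    is_trustworthy_on bit,
    is_db_chaining_on bit,
    fix_statement     nvarchar(400) NULL   -- NULL when only DB_CHAINING is on
);

-- msdb must stay TRUSTWORTHY; master, model and tempdb cannot have
-- DB_CHAINING changed, so they are excluded from the chaining check.
-- DB_CHAINING is reported but not changed: the benchmark allows it on the
-- specific databases that need it, so that decision stays with the owner.
INSERT INTO @findings (database_name, is_trustworthy_on, is_db_chaining_on, fix_statement)
SELECT d.name,
       d.is_trustworthy_on,
       d.is_db_chaining_on,
       CASE WHEN d.is_trustworthy_on = 1
            THEN N'ALTER DATABASE ' + QUOTENAME(d.name) + N' SET TRUSTWORTHY OFF;'
       END
FROM sys.databases AS d
WHERE (d.is_trustworthy_on = 1 AND d.name <> N'msdb')
   OR (d.is_db_chaining_on = 1 AND d.database_id > 4);

-- Report: no rows means the instance is compliant with 2.9.
SELECT database_name, is_trustworthy_on, is_db_chaining_on, fix_statement
FROM @findings
ORDER BY database_name;

IF @apply = 1
BEGIN
    -- Concatenate the generated statements into one batch and run it.
    SELECT @sql = @sql + fix_statement + NCHAR(10)
    FROM @findings
    WHERE fix_statement IS NOT NULL;

    IF LEN(@sql) > 0
        EXEC sys.sp_executesql @sql;
END
```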
2.10 Ensure Unnecessary SQL Server Protocols are set to 'Disabled' (Not Scored)

Profile Applicability:
• Level 1 - Database Engine

Description:
SQL Server supports Shared Memory, Named Pipes, and TCP/IP protocols. However, SQL Server should be configured to use the bare minimum required based on the organization's needs.

Rationale:
Using fewer protocols minimizes the attack surface of SQL Server and, in some cases, can protect it from remote attacks.

Audit:
Open SQL Server Configuration Manager; go to the SQL Server Network Configuration. Ensure that only required protocols are enabled.

Remediation:
Open SQL Server Configuration Manager; go to the SQL Server Network Configuration. Ensure that only required protocols are enabled. Disable any protocols that are not necessary.

Impact:
The Database Engine (MSSQL and SQLAgent) services must be stopped and restarted for the change to take effect.

Default Value:
By default, TCP/IP and Shared Memory protocols are enabled on all commercial editions.

References:
1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/enable-or-disable-a-server-network-protocol

CIS Controls:
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
2.11 Ensure SQL Server is configured to use non-standard ports (Scored)

Profile Applicability:
• Level 1 - Database Engine

Description:
If installed, a default SQL Server instance will be assigned a default port of TCP:1433 for TCP/IP communication. Administrators can also manually configure named instances to use TCP:1433 for communication. TCP:1433 is a widely known SQL Server port and this port assignment should be changed. In a multi-instance scenario, each instance must be assigned its own dedicated TCP/IP port.

Rationale:
Using a non-default port helps protect the database from attacks directed to the default port.

Audit:
Run the following T-SQL script:

DECLARE @value nvarchar(256);
EXECUTE master.dbo.xp_instance_regread
    N'HKEY_LOCAL_MACHINE',
    N'SOFTWARE\Microsoft\Microsoft SQL Server\MSSQLServer\SuperSocketNetLib\Tcp\IPAll',
    N'TcpPort',
    @value OUTPUT,
    N'no_output';
SELECT @value AS TCP_Port WHERE @value = '1433';

This should return no rows.

Remediation:
1. In SQL Server Configuration Manager, in the console pane, expand SQL Server Network Configuration, expand Protocols for <InstanceName>, and then double-click the TCP/IP protocol.
2. In the TCP/IP Properties dialog box, on the IP Addresses tab, several IP addresses appear in the format IP1, IP2, up to IPAll. One of these is for the IP address of the loopback adapter, 127.0.0.1. Additional IP addresses appear for each IP Address on the computer.
3. Under IPAll, change the TCP Port field from 1433 to a non-standard port, or leave the TCP Port field empty and set the TCP Dynamic Ports value to 0 to enable dynamic port assignment, and then click OK.
4. In the console pane, click SQL Server Services.
5. In the details pane, right-click SQL Server (<InstanceName>) and then click Restart, to stop and restart SQL Server.

Impact:
Changing the default port will force the DAC (Dedicated Administrator Connection) to listen on a random port. Also, it might make benign applications, such as application firewalls, require special configuration. In general, you should set a static port for consistent usage by applications, including firewalls, instead of using dynamic ports, which will be chosen randomly at each SQL Server startup.

Default Value:
By default, default SQL Server instances listen for TCP/IP traffic on TCP port 1433 and named instances use dynamic ports.

References:
1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-server-to-listen-on-a-specific-tcp-port

CIS Controls:
9 Limitation and Control of Network Ports, Protocols, and Services
36|P a g e
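The registry query above only inspects the IPAll entry. The following added example (not part of the CIS benchmark) lists the ports the Database Engine is actually listening on, using sys.dm_tcp_listener_states (SQL Server 2012 and later), and cross-checks the IPAll registry values for the dynamic-port case described under Impact.

```sql
-- Added example, not part of the CIS benchmark text. Audits the ports the
-- Database Engine is actually listening on and cross-checks the registry.
-- sys.dm_tcp_listener_states (SQL Server 2012 and later) shows live listeners,
-- including per-address ports set when "Listen All" is off, which a read of
-- the IPAll registry key alone cannot see.
SELECT
    l.listener_id,
    l.ip_address,
    l.port,
    l.type_desc,       -- TSQL = client listener, DAC = dedicated admin connection
    l.state_desc,
    CASE
        WHEN l.type_desc = 'TSQL' AND l.port = 1433 THEN 'FAIL: default port 1433'
        ELSE 'OK'
    END AS finding
FROM sys.dm_tcp_listener_states AS l
WHERE l.type_desc IN ('TSQL', 'DAC')
ORDER BY l.type_desc, l.ip_address;

-- Registry cross-check of the IPAll entry. TcpPort may hold a comma-separated
-- list of ports; TcpDynamicPorts is blank when dynamic assignment is off.
DECLARE @static_ports  nvarchar(256),
        @dynamic_ports nvarchar(256);

EXECUTE master.dbo.xp_instance_regread
    N'HKEY_LOCAL_MACHINE',
    N'SOFTWARE\Microsoft\Microsoft SQL Server\MSSQLServer\SuperSocketNetLib\Tcp\IPAll',
    N'TcpPort', @static_ports OUTPUT, N'no_output';

EXECUTE master.dbo.xp_instance_regread
    N'HKEY_LOCAL_MACHINE',
    N'SOFTWARE\Microsoft\Microsoft SQL Server\MSSQLServer\SuperSocketNetLib\Tcp\IPAll',
    N'TcpDynamicPorts', @dynamic_ports OUTPUT, N'no_output';

SELECT
    @static_ports  AS TcpPort,
    @dynamic_ports AS TcpDynamicPorts,
    CASE
        WHEN N',' + REPLACE(ISNULL(@static_ports, N''), N' ', N'') + N',' LIKE N'%,1433,%'
            THEN 'FAIL: default port 1433 configured'
        WHEN ISNULL(@static_ports, N'') = N''
            THEN 'WARN: no static port, dynamic assignment in effect (see Impact)'
        WHEN ISNULL(@dynamic_ports, N'') <> N''
            THEN 'WARN: dynamic ports also configured'
        ELSE 'OK: static non-default port'
    END AS finding;
```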
2.12 Ensure 'Hide Instance' option is set to 'Yes' for Production SQL Server instances (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
Non-clustered SQL Server instances within production environments should be designated as hidden to prevent advertisement by the SQL Server Browser service.
Rationale:
Designating production SQL Server instances as hidden leads to a more secure installation because they cannot be enumerated. However, clustered instances may break if this option is selected.
Audit:
Perform either the GUI or T-SQL method shown:
GUI Method
1. In SQL Server Configuration Manager, expand SQL Server Network Configuration, right-click Protocols for <InstanceName>, and then select Properties.
2. On the Flags tab, in the Hide Instance box, if Yes is selected, it is compliant.
T-SQL Method
Execute the following T-SQL.
DECLARE @getValue INT;
EXEC master..xp_instance_regread
    @rootkey = N'HKEY_LOCAL_MACHINE',
    @key = N'SOFTWARE\Microsoft\Microsoft SQL Server\MSSQLServer\SuperSocketNetLib',
    @value_name = N'HideInstance',
    @value = @getValue OUTPUT;
SELECT @getValue;
A value of 1 should be returned to be compliant.
Remediation:
Perform either the GUI or T-SQL method shown:
GUI Method
1. In SQL Server Configuration Manager, expand SQL Server Network Configuration, right-click Protocols for <InstanceName>, and then select Properties.
2. On the Flags tab, in the Hide Instance box, select Yes, and then click OK to close the dialog box. The change takes effect immediately for new connections.
T-SQL Method
Execute the following T-SQL to remediate:
EXEC master..xp_instance_regwrite
    @rootkey = N'HKEY_LOCAL_MACHINE',
    @key = N'SOFTWARE\Microsoft\Microsoft SQL Server\MSSQLServer\SuperSocketNetLib',
    @value_name = N'HideInstance',
    @type = N'REG_DWORD',
    @value = 1;
Impact:
This method only prevents the instance from being listed on the network. If the instance is hidden (not exposed by SQL Browser), then connections will need to specify the server and port in order to connect. It does not prevent users from connecting to the server if they know the instance name and port.
If you hide a clustered named instance, the cluster service may not be able to connect to the SQL Server. Please refer to the Microsoft documentation reference.
Default Value:
By default, SQL Server instances are not hidden.
References:
1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/hide-an-instance-of-sql-server-database-engine
CIS Controls:
9 Limitation and Control of Network Ports, Protocols, and Services
2.13 Ensure the 'sa' Login Account is set to 'Disabled' (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
The sa account is a widely known and often widely used SQL Server account with sysadmin privileges. This is the original login created during installation and always has the principal_id = 1 and sid = 0x01.
Rationale:
Enforcing this control reduces the probability of an attacker executing brute force attacks against a well-known principal.
Audit:
Use the following syntax to determine if the sa account is disabled. Checking for sid = 0x01 ensures that the original sa account is being checked in case it has been renamed per best practices.
SELECT name, is_disabled FROM sys.server_principals WHERE sid = 0x01 AND is_disabled = 0;
No rows should be returned to be compliant. An is_disabled value of 0 indicates the login is currently enabled and therefore needs remediation.
Remediation:
Execute the following T-SQL query:
USE [master]
GO
DECLARE @tsql nvarchar(max)
SET @tsql = 'ALTER LOGIN ' + SUSER_NAME(0x01) + ' DISABLE'
EXEC (@tsql)
GO
Impact:
It is not a good security practice to code applications or scripts to use the sa account. However, if this has been done, disabling the sa account will prevent scripts and applications from authenticating to the database server and executing required tasks or functions.
Default Value:
By default, the sa login account is disabled at install time when Windows Authentication Mode is selected. If mixed mode (SQL Server and Windows Authentication) is selected at install, the default for the sa login is enabled.
References:
1. https://docs.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-server-principals-transact-sql
2. https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-login-transact-sql
3. https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode
CIS Controls:
5.1 Minimize and Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
2.14 Ensure the 'sa' Login Account has been renamed (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
The sa account is a widely known and often widely used SQL Server login with sysadmin privileges. The sa login is the original login created during installation and always has principal_id = 1 and sid = 0x01.
Rationale:
It is more difficult to launch password-guessing and brute-force attacks against the sa login if the name is not known.
Audit:
Use the following syntax to determine if the sa login (principal) is renamed.
SELECT name FROM sys.server_principals WHERE sid = 0x01;
A name of sa indicates the account has not been renamed and therefore needs remediation.
Remediation:
Replace the <different_user> value within the below syntax and execute to rename the sa login.
ALTER LOGIN sa WITH NAME = <different_user>;
Impact:
It is not a good security practice to code applications or scripts to use the sa login. However, if this has been done, renaming the sa login will prevent scripts and applications from authenticating to the database server and executing required tasks or functions.
Default Value:
By default, the sa login name is 'sa'.
References:
1. https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode
CIS Controls:
5 Controlled Use of Administration Privileges
2.15 Ensure 'xp_cmdshell' Server Configuration Option is set to '0' (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
The xp_cmdshell option controls whether the xp_cmdshell extended stored procedure can be used by an authenticated SQL Server user to execute operating-system command shell commands and return results as rows within the SQL client.
Rationale:
The xp_cmdshell procedure is commonly used by attackers to read or write data to/from the underlying Operating System of a database server.
Audit:
Run the following T-SQL command:
SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
Both value columns must show 0 to be compliant.
Remediation:
Run the following T-SQL command:
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
GO
EXECUTE sp_configure 'show advanced options', 0;
RECONFIGURE;
Default Value:
By default, this option is disabled (0).
References:
1. https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql
2. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option
CIS Controls:
18 Application Software Security
2.16 Ensure 'AUTO_CLOSE' is set to 'OFF' on contained databases (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
AUTO_CLOSE determines if a given database is closed or not after a connection terminates. If enabled, subsequent connections to the given database will require the database to be reopened and relevant procedure caches to be rebuilt.
Rationale:
Because authentication of users for contained databases occurs within the database, not at the server\instance level, the database must be opened every time to authenticate a user. The frequent opening/closing of the database consumes additional server resources and may contribute to a denial of service.
Audit:
Perform the following to find contained databases that are not configured as prescribed:
SELECT name, containment, containment_desc, is_auto_close_on
FROM sys.databases
WHERE containment <> 0 and is_auto_close_on = 1;
No rows should be returned.
Remediation:
Execute the following T-SQL, replacing <database_name> with each database name found by the Audit Procedure:
ALTER DATABASE <database_name> SET AUTO_CLOSE OFF;
Default Value:
By default, the database property AUTO_CLOSE is OFF, which is equivalent to is_auto_close_on = 0.
References:
1. https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases
CIS Controls:
18 Application Software Security
2.17 Ensure no login exists with the name 'sa' (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
The sa login (e.g. principal) is a widely known and often widely used SQL Server account. Therefore, there should not be a login called sa even when the original sa login (principal_id = 1) has been renamed.
Rationale:
Enforcing this control reduces the probability of an attacker executing brute force attacks against a well-known principal name.
Audit:
Use the following syntax to determine if there is an account named sa.
SELECT principal_id, name FROM sys.server_principals WHERE name = 'sa';
No rows should be returned.
Remediation:
Execute the appropriate ALTER or DROP statement below based on the principal_id returned for the login named sa. Replace the <different_name> value within the below syntax and execute to rename the sa login.
USE [master]
GO
-- If principal_id = 1 or the login owns database objects, rename the sa login
ALTER LOGIN [sa] WITH NAME = <different_name>;
GO
-- If the login owns no database objects, then drop it
-- Do NOT drop the login if it is principal_id = 1
DROP LOGIN sa
Impact:
It is not a good security practice to code applications or scripts to use the sa account. Given that it is a best practice to rename and disable the sa account, some 3rd party applications check for the existence of a login named sa and, if it doesn't exist, create one. Removing the sa login will prevent these scripts and applications from authenticating to the database server and executing required tasks or functions.
Default Value:
The login with principal_id = 1 is named sa by default.
CIS Controls:
5.1 Minimize and Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
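Recommendations 2.13, 2.14 and 2.17 all examine the same login. The following added example (not part of the CIS benchmark) audits all three in one query and then applies the disable-and-rename remediation with bracket-safe dynamic SQL; @new_name is a constructed placeholder, and the ownership checks at the end are assumptions about what a second 'sa' login typically owns.

```sql
-- Added example, not part of the CIS benchmark text. A single audit covering
-- 2.13 (sid 0x01 login disabled), 2.14 (sid 0x01 login renamed) and 2.17 (no
-- login at all named sa), followed by a remediation for the original login.
SELECT
    p.principal_id,
    p.name,
    p.is_disabled,
    CASE WHEN p.sid = 0x01 THEN 1 ELSE 0 END                        AS is_original_sa,
    CASE WHEN p.sid = 0x01 AND p.is_disabled = 0 THEN 1 ELSE 0 END  AS fail_2_13,
    CASE WHEN p.sid = 0x01 AND p.name = N'sa'    THEN 1 ELSE 0 END  AS fail_2_14,
    CASE WHEN p.sid <> 0x01 AND p.name = N'sa'   THEN 1 ELSE 0 END  AS fail_2_17
FROM sys.server_principals AS p
WHERE p.sid = 0x01 OR p.name = N'sa';      -- compliant: one row, every fail_* = 0

-- Remediation for the original login (sid 0x01) only. SUSER_NAME(0x01) resolves
-- the login whatever it is currently called, and QUOTENAME keeps the dynamic SQL
-- valid if the current or new name needs bracket quoting.
DECLARE @current_name sysname       = SUSER_NAME(0x01),
        @new_name     sysname       = N'<new_name>',   -- placeholder: replace before running
        @tsql         nvarchar(max);

IF @new_name = N'<new_name>'
BEGIN
    RAISERROR(N'Set @new_name to the replacement login name first.', 16, 1);
    RETURN;
END;

-- 2.13: disable (harmless if already disabled)
SET @tsql = N'ALTER LOGIN ' + QUOTENAME(@current_name) + N' DISABLE;';
EXEC sys.sp_executesql @tsql;

-- 2.14: rename only if it still carries the default name
IF @current_name = N'sa'
BEGIN
    SET @tsql = N'ALTER LOGIN ' + QUOTENAME(@current_name)
              + N' WITH NAME = ' + QUOTENAME(@new_name) + N';';
    EXEC sys.sp_executesql @tsql;
END;

-- 2.17: a second login named sa may only be dropped if it owns nothing.
-- Databases and SQL Agent jobs are the usual owners to check (assumption);
-- rename instead of dropping when either query returns rows.
IF SUSER_SID(N'sa') IS NOT NULL AND SUSER_SID(N'sa') <> 0x01
BEGIN
    SELECT d.name AS owned_database
    FROM sys.databases AS d
    WHERE d.owner_sid = SUSER_SID(N'sa');

    SELECT j.name AS owned_agent_job
    FROM msdb.dbo.sysjobs AS j
    WHERE j.owner_sid = SUSER_SID(N'sa');
END;
```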
3 Authentication and Authorization
This section contains recommendations related to SQL Server's authentication and authorization mechanisms.
3.1 Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode' (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
Uses Windows Authentication to validate attempted connections.
Rationale:
Windows provides a more robust authentication mechanism than SQL Server authentication.
Audit:
Execute the following syntax:
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') as [login_mode];
A login_mode of 1 indicates the Server Authentication property is set to Windows Authentication Mode. A login_mode of 0 indicates mixed mode authentication.
Remediation:
Via the SSMS GUI - Perform the following steps:
1. Open SQL Server Management Studio.
2. Open the Object Explorer tab and connect to the target database instance.
3. Right click the instance name and select Properties.
4. Select the Security page from the left menu.
5. Set the Server authentication setting to Windows Authentication Mode.
or
Run the following T-SQL in a Query Window:
USE [master]
GO
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode', REG_DWORD, 1
GO
Restart the SQL Server service for the change to take effect.
Impact:
Changing the login mode configuration requires a restart of the service.
Default Value:
Windows Authentication Mode
References:
1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/server-properties-security-page
CIS Controls:
16.9 Configure Account Access Centrally
Configure access for all accounts through a centralized point of authentication, for example Active Directory or LDAP. Configure network and security devices for centralized authentication as well.
3.2 Ensure CONNECT permissions on the 'guest' user is Revoked within all SQL Server databases excluding the master, msdb and tempdb (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
Remove the right of the guest user to connect to SQL Server databases, except for master, msdb, and tempdb.
Rationale:
A login assumes the identity of the guest user when a login has access to SQL Server but does not have access to a database through its own account and the database has a guest user account. Revoking the CONNECT permission for the guest user will ensure that a login is not able to access database information without explicit access to do so.
Audit:
Run the following code snippet for each database (replacing <database_name> as appropriate) in the instance to determine if the guest user has CONNECT permission. No rows should be returned.
USE [<database_name>];
GO
SELECT DB_NAME() AS DatabaseName, 'guest' AS Database_User, [permission_name], [state_desc]
FROM sys.database_permissions
WHERE [grantee_principal_id] = DATABASE_PRINCIPAL_ID('guest')
  AND [state_desc] LIKE 'GRANT%'
  AND [permission_name] = 'CONNECT'
  AND DB_NAME() NOT IN ('master','tempdb','msdb');
Remediation:
The following code snippet revokes CONNECT permissions from the guest user in a database. Replace <database_name> as appropriate:
USE [<database_name>];
GO
REVOKE CONNECT FROM guest;
Impact:
When CONNECT permission to the guest user is revoked, a SQL Server instance login must be mapped to a database user explicitly in order to have access to the database.
Default Value:
The guest user account is added to each new database but without CONNECT permission by default.
References:
1. https://docs.microsoft.com/en-us/sql/relational-databases/policy-based-management/guest-permissions-on-user-databases
Notes:
The guest user cannot have the CONNECT permission revoked in master, msdb and tempdb, but this permission should be revoked in all other databases on the SQL Server instance.
CIS Controls:
16 Account Monitoring and Control
3.3 Ensure 'Orphaned Users' are Dropped From SQL Server Databases (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
A database user for which the corresponding SQL Server login is undefined or is incorrectly defined on a server instance cannot log in to the instance and is referred to as orphaned, and should be removed.
Rationale:
Orphan users should be removed to avoid potential misuse of those broken users in any way.
Audit:
Run the following T-SQL query in each database to identify orphan users. No rows should be returned.
USE [<database_name>];
GO
EXEC sp_change_users_login @Action='Report';
Remediation:
If the orphaned user cannot or should not be matched to an existing or new login using the Microsoft documented process referenced below, run the following T-SQL query in the appropriate database to remove an orphan user:
USE [<database_name>];
GO
DROP USER <username>;
References:
1. https://docs.microsoft.com/en-us/sql/sql-server/failover-clusters/troubleshoot-orphaned-users-sql-server
3.4 Ensure SQL Authentication is not used in contained databases (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
Contained databases do not enforce password complexity rules for SQL Authenticated users.
Rationale:
The absence of an enforced password policy may increase the likelihood of a weak credential being established in a contained database.
Audit:
Execute the following T-SQL in each contained database to find database users that are using SQL authentication:
SELECT name AS DBUser
FROM sys.database_principals
WHERE name NOT IN ('dbo','Information_Schema','sys','guest')
  AND type IN ('U','S','G')
  AND authentication_type = 2;
GO
Remediation:
Leverage Windows Authenticated users in contained databases.
Impact:
While contained databases provide flexibility in relocating databases to different instances and different environments, this must be balanced with the consideration that no password policy mechanism exists for SQL Authenticated users in contained databases.
Default Value:
SQL Authenticated users (USER WITH PASSWORD authentication) are allowed in contained databases.
References:
1. https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases
CIS Controls:
16.12 Use Long Passwords for All User Accounts
Where multi-factor authentication is not supported, user accounts shall be required to use long passwords on the system (longer than 14 characters).
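The audits in 3.2, 3.3 and 3.4 each have to be run once per database. The following added example (not part of the CIS benchmark) runs all three across every accessible database in one pass; the orphaned-user test uses a SID join against sys.server_principals instead of the deprecated sp_change_users_login, and it assumes the caller can read the catalog views in each database.

```sql
-- Added example, not part of the CIS benchmark text. Runs the per-database
-- checks of 3.2 (guest CONNECT), 3.3 (orphaned users) and 3.4 (SQL-authenticated
-- users in contained databases) across every accessible database in one pass,
-- instead of editing <database_name> into each script by hand.
-- Assumption: the caller can read the catalog views in every database.
SET NOCOUNT ON;

DECLARE @findings TABLE (
    database_name sysname,
    check_id      varchar(8),
    principal     sysname,
    detail        nvarchar(200));

DECLARE @db  sysname,
        @sql nvarchar(max);

DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE state_desc = 'ONLINE'
      AND HAS_DBACCESS(name) = 1;   -- skips offline/restoring and unreadable replicas

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- The USE inside the dynamic batch scopes the three SELECTs to @db.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
    -- 3.2: guest may hold CONNECT only in master, msdb and tempdb
    SELECT DB_NAME(), ''3.2'', N''guest'',
           pe.state_desc + N'' '' + pe.permission_name
    FROM sys.database_permissions AS pe
    WHERE pe.grantee_principal_id = DATABASE_PRINCIPAL_ID(N''guest'')
      AND pe.permission_name = N''CONNECT''
      AND pe.state_desc LIKE N''GRANT%''
      AND DB_NAME() NOT IN (N''master'', N''tempdb'', N''msdb'');

    -- 3.3: a login-mapped user whose SID matches no server login is orphaned.
    -- authentication_type_desc = INSTANCE excludes contained users and users
    -- created WITHOUT LOGIN, which have no login to be orphaned from.
    SELECT DB_NAME(), ''3.3'', dp.name, N''no server login with matching SID''
    FROM sys.database_principals AS dp
    LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
    WHERE dp.type IN (''S'', ''U'', ''G'')
      AND dp.authentication_type_desc = N''INSTANCE''
      AND sp.sid IS NULL;

    -- 3.4: users authenticated by a password stored in the database itself
    SELECT DB_NAME(), ''3.4'', dp.name, N''SQL-authenticated user in contained database''
    FROM sys.database_principals AS dp
    WHERE dp.authentication_type = 2
      AND dp.name NOT IN (N''dbo'', N''Information_Schema'', N''sys'', N''guest'');';

    -- INSERT ... EXEC accepts several result sets as long as they share one shape.
    INSERT INTO @findings (database_name, check_id, principal, detail)
    EXEC sys.sp_executesql @sql;

    FETCH NEXT FROM db_cursor INTO @db;
END;

CLOSE db_cursor;
DEALLOCATE db_cursor;

-- Compliant when this returns no rows.
SELECT database_name, check_id, principal, detail
FROM @findings
ORDER BY database_name, check_id, principal;
```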
3.5 Ensure the SQL Server's MSSQL Service Account is Not an Administrator (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
The service account and/or service SID used by the MSSQLSERVER service for a default instance or MSSQL$<InstanceName> service for a named instance should not be a member of the Windows Administrator group either directly or indirectly (via a group). This also means that the account known as LocalSystem (aka NT AUTHORITY\SYSTEM) should not be used for the MSSQL service as this account has higher privileges than the SQL Server service requires.
Rationale:
Following the principle of least privilege, the service account should have no more privileges than required to do its job. For SQL Server services, the SQL Server Setup will assign the required permissions directly to the service SID. No additional permissions or privileges should be necessary.
Audit:
Verify that the service account (in case of a local or AD account) and service SID are not members of the Windows Administrators group.
Remediation:
In the case where LocalSystem is used, use SQL Server Configuration Manager to change to a less privileged account. Otherwise, remove the account or service SID from the Administrators group. You may need to run the SQL Server Configuration Manager if underlying permissions had been changed or if SQL Server Configuration Manager was not originally used to set the service account.
Impact:
The SQL Server Configuration Manager tool should always be used to change the SQL Server's service account. This will ensure that the account has the necessary privileges. If the service needs access to resources other than the standard Microsoft-defined directories and registry, then additional permissions may need to be granted separately to those resources.
Default Value:
By default, the Service Account (or Service SID) is not a member of the Administrators group.
References:
1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions
CIS Controls:
5.1 Minimize and Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
3.6 Ensure the SQL Server's SQLAgent Service Account is Not an Administrator (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
The service account and/or service SID used by the SQLSERVERAGENT service for a default instance or SQLAGENT$<InstanceName> service for a named instance should not be a member of the Windows Administrator group either directly or indirectly (via a group). This also means that the account known as LocalSystem (aka NT AUTHORITY\SYSTEM) should not be used for the SQLAGENT service as this account has higher privileges than the SQL Server service requires.
Rationale:
Following the principle of least privilege, the service account should have no more privileges than required to do its job. For SQL Server services, the SQL Server Setup will assign the required permissions directly to the service SID. No additional permissions or privileges should be necessary.
Audit:
Verify that the service account (in case of a local or AD account) and service SID are not members of the Windows Administrators group.
Remediation:
In the case where LocalSystem is used, use SQL Server Configuration Manager to change to a less privileged account. Otherwise, remove the account or service SID from the Administrators group. You may need to run the SQL Server Configuration Manager if underlying permissions had been changed or if SQL Server Configuration Manager was not originally used to set the service account.
Impact:
The SQL Server Configuration Manager tool should always be used to change the SQL Server's service account. This will ensure that the account has the necessary privileges. If the service needs access to resources other than the standard Microsoft-defined directories and registry, then additional permissions may need to be granted separately to those resources.
If using the auto restart feature, then the SQLAGENT service must be an Administrator.
Default Value:
By default, the Service Account (or Service SID) is not a member of the Administrators group.
References:
1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions
CIS Controls:
5.1 Minimize and Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
3.7 Ensure the SQL Server's Full-Text Service Account is Not an Administrator (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
The service account and/or service SID used by the MSSQLFDLauncher service for a default instance or MSSQLFDLauncher$<InstanceName> service for a named instance should not be a member of the Windows Administrator group either directly or indirectly (via a group). This also means that the account known as LocalSystem (aka NT AUTHORITY\SYSTEM) should not be used for the Full-Text service as this account has higher privileges than the SQL Server service requires.
Rationale:
Following the principle of least privilege, the service account should have no more privileges than required to do its job. For SQL Server services, the SQL Server Setup will assign the required permissions directly to the service SID. No additional permissions or privileges should be necessary.
Audit:
Verify that the service account (in case of a local or AD account) and service SID are not members of the Windows Administrators group.
Remediation:
In the case where LocalSystem is used, use SQL Server Configuration Manager to change to a less privileged account. Otherwise, remove the account or service SID from the Administrators group. You may need to run the SQL Server Configuration Manager if underlying permissions had been changed or if SQL Server Configuration Manager was not originally used to set the service account.
Impact:
The SQL Server Configuration Manager tool should always be used to change the SQL Server's service account. This will ensure that the account has the necessary privileges. If the service needs access to resources other than the standard Microsoft-defined directories and registry, then additional permissions may need to be granted separately to those resources.
Default Value:
By default, the Service Account (or Service SID) is not a member of the Administrators group.
References:
1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions
CIS Controls:
5.1 Minimize and Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
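The audits in 3.5, 3.6 and 3.7 give no query. The following added example (not part of the CIS benchmark) reads the account each SQL Server service runs under from sys.dm_server_services (SQL Server 2008 R2 SP1 and later) and flags the LocalSystem case; the spelling the DMV uses for LocalSystem is an assumption, so both known forms are matched. Membership of the Windows Administrators group still has to be checked in the operating system.

```sql
-- Added example, not part of the CIS benchmark text. Lists the service account
-- of every SQL Server service on this instance and classifies it against the
-- LocalSystem requirement of 3.5, 3.6 and 3.7. T-SQL cannot enumerate local
-- Windows group members, so Administrators membership is left as a REVIEW item.
SELECT
    s.servicename,             -- e.g. SQL Server (MSSQLSERVER), SQL Server Agent (...)
    s.service_account,
    s.startup_type_desc,
    s.status_desc,
    CASE
        -- assumption: LocalSystem is reported under one of these two spellings
        WHEN s.service_account IN (N'LocalSystem', N'NT AUTHORITY\SYSTEM')
            THEN 'FAIL: LocalSystem has more privilege than the service requires'
        WHEN s.service_account LIKE N'NT Service\%'
            THEN 'OK: virtual account, Setup grants rights to the service SID'
        WHEN s.service_account LIKE N'NT AUTHORITY\%'
            THEN 'REVIEW: built-in account (Network Service / Local Service)'
        ELSE 'REVIEW: domain or local account, confirm it is not in Administrators'
    END AS finding
FROM sys.dm_server_services AS s
ORDER BY s.servicename;
```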
3.8 Ensure only the default permissions specified by Microsoft are granted to the public server role (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
public is a special fixed server role containing all logins. Unlike other fixed server roles, permissions can be changed for the public role. In keeping with the principle of least privileges, the public server role should not be used to grant permissions at the server scope as these would be inherited by all users.
Rationale:
Every SQL Server login belongs to the public role and cannot be removed from this role. Therefore, any permissions granted to this role will be available to all logins unless they have been explicitly denied to specific logins or user-defined server roles.
Audit:
Use the following syntax to determine if extra permissions have been granted to the public server role.
SELECT *
FROM master.sys.server_permissions
WHERE (grantee_principal_id = SUSER_SID(N'public') and state_desc LIKE 'GRANT%')
  AND NOT (state_desc = 'GRANT' and [permission_name] = 'VIEW ANY DATABASE' and class_desc = 'SERVER')
  AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and class_desc = 'ENDPOINT' and major_id = 2)
  AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and class_desc = 'ENDPOINT' and major_id = 3)
  AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and class_desc = 'ENDPOINT' and major_id = 4)
  AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and class_desc = 'ENDPOINT' and major_id = 5);
This query should not return any rows.
Remediation:
1. Add the extraneous permissions found in the Audit query results to the specific logins or to user-defined server roles which require the access.
2. Revoke the <permission_name> from the public role as shown below.
USE [master]
GO
REVOKE <permission_name> FROM public;
GO
Impact:
When the extraneous permissions are revoked from the public server role, access may be lost unless the permissions are granted to the explicit logins or to user-defined server roles containing the logins which require the access.
Default Value:
By default, the public server role is granted VIEW ANY DATABASE permission and the CONNECT permission on the default endpoints (TSQL Local Machine, TSQL Named Pipes, TSQL Default TCP, TSQL Default VIA). The VIEW ANY DATABASE permission allows all logins to see database metadata, unless explicitly denied.
References:
1. https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles
2. https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles#permissions-of-fixed-server-roles
CIS Controls:
5.1 Minimize and Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
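The one-line REVOKE in the remediation fits server-scoped grants only; a CONNECT granted on an endpoint, or an IMPERSONATE granted on a login, needs an ON clause. The following added example (not part of the CIS benchmark) generates the correct REVOKE statement for each row the audit query above reports, so they can be reviewed before execution.

```sql
-- Added example, not part of the CIS benchmark text. Generates a REVOKE
-- statement for every extraneous public-role grant the 3.8 audit reports.
-- Endpoint- and login-scoped grants get the ON clause built from class_desc
-- and major_id; anything else is marked for manual handling. Review the
-- output before running it (see Impact).
DECLARE @public_id int = (SELECT principal_id FROM sys.server_principals
                          WHERE name = N'public' AND type = 'R');

SELECT
    pe.class_desc,
    pe.permission_name,
    pe.state_desc,
    N'USE [master]; REVOKE ' + pe.permission_name
      + CASE pe.class_desc
            WHEN 'SERVER'           THEN N''
            WHEN 'ENDPOINT'         THEN N' ON ENDPOINT::' + QUOTENAME(e.name)
            WHEN 'SERVER_PRINCIPAL' THEN N' ON LOGIN::'    + QUOTENAME(sp.name)
            ELSE N' /* unhandled class ' + pe.class_desc + N', revoke manually */'
        END
      + N' FROM [public]'
      -- a grant made WITH GRANT OPTION can only be revoked with CASCADE
      + CASE WHEN pe.state_desc = 'GRANT_WITH_GRANT_OPTION' THEN N' CASCADE' ELSE N'' END
      + N';' AS revoke_statement
FROM sys.server_permissions AS pe
LEFT JOIN sys.endpoints         AS e  ON pe.class_desc = 'ENDPOINT'
                                     AND e.endpoint_id = pe.major_id
LEFT JOIN sys.server_principals AS sp ON pe.class_desc = 'SERVER_PRINCIPAL'
                                     AND sp.principal_id = pe.major_id
WHERE pe.grantee_principal_id = @public_id
  AND pe.state_desc LIKE 'GRANT%'
  -- Microsoft defaults the benchmark allows: VIEW ANY DATABASE at server scope
  -- and plain CONNECT on the four built-in TSQL endpoints (endpoint_id 2 to 5)
  AND NOT (pe.state_desc = 'GRANT' AND pe.class_desc = 'SERVER'
           AND pe.permission_name = 'VIEW ANY DATABASE')
  AND NOT (pe.state_desc = 'GRANT' AND pe.class_desc = 'ENDPOINT'
           AND pe.permission_name = 'CONNECT' AND pe.major_id BETWEEN 2 AND 5);
```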
3.9 Ensure Windows BUILTIN groups are not SQL Logins (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
Prior to SQL Server 2008, the BUILTIN\Administrators group was added as a SQL Server login with sysadmin privileges during installation by default. Best practices promote creating an Active Directory level group containing approved DBA staff accounts and using this controlled AD group as the login with sysadmin privileges. The AD group should be specified during SQL Server installation and the BUILTIN\Administrators group would therefore have no need to be a login.
Rationale:
The BUILTIN groups (Administrators, Everyone, Authenticated Users, Guests, etc.) generally contain very broad memberships which would not meet the best practice of ensuring only the necessary users have been granted access to a SQL Server instance. These groups should not be used for any level of access into a SQL Server Database Engine instance.
Audit:
Use the following syntax to determine if any BUILTIN groups or accounts have been added as SQL Server Logins.
SELECT pr.[name], pe.[permission_name], pe.[state_desc]
FROM sys.server_principals pr
JOIN sys.server_permissions pe ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name like 'BUILTIN%';
This query should not return any rows.
Remediation:
1. For each BUILTIN login, if needed create a more restrictive AD group containing only the required user accounts.
2. Add the AD group or individual Windows accounts as a SQL Server login and grant it the permissions required.
3. Drop the BUILTIN login using the syntax below after replacing <name> in [BUILTIN\<name>].
USE [master];
GO
DROP LOGIN [BUILTIN\<name>];
GO
Impact:
Before dropping the BUILTIN group logins, ensure that alternative AD Groups or Windows logins have been added with equivalent permissions. Otherwise, the SQL Server instance may become totally inaccessible.
Default Value:
By default, no BUILTIN groups are added as SQL logins.
CIS Controls:
14.4 Protect Information with Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
3.10 Ensure Windows local groups are not SQL Logins (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
Local Windows groups should not be used as logins for SQL Server instances.
Rationale:
Allowing local Windows groups as SQL Logins provides a loophole whereby anyone with OS level administrator rights (and no SQL Server rights) could add users to the local Windows groups and thereby give themselves or others access to the SQL Server instance.
Audit:
Use the following syntax to determine if any local groups have been added as SQL Server Logins.
USE [master]
GO
SELECT pr.[name] AS LocalGroupName, pe.[permission_name], pe.[state_desc]
FROM sys.server_principals pr
JOIN sys.server_permissions pe ON pr.[principal_id] = pe.[grantee_principal_id]
WHERE pr.[type_desc] = 'WINDOWS_GROUP'
  AND pr.[name] like CAST(SERVERPROPERTY('MachineName') AS nvarchar) + '%';
This query should not return any rows.
Remediation:
1. For each LocalGroupName login, if needed create an equivalent AD group containing only the required user accounts.
2. Add the AD group or individual Windows accounts as a SQL Server login and grant it the permissions required.
3. Drop the LocalGroupName login using the syntax below after replacing <name>.
USE [master]
GO
DROP LOGIN [<name>]
GO
Impact:
Before dropping the local group logins, ensure that alternative AD Groups or Windows logins have been added with equivalent permissions. Otherwise, the SQL Server instance may become totally inaccessible.
Default Value:
By default, no local groups are added as SQL logins.
CIS Controls:
14.4 Protect Information with Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
3.11 Ensure the public role in the msdb database is not granted access to SQL Agent proxies (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
The public database role contains every user in the msdb database. SQL Agent proxies define a security context in which a job step can run.
Rationale:
Granting access to SQL Agent proxies for the public role would allow all users to utilize the proxy, which may have high privileges. This would likely break the principle of least privileges.
Audit:
Use the following syntax to determine if access to any proxies has been granted to the msdb database's public role.
USE [msdb]
GO
SELECT sp.name AS proxyname
FROM dbo.sysproxylogin spl
JOIN sys.database_principals dp ON dp.sid = spl.sid
JOIN sysproxies sp ON sp.proxy_id = spl.proxy_id
WHERE principal_id = USER_ID('public');
GO
This query should not return any rows.
Remediation:
1. Ensure the required security principals are explicitly granted access to the proxy (use sp_grant_login_to_proxy).
2. Revoke access to the <proxyname> from the public role.
USE [msdb]
GO
EXEC dbo.sp_revoke_login_from_proxy @name = N'public', @proxy_name = N'<proxyname>';
GO
Impact:
Before revoking the public role from the proxy, ensure that alternative logins or appropriate user-defined database roles have been added with equivalent permissions. Otherwise, SQL Agent job steps dependent upon this access will fail.
Default Value:
By default, the msdb public database role does not have access to any proxy.
References:
1. https://support.microsoft.com/en-us/help/2160741/best-practices-in-configuring-sql-server-agent-proxy-account
CIS Controls:
14.4 Protect Information with Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
4 Password Policies
This section contains recommendations related to SQL Server's password policies.
4.1 Ensure 'MUST_CHANGE' Option is set to 'ON' for All SQL Authenticated Logins (Not Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
Whenever this option is set to ON, SQL Server will prompt for an updated password the first time the new or altered login is used.
Rationale:
Enforcing a password change after a reset or new login creation will prevent the account administrators or anyone accessing the initial password from misuse of the SQL login created without being noticed.
Audit:
1. Open SQL Server Management Studio.
2. Open Object Explorer and connect to the target instance.
3. Navigate to the Logins tab in Object Explorer and expand. Right click on the desired login and select Properties.
4. Verify the User must change password at next login checkbox is checked.
Note: This audit procedure is only applicable immediately after the login has been created or altered to force the password change. Once the password is changed, there is no way to know specifically that this option was the forcing mechanism behind a password change.
Remediation:
Set the MUST_CHANGE option for SQL Authenticated logins when creating a login initially:
CREATE LOGIN <login_name> WITH PASSWORD = '<password_value>' MUST_CHANGE, CHECK_EXPIRATION = ON, CHECK_POLICY = ON;
Set the MUST_CHANGE option for SQL Authenticated logins when resetting a password:
ALTER LOGIN <login_name> WITH PASSWORD = '<new_password_value>' MUST_CHANGE;
Impact:
CHECK_EXPIRATION and CHECK_POLICY options must both be ON. End users must have the means (application) to change the password when forced.
Default Value:
ON when creating a new login via the SSMS GUI.
OFF when creating a new login using T-SQL CREATE LOGIN unless the MUST_CHANGE option is explicitly included along with CHECK_EXPIRATION = ON.
References:
1. https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-login-transact-sql
2. https://docs.microsoft.com/en-us/sql/t-sql/statements/create-login-transact-sql
CIS Controls:
16 Account Monitoring and Control
4.2 Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
Applies the same password expiration policy used in Windows to passwords used inside SQL Server.
Rationale:
Ensuring SQL logins comply with the secure password policy applied by the Windows Server Benchmark will ensure the passwords for SQL logins with sysadmin privileges are changed on a frequent basis to help prevent compromise via a brute force attack. CONTROL SERVER is an equivalent permission to sysadmin and logins with that permission should also be required to have expiring passwords.
Audit:
Run the following T-SQL statement to find sysadmin or equivalent logins with CHECK_EXPIRATION = OFF. No rows should be returned.
SELECT l.[name], 'sysadmin membership' AS 'Access_Method'
FROM sys.sql_logins AS l
WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1
  AND l.is_expiration_checked <> 1
UNION ALL
SELECT l.[name], 'CONTROL SERVER' AS 'Access_Method'
FROM sys.sql_logins AS l
JOIN sys.server_permissions AS p ON l.principal_id = p.grantee_principal_id
WHERE p.type = 'CL' AND p.state IN ('G', 'W')
  AND l.is_expiration_checked <> 1;
Remediation:
For each <login_name> found by the Audit Procedure, execute the following T-SQL statement:
ALTER LOGIN [<login_name>] WITH CHECK_EXPIRATION = ON;
Impact:
This is a mitigating recommendation for systems which cannot follow the recommendation to use only Windows Authenticated logins.
Regarding limiting this rule to only logins with sysadmin and CONTROL SERVER privileges, there are too many cases of applications that run with less than sysadmin level privileges that have hard-coded passwords or effectively hard-coded passwords (whatever is set the first time is nearly impossible to change). There are several line-of-business applications that are considered best of breed which have this failing.
Also, keep in mind that the password policy is taken from the computer's local policy, which will take from the Default Domain Policy setting. Many organizations have a different password policy with regards to service accounts. These are handled in AD by setting the account's password not to expire and having some other process track when they need to be changed. With this second control in place, this is perfectly acceptable from an audit perspective. If you treat a SQL Server login as a service account, then you have to do the same. This ensures that the password change happens during a communicated downtime window and not arbitrarily.
Default Value:
CHECK_EXPIRATION is ON by default when using SSMS to create a SQL authenticated login.
CHECK_EXPIRATION is OFF by default when using T-SQL CREATE LOGIN syntax without specifying the CHECK_EXPIRATION option.
References:
1. https://docs.microsoft.com/en-us/sql/relational-databases/security/password-policy
CIS Controls:
16.2 All Accounts Have A Monitored Expiration Date
Ensure that all accounts have an expiration date that is monitored and enforced.
4.3 Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
Applies the same password complexity policy used in Windows to passwords used inside SQL Server.
Rationale:
Ensure SQL authenticated login passwords comply with the secure password policy applied by the Windows Server Benchmark so that they cannot be easily compromised via brute force attack.
Audit:
Use the following code snippet to determine the status of SQL Logins and whether their password complexity is enforced.
SELECT name, is_disabled FROM sys.sql_logins WHERE is_policy_checked = 0;
An is_policy_checked value of 0 indicates that the CHECK_POLICY option is OFF; a value of 1 is ON. If the is_disabled value is 1, then the login is disabled and unusable. If no rows are returned then either no SQL Authenticated logins exist or they all have CHECK_POLICY ON.
Remediation:
ALTER LOGIN [<login_name>] WITH CHECK_POLICY = ON;
Impact:
This is a mitigating recommendation for systems which cannot follow the recommendation to use only Windows Authenticated logins.
Weak passwords can lead to compromised systems. SQL Server authenticated logins will utilize the password policy set in the computer's local policy, which is typically set by the Default Domain Policy setting.
The setting is only enforced when the password is changed. This setting does not force existing weak passwords to be changed.
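An added example (not benchmark text) covering 4.1, 4.2 and 4.3 together: one query over sys.sql_logins that reports CHECK_POLICY, CHECK_EXPIRATION, the MUST_CHANGE state (via LOGINPROPERTY, which gives a T-SQL check for 4.1 where the benchmark only gives a GUI procedure), whether the login is sysadmin or holds CONTROL SERVER, and the ALTER LOGIN text needed to bring it into line.

```sql
-- Added example, not benchmark text. One row per SQL-authenticated login with the
-- three password-policy flags from 4.1-4.3 and the privilege scope used by 4.2.
SELECT
    l.name,
    l.is_disabled,
    l.is_policy_checked,                                   -- 4.3: must be 1
    l.is_expiration_checked,                               -- 4.2: must be 1 for sysadmin / CONTROL SERVER
    -- 4.1: 1 only between the CREATE/ALTER ... MUST_CHANGE and the user's first password change
    CAST(LOGINPROPERTY(l.name, 'IsMustChange') AS int)    AS is_must_change,
    CAST(LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS datetime) AS password_last_set,
    priv.is_sysadmin,
    priv.has_control_server,
    -- remediation text; CHECK_POLICY is emitted first because CHECK_EXPIRATION
    -- cannot be switched on while CHECK_POLICY is off
    CASE WHEN l.is_policy_checked = 0
         THEN N'ALTER LOGIN ' + QUOTENAME(l.name) + N' WITH CHECK_POLICY = ON; '
         ELSE N'' END
    + CASE WHEN l.is_expiration_checked = 0
                AND (priv.is_sysadmin = 1 OR priv.has_control_server = 1)
           THEN N'ALTER LOGIN ' + QUOTENAME(l.name) + N' WITH CHECK_EXPIRATION = ON;'
           ELSE N'' END                                   AS remediation
FROM sys.sql_logins AS l
CROSS APPLY (
    SELECT
        CASE WHEN IS_SRVROLEMEMBER('sysadmin', l.name) = 1 THEN 1 ELSE 0 END AS is_sysadmin,
        -- same CONTROL SERVER test as the 4.2 audit query: permission type CL, granted or grant-with-grant
        CASE WHEN EXISTS (SELECT 1
                          FROM sys.server_permissions AS p
                          WHERE p.grantee_principal_id = l.principal_id
                            AND p.type = 'CL'
                            AND p.state IN ('G', 'W'))
             THEN 1 ELSE 0 END AS has_control_server
) AS priv
ORDER BY priv.is_sysadmin DESC, priv.has_control_server DESC, l.name;
```

Review the remediation column rather than executing it blindly: the 4.2 Impact text describes service-style logins that an organization may deliberately keep non-expiring under a separate tracking process, and those should be excluded by hand.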
Default Value:
CHECK_POLICY is ON
References:
1. https://docs.microsoft.com/en-us/sql/relational-databases/security/password-policy
CIS Controls:
16 Account Monitoring and Control
5 Auditing and Logging
This section contains recommendations related to SQL Server's audit and logging mechanisms.
5.1 Ensure 'Maximum number of error log files' is set to greater than or equal to '12' (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
SQL Server error log files must be protected from loss. The log files must be backed up before they are overwritten. Retaining more error logs helps prevent loss from frequent recycling before backups can occur.
Rationale:
The SQL Server error log contains important information about major server events and login attempt information as well.
Audit:
1. Open SQL Server Management Studio.
2. Open Object Explorer and connect to the target instance.
3. Navigate to the Management tab in Object Explorer and expand. Right click on the SQL Server Logs file and select Configure.
4. Verify the Limit the number of error log files before they are recycled checkbox is checked.
5. Verify the Maximum number of error log files is greater than or equal to 12.
OR
Run the following T-SQL. The NumberOfLogFiles returned should be greater than or equal to 12.
DECLARE @NumErrorLogs int;
EXEC master.sys.xp_instance_regread
    N'HKEY_LOCAL_MACHINE',
    N'Software\Microsoft\MSSQLServer\MSSQLServer',
    N'NumErrorLogs',
    @NumErrorLogs OUTPUT;
SELECT ISNULL(@NumErrorLogs, -1) AS [NumberOfLogFiles];
Remediation:
Adjust the number of logs to prevent data loss. The default value of 6 may be insufficient for a production environment.
1. Open SQL Server Management Studio.
2. Open Object Explorer and connect to the target instance.
3. Navigate to the Management tab in Object Explorer and expand. Right click on the SQL Server Logs file and select Configure.
4. Check the Limit the number of error log files before they are recycled checkbox.
5. Set the Maximum number of error log files to greater than or equal to 12.
OR
Run the following T-SQL to change the number of error log files, replacing <NumberAbove12> with your desired number of error log files:
EXEC master.sys.xp_instance_regwrite
    N'HKEY_LOCAL_MACHINE',
    N'Software\Microsoft\MSSQLServer\MSSQLServer',
    N'NumErrorLogs',
    REG_DWORD,
    <NumberAbove12>;
Impact:
Once the max number of error logs is reached, the oldest error log file is deleted each time SQL Server restarts or sp_cycle_errorlog is executed.
Default Value:
6 SQL Server error log files in addition to the current error log file are retained by default.
References:
1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/scm-services-configure-sql-server-error-logs
CIS Controls:
6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive)
Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis.
5.2 Ensure 'Default Trace Enabled' Server Configuration Option is set to '1' (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
The default trace provides audit logging of database activity including account creations, privilege elevation and execution of DBCC commands.
Rationale:
Default trace provides valuable audit information regarding security-related activities on the server.
Audit:
Run the following T-SQL command:
SELECT name,
       CAST(value AS int) AS value_configured,
       CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name = 'default trace enabled';
Both value columns must show 1.
Remediation:
Run the following T-SQL command:
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'default trace enabled', 1;
RECONFIGURE;
GO
EXECUTE sp_configure 'show advanced options', 0;
RECONFIGURE;
Default Value:
1 (on)
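An added example (not benchmark text) of consuming what this option enables: reading the login, password, role and DBCC audit events back out of the current default trace files. The event class numbers are the standard SQL Trace event ids; the names are taken from sys.trace_events rather than hard-coded, so any id that the default trace does not record simply returns no rows.

```sql
-- Added example, not benchmark text. Reads the security-related events kept by
-- the default trace. The default trace is a rolling set of five files of up to
-- 20 MB each, so this is a recent-activity view, not an archive.
DECLARE @path nvarchar(260);

-- sys.traces.path is the file currently being written, e.g. ...\Log\log_123.trc
SELECT @path = path
FROM sys.traces
WHERE is_default = 1;

-- Replace the active file name with log.trc so that fn_trace_gettable reads the
-- whole rollover set instead of only the newest file.
SET @path = LEFT(@path, LEN(@path) - CHARINDEX(N'\', REVERSE(@path)) + 1) + N'log.trc';

SELECT t.StartTime,
       te.name            AS event_name,
       t.LoginName,                        -- who performed the action
       t.HostName,
       t.ApplicationName,
       t.DatabaseName,
       t.TargetLoginName,                  -- login being created or changed
       t.RoleName,                         -- role being granted
       t.ObjectName,
       t.TextData                          -- DBCC command text, where applicable
FROM sys.fn_trace_gettable(@path, DEFAULT) AS t
JOIN sys.trace_events AS te ON te.trace_event_id = t.EventClass
WHERE t.EventClass IN (
    104,   -- Audit Addlogin Event
    105,   -- Audit Login GDR Event (grant / deny / revoke)
    106,   -- Audit Login Change Property Event
    107,   -- Audit Login Change Password Event
    108,   -- Audit Add Login to Server Role Event
    109,   -- Audit Add DB User Event
    110,   -- Audit Add Member to DB Role Event
    111,   -- Audit Add Role Event
    116)   -- Audit DBCC Event
ORDER BY t.StartTime DESC;
```

Because the files recycle quickly on a busy instance, a scheduled job that copies this result into a table of its own is the usual way to keep the history the description promises.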
References:
1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/default-trace-enabled-server-configuration-option
CIS Controls:
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
5.3 Ensure 'Login Auditing' is set to 'failed logins' (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
This setting will record failed authentication attempts for SQL Server logins to the SQL Server Errorlog. This is the default setting for SQL Server.
Historically, this setting has been available in all versions and editions of SQL Server. Prior to the availability of SQL Server Audit, this was the only provided mechanism for capturing logins (successful or failed).
Rationale:
Capturing failed logins provides key information that can be used to detect/confirm password guessing attacks. Capturing successful login attempts can be used to confirm server access during forensic investigations, but using this audit level setting to also capture successful logins creates excessive noise in the SQL Server Errorlog which can hamper a DBA trying to troubleshoot problems. Elsewhere in this benchmark, we recommend using the newer lightweight SQL Server Audit feature to capture both successful and failed logins.
Audit:
EXEC xp_loginconfig 'audit level';
A config_value of failure indicates a server login auditing setting of Failed logins only. If a config_value of all appears, then both failed and successful logins are being logged. Both settings should also be considered valid, but as mentioned capturing successful logins using this method creates lots of noise in the SQL Server Errorlog.
Remediation:
Perform the following steps to set the level of auditing using SSMS:
1. Open SQL Server Management Studio.
2. Right click the target instance and select Properties and navigate to the Security tab.
3. Select the option Failed logins only under the Login Auditing section and click OK.
4. Restart the SQL Server instance.
Perform the following steps to set the level of auditing using T-SQL:
1. Run:
EXEC xp_instance_regwrite
    N'HKEY_LOCAL_MACHINE',
    N'Software\Microsoft\MSSQLServer\MSSQLServer',
    N'AuditLevel',
    REG_DWORD,
    2;
2. Restart the SQL Server instance.
Impact:
At a minimum, we want to ensure failed logins are captured in order to detect if an adversary is attempting to brute force passwords or otherwise attempting to access a SQL Server improperly.
Changing the setting requires a restart of the SQL Server service.
Default Value:
By default, only failed login attempts are captured.
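An added example (not benchmark text) that reads the failed-login lines this setting writes to the ERRORLOG and summarizes them by client address and login, which is the shape a password-guessing run takes in the log. The temp table matches the three columns xp_readerrorlog returns; the text parsed is SQL Server's own "Login failed for user '...'. ... [CLIENT: ...]" message format.

```sql
-- Added example, not benchmark text. Summarizes the 'Login failed' entries that
-- the failed-logins audit level writes to the current ERRORLOG.
CREATE TABLE #errorlog (
    LogDate     datetime,
    ProcessInfo nvarchar(64),
    LogText     nvarchar(max)
);

-- xp_readerrorlog arguments: file number (0 = current, 1 = previous, ...),
-- log type (1 = SQL Server, 2 = Agent), then an optional search string.
INSERT INTO #errorlog (LogDate, ProcessInfo, LogText)
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';

-- Keep only lines whose layout the parsing below relies on.
;WITH failed AS (
    SELECT LogDate, LogText
    FROM #errorlog
    WHERE LogText LIKE N'Login failed for user %'
      AND CHARINDEX(N'[CLIENT: ', LogText) > 0
)
SELECT x.client_address,
       x.login_name,
       COUNT(*)       AS failures,
       MIN(e.LogDate) AS first_seen,
       MAX(e.LogDate) AS last_seen
FROM failed AS e
CROSS APPLY (SELECT
    -- the message ends with "[CLIENT: <address>]"; local sessions show <local machine>
    SUBSTRING(e.LogText,
              CHARINDEX(N'[CLIENT: ', e.LogText) + 9,
              CHARINDEX(N']', e.LogText, CHARINDEX(N'[CLIENT: ', e.LogText))
                - CHARINDEX(N'[CLIENT: ', e.LogText) - 9) AS client_address,
    -- the login is the first single-quoted token: Login failed for user 'name'.
    SUBSTRING(e.LogText,
              CHARINDEX(N'''', e.LogText) + 1,
              CHARINDEX(N'''', e.LogText, CHARINDEX(N'''', e.LogText) + 1)
                - CHARINDEX(N'''', e.LogText) - 1) AS login_name
) AS x
GROUP BY x.client_address, x.login_name
ORDER BY failures DESC;

DROP TABLE #errorlog;
```

Running the INSERT once per archived file number (1, 2, ... up to the retention set in 5.1) extends the window beyond the current log; a high failures count from one address against many different logins, or against sa alone, is the pattern worth alerting on.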
References:
1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/server-properties-security-page
CIS Controls:
16.10 Profile User Account Usage and Monitor for Anomalies
Profile each user's typical account usage by determining normal time-of-day access and access duration. Reports should be generated that indicate users who have logged in during unusual hours or have exceeded their normal login duration. This includes flagging the use of the user's credentials from a computer other than computers on which the user generally works.
5.4 Ensure 'SQL Server Audit' is set to capture both 'failed' and 'successful logins' (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
SQL Server Audit is capable of capturing both failed and successful logins and writing them to one of three places: the application event log, the security event log, or the file system. We will use it to capture any login attempt to SQL Server, as well as any attempts to change audit policy. This will also serve as a second source to record failed login attempts.
Rationale:
By utilizing Audit instead of the traditional setting under the Security tab to capture successful logins, we reduce the noise in the ERRORLOG. This keeps it smaller and easier to read for DBAs who are attempting to troubleshoot issues with the SQL Server. Also, the Audit object can write to the security event log, though this requires operating system configuration. This gives an additional option for where to store login events, especially in conjunction with a SIEM.
Audit:
SELECT S.name AS 'Audit Name',
       CASE S.is_state_enabled WHEN 1 THEN 'Y' WHEN 0 THEN 'N' END AS 'Audit Enabled',
       S.type_desc AS 'Write Location',
       SA.name AS 'Audit Specification Name',
       CASE SA.is_state_enabled WHEN 1 THEN 'Y' WHEN 0 THEN 'N' END AS 'Audit Specification Enabled',
       SAD.audit_action_name,
       SAD.audited_result
FROM sys.server_audit_specification_details AS SAD
JOIN sys.server_audit_specifications AS SA ON SAD.server_specification_id = SA.server_specification_id
JOIN sys.server_audits AS S ON SA.audit_guid = S.audit_guid
WHERE SAD.audit_action_id IN ('CNAU', 'LGFL', 'LGSD');
The result set should contain 3 rows, one for each of the following audit_action_names:
• AUDIT_CHANGE_GROUP
• FAILED_LOGIN_GROUP
• SUCCESSFUL_LOGIN_GROUP
Both the Audit and Audit specification should be enabled and the audited_result should include both success and failure.
Remediation:
Via the SSMS GUI Interface:
1. Expand the SQL Server in Object Explorer.
2. Expand the Security folder.
3. Right-click on the Audits folder and choose New Audit...
4. Specify a name for the Server Audit.
5. Specify the audit destination details and then click OK to save the Server Audit.
6. Right-click on Server Audit Specifications and choose New Server Audit Specification...
7. Name the Server Audit Specification.
8. Select the just created Server Audit in the Audit drop-down selection.
9. Click the drop-down under Audit Action Type and select AUDIT_CHANGE_GROUP.
10. Click the new drop-down under Audit Action Type and select FAILED_LOGIN_GROUP.
11. Click the new drop-down under Audit Action Type and select SUCCESSFUL_LOGIN_GROUP.
12. Click OK to save the Server Audit Specification.
13. Right-click on the new Server Audit Specification and select Enable Server Audit Specification.
14. Right-click on the new Server Audit and select Enable Server Audit.
Via T-SQL:
Execute code similar to:
CREATE SERVER AUDIT TrackLogins
TO APPLICATION_LOG;
GO
CREATE SERVER AUDIT SPECIFICATION TrackAllLogins
FOR SERVER AUDIT TrackLogins
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT TrackLogins WITH (STATE = ON);
GO
Note: If the write destination for the Audit object is to be the security event log, see the Books Online topic Write SQL Server Audit Events to the Security Log and follow the appropriate steps.
Impact:
With the previous recommendation, only failed logins are captured. If the Audit object is not implemented with the appropriate setting, SQL Server will not capture successful logins, which might prove of use for forensics.
Default Value:
By default, there are no audit objects tracking login events.
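An added example (not benchmark text) with the same specification as the TrackLogins audit above but written to the file system, the third destination the description lists, followed by the query that reads the failed logins back with sys.fn_get_audit_file. The D:\SQLAudit\ directory and the audit names are assumptions; the directory must exist and be writable by the SQL Server service account.

```sql
-- Added example, not benchmark text. File-based variant of the page's audit plus
-- a read-back query. Path and object names are assumed.
CREATE SERVER AUDIT TrackLoginsToFile
TO FILE (FILEPATH = N'D:\SQLAudit\',          -- assumed directory; must already exist
         MAXSIZE = 100 MB,                     -- roll over at this size ...
         MAX_ROLLOVER_FILES = 50)              -- ... and keep this many files (see 5.1 for the retention idea)
WITH (QUEUE_DELAY = 1000,                      -- milliseconds events may sit in memory before being flushed
      ON_FAILURE = CONTINUE);                  -- keep serving if the target is unavailable; SHUTDOWN is the strict option
GO
CREATE SERVER AUDIT SPECIFICATION TrackAllLoginsToFile
FOR SERVER AUDIT TrackLoginsToFile
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT TrackLoginsToFile WITH (STATE = ON);
GO
-- Read back: failed logins in the last 24 hours by source address and login.
-- Audit file names start with the audit name; event_time is recorded in UTC.
-- LGIF is the action_id SQL Server writes for an individual failed-login event.
SELECT f.client_ip,
       f.server_principal_name,
       COUNT(*)          AS failures,
       MIN(f.event_time) AS first_seen,
       MAX(f.event_time) AS last_seen
FROM sys.fn_get_audit_file(N'D:\SQLAudit\TrackLoginsToFile*.sqlaudit', DEFAULT, DEFAULT) AS f
WHERE f.action_id = 'LGIF'
  AND f.event_time >= DATEADD(hour, -24, SYSUTCDATETIME())
GROUP BY f.client_ip, f.server_principal_name
ORDER BY failures DESC;
```

Successful logins are the rows with action_id 'LGIS'; the same query with that filter gives the forensic view of who reached the instance, which the Impact section points out the ERRORLOG-based setting in 5.3 cannot provide without the noise it describes.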
References:
1. https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/create-a-server-audit-and-server-audit-specification
CIS Controls:
5.5 Log Failed Administrative Login Attempts
Configure systems to issue a log entry and alert on any unsuccessful login to an administrative account.
6 Application Development
This section contains recommendations related to developing applications that interface with SQL Server.
6.1 Ensure Sanitize Database and Application User Input is Sanitized (Not Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
Always validate user input received from a database client or application by testing type, length, format, and range prior to transmitting it to the database server.
Rationale:
Sanitizing user input drastically minimizes the risk of SQL injection.
Audit:
Check with the application teams to ensure any database interaction is through the use of stored procedures and not dynamic SQL. Revoke any INSERT, UPDATE, or DELETE privileges from users so that modifications to data must be done through stored procedures. Verify that there's no SQL query in the application code produced by string concatenation.
Remediation:
The following steps can be taken to remediate SQL injection vulnerabilities:
• Review TSQL and application code for SQL Injection
• Only permit minimally privileged accounts to send user input to the server
• Minimize the risk of SQL injection attack by using parameterized commands and stored procedures
• Reject user input containing binary data, escape sequences, and comment characters
• Always validate user input and do not use it directly to build SQL statements
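An added example (not benchmark text) of the last two remediation points: the same lookup written with string concatenation, which is what the Audit text tells you to look for, beside the parameterized sp_executesql form, run against a constructed table so the difference in behaviour is visible. The table, procedure and column names are hypothetical.

```sql
-- Added example, not benchmark text. Constructed sample data.
CREATE TABLE dbo.Customers (
    CustomerId int IDENTITY PRIMARY KEY,
    Email      nvarchar(256) NOT NULL,
    Tier       varchar(20)   NOT NULL
);
INSERT INTO dbo.Customers (Email, Tier)
VALUES (N'alice@example.com', 'gold'), (N'bob@example.com', 'basic');
GO
-- Vulnerable form: the caller's string becomes part of the statement text, so
-- quote, escape and comment characters in it are parsed as SQL.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @Email nvarchar(256)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Email, Tier FROM dbo.Customers WHERE Email = ''' + @Email + N'''';
    EXEC (@sql);
END;
GO
-- Hardened form: the statement text is fixed; the value travels as a typed
-- parameter and is compared as data, whatever characters it contains.
CREATE PROCEDURE dbo.FindCustomer_Safe @Email nvarchar(256)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Email, Tier FROM dbo.Customers WHERE Email = @Email';
    EXEC sys.sp_executesql @sql, N'@Email nvarchar(256)', @Email = @Email;
END;
GO
-- Least privilege, as the Audit text asks: the application principal may run the
-- procedure and holds no direct rights on dbo.Customers.
-- GRANT EXECUTE ON dbo.FindCustomer_Safe TO [app_user];   -- hypothetical principal
GO
-- Test input carrying a quote and a comment sequence, the classes of input the
-- remediation list says to reject at the application boundary.
DECLARE @input nvarchar(256) = N'x'' OR 1=1 --';
EXEC dbo.FindCustomer_Unsafe @Email = @input;   -- returns every row: the condition was rewritten
EXEC dbo.FindCustomer_Safe   @Email = @input;   -- returns no row: no customer has that literal address
GO
```

Parameterization is the control that makes the second call safe; the input validation the Description asks for (type, length, format, range) is still applied on top of it in the application, since a syntactically harmless value can still be semantically wrong for the column.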
Impact:
Sanitizing user input may require changes to application code or database object syntax. These changes can require applications or databases to be taken temporarily off-line. Any change to TSQL or application code should be thoroughly tested in a testing environment before production implementation.
References:
1. https://www.owasp.org/index.php/SQL_Injection
CIS Controls:
18.3 Sanitize Input for In-house Software
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
6.2 Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
Setting CLR Assembly Permission Sets to SAFE_ACCESS will prevent assemblies from accessing external system resources such as files, the network, environment variables, or the registry.
Rationale:
Assemblies with EXTERNAL_ACCESS or UNSAFE permission sets can be used to access sensitive areas of the operating system, steal and/or transmit data and alter the state and other protection measures of the underlying Windows Operating System.
Assemblies which are Microsoft-created (is_user_defined = 0) are excluded from this check as they are required for overall system functionality.
Audit:
Execute the following SQL statement:
SELECT name, permission_set_desc FROM sys.assemblies WHERE is_user_defined = 1;
All the returned assemblies should show SAFE_ACCESS in the permission_set_desc column.
Remediation:
ALTER ASSEMBLY <assembly_name> WITH PERMISSION_SET = SAFE;
Impact:
The remediation measure should first be tested within a test environment prior to production to ensure the assembly still functions as designed with the SAFE permission setting.
Default Value:
SAFE permission is set by default.
References:
1. https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/security/clr-integration-code-access-security
2. https://docs.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-assemblies-transact-sql
3. https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-assembly-transact-sql
CIS Controls:
18 Application Software Security
7 Encryption
These recommendations pertain to encryption-related aspects of SQL Server.
7.1 Ensure 'Symmetric Key encryption algorithm' is set to 'AES_128' or higher in non-system databases (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
Per the Microsoft Best Practices, only the SQL Server AES algorithm options, AES_128, AES_192, and AES_256, should be used for a symmetric key encryption algorithm.
Rationale:
The following algorithms (as referred to by SQL Server) are considered weak or deprecated and should no longer be used in SQL Server: DES, DESX, RC2, RC4, RC4_128.
Many organizations may accept the Triple DES algorithms (TDEA) which use keying option 1 (3 key, aka 3TDEA) or keying option 2 (2 key, aka 2TDEA). In SQL Server, these are referred to as TRIPLE_DES_3KEY and TRIPLE_DES respectively. Additionally, the SQL Server algorithm named DESX is actually the same implementation as the TRIPLE_DES_3KEY option. However, using the DESX identifier as the algorithm type has been deprecated and its usage is now discouraged.
Audit:
Run the following code for each individual user database:
USE [<database_name>]
GO
SELECT db_name() AS Database_Name, name AS Key_Name
FROM sys.symmetric_keys
WHERE algorithm_desc NOT IN ('AES_128', 'AES_192', 'AES_256')
  AND db_id() > 4;
GO
For compliance, no rows should be returned.
Remediation:
Refer to the Microsoft SQL Server Books Online ALTER SYMMETRIC KEY entry: https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-symmetric-key-transact-sql
Impact:
Eliminates use of weak and deprecated algorithms which may put a system at higher risk of an attacker breaking the key.
Encrypted data cannot be compressed, but compressed data can be encrypted. If you use compression, you should compress data before encrypting it.
Default Value:
none
References:
1. https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-symmetric-key-transact-sql
CIS Controls:
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
7.2 Ensure Asymmetric Key Size is set to 'greater than or equal to 2048' in non-system databases (Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
Microsoft Best Practices recommend using at least a 2048-bit encryption algorithm for asymmetric keys.
Rationale:
The RSA_2048 encryption algorithm for asymmetric keys in SQL Server is the highest bit-level provided and therefore the most secure available choice (other choices are RSA_512 and RSA_1024).
Audit:
Run the following code for each individual user database:
USE <database_name>;
GO
SELECT db_name() AS Database_Name, name AS Key_Name
FROM sys.asymmetric_keys
WHERE key_length < 2048
  AND db_id() > 4;
GO
For compliance, no rows should be returned.
Remediation:
Refer to the Microsoft SQL Server Books Online ALTER ASYMMETRIC KEY entry: https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-asymmetric-key-transact-sql
Impact:
The higher bit level may result in slower performance, but reduces the likelihood of an attacker breaking the key.
Encrypted data cannot be compressed, but compressed data can be encrypted. If you use compression, you should compress data before encrypting it.
Default Value:
none
References:
1. https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-asymmetric-key-transact-sql
CIS Controls:
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
8 Appendix: Additional Considerations
This appendix discusses possible configuration options for which no recommendation is being given.
8.1 Ensure 'SQL Server Browser Service' is configured correctly (Not Scored)
Profile Applicability:
• Level 1 - Database Engine
Description:
No recommendation is being given on disabling the SQL Server Browser service.
Rationale:
In the case of a default instance installation, the SQL Server Browser service is disabled by default. Unless there is a named instance on the same server, there is typically no reason for the SQL Server Browser service to be running. In this case it is strongly suggested that the SQL Server Browser service remain disabled.
When it comes to named instances, given that a security scan can fingerprint a SQL Server listening on any port, it is of limited benefit to disable the SQL Server Browser service.
However, if all connections against the named instance are via applications and are not visible to end users, then configuring the named instance to listen on a static port, disabling the SQL Server Browser service, and configuring the apps to connect to the specified port should be the direction taken. This follows the general practice of reducing the surface area, especially for an unneeded feature.
On the other hand, if end users are directly connecting to databases on the instance, then typically having them use ServerName\InstanceName is best. This requires the SQL Server Browser service to be running. Disabling the SQL Server Browser service would mean the end users would have to remember port numbers for the instances. When they don't, that will generate service calls to IT staff. Given the limited benefit of disabling the service, the trade-off is probably not worth it, meaning it makes more business sense to leave the SQL Server Browser service enabled.
Audit:
Check the SQL Browser service's status via services.msc or similar methods.
Remediation:
Enable or disable the service as needed for your environment.
Default Value:
The SQL Server Browser service is disabled if only a default instance is installed on the server. If a named instance is installed, the default value is for the SQL Server Browser service to be configured as Automatic for startup.
References:
1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/sql-server-browser-service-database-engine-and-ssas
CIS Controls:
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
Appendix: Summary Table
Control | Set Correctly: Yes | No
1 Installation, Updates and Patches
1.1 Ensure Latest SQL Server Service Packs and Hotfixes are Installed (Not Scored) | o | o
1.2 Ensure Single-Function Member Servers are Used (Not Scored) | o | o
2 Surface Area Reduction
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' (Scored) | o | o
2.2 Ensure 'CLR Enabled' Server Configuration Option is set to '0' (Scored) | o | o
2.3 Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0' (Scored) | o | o
2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' (Scored) | o | o
2.5 Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0' (Scored) | o | o
2.6 Ensure 'Remote Access' Server Configuration Option is set to '0' (Scored) | o | o
2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' (Scored) | o | o
2.8 Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0' (Scored) | o | o
2.9 Ensure 'Trustworthy' Database Property is set to 'Off' (Scored) | o | o
2.10 Ensure Unnecessary SQL Server Protocols are set to 'Disabled' (Not Scored) | o | o
2.11 Ensure SQL Server is configured to use non-standard ports (Scored) | o | o
2.12 Ensure 'Hide Instance' option is set to 'Yes' for Production SQL Server instances (Scored) | o | o
2.13 Ensure the 'sa' Login Account is set to 'Disabled' (Scored) | o | o
2.14 Ensure the 'sa' Login Account has been renamed (Scored) | o | o
2.15 Ensure 'xp_cmdshell' Server Configuration Option is set to '0' (Scored) | o | o
2.16 Ensure 'AUTO_CLOSE' is set to 'OFF' on contained databases (Scored) | o | o
2.17 Ensure no login exists with the name 'sa' (Scored) | o | o
3 Authentication and Authorization
3.1 Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode' (Scored) | o | o
3.2 Ensure CONNECT permissions on the 'guest' user is Revoked within all SQL Server databases excluding the master, msdb and tempdb (Scored) | o | o
3.3 Ensure 'Orphaned Users' are Dropped From SQL Server Databases (Scored) | o | o
3.4 Ensure SQL Authentication is not used in contained databases (Scored) | o | o
3.5 Ensure the SQL Server's MSSQL Service Account is Not an Administrator (Scored) | o | o
3.6 Ensure the SQL Server's SQLAgent Service Account is Not an Administrator (Scored) | o | o
3.7 Ensure the SQL Server's Full-Text Service Account is Not an Administrator (Scored) | o | o
3.8 Ensure only the default permissions specified by Microsoft are granted to the public server role (Scored) | o | o
3.9 Ensure Windows BUILTIN groups are not SQL Logins (Scored) | o | o
3.10 Ensure Windows local groups are not SQL Logins (Scored) | o | o
3.11 Ensure the public role in the msdb database is not granted access to SQL Agent proxies (Scored) | o | o
4 Password Policies
4.1 Ensure 'MUST_CHANGE' Option is set to 'ON' for All SQL Authenticated Logins (Not Scored) | o | o
4.2 Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role (Scored) | o | o
4.3 Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins (Scored) | o | o
5 Auditing and Logging
5.1 Ensure 'Maximum number of error log files' is set to greater than or equal to '12' (Scored) | o | o
5.2 Ensure 'Default Trace Enabled' Server Configuration Option is set to '1' (Scored) | o | o
5.3 Ensure 'Login Auditing' is set to 'failed logins' (Scored) | o | o
5.4 Ensure 'SQL Server Audit' is set to capture both 'failed' and 'successful logins' (Scored) | o | o
6 Application Development
6.1 Ensure Sanitize Database and Application User Input is Sanitized (Not Scored) | o | o
6.2 Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies (Scored) | o | o
7 Encryption
7.1 Ensure 'Symmetric Key encryption algorithm' is set to 'AES_128' or higher in non-system databases (Scored) | o | o
7.2 Ensure Asymmetric Key Size is set to 'greater than or equal to 2048' in non-system databases (Scored) | o | o
8 Appendix: Additional Considerations
8.1 Ensure 'SQL Server Browser Service' is configured correctly (Not Scored) | o | o