Hardening MS SQL

Best practices and references used for hardening MS SQL

MS SQL 2012 CIS v1.3.0

| # | Setting | Scored | Level |
|---|---|---|---|
| 1 | Installation, Updates and Patches | | |
| 1.1 | Ensure Latest SQL Server Service Packs and Hotfixes are Installed (Not Scored) | N | 1 |
| 1.2 | Ensure Single-Function Member Servers are Used (Not Scored) | N | 1 |
| 2 | Surface Area Reduction | | |
| 2.1 | Ensure ‘Ad Hoc Distributed Queries’ Server Configuration Option is set to ‘0’ (Scored) | Y | 1 |
| 2.2 | Ensure ‘CLR Enabled’ Server Configuration Option is set to ‘0’ (Scored) | Y | 1 |
| 2.3 | Ensure ‘Cross DB Ownership Chaining’ Server Configuration Option is set to ‘0’ (Scored) | Y | 1 |
| 2.4 | Ensure ‘Database Mail XPs’ Server Configuration Option is set to ‘0’ (Scored) | Y | 1 |
| 2.5 | Ensure ‘Ole Automation Procedures’ Server Configuration Option is set to ‘0’ (Scored) | Y | 1 |
| 2.6 | Ensure ‘Remote Access’ Server Configuration Option is set to ‘0’ (Scored) | Y | 1 |
| 2.7 | Ensure ‘Remote Admin Connections’ Server Configuration Option is set to ‘0’ (Scored) | Y | 1 |
| 2.8 | Ensure ‘Scan for Startup Procs’ Server Configuration Option is set to ‘0’ (Scored) | Y | 1 |
| 2.9 | Ensure ‘Trustworthy’ Database Property is set to ‘Off’ (Scored) | Y | 1 |
| 2.10 | Ensure Unnecessary SQL Server Protocols are set to ‘Disabled’ (Not Scored) | N | 1 |
| 2.11 | Ensure SQL Server is configured to use non-standard ports (Not Scored) | N | 1 |
| 2.12 | Ensure ‘Hide Instance’ option is set to ‘Yes’ for Production SQL Server instances (Scored) | Y | 1 |
| 2.13 | Ensure ‘sa’ Login Account is set to ‘Disabled’ (Scored) | Y | 1 |
| 2.14 | Ensure ‘sa’ Login Account has been renamed (Scored) | Y | 1 |
| 2.15 | Ensure ‘xp_cmdshell’ Server Configuration Option is set to ‘0’ (Scored) | Y | 1 |
| 3 | Authentication and Authorization | | |
| 3.1 | Ensure ‘Server Authentication’ Property is set to ‘Windows Authentication mode’ (Scored) | Y | 1 |
| 3.2 | Ensure CONNECT permissions on the ‘guest user’ is Revoked within all SQL Server databases excluding the master, msdb and tempdb (Scored) | Y | 1 |
| 3.3 | Ensure ‘Orphaned Users’ are Dropped from SQL Server Databases (Scored) | Y | 1 |
| 3.4 | Ensure SQL Authentication is not used in contained databases (Scored) | Y | 1 |
| 3.5 | Ensure the SQL Server’s MSSQL Service Account is Not an Administrator (Scored) | Y | 1 |
| 3.6 | Ensure the SQL Server’s SQLAgent Service Account is Not an Administrator (Scored) | Y | 1 |
| 3.7 | Ensure the SQL Server’s Full-Text Service Account is Not an Administrator (Scored) | Y | 1 |
| 4 | Password Policies | | |
| 4.1 | Ensure ‘MUST_CHANGE’ Option is set to ‘ON’ for All SQL Authenticated Logins (Not Scored) | N | 1 |
| 4.2 | Ensure ‘CHECK_EXPIRATION’ Option is set to ‘ON’ for All SQL Authenticated Logins Within the Sysadmin Role (Scored) | Y | 1 |
| 4.3 | Ensure ‘CHECK_POLICY’ Option is set to ‘ON’ for All SQL Authenticated Logins (Scored) | Y | 1 |
| 5 | Auditing and Logging | | |
| 5.1 | Ensure ‘Maximum number of error log files’ is set to greater than or equal to ‘12’ (Scored) | Y | 1 |
| 5.2 | Ensure ‘Default Trace Enabled’ Server Configuration Option is set to ‘1’ (Scored) | Y | 1 |
| 5.3 | Ensure ‘Login Auditing’ is set to ‘failed logins’ (Not Scored) | N | 1 |
| 5.4 | Ensure ‘SQL Server Audit’ is set to capture both ‘failed’ and ‘successful logins’ (Not Scored) | N | |
| 6 | Application Development | | |
| 6.1 | Ensure Database and Application User Input is Sanitized (Not Scored) | N | 1 |
| 6.2 | Ensure ‘CLR Assembly Permission Set’ is set to ‘SAFE_ACCESS’ for All CLR Assemblies (Scored) | Y | 1 |
| 7 | Encryption | | |
| 7.1 | Ensure ‘Symmetric Key encryption algorithm’ is set to ‘AES_128’ or higher in non-system databases (Scored) | Y | 1 |
| 7.2 | Ensure Asymmetric Key Size is set to ‘greater than or equal to 2048’ in non-system databases (Scored) | Y | 1 |
| 8 | Appendix: Additional Considerations | | |
| 8.1 | Ensure ‘SQL Server Browser Service’ is configured correctly (Not Scored) | N | 1 |
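To verify the server-level items from sections 2, 3.1 and 5.2 above before a compliance scan runs, the following T-SQL is an added example (not from the CIS benchmark, Tenable, or this page's author); it assumes a default case-insensitive server collation, a non-clustered instance, and a login with VIEW SERVER STATE and VIEW ANY DEFINITION.

```sql
-- Expected sp_configure values taken from the CIS items listed above.
-- Table-variable name and layout are this example's own choice.
DECLARE @expected TABLE (cis_id varchar(8), option_name nvarchar(128), expected_value int);
INSERT INTO @expected (cis_id, option_name, expected_value) VALUES
  ('2.1',  'Ad Hoc Distributed Queries',  0),
  ('2.2',  'clr enabled',                 0),
  ('2.3',  'cross db ownership chaining', 0),
  ('2.4',  'Database Mail XPs',           0),
  ('2.5',  'Ole Automation Procedures',   0),
  ('2.6',  'remote access',               0),
  ('2.7',  'remote admin connections',    0),  -- CIS applies this to non-clustered instances
  ('2.8',  'scan for startup procs',      0),
  ('2.15', 'xp_cmdshell',                 0),
  ('5.2',  'default trace enabled',       1);

-- value_in_use is the running value; a pending 'value' differs until RECONFIGURE runs.
SELECT e.cis_id, e.option_name,
       CAST(c.value_in_use AS int) AS value_in_use, e.expected_value,
       CASE WHEN CAST(c.value_in_use AS int) = e.expected_value THEN 'PASS' ELSE 'FAIL' END AS result
FROM @expected AS e
LEFT JOIN sys.configurations AS c ON c.name = e.option_name
ORDER BY e.cis_id;

-- 2.9: any user database with TRUSTWORTHY on is a finding (msdb is excluded by the benchmark).
SELECT '2.9' AS cis_id, name AS database_name, 'FAIL' AS result
FROM sys.databases
WHERE is_trustworthy_on = 1 AND name <> 'msdb';

-- 2.13 / 2.14: the built-in sa login always has sid 0x01, whatever it has been renamed to.
SELECT '2.13/2.14' AS cis_id, name AS login_name, is_disabled,
       CASE WHEN is_disabled = 1 AND name <> 'sa' THEN 'PASS' ELSE 'FAIL' END AS result
FROM sys.server_principals
WHERE sid = 0x01;

-- 3.1: 1 means Windows Authentication mode only; 0 means Mixed mode.
SELECT '3.1' AS cis_id,
       CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS integrated_only,
       CASE WHEN CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) = 1
            THEN 'PASS' ELSE 'FAIL' END AS result;
```

Remediation for any FAIL in the first result set is the usual `EXEC sp_configure 'option name', 0; RECONFIGURE;` pair, applied only after confirming no application depends on the feature.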

References

STIGS:

CIS Benchmarks:

Known vulnerabilities:


My submissions to the Tenable Discussions forum related to MS SQL Compliance scans: