CIS Microsoft SQL Server 2016 Benchmark v1.0.0 CC€¦ · 5 | Page Overview This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft

CISMicrosoftSQLServer2016Benchmark

v1.0.0-08-11-2017

1|P a g e

ThisworkislicensedunderaCreativeCommonsAttribution-NonCommercial-ShareAlike4.0InternationalPublicLicense.Thelinktothelicensetermscanbefoundathttps://creativecommons.org/licenses/by-nc-sa/4.0/legalcodeTofurtherclarifytheCreativeCommonslicenserelatedtoCISBenchmarkcontent,youareauthorizedtocopyandredistributethecontentforusebyyou,withinyourorganizationandoutsideyourorganizationfornon-commercialpurposesonly,providedthat(i)appropriatecreditisgiventoCIS,(ii)alinktothelicenseisprovided.Additionally,ifyouremix,transformorbuildupontheCISBenchmark(s),youmayonlydistributethemodifiedmaterialsiftheyaresubjecttothesamelicensetermsastheoriginalBenchmarklicenseandyourderivativewillnolongerbeaCISBenchmark.CommercialuseofCISBenchmarksissubjecttothepriorapprovaloftheCenterforInternetSecurity.

2|P a g e

TableofContentsOverview......................................................................................................................................................................5

IntendedAudience..............................................................................................................................................5

ConsensusGuidance...........................................................................................................................................5

TypographicalConventions............................................................................................................................6

ScoringInformation............................................................................................................................................6

ProfileDefinitions................................................................................................................................................7

Acknowledgements.............................................................................................................................................8

Recommendations....................................................................................................................................................9

1Installation,UpdatesandPatches.............................................................................................................9

1.1EnsureLatestSQLServerServicePacksandHotfixesareInstalled(NotScored).9

1.2EnsureSingle-FunctionMemberServersareUsed(NotScored)...............................11

2SurfaceAreaReduction..............................................................................................................................13

2.1Ensure'AdHocDistributedQueries'ServerConfigurationOptionissetto'0'(Scored).......................................................................................................................................................13

2.2Ensure'CLREnabled'ServerConfigurationOptionissetto'0'(Scored)...............15

2.3Ensure'CrossDBOwnershipChaining'ServerConfigurationOptionissetto'0'(Scored).......................................................................................................................................................17

2.4Ensure'DatabaseMailXPs'ServerConfigurationOptionissetto'0'(Scored)...20

2.5Ensure'OleAutomationProcedures'ServerConfigurationOptionissetto'0'(Scored).......................................................................................................................................................22

2.6Ensure'RemoteAccess'ServerConfigurationOptionissetto'0'(Scored)..........24

2.7Ensure'RemoteAdminConnections'ServerConfigurationOptionissetto'0'(Scored).......................................................................................................................................................26

2.8Ensure'ScanForStartupProcs'ServerConfigurationOptionissetto'0'(Scored).........................................................................................................................................................................28

2.9Ensure'Trustworthy'DatabasePropertyissetto'Off'(Scored)...............................30

2.10EnsureUnnecessarySQLServerProtocolsaresetto'Disabled'(NotScored)..32

2.11EnsureSQLServerisconfiguredtousenon-standardports(Scored)..................34

2.12Ensure'HideInstance'optionissetto'Yes'forProductionSQLServerinstances(Scored).......................................................................................................................................................36

3|P a g e

2.13Ensurethe'sa'LoginAccountissetto'Disabled'(Scored)........................................38

2.14Ensurethe'sa'LoginAccounthasbeenrenamed(Scored).......................................40

2.15Ensure'xp_cmdshell'ServerConfigurationOptionissetto'0'(Scored).............42

2.16Ensure'AUTO_CLOSE'issetto'OFF'oncontaineddatabases(Scored)...............44

2.17Ensurenologinexistswiththename'sa'(Scored).......................................................46

3AuthenticationandAuthorization.........................................................................................................48

3.1Ensure'ServerAuthentication'Propertyissetto'WindowsAuthenticationMode'(Scored).........................................................................................................................................48

3.2EnsureCONNECTpermissionsonthe'guest'userisRevokedwithinallSQLServerdatabasesexcludingthemaster,msdbandtempdb(Scored)..............................50

3.3Ensure'OrphanedUsers'areDroppedFromSQLServerDatabases(Scored).....52

3.4EnsureSQLAuthenticationisnotusedincontaineddatabases(Scored)..............54

3.5EnsuretheSQLServer’sMSSQLServiceAccountisNotanAdministrator(Scored).......................................................................................................................................................56

3.6EnsuretheSQLServer’sSQLAgentServiceAccountisNotanAdministrator(Scored).......................................................................................................................................................58

3.7EnsuretheSQLServer’sFull-TextServiceAccountisNotanAdministrator(Scored).......................................................................................................................................................60

3.8EnsureonlythedefaultpermissionsspecifiedbyMicrosoftaregrantedtothepublicserverrole(Scored).................................................................................................................62

3.9EnsureWindowsBUILTINgroupsarenotSQLLogins(Scored)................................64

3.10EnsureWindowslocalgroupsarenotSQLLogins(Scored)......................................66

3.11EnsurethepublicroleinthemsdbdatabaseisnotgrantedaccesstoSQLAgentproxies(Scored)......................................................................................................................................68

4PasswordPolicies.........................................................................................................................................70

4.1Ensure'MUST_CHANGE'Optionissetto'ON'forAllSQLAuthenticatedLogins(NotScored)..............................................................................................................................................70

4.2Ensure'CHECK_EXPIRATION'Optionissetto'ON'forAllSQLAuthenticatedLoginsWithintheSysadminRole(Scored).................................................................................72

4.3Ensure'CHECK_POLICY'Optionissetto'ON'forAllSQLAuthenticatedLogins(Scored).......................................................................................................................................................74

5AuditingandLogging..................................................................................................................................76

4|P a g e

5.1Ensure'Maximumnumberoferrorlogfiles'issettogreaterthanorequalto'12'(Scored).......................................................................................................................................................76

5.2Ensure'DefaultTraceEnabled'ServerConfigurationOptionissetto'1'(Scored).........................................................................................................................................................................78

5.3Ensure'LoginAuditing'issetto'failedlogins'(Scored)................................................80

5.4Ensure'SQLServerAudit'issettocaptureboth'failed'and'successfullogins'(Scored).......................................................................................................................................................82

6ApplicationDevelopment..........................................................................................................................85

6.1EnsureSanitizeDatabaseandApplicationUserInputisSanitized(NotScored)85

6.2Ensure'CLRAssemblyPermissionSet'issetto'SAFE_ACCESS'forAllCLRAssemblies(Scored)..............................................................................................................................87

7Encryption........................................................................................................................................................89

7.1Ensure'SymmetricKeyencryptionalgorithm'issetto'AES_128'orhigherinnon-systemdatabases(Scored)........................................................................................................89

7.2EnsureAsymmetricKeySizeissetto'greaterthanorequalto2048'innon-systemdatabases(Scored).................................................................................................................91

8Appendix:AdditionalConsiderations..................................................................................................93

8.1Ensure'SQLServerBrowserService'isconfiguredcorrectly(NotScored)..........93

Appendix:SummaryTable................................................................................................................................95

Appendix:ChangeHistory.................................................................................................................................98

5|P a g e

OverviewThisdocumentprovidesprescriptiveguidanceforestablishingasecureconfigurationpostureforMicrosoftSQLServer2016.ThisguidewastestedagainstMicrosoftSQLServer2016.Toobtainthelatestversionofthisguide,pleasevisithttp://benchmarks.cisecurity.org.Ifyouhavequestions,comments,orhaveidentifiedwaystoimprovethisguide,[email protected].

IntendedAudience

Thisbenchmarkisintendedforsystemandapplicationadministrators,securityspecialists,auditors,helpdesk,andplatformdeploymentpersonnelwhoplantodevelop,deploy,assess,orsecuresolutionsthatincorporateMicrosoftSQLServer2016onaMicrosoftWindowsplatform.

ConsensusGuidance

Thisbenchmarkwascreatedusingaconsensusreviewprocesscomprisedofsubjectmatterexperts.Consensusparticipantsprovideperspectivefromadiversesetofbackgroundsincludingconsulting,softwaredevelopment,auditandcompliance,securityresearch,operations,government,andlegal.

EachCISbenchmarkundergoestwophasesofconsensusreview.Thefirstphaseoccursduringinitialbenchmarkdevelopment.Duringthisphase,subjectmatterexpertsconvenetodiscuss,create,andtestworkingdraftsofthebenchmark.Thisdiscussionoccursuntilconsensushasbeenreachedonbenchmarkrecommendations.Thesecondphasebeginsafterthebenchmarkhasbeenpublished.Duringthisphase,allfeedbackprovidedbytheInternetcommunityisreviewedbytheconsensusteamforincorporationinthebenchmark.Ifyouareinterestedinparticipatingintheconsensusprocess,pleasevisithttps://community.cisecurity.org.

6|P a g e

TypographicalConventions

Thefollowingtypographicalconventionsareusedthroughoutthisguide:

Convention Meaning

Stylized Monospace font Usedforblocksofcode,command,andscriptexamples.Textshouldbeinterpretedexactlyaspresented.

Monospacefont Usedforinlinecode,commands,orexamples.Textshouldbeinterpretedexactlyaspresented.

<italicfontinbrackets> Italictextssetinanglebracketsdenoteavariablerequiringsubstitutionforarealvalue.

Italicfont Usedtodenotethetitleofabook,article,orotherpublication.

Note Additionalinformationorcaveats

ScoringInformation

Ascoringstatusindicateswhethercompliancewiththegivenrecommendationimpactstheassessedtarget'sbenchmarkscore.Thefollowingscoringstatusesareusedinthisbenchmark:

Scored

Failuretocomplywith"Scored"recommendationswilldecreasethefinalbenchmarkscore.Compliancewith"Scored"recommendationswillincreasethefinalbenchmarkscore.

NotScored

Failuretocomplywith"NotScored"recommendationswillnotdecreasethefinalbenchmarkscore.Compliancewith"NotScored"recommendationswillnotincreasethefinalbenchmarkscore.

7|P a g e

ProfileDefinitions

ThefollowingconfigurationprofilesaredefinedbythisBenchmark:

• Level1-DatabaseEngine

Itemsinthisprofileintendto:

o bepracticalandprudent;o provideaclearsecuritybenefit;ando notinhibittheutilityofthetechnologybeyondacceptablemeans.

8|P a g e

Acknowledgements

Thisbenchmarkexemplifiesthegreatthingsacommunityofusers,vendors,andsubjectmatterexpertscanaccomplishthroughconsensuscollaboration.TheCIScommunitythankstheentireconsensusteamwithspecialrecognitiontothefollowingindividualswhocontributedgreatlytothecreationofthisguide:

ContributorTimHarrisonCISSP,ICP,CenterforInternetSecurityPhilippeLangloisMichelGanguinEditorNancyHidyWilsonBrianKelleyMCSE,CISA,Security+,MicrosoftMVP-SQLServer

9|P a g e

Recommendations1Installation,UpdatesandPatches

ThissectioncontainsrecommendationsrelatedtoinstallingandpatchingSQLServer.

1.1EnsureLatestSQLServerServicePacksandHotfixesareInstalled(NotScored)

ProfileApplicability:


Description:

SQLServerpatchescontainprogramupdatesthatfixsecurityandproductfunctionalityissuesfoundinthesoftware.Thesepatchescanbeinstalledwithahotfixwhichisasinglepatch,acumulativeupdatewhichisasmallgroupofpatchesoraservicepackwhichisalargecollectionofpatches.TheSQLServerversionandpatchlevelsshouldbethemostrecentcompatiblewiththeorganizations'operationalneeds.

Rationale:

UsingthemostrecentSQLServersoftware,alongwithallapplicablepatchescanhelplimitthepossibilitiesforvulnerabilitiesinthesoftware,theinstallationversionand/orpatchesappliedduringsetupshouldbeestablishedaccordingtotheneedsoftheorganization.

Audit:

TodetermineyourSQLServerservicepacklevel,runthefollowingcodesnippet.

SELECT SERVERPROPERTY('ProductLevel') as SP_installed, SERVERPROPERTY('ProductVersion') as Version;

FirstcolumnreturnstheinstalledServicePacklevel,thesecondistheexactbuildnumber.

Remediation:

IdentifythecurrentversionandpatchlevelofyourSQLServerinstancesandensuretheycontainthelatestsecurityfixes.Makesuretotestthesefixesinyourtestenvironmentsbeforeupdatingproductioninstances.

10|P a g e

ThemostrecentSQLServerpatchescanbefoundhere:

• HotfixesandCumulativeupdates:http://blogs.msdn.com/b/sqlreleaseservices/• ServicePacks:https://support.microsoft.com/en-us/kb/3177534

DefaultValue:

Servicepacksandpatchesarenotinstalledbydefault.

References:

1. https://support.microsoft.com/en-us/kb/3177534

CISControls:

4ContinuousVulnerabilityAssessmentandRemediation

11|P a g e

1.2EnsureSingle-FunctionMemberServersareUsed(NotScored)



Description:

ItisrecommendedthatSQLServersoftwarebeinstalledonadedicatedserver.Thisarchitecturalconsiderationaffordssecurityflexibilityinthatthedatabaseservercanbeplacedonaseparatesubnetallowingaccessonlyfromparticularhostsandoverparticularprotocols.Degreesofavailabilityareeasiertoachieveaswell-overtime,anenterprisecanmovefromasingledatabaseservertoafailovertoaclusterusingloadbalancingortosomecombinationthereof.

Rationale:

Itiseasiertomanage(i.e.reduce)theattacksurfaceoftheserverhostingSQLServersoftwareiftheonlysurfacestoconsideraretheunderlyingoperatingsystem,SQLServeritself,andanysecurity/operationaltoolingthatmayadditionallybeinstalled.Asnotedinthedescription,availabilitycanbemoreeasilyaddressedifthedatabaseisonadedicatedserver.

Audit:

Ensurethatnootherrolesareenabledfortheunderlyingoperatingsystemandthatnoexcesstoolingisinstalled,perenterprisepolicy.

Remediation:

Uninstallexcesstoolingand/orremoveunnecessaryrolesfromtheunderlyingoperatingsystem.

Impact:

Itisdifficulttoseeanyreasonablyadverseimpacttomakingthisarchitecturalchange,oncethecostsofmakingthechangehavebeenpaid.Customapplicationsmayneedtobemodifiedtoaccommodatedatabaseconnectionsoverthewireratherthanonthehost(i.e.usingTCP/IPinsteadofNamedPipes).Additionalhardwareandoperatingsystemlicensesmayberequiredtomakethesearchitecturalchanges.

12|P a g e

CISControls:

9.5OperateCriticalServicesonDedicatedHosts(i.e.DNS,Mail,Web,Database)Operatecriticalservicesonseparatephysicalorlogicalhostmachines,suchasDNS,file,mail,web,anddatabaseservers.

13|P a g e

2SurfaceAreaReduction

SQLServeroffersvariousconfigurationoptions,someofthemcanbecontrolledbythesp_configurestoredprocedure.Thissectioncontainsthelistingofthecorrespondingrecommendations.

2.1Ensure'AdHocDistributedQueries'ServerConfigurationOptionissetto'0'(Scored)



Description:

EnablingAdHocDistributedQueriesallowsuserstoquerydataandexecutestatementsonexternaldatasources.Thisfunctionalityshouldbedisabled.

Rationale:

ThisfeaturecanbeusedtoremotelyaccessandexploitvulnerabilitiesonremoteSQLServerinstancesandtorununsafeVisualBasicforApplicationfunctions.

Audit:

RunthefollowingT-SQLcommand:

SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Ad Hoc Distributed Queries';

Bothvaluecolumnsmustshow0.

Remediation:


EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'Ad Hoc Distributed Queries', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;

14|P a g e

DefaultValue:

0(disabled)

References:

1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/ad-hoc-distributed-queries-server-configuration-option

CISControls:

9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.

15|P a g e

2.2Ensure'CLREnabled'ServerConfigurationOptionissetto'0'(Scored)



Description:

Theclr enabledoptionspecifieswhetheruserassembliescanberunbySQLServer.

Rationale:

EnablinguseofCLRassemblieswidenstheattacksurfaceofSQLServerandputsitatriskfrombothinadvertentandmaliciousassemblies.

Audit:


SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'clr enabled';

Bothvaluecolumnsmustshow0tobecompliant.

Remediation:


EXECUTE sp_configure 'clr enabled', 0; RECONFIGURE;

Impact:

IfCLRassembliesareinuse,applicationsmayneedtoberearchitectedtoeliminatetheirusagebeforedisablingthissetting.Alternatively,someorganizationsmayallowthissettingtobeenabled1forassembliescreatedwiththeSAFEpermissionset,butdisallowassembliescreatedwiththeriskierUNSAFEandEXTERNAL_ACCESSpermissionsets.Tofinduser-createdassemblies,runthefollowingqueryinalldatabases,replacing<database_name>witheachdatabasename:

16|P a g e

USE [<database_name>] GO SELECT name AS Assembly_Name, permission_set_desc FROM sys.assemblies WHERE is_user_defined = 1; GO

DefaultValue:

Bydefault,thisoptionisdisabled(0).

References:

1. https://docs.microsoft.com/en-us/sql/t-sql/statements/create-assembly-transact-sql

CISControls:

18.9SanitizeDeployedSoftwareofDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sampledataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.

17|P a g e

2.3Ensure'CrossDBOwnershipChaining'ServerConfigurationOptionissetto'0'(Scored)



Description:

Thecross db ownership chainingoptioncontrolscross-databaseownershipchainingacrossalldatabasesattheinstance(orserver)level.

Rationale:

Whenenabled,thisoptionallowsamemberofthedb_ownerroleinadatabasetogainaccesstoobjectsownedbyalogininanyotherdatabase,causinganunnecessaryinformationdisclosure.Whenrequired,cross-databaseownershipchainingshouldonlybeenabledforthespecificdatabasesrequiringitinsteadofattheinstancelevelforalldatabasesbyusingtheALTER DATABASE <database_name> SET DB_CHAINING ONcommand.Thisdatabaseoptionmaynotbechangedonthemaster,model,ortempdbsystemdatabases.

Audit:


SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations

WHERE name = 'cross db ownership chaining';


Remediation:


EXECUTE sp_configure 'cross db ownership chaining', 0; RECONFIGURE; GO

DefaultValue:


18|P a g e

19|P a g e

References:

1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option

CISControls:

14.4ProtectInformationwithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

20|P a g e

2.4Ensure'DatabaseMailXPs'ServerConfigurationOptionissetto'0'(Scored)



Description:

TheDatabase Mail XPsoptioncontrolstheabilitytogenerateandtransmitemailmessagesfromSQLServer.

Rationale:

DisablingtheDatabase Mail XPsoptionreducestheSQLServersurface,eliminatesaDOSattackvectorandchanneltoexfiltratedatafromthedatabaseservertoaremotehost.

Audit:


SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Database Mail XPs';


Remediation:


EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'Database Mail XPs', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;

DefaultValue:


21|P a g e

References:

1. https://docs.microsoft.com/en-us/sql/relational-databases/database-mail/database-mail

CISControls:

18ApplicationSoftwareSecurity

22|P a g e

2.5Ensure'OleAutomationProcedures'ServerConfigurationOptionissetto'0'(Scored)



Description:

TheOle Automation ProceduresoptioncontrolswhetherOLEAutomationobjectscanbeinstantiatedwithinTransact-SQLbatches.TheseareextendedstoredproceduresthatallowSQLServeruserstoexecutefunctionsexternaltoSQLServer.

Rationale:

EnablingthisoptionwillincreasetheattacksurfaceofSQLServerandallowuserstoexecutefunctionsinthesecuritycontextofSQLServer.

Audit:


SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Ole Automation Procedures';


Remediation:


EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'Ole Automation Procedures', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;

DefaultValue:


23|P a g e

References:

1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/ole-automation-procedures-server-configuration-option

CISControls:


24|P a g e

2.6Ensure'RemoteAccess'ServerConfigurationOptionissetto'0'(Scored)



Description:

Theremote accessoptioncontrolstheexecutionoflocalstoredproceduresonremoteserversorremotestoredproceduresonlocalserver.

Rationale:

FunctionalitycanbeabusedtolaunchaDenial-of-Service(DoS)attackonremoteserversbyoff-loadingqueryprocessingtoatarget.

Audit:


SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'remote access';


Remediation:


EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'remote access', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;

RestarttheDatabaseEngine.

25|P a g e

Impact:

PerMicrosoft:ThisfeaturewillberemovedinthenextversionofMicrosoftSQLServer.Donotusethisfeatureinnewdevelopmentwork,andmodifyapplicationsthatcurrentlyusethisfeatureassoonaspossible.Usesp_addlinkedserverinstead.

DefaultValue:

Bydefault,thisoptionisenabled(1).

References:

1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option

CISControls:


26|P a g e

2.7Ensure'RemoteAdminConnections'ServerConfigurationOptionissetto'0'(Scored)



Description:

Theremote admin connectionsoptioncontrolswhetheraclientapplicationonaremotecomputercanusetheDedicatedAdministratorConnection(DAC).

Rationale:

TheDedicatedAdministratorConnection(DAC)letsanadministratoraccessarunningservertoexecutediagnosticfunctionsorTransact-SQLstatements,ortotroubleshootproblemsontheserver,evenwhentheserverislockedorrunninginanabnormalstateandnotrespondingtoaSQLServerDatabaseEngineconnection.Inaclusterscenario,theadministratormaynotactuallybeloggedontothesamenodethatiscurrentlyhostingtheSQLServerinstanceandthusisconsidered"remote".Therefore,thissettingshouldusuallybeenabled(1)forSQLServerfailoverclusters;otherwiseitshouldbedisabled(0)whichisthedefault.

Audit:


USE master; GO SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'remote admin connections' AND SERVERPROPERTY('IsClustered') = 0;

Ifnodataisreturned,theinstanceisaclusterandthisrecommendationisnotapplicable.Ifdataisreturned,thenboththevaluecolumnsmustshow0tobecompliant.

Remediation:

RunthefollowingT-SQLcommandonnon-clusteredinstallations:

EXECUTE sp_configure 'remote admin connections', 0; RECONFIGURE; GO

27|P a g e

DefaultValue:

Bydefault,thisoptionisdisabled(0),onlylocalconnectionsmayusetheDAC.

References:

1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/remote-admin-connections-server-configuration-option

Notes:

Ifit'saclusteredinstallation,thisoptionmustbeenabledasaclusteredSQLServercannotbindtolocalhostandDACwillbeunavailableotherwise.Enableitforclusteredinstallations.Disableitforstandaloneinstallationswherenotrequired.

CISControls:


28|P a g e

2.8Ensure'ScanForStartupProcs'ServerConfigurationOptionissetto'0'(Scored)



Description:

Thescan for startup procsoption,ifenabled,causesSQLServertoscanforandautomaticallyrunallstoredproceduresthataresettoexecuteuponservicestartup.

Rationale:

Enforcingthiscontrolreducesthethreatofanentityleveragingthesefacilitiesformaliciouspurposes.

Audit:


SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'scan for startup procs';


Remediation:


EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'scan for startup procs', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;

RestarttheDatabaseEngine.

Impact:

SettingScanforStartupProceduresto0willpreventcertainaudittracesandothercommonlyusedmonitoringstoredproceduresfromre-startingonstartup.Additionally,

29|P a g e

replicationrequiresthissettingtobeenabled(1)andwillautomaticallychangethissettingifneeded.

DefaultValue:


References:

1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-scan-for-startup-procs-server-configuration-option

CISControls:


30|P a g e

2.9Ensure'Trustworthy'DatabasePropertyissetto'Off'(Scored)



Description:

TheTRUSTWORTHYdatabaseoptionallowsdatabaseobjectstoaccessobjectsinotherdatabasesundercertaincircumstances.

Rationale:

ProvidesprotectionfrommaliciousCLRassembliesorextendedprocedures.

Audit:

RunthefollowingT-SQLquerytolistanydatabaseswithaTrustworthydatabasepropertyvalueofON:

SELECT name FROM sys.databases WHERE is_trustworthy_on = 1 AND name != 'msdb';

Norowsshouldbereturned.

Remediation:

ExecutethefollowingT-SQLstatementagainstthedatabases(replace<database_name>below)returnedbytheAuditProcedure:

ALTER DATABASE [<database_name>] SET TRUSTWORTHY OFF;

DefaultValue:

Bydefault,thisdatabasepropertyisOFF(is_trustworthy_on = 0),exceptforthemsdbdatabaseinwhichitisrequiredtobeON.

References:

1. https://docs.microsoft.com/en-us/sql/relational-databases/security/trustworthy-database-property

2. https://support.microsoft.com/it-it/help/2183687/guidelines-for-using-the-trustworthy-database-setting-in-sql-server

CISControls:

31|P a g e


32|P a g e

2.10EnsureUnnecessarySQLServerProtocolsaresetto'Disabled'(NotScored)



Description:

SQLServersupportsSharedMemory,NamedPipes,andTCP/IPprotocols.However,SQLServershouldbeconfiguredtousethebareminimumrequiredbasedontheorganization'sneeds.

Rationale:

UsingfewerprotocolsminimizestheattacksurfaceofSQLServerand,insomecases,canprotectitfromremoteattacks.

Audit:

OpenSQLServerConfigurationManager;gototheSQLServerNetworkConfiguration.Ensurethatonlyrequiredprotocolsareenabled.

Remediation:

OpenSQLServerConfigurationManager;gototheSQLServerNetworkConfiguration.Ensurethatonlyrequiredprotocolsareenabled.Disableprotocolsnotnecessary.

Impact:

TheDatabaseEngine(MSSQLandSQLAgent)servicesmustbestoppedandrestartedforthechangetotakeeffect.

DefaultValue:

Bydefault,TCP/IPandSharedMemoryprotocolsareenabledonallcommercialeditions.

References:

1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/enable-or-disable-a-server-network-protocol

33|P a g e

CISControls:


34|P a g e

2.11EnsureSQLServerisconfiguredtousenon-standardports(Scored)



Description:

Ifinstalled,adefaultSQLServerinstancewillbeassignedadefaultportofTCP:1433forTCP/IPcommunication.AdministratorscanalsomanuallyconfigurenamedinstancestouseTCP:1433forcommunication.TCP:1433isawidelyknownSQLServerportandthisportassignmentshouldbechanged.Inamulti-instancescenario,eachinstancemustbeassigneditsowndedicatedTCP/IPport.

Rationale:

Usinganon-defaultporthelpsprotectthedatabasefromattacksdirectedtothedefaultport.

Audit:

RunthefollowingT-SQLscript:

DECLARE @value nvarchar(256); EXECUTE master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'SOFTWARE\Microsoft\Microsoft SQL Server\MSSQLServer\SuperSocketNetLib\Tcp\IPAll', N'TcpPort', @value OUTPUT, N'no_output'; SELECT @value AS TCP_Port WHERE @value = '1433';

Thisshouldreturnnorows.

Remediation:

1. InSQLServerConfigurationManager,intheconsolepane,expandSQLServerNetworkConfiguration,expandProtocolsfor<InstanceName>,andthendouble-clicktheTCP/IPprotocol

2. IntheTCP/IPPropertiesdialogbox,ontheIPAddressestab,severalIPaddressesappearintheformatIP1,IP2,uptoIPAll.OneoftheseisfortheIPaddressoftheloopbackadapter,127.0.0.1.AdditionalIPaddressesappearforeachIPAddressonthecomputer.

35|P a g e

3. UnderIPAll,changetheTCPPortfieldfrom1433toanon-standardportorleavetheTCPPortfieldemptyandsettheTCPDynamicPortsvalueto0toenabledynamicportassignmentandthenclickOK.

4. Intheconsolepane,clickSQLServerServices.5. Inthedetailspane,right-clickSQLServer(<InstanceName>)andthenclick

Restart,tostopandrestartSQLServer.

Impact:

ChangingthedefaultportwillforcetheDAC(DedicatedAdministratorConnection)tolistenonarandomport.Also,itmightmakebenignapplications,suchasapplicationfirewalls,requirespecialconfiguration.Ingeneral,youshouldsetastaticportforconsistentusagebyapplications,includingfirewalls,insteadofusingdynamicportswhichwillbechosenrandomlyateachSQLServerstartup.

DefaultValue:

Bydefault,defaultSQLServerinstanceslistenontoTCP/IPtrafficonTCPport1433andnamedinstancesusedynamicports.

References:

1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-server-to-listen-on-a-specific-tcp-port

CISControls:

9LimitationandControlofNetworkPorts,Protocols,andServices

36|P a g e

2.12Ensure'HideInstance'optionissetto'Yes'forProductionSQLServerinstances(Scored)



Description:

Non-clusteredSQLServerinstanceswithinproductionenvironmentsshouldbedesignatedashiddentopreventadvertisementbytheSQLServerBrowserservice.

Rationale:

DesignatingproductionSQLServerinstancesashiddenleadstoamoresecureinstallationbecausetheycannotbeenumerated.However,clusteredinstancesmaybreakifthisoptionisselected.

Audit:

PerformeithertheGUIorT-SQLmethodshown:

GUIMethod

1. InSQLServerConfigurationManager,expandSQLServerNetworkConfiguration,right-clickProtocolsfor<InstanceName>,andthenselectProperties.

2. OntheFlagstab,intheHideInstancebox,ifYesisselected,itiscompliant.

T-SQLMethodExecutethefollowingT-SQL.

DECLARE @getValue INT; EXEC master..xp_instance_regread @rootkey = N'HKEY_LOCAL_MACHINE', @key = N'SOFTWARE\Microsoft\Microsoft SQL Server\MSSQLServer\SuperSocketNetLib', @value_name = N'HideInstance', @value = @getValue OUTPUT; SELECT @getValue;

Avalueof1shouldbereturnedtobecompliant.

Remediation:

PerformeithertheGUIorT-SQLmethodshown:

37|P a g e

GUIMethod

1. InSQLServerConfigurationManager,expandSQLServerNetworkConfiguration,right-clickProtocolsfor<InstanceName>,andthenselectProperties.

2. OntheFlagstab,intheHideInstancebox,selectYes,andthenclickOKtoclosethedialogbox.Thechangetakeseffectimmediatelyfornewconnections.

T-SQLMethodExecutethefollowingT-SQLtoremediate:

EXEC master..xp_instance_regwrite @rootkey = N'HKEY_LOCAL_MACHINE', @key = N'SOFTWARE\Microsoft\Microsoft SQL Server\MSSQLServer\SuperSocketNetLib', @value_name = N'HideInstance', @type = N'REG_DWORD', @value = 1;

Impact:

Thismethodonlypreventstheinstancefrombeinglistedonthenetwork.Iftheinstanceishidden(notexposedbySQLBrowser),thenconnectionswillneedtospecifytheserverandportinordertoconnect.Itdoesnotpreventusersfromconnectingtoserveriftheyknowtheinstancenameandport.

Ifyouhideaclusterednamedinstance,theclusterservicemaynotbeabletoconnecttotheSQLServer.PleaserefertotheMicrosoftdocumentationreference.

DefaultValue:

Bydefault,SQLServerinstancesarenothidden.

References:

1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/hide-an-instance-of-sql-server-database-engine

CISControls:

9LimitationandControlofNetworkPorts,Protocols,andServices

38|P a g e

2.13Ensurethe'sa'LoginAccountissetto'Disabled'(Scored)



Description:

ThesaaccountisawidelyknownandoftenwidelyusedSQLServeraccountwithsysadminprivileges.Thisistheoriginallogincreatedduringinstallationandalwayshastheprincipal_id=1andsid=0x01.

Rationale:

Enforcingthiscontrolreducestheprobabilityofanattackerexecutingbruteforceattacksagainstawell-knownprincipal.

Audit:

Usethefollowingsyntaxtodetermineifthesaaccountisdisabled.Checkingforsid=0x01ensuresthattheoriginalsaaccountisbeingcheckedincaseithasbeenrenamedperbestpractices.

SELECT name, is_disabled FROM sys.server_principals WHERE sid = 0x01 AND is_disabled = 0;

Norowsshouldbereturnedtobecompliant.Anis_disabledvalueof0indicatestheloginiscurrentlyenabledandthereforeneedsremediation.

Remediation:

ExecutethefollowingT-SQLquery:

USE [master] GO DECLARE @tsql nvarchar(max) SET @tsql = 'ALTER LOGIN ' + SUSER_NAME(0x01) + ' DISABLE' EXEC (@tsql) GO

Impact:

Itisnotagoodsecuritypracticetocodeapplicationsorscriptstousethesaaccount.However,ifthishasbeendone,disablingthesaaccountwillpreventscriptsand

39|P a g e

applicationsfromauthenticatingtothedatabaseserverandexecutingrequiredtasksorfunctions.

DefaultValue:

Bydefault,thesaloginaccountisdisabledatinstalltimewhenWindowsAuthenticationModeisselected.Ifmixedmode(SQLServerandWindowsAuthentication)isselectedatinstall,thedefaultforthesaloginisenabled.

References:

1. https://docs.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-server-principals-transact-sql

2. https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-login-transact-sql3. https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-

authentication-mode

CISControls:

5.1MinimizeandSparinglyUseAdministrativePrivilegesMinimizeadministrativeprivilegesandonlyuseadministrativeaccountswhentheyarerequired.Implementfocusedauditingontheuseofadministrativeprivilegedfunctionsandmonitorforanomalousbehavior.

40|P a g e

2.14Ensurethe'sa'LoginAccounthasbeenrenamed(Scored)



Description:

ThesaaccountisawidelyknownandoftenwidelyusedSQLServerloginwithsysadminprivileges.Thesaloginistheoriginallogincreatedduringinstallationandalwayshasprincipal_id=1andsid=0x01.

Rationale:

Itismoredifficulttolaunchpassword-guessingandbrute-forceattacksagainstthesaloginifthenameisnotknown.

Audit:

Usethefollowingsyntaxtodetermineifthesalogin(principal)isrenamed.

SELECT name FROM sys.server_principals WHERE sid = 0x01;

Anameofsaindicatestheaccounthasnotbeenrenamedandthereforeneedsremediation.

Remediation:

Replacethe<different_user>valuewithinthebelowsyntaxandexecutetorenamethesalogin.

ALTER LOGIN sa WITH NAME = <different_user>;

Impact:

Itisnotagoodsecuritypracticetocodeapplicationsorscriptstousethesalogin.However,ifthishasbeendone,renamingthesaloginwillpreventscriptsandapplicationsfromauthenticatingtothedatabaseserverandexecutingrequiredtasksorfunctions.

DefaultValue:

Bydefault,thesaloginnameis'sa'.

41|P a g e

References:

1. https://docs.microsoft.com/en-us/sql/relational-databases/security/choose-an-authentication-mode

CISControls:

5ControlledUseofAdministrationPrivileges

42|P a g e

2.15Ensure'xp_cmdshell'ServerConfigurationOptionissetto'0'(Scored)



Description:

Thexp_cmdshelloptioncontrolswhetherthexp_cmdshellextendedstoredprocedurecanbeusedbyanauthenticatedSQLServerusertoexecuteoperating-systemcommandshellcommandsandreturnresultsasrowswithintheSQLclient.

Rationale:

Thexp_cmdshellprocedureiscommonlyusedbyattackerstoreadorwritedatato/fromtheunderlyingOperatingSystemofadatabaseserver.

Audit:


SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';


Remediation:


EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'xp_cmdshell', 0; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;

DefaultValue:


43|P a g e

References:

1. https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql

2. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option

CISControls:


44|P a g e

2.16Ensure'AUTO_CLOSE'issetto'OFF'oncontaineddatabases(Scored)



Description:

AUTO_CLOSEdeterminesifagivendatabaseisclosedornotafteraconnectionterminates.Ifenabled,subsequentconnectionstothegivendatabasewillrequirethedatabasetobereopenedandrelevantprocedurecachestoberebuilt.

Rationale:

Becauseauthenticationofusersforcontaineddatabasesoccurswithinthedatabasenotattheserver\instancelevel,thedatabasemustbeopenedeverytimetoauthenticateauser.Thefrequentopening/closingofthedatabaseconsumesadditionalserverresourcesandmaycontributetoadenialofservice.

Audit:

Performthefollowingtofindcontaineddatabasesthatarenotconfiguredasprescribed:

SELECT name, containment, containment_desc, is_auto_close_on FROM sys.databases WHERE containment <> 0 and is_auto_close_on = 1;


Remediation:

ExecutethefollowingT-SQL,replacing<database_name>witheachdatabasenamefoundbytheAuditProcedure:

ALTER DATABASE <database_name> SET AUTO_CLOSE OFF;

DefaultValue:

Bydefault,thedatabasepropertyAUTO_CLOSEisOFFwhichisequivalenttois_auto_close_on = 0.

45|P a g e

References:

1. https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases

CISControls:


46|P a g e

2.17Ensurenologinexistswiththename'sa'(Scored)



Description:

Thesalogin(e.g.principal)isawidelyknownandoftenwidelyusedSQLServeraccount.Therefore,thereshouldnotbealogincalledsaevenwhentheoriginalsalogin(principal_id = 1)hasbeenrenamed.

Rationale:

Enforcingthiscontrolreducestheprobabilityofanattackerexecutingbruteforceattacksagainstawell-knownprincipalname.

Audit:

Usethefollowingsyntaxtodetermineifthereisanaccountnamedsa.

SELECT principal_id, name, FROM sys.server_principals WHERE name = 'sa';


Remediation:

ExecutetheappropriateALTERorDROPstatementbelowbasedontheprincipal_idreturnedfortheloginnamedsa.Replacethe<different_name>valuewithinthebelowsyntaxandexecutetorenamethesalogin.

USE [master] GO -- If principal_id = 1 or the login owns database objects, rename the sa login ALTER LOGIN [sa] WITH NAME = <different_name>; GO -- If the login owns no database objects, then drop it -- Do NOT drop the login if it is principal_id = 1 DROP LOGIN sa

Impact:

Itisnotagoodsecuritypracticetocodeapplicationsorscriptstousethesaaccount.Giventhatitisabestpracticetorenameanddisablethesaaccount,some3rdpartyapplications

47|P a g e

checkfortheexistenceofaloginnamedsaandifitdoesn'texist,createsone.Removingthesaloginwillpreventthesescriptsandapplicationsfromauthenticatingtothedatabaseserverandexecutingrequiredtasksorfunctions.

DefaultValue:

Theloginwithprincipal_id = 1isnamedsabydefault.

CISControls:


48|P a g e

3AuthenticationandAuthorization

ThissectioncontainsrecommendationsrelatedtoSQLServer'sauthenticationandauthorizationmechanisms.

3.1Ensure'ServerAuthentication'Propertyissetto'WindowsAuthenticationMode'(Scored)



Description:

UsesWindowsAuthenticationtovalidateattemptedconnections.

Rationale:

WindowsprovidesamorerobustauthenticationmechanismthanSQLServerauthentication.

Audit:

Executethefollowingsyntax:

SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') as [login_mode];

Alogin_modeof1indicatestheServerAuthenticationpropertyissettoWindowsAuthenticationMode.Alogin_modeof0indicatesmixedmodeauthentication.

Remediation:

ViatheSSMSGUI-Performthefollowingsteps:

1. OpenSQLServerManagementStudio.2. OpentheObjectExplorertabandconnecttothetargetdatabaseinstance.3. RightclicktheinstancenameandselectProperties.4. SelecttheSecuritypagefromtheleftmenu.5. SettheServerauthenticationsettingtoWindowsAuthenticationMode.

or

RunthefollowingT-SQLinaQueryWindow:

49|P a g e

USE [master] GO EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode', REG_DWORD, 1 GO

RestarttheSQLServerserviceforthechangetotakeeffect.

Impact:

Changingtheloginmodeconfigurationrequiresarestartoftheservice.

DefaultValue:

WindowsAuthenticationMode

References:

1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/server-properties-security-page

CISControls:

16.9ConfigureAccountAccessCentrallyConfigureaccessforallaccountsthroughacentralizedpointofauthentication,forexampleActiveDirectoryorLDAP.Configurenetworkandsecuritydevicesforcentralizedauthenticationaswell.

50|P a g e

3.2EnsureCONNECTpermissionsonthe'guest'userisRevokedwithinallSQLServerdatabasesexcludingthemaster,msdbandtempdb(Scored)



Description:

RemovetherightoftheguestusertoconnecttoSQLServerdatabases,exceptformaster,msdb,andtempdb.

Rationale:

AloginassumestheidentityoftheguestuserwhenaloginhasaccesstoSQLServerbutdoesnothaveaccesstoadatabasethroughitsownaccountandthedatabasehasaguestuseraccount.RevokingtheCONNECTpermissionfortheguestuserwillensurethataloginisnotabletoaccessdatabaseinformationwithoutexplicitaccesstodoso.

Audit:

Runthefollowingcodesnippetforeachdatabase(replacing<database_name>asappropriate)intheinstancetodetermineiftheguestuserhasCONNECTpermission.Norowsshouldbereturned.

USE [<database_name>]; GO SELECT DB_NAME() AS DatabaseName, 'guest' AS Database_User, [permission_name], [state_desc] FROM sys.database_permissions WHERE [grantee_principal_id] = DATABASE_PRINCIPAL_ID('guest') AND [state_desc] LIKE 'GRANT%' AND [permission_name] = 'CONNECT' AND DB_NAME() NOT IN ('master','tempdb','msdb');

Remediation:

ThefollowingcodesnippetrevokesCONNECTpermissionsfromtheguestuserinadatabase.Replace<database_name>asappropriate:

USE [<database_name>]; GO REVOKE CONNECT FROM guest;

51|P a g e

Impact:

WhenCONNECTpermissiontotheguestuserisrevoked,aSQLServerinstanceloginmustbemappedtoadatabaseuserexplicitlyinordertohaveaccesstothedatabase.

DefaultValue:

TheguestuseraccountisaddedtoeachnewdatabasebutwithoutCONNECTpermissionbydefault.

References:

1. https://docs.microsoft.com/en-us/sql/relational-databases/policy-based-management/guest-permissions-on-user-databases

Notes:

TheguestusercannothavetheCONNECTpermissionrevokedinmaster,msdbandtempdb,butthispermissionshouldberevokedinallotherdatabasesontheSQLServerinstance.

CISControls:

16AccountMonitoringandControl

52|P a g e

3.3Ensure'OrphanedUsers'areDroppedFromSQLServerDatabases(Scored)



Description:

AdatabaseuserforwhichthecorrespondingSQLServerloginisundefinedorisincorrectlydefinedonaserverinstancecannotlogintotheinstanceandisreferredtoasorphanedandshouldberemoved.

Rationale:

Orphanusersshouldberemovedtoavoidpotentialmisuseofthosebrokenusersinanyway.

Audit:

RunthefollowingT-SQLqueryineachdatabasetoidentifyorphanusers.Norowsshouldbereturned.

USE [<database_name>]; GO EXEC sp_change_users_login @Action='Report';

Remediation:

IftheorphanedusercannotorshouldnotbematchedtoanexistingornewloginusingtheMicrosoftdocumentedprocessreferencedbelow,runthefollowingT-SQLqueryintheappropriatedatabasetoremoveanorphanuser:

USE [<database_name>]; GO DROP USER <username>;

References:

1. https://docs.microsoft.com/en-us/sql/sql-server/failover-clusters/troubleshoot-orphaned-users-sql-server

53|P a g e

CISControls:


54|P a g e

3.4EnsureSQLAuthenticationisnotusedincontaineddatabases(Scored)



Description:

ContaineddatabasesdonotenforcepasswordcomplexityrulesforSQLAuthenticatedusers.

Rationale:

Theabsenceofanenforcedpasswordpolicymayincreasethelikelihoodofaweakcredentialbeingestablishedinacontaineddatabase.

Audit:

ExecutethefollowingT-SQLineachcontaineddatabasetofinddatabaseusersthatareusingSQLauthentication:

SELECT name AS DBUser FROM sys.database_principals WHERE name NOT IN ('dbo','Information_Schema','sys','guest') AND type IN ('U','S','G') AND authentication_type = 2; GO

Remediation:

LeverageWindowsAuthenticatedusersincontaineddatabases.

Impact:

Whilecontaineddatabasesprovideflexibilityinrelocatingdatabasestodifferentinstancesanddifferentenvironments,thismustbebalancedwiththeconsiderationthatnopasswordpolicymechanismexistsforSQLAuthenticatedusersincontaineddatabases.

DefaultValue:

SQLAuthenticatedusers(USER WITH PASSWORDauthentication)areallowedincontaineddatabases.

55|P a g e

References:

1. https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases

CISControls:

16.12UseLongPasswordsforAllUserAccountsWheremulti-factorauthenticationisnotsupported,useraccountsshallberequiredtouselongpasswordsonthesystem(longerthan14characters).

56|P a g e

3.5EnsuretheSQLServer’sMSSQLServiceAccountisNotanAdministrator(Scored)



Description:

Theserviceaccountand/orserviceSIDusedbytheMSSQLSERVERserviceforadefaultinstanceorMSSQL$<InstanceName>serviceforanamedinstanceshouldnotbeamemberoftheWindowsAdministratorgroupeitherdirectlyorindirectly(viaagroup).ThisalsomeansthattheaccountknownasLocalSystem(akaNT AUTHORITY\SYSTEM)shouldnotbeusedfortheMSSQLserviceasthisaccounthashigherprivilegesthantheSQLServerservicerequires.

Rationale:

Followingtheprincipleofleastprivilege,theserviceaccountshouldhavenomoreprivilegesthanrequiredtodoitsjob.ForSQLServerservices,theSQLServerSetupwillassigntherequiredpermissionsdirectlytotheserviceSID.Noadditionalpermissionsorprivilegesshouldbenecessary.

Audit:

Verifythattheserviceaccount(incaseofalocalorADaccount)andserviceSIDarenotmembersoftheWindowsAdministratorsgroup.

Remediation:

InthecasewhereLocalSystemisused,useSQLServerConfigurationManagertochangetoalessprivilegedaccount.Otherwise,removetheaccountorserviceSIDfromtheAdministratorsgroup.YoumayneedtoruntheSQLServerConfigurationManagerifunderlyingpermissionshadbeenchangedorifSQLServerConfigurationManagerwasnotoriginallyusedtosettheserviceaccount.

Impact:

TheSQLServerConfigurationManagertoolshouldalwaysbeusedtochangetheSQLServer’sserviceaccount.Thiswillensurethattheaccounthasthenecessaryprivileges.IftheserviceneedsaccesstoresourcesotherthanthestandardMicrosoftdefineddirectoriesandregistry,thenadditionalpermissionsmayneedtobegrantedseparatelytothoseresources.

57|P a g e

DefaultValue:

Bydefault,theServiceAccount(orServiceSID)isnotamemberoftheAdministratorsgroup.

References:

1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions

CISControls:


58|P a g e

3.6EnsuretheSQLServer’sSQLAgentServiceAccountisNotanAdministrator(Scored)



Description:

Theserviceaccountand/orserviceSIDusedbytheSQLSERVERAGENTserviceforadefaultinstanceorSQLAGENT$<InstanceName>serviceforanamedinstanceshouldnotbeamemberoftheWindowsAdministratorgroupeitherdirectlyorindirectly(viaagroup).ThisalsomeansthattheaccountknownasLocalSystem(akaNT AUTHORITY\SYSTEM)shouldnotbeusedfortheSQLAGENTserviceasthisaccounthashigherprivilegesthantheSQLServerservicerequires.

Rationale:


Audit:


Remediation:


Impact:

TheSQLServerConfigurationManagertoolshouldalwaysbeusedtochangetheSQLServer’sserviceaccount.Thiswillensurethattheaccounthasthenecessaryprivileges.IftheserviceneedsaccesstoresourcesotherthanthestandardMicrosoft-defineddirectoriesandregistry,thenadditionalpermissionsmayneedtobegrantedseparatelytothoseresources.

59|P a g e

Ifusingtheautorestartfeature,thentheSQLAGENTservicemustbeanAdministrator.

DefaultValue:


References:


CISControls:


60|P a g e

3.7EnsuretheSQLServer’sFull-TextServiceAccountisNotanAdministrator(Scored)



Description:

Theserviceaccountand/orserviceSIDusedbytheMSSQLFDLauncherserviceforadefaultinstanceorMSSQLFDLauncher$<InstanceName>serviceforanamedinstanceshouldnotbeamemberoftheWindowsAdministratorgroupeitherdirectlyorindirectly(viaagroup).ThisalsomeansthattheaccountknownasLocalSystem(akaNT AUTHORITY\SYSTEM)shouldnotbeusedfortheFull-TextserviceasthisaccounthashigherprivilegesthantheSQLServerservicerequires.

Rationale:


Audit:


Remediation:


Impact:

TheSQLServerConfigurationManagertoolshouldalwaysbeusedtochangetheSQLServer’sserviceaccount.Thiswillensurethattheaccounthasthenecessaryprivileges.IftheserviceneedsaccesstoresourcesotherthanthestandardMicrosoft-defineddirectoriesandregistry,thenadditionalpermissionsmayneedtobegrantedseparatelytothoseresources.

61|P a g e

DefaultValue:


References:


CISControls:


62|P a g e

3.8EnsureonlythedefaultpermissionsspecifiedbyMicrosoftaregrantedtothepublicserverrole(Scored)



Description:

publicisaspecialfixedserverrolecontainingalllogins.Unlikeotherfixedserverroles,permissionscanbechangedforthepublicrole.Inkeepingwiththeprincipleofleastprivileges,thepublicserverroleshouldnotbeusedtograntpermissionsattheserverscopeasthesewouldbeinheritedbyallusers.

Rationale:

EverySQLServerloginbelongstothepublicroleandcannotberemovedfromthisrole.Therefore,anypermissionsgrantedtothisrolewillbeavailabletoallloginsunlesstheyhavebeenexplicitlydeniedtospecificloginsoruser-definedserverroles.

Audit:

Usethefollowingsyntaxtodetermineifextrapermissionshavebeengrantedtothepublicserverrole.

SELECT * FROM master.sys.server_permissions WHERE (grantee_principal_id = SUSER_SID(N'public') and state_desc LIKE 'GRANT%') AND NOT (state_desc = 'GRANT' and [permission_name] = 'VIEW ANY DATABASE' and class_desc = 'SERVER') AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and class_desc = 'ENDPOINT' and major_id = 2) AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and class_desc = 'ENDPOINT' and major_id = 3) AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and class_desc = 'ENDPOINT' and major_id = 4) AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and class_desc = 'ENDPOINT' and major_id = 5);

Thisqueryshouldnotreturnanyrows.

Remediation:

1. AddtheextraneouspermissionsfoundintheAuditqueryresultstothespecificloginstouser-definedserverroleswhichrequiretheaccess.

2. Revokethe<permission_name>fromthepublicroleasshownbelow

63|P a g e

USE [master] GO REVOKE <permission_name> FROM public; GO

Impact:

Whentheextraneouspermissionsarerevokedfromthepublicserverrole,accessmaybelostunlessthepermissionsaregrantedtotheexplicitloginsortouser-definedserverrolescontainingtheloginswhichrequiretheaccess.

DefaultValue:

Bydefault,thepublicserverroleisgrantedVIEW ANY DATABASEpermissionandtheCONNECTpermissiononthedefaultendpoints(TSQL Local Machine,TSQL Named Pipes,TSQL Default TCP,TSQL Default VIA).TheVIEW ANY DATABASEpermissionallowsallloginstoseedatabasemetadata,unlessexplicitlydenied.

References:

1. https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles

2. https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles#permissions-of-fixed-server-roles

CISControls:


64|P a g e

3.9EnsureWindowsBUILTINgroupsarenotSQLLogins(Scored)



Description:

PriortoSQLServer2008,theBUILTIN\AdministratorsgroupwasaddedaSQLServerloginwithsysadminprivilegesduringinstallationbydefault.BestpracticespromotecreatinganActiveDirectorylevelgroupcontainingapprovedDBAstaffaccountsandusingthiscontrolledADgroupastheloginwithsysadminprivileges.TheADgroupshouldbespecifiedduringSQLServerinstallationandtheBUILTIN\Administratorsgroupwouldthereforehavenoneedtobealogin.

Rationale:

TheBUILTINgroups(Administrators,Everyone,AuthenticatedUsers,Guests,etc.)generallycontainverybroadmembershipswhichwouldnotmeetthebestpracticeofensuringonlythenecessaryusershavebeengrantedaccesstoaSQLServerinstance.ThesegroupsshouldnotbeusedforanylevelofaccessintoaSQLServerDatabaseEngineinstance.

Audit:

UsethefollowingsyntaxtodetermineifanyBUILTINgroupsoraccountshavebeenaddedasSQLServerLogins.

SELECT pr.[name], pe.[permission_name], pe.[state_desc] FROM sys.server_principals pr JOIN sys.server_permissions pe ON pr.principal_id = pe.grantee_principal_id WHERE pr.name like 'BUILTIN%';


Remediation:

1. ForeachBUILTINlogin,ifneededcreateamorerestrictiveADgroupcontainingonlytherequireduseraccounts.

2. AddtheADgrouporindividualWindowsaccountsasaSQLServerloginandgrantitthepermissionsrequired.

3. DroptheBUILTINloginusingthesyntaxbelowafterreplacing<name>in[BUILTIN\<name>].

65|P a g e

USE [master]; GO DROP LOGIN [BUILTIN\<name>]; GO

Impact:

BeforedroppingtheBUILTINgrouplogins,ensurethatalternativeADGroupsorWindowsloginshavebeenaddedwithequivalentpermissions.Otherwise,theSQLServerinstancemaybecometotallyinaccessible.

DefaultValue:

Bydefault,noBUILTINgroupsareaddedasSQLlogins.

CISControls:


66|P a g e

3.10EnsureWindowslocalgroupsarenotSQLLogins(Scored)



Description:

LocalWindowsgroupsshouldnotbeusedasloginsforSQLServerinstances.

Rationale:

AllowinglocalWindowsgroupsasSQLLoginsprovidesaloopholewherebyanyonewithOSleveladministratorrights(andnoSQLServerrights)couldadduserstothelocalWindowsgroupsandtherebygivethemselvesorothersaccesstotheSQLServerinstance.

Audit:

UsethefollowingsyntaxtodetermineifanylocalgroupshavebeenaddedasSQLServerLogins.

USE [master] GO SELECT pr.[name] AS LocalGroupName, pe.[permission_name], pe.[state_desc] FROM sys.server_principals pr JOIN sys.server_permissions pe ON pr.[principal_id] = pe.[grantee_principal_id] WHERE pr.[type_desc] = 'WINDOWS_GROUP' AND pr.[name] like CAST(SERVERPROPERTY('MachineName') AS nvarchar) + '%';


Remediation:

1. ForeachLocalGroupNamelogin,ifneededcreateanequivalentADgroupcontainingonlytherequireduseraccounts.

2. AddtheADgrouporindividualWindowsaccountsasaSQLServerloginandgrantitthepermissionsrequired.

3. DroptheLocalGroupNameloginusingthesyntaxbelowafterreplacing<name>.

USE [master] GO DROP LOGIN [<name>] GO

67|P a g e

Impact:

Beforedroppingthelocalgrouplogins,ensurethatalternativeADGroupsorWindowsloginshavebeenaddedwithequivalentpermissions.Otherwise,theSQLServerinstancemaybecometotallyinaccessible.

DefaultValue:

Bydefault,nolocalgroupsareaddedasSQLlogins.

CISControls:


68|P a g e

3.11EnsurethepublicroleinthemsdbdatabaseisnotgrantedaccesstoSQLAgentproxies(Scored)



Description:

Thepublicdatabaserolecontainseveryuserinthemsdbdatabase.SQLAgentproxiesdefineasecuritycontextinwhichajobstepcanrun.

Rationale:

GrantingaccesstoSQLAgentproxiesforthepublicrolewouldallowalluserstoutilizetheproxywhichmayhavehighprivileges.Thiswouldlikelybreaktheprincipleofleastprivileges.

Audit:

Usethefollowingsyntaxtodetermineifaccesstoanyproxieshavebeengrantedtothemsdbdatabase'spublicrole.

USE [msdb] GO SELECT sp.name AS proxyname FROM dbo.sysproxylogin spl JOIN sys.database_principals dp ON dp.sid = spl.sid JOIN sysproxies sp ON sp.proxy_id = spl.proxy_id WHERE principal_id = USER_ID('public'); GO


Remediation:

1. Ensuretherequiredsecurityprincipalsareexplicitlygrantedaccesstotheproxy(usesp_grant_login_to_proxy).

2. Revokeaccesstothe<proxyname>fromthepublicrole.

USE [msdb] GO EXEC dbo.sp_revoke_login_from_proxy @name = N'public', @proxy_name = N'<proxyname>'; GO

69|P a g e

Impact:

Beforerevokingthepublicrolefromtheproxy,ensurethatalternativeloginsorappropriateuser-defineddatabaseroleshavebeenaddedwithequivalentpermissions.Otherwise,SQLAgentjobstepsdependentuponthisaccesswillfail.

DefaultValue:

Bydefault,themsdbpublicdatabaseroledoesnothaveaccesstoanyproxy.

References:

1. https://support.microsoft.com/en-us/help/2160741/best-practices-in-configuring-sql-server-agent-proxy-account

CISControls:


70|P a g e

4PasswordPolicies

ThissectioncontainsrecommendationsrelatedtoSQLServer'spasswordpolicies.

4.1Ensure'MUST_CHANGE'Optionissetto'ON'forAllSQLAuthenticatedLogins(NotScored)



Description:

WheneverthisoptionissettoON,SQLServerwillpromptforanupdatedpasswordthefirsttimetheneworalteredloginisused.

Rationale:

EnforcingapasswordchangeafteraresetornewlogincreationwillpreventtheaccountadministratorsoranyoneaccessingtheinitialpasswordfrommisuseoftheSQLlogincreatedwithoutbeingnoticed.

Audit:

1. OpenSQLServerManagementStudio.2. OpenObjectExplorerandconnecttothetargetinstance.3. NavigatetotheLoginstabinObjectExplorerandexpand.Rightclickonthe

desiredloginandselectProperties.4. VerifytheUsermustchangepasswordatnextlogincheckboxischecked.

Note:Thisauditprocedureisonlyapplicableimmediatelyaftertheloginhasbeencreatedoralteredtoforcethepasswordchange.Oncethepasswordischanged,thereisnowaytoknowspecificallythatthisoptionwastheforcingmechanismbehindapasswordchange.

Remediation:

SettheMUST_CHANGEoptionforSQLAuthenticatedloginswhencreatingalogininitially:

CREATE LOGIN <login_name> WITH PASSWORD = '<password_value>' MUST_CHANGE, CHECK_EXPIRATION = ON, CHECK_POLICY = ON;

SettheMUST_CHANGEoptionforSQLAuthenticatedloginswhenresettingapassword:

ALTER LOGIN <login_name> WITH PASSWORD = '<new_password_value>' MUST_CHANGE;

71|P a g e

Impact:

CHECK_EXPIRATIONandCHECK_POLICYoptionsmustbothbeON.Endusersmusthavethemeans(application)tochangethepasswordwhenforced.

DefaultValue:

ONwhencreatinganewloginviatheSSMSGUI.

OFFwhencreatinganewloginusingT-SQLCREATE LOGINunlesstheMUST_CHANGEoptionisexplicitlyincludedalongwithCHECK_EXPIRATION = ON.

References:

1. https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-login-transact-sql2. https://docs.microsoft.com/en-us/sql/t-sql/statements/create-login-transact-sql

CISControls:


72|P a g e

4.2Ensure'CHECK_EXPIRATION'Optionissetto'ON'forAllSQLAuthenticatedLoginsWithintheSysadminRole(Scored)



Description:

AppliesthesamepasswordexpirationpolicyusedinWindowstopasswordsusedinsideSQLServer.

Rationale:

EnsuringSQLloginscomplywiththesecurepasswordpolicyappliedbytheWindowsServerBenchmarkwillensurethepasswordsforSQLloginswithsysadminprivilegesarechangedonafrequentbasistohelppreventcompromiseviaabruteforceattack.CONTROL SERVERisanequivalentpermissiontosysadminandloginswiththatpermissionshouldalsoberequiredtohaveexpiringpasswords.

Audit:

RunthefollowingT-SQLstatementtofindsysadminorequivalentloginswithCHECK_EXPIRATION = OFF.Norowsshouldbereturned.

SELECT l.[name], 'sysadmin membership' AS 'Access_Method' FROM sys.sql_logins AS l WHERE IS_SRVROLEMEMBER('sysadmin',name) = 1 AND l.is_expiration_checked <> 1 UNION ALL SELECT l.[name], 'CONTROL SERVER' AS 'Access_Method' FROM sys.sql_logins AS l JOIN sys.server_permissions AS p ON l.principal_id = p.grantee_principal_id WHERE p.type = 'CL' AND p.state IN ('G', 'W') AND l.is_expiration_checked <> 1;

Remediation:

Foreach<login_name>foundbytheAuditProcedure,executethefollowingT-SQLstatement:

ALTER LOGIN [<login_name>] WITH CHECK_EXPIRATION = ON;

73|P a g e

Impact:

ThisisamitigatingrecommendationforsystemswhichcannotfollowtherecommendationtouseonlyWindowsAuthenticatedlogins.

RegardinglimitingthisruletoonlyloginswithsysadminandCONTROL SERVERprivileges,therearetoomanycasesofapplicationsthatrunwithlessthansysadminlevelprivilegesthathavehard-codedpasswordsoreffectivelyhard-codedpasswords(whateverissetthefirsttimeisnearlyimpossibletochange).Thereareseveralline-of-businessapplicationsthatareconsideredbestofbreedwhichhasthisfailing.

Also,keepinmindthatthepasswordpolicyistakenfromthecomputer'slocalpolicy,whichwilltakefromtheDefaultDomainPolicysetting.Manyorganizationshaveadifferentpasswordpolicywithregardstoserviceaccounts.ThesearehandledinADbysettingtheaccount'spasswordnottoexpireandhavingsomeotherprocesstrackwhentheyneedtobechanged.Withthissecondcontrolinplace,thisisperfectlyacceptablefromanauditperspective.IfyoutreataSQLServerloginasaserviceaccount,thenyouhavetodothesame.Thisensuresthatthepasswordchangehappensduringacommunicateddowntimewindowandnotarbitrarily.

DefaultValue:

CHECK_EXPIRATIONisONbydefaultwhenusingSSMStocreateaSQLauthenticatedlogin.

CHECK_EXPIRATIONisOFFbydefaultwhenusingT-SQLCREATE LOGINsyntaxwithoutspecifyingtheCHECK_EXPIRATIONoption.

References:

1. https://docs.microsoft.com/en-us/sql/relational-databases/security/password-policy

CISControls:

16.2AllAccountsHaveAMonitoredExpirationDateEnsurethatallaccountshaveanexpirationdatethatismonitoredandenforced.

74|P a g e

4.3Ensure'CHECK_POLICY'Optionissetto'ON'forAllSQLAuthenticatedLogins(Scored)



Description:

AppliesthesamepasswordcomplexitypolicyusedinWindowstopasswordsusedinsideSQLServer.

Rationale:

EnsureSQLauthenticatedloginpasswordscomplywiththesecurepasswordpolicyappliedbytheWindowsServerBenchmarksothattheycannotbeeasilycompromisedviabruteforceattack.

Audit:

UsethefollowingcodesnippettodeterminethestatusofSQLLoginsandiftheirpasswordcomplexityisenforced.

SELECT name, is_disabled FROM sys.sql_logins WHERE is_policy_checked = 0;

Theis_policy_checkedvalueof0indicatesthattheCHECK_POLICYoptionisOFF;valueof1isON.Ifis_disabledvalueis1,thentheloginisdisabledandunusable.IfnorowsarereturnedtheneithernoSQLAuthenticatedloginsexistortheyallhaveCHECK_POLICYON.

Remediation:

ALTER LOGIN [<login_name>] WITH CHECK_POLICY = ON;

Impact:

ThisisamitigatingrecommendationforsystemswhichcannotfollowtherecommendationtouseonlyWindowsAuthenticatedlogins.

Weakpasswordscanleadtocompromisedsystems.SQLServerauthenticatedloginswillutilizethethepasswordpolicysetinthecomputer'slocalpolicy,whichistypicallysetbytheDefaultDomainPolicysetting.

Thesettingisonlyenforcedwhenthepasswordischanged.Thissettingdoesnotforceexistingweakpasswordstobechanged.

75|P a g e

DefaultValue:

CHECK_POLICYisON

References:

1. https://docs.microsoft.com/en-us/sql/relational-databases/security/password-policy

CISControls:


76|P a g e

5AuditingandLogging

ThissectioncontainsrecommendationsrelatedtoSQLServer'sauditandloggingmechanisms.

5.1Ensure'Maximumnumberoferrorlogfiles'issettogreaterthanorequalto'12'(Scored)



Description:

SQLServererrorlogfilesmustbeprotectedfromloss.Thelogfilesmustbebackedupbeforetheyareoverwritten.Retainingmoreerrorlogshelpspreventlossfromfrequentrecyclingbeforebackupscanoccur.

Rationale:

TheSQLServererrorlogcontainsimportantinformationaboutmajorservereventsandloginattemptinformationaswell.

Audit:

1. OpenSQLServerManagementStudio.2. OpenObjectExplorerandconnecttothetargetinstance.3. NavigatetotheManagementtabinObjectExplorerandexpand.Rightclickonthe

SQLServerLogsfileandselectConfigure.4. VerifytheLimitthenumberoferrorlogfilesbeforetheyarerecycledcheckbox

ischecked5. VerifytheMaximumnumberoferrorlogfilesisgreaterthanorequalto12

OR

RunthefollowingT-SQL.TheNumberOfLogFilesreturnedshouldbegreaterthanorequalto12.

DECLARE @NumErrorLogs int; EXEC master.sys.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'NumErrorLogs', @NumErrorLogs OUTPUT; SELECT ISNULL(@NumErrorLogs, -1) AS [NumberOfLogFiles];

77|P a g e

Remediation:

Adjustthenumberoflogstopreventdataloss.Thedefaultvalueof6maybeinsufficientforaproductionenvironment.

1. OpenSQLServerManagementStudio.2. OpenObjectExplorerandconnecttothetargetinstance.3. NavigatetotheManagementtabinObjectExplorerandexpand.Rightclickonthe

SQLServerLogsfileandselectConfigure4. ChecktheLimitthenumberoferrorlogfilesbeforetheyarerecycled5. SettheMaximumnumberoferrorlogfilestogreaterthanorequalto12

OR

RunthefollowingT-SQLtochangethenumberoferrorlogfiles,replace<NumberAbove12>withyourdesirednumberoferrorlogfiles:

EXEC master.sys.xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'NumErrorLogs', REG_DWORD, <NumberAbove12>;

Impact:

Oncethemaxnumberoferrorlogsisreached,theoldesterrorlogfileisdeletedeachtimeSQLServerrestartsorsp_cycle_errorlogisexecuted.

DefaultValue:

6SQLServererrorlogfilesinadditiontothecurrenterrorlogfileareretainedbydefault.

References:

1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/scm-services-configure-sql-server-error-logs

CISControls:

6.3EnsureAuditLoggingSystemsAreNotSubjectToLoss(i.e.rotation/archive)Ensurethatallsystemsthatstorelogshaveadequatestoragespaceforthelogsgeneratedonaregularbasis,sothatlogfileswillnotfillupbetweenlogrotationintervals.Thelogsmustbearchivedanddigitallysignedonaperiodicbasis.

78|P a g e

5.2Ensure'DefaultTraceEnabled'ServerConfigurationOptionissetto'1'(Scored)



Description:

Thedefaulttraceprovidesauditloggingofdatabaseactivityincludingaccountcreations,privilegeelevationandexecutionofDBCCcommands.

Rationale:

Defaulttraceprovidesvaluableauditinformationregardingsecurity-relatedactivitiesontheserver.

Audit:


SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'default trace enabled';


Remediation:


EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'default trace enabled', 1; RECONFIGURE; GO EXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;

DefaultValue:

1(on)

79|P a g e

References:

1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/default-trace-enabled-server-configuration-option

CISControls:

6.2EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.

80|P a g e

5.3Ensure'LoginAuditing'issetto'failedlogins'(Scored)



Description:

ThissettingwillrecordfailedauthenticationattemptsforSQLServerloginstotheSQLServerErrorlog.ThisisthedefaultsettingforSQLServer.

Historically,thissettinghasbeenavailableinallversionsandeditionsofSQLServer.PriortotheavailabilityofSQLServerAudit,thiswastheonlyprovidedmechanismforcapturinglogins(successfulorfailed).

Rationale:

Capturingfailedloginsprovideskeyinformationthatcanbeusedtodetect\confirmpasswordguessingattacks.Capturingsuccessfulloginattemptscanbeusedtoconfirmserveraccessduringforensicinvestigations,butusingthisauditlevelsettingtoalsocapturesuccessfulloginscreatesexcessivenoiseintheSQLServerErrorlogwhichcanhamperaDBAtryingtotroubleshootproblems.Elsewhereinthisbenchmark,werecommendusingthenewerlightweightSQLServerAuditfeaturetocapturebothsuccessfulandfailedlogins.

Audit:

EXEC xp_loginconfig 'audit level';

Aconfig_valueoffailureindicatesaserverloginauditingsettingofFailedloginsonly.Ifaconfig_valueofallappears,thenbothfailedandsuccessfulloginsarebeinglogged.Bothsettingsshouldalsobeconsideredvalid,butasmentionedcapturingsuccessfulloginsusingthismethodcreateslotsofnoiseintheSQLServerErrorlog.

Remediation:

PerformthefollowingstepstosetthelevelofauditingusingSSMS:

1. OpenSQLServerManagementStudio.2. RightclickthetargetinstanceandselectPropertiesandnavigatetotheSecurity

tab.3. SelecttheoptionFailedloginsonlyundertheLoginAuditingsectionandclickOK.4. RestarttheSQLServerinstance.

81|P a g e

PerformthefollowingstepstosetthelevelofauditingusingT-SQL:

1. Run:

EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'AuditLevel', REG_DWORD, 2

2. RestarttheSQLServerinstance.

Impact:

Ataminimum,wewanttoensurefailedloginsarecapturedinordertodetectifanadversaryisattemptingtobruteforcepasswordsorotherwiseattemptingtoaccessaSQLServerimproperly.

ChangingthesettingrequiresarestartoftheSQLServerservice.

DefaultValue:

Bydefault,onlyfailedloginattemptsarecaptured.

References:

1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/server-properties-security-page

CISControls:

16.10ProfileUserAccountUsageandMonitorforAnomaliesProfileeachuser’stypicalaccountusagebydeterminingnormaltime-of-dayaccessandaccessduration.Reportsshouldbegeneratedthatindicateuserswhohaveloggedinduringunusualhoursorhaveexceededtheirnormalloginduration.Thisincludesflaggingtheuseoftheuser’scredentialsfromacomputerotherthancomputersonwhichtheusergenerallyworks.

82|P a g e

5.4Ensure'SQLServerAudit'issettocaptureboth'failed'and'successfullogins'(Scored)



Description:

SQLServerAuditiscapableofcapturingbothfailedandsuccessfulloginsandwritingthemtooneofthreeplaces:theapplicationeventlog,thesecurityeventlog,orthefilesystem.WewilluseittocaptureanyloginattempttoSQLServer,aswellasanyattemptstochangeauditpolicy.Thiswillalsoservetobeasecondsourcetorecordfailedloginattempts.

Rationale:

ByutilizingAuditinsteadofthetraditionalsettingundertheSecuritytabtocapturesuccessfullogins,wereducethenoiseintheERRORLOG.ThiskeepsitsmallerandeasiertoreadforDBAswhoareattemptingtotroubleshootissueswiththeSQLServer.Also,theAuditobjectcanwritetothesecurityeventlog,thoughthisrequiresoperatingsystemconfiguration.Thisgivesanadditionaloptionforwheretostoreloginevents,especiallyinconjunctionwithanSIEM.

Audit:

SELECT S.name AS 'Audit Name' , CASE S.is_state_enabled WHEN 1 THEN 'Y' WHEN 0 THEN 'N' END AS 'Audit Enabled' , S.type_desc AS 'Write Location' , SA.name AS 'Audit Specification Name' , CASE SA.is_state_enabled WHEN 1 THEN 'Y' WHEN 0 THEN 'N' END AS 'Audit Specification Enabled' , SAD.audit_action_name , SAD.audited_result FROM sys.server_audit_specification_details AS SAD JOIN sys.server_audit_specifications AS SA ON SAD.server_specification_id = SA.server_specification_id JOIN sys.server_audits AS S ON SA.audit_guid = S.audit_guid WHERE SAD.audit_action_id IN ('CNAU', 'LGFL', 'LGSD');

Theresultsetshouldcontain3rows,oneforeachofthefollowingaudit_action_names:• AUDIT_CHANGE_GROUP• FAILED_LOGIN_GROUP

83|P a g e

• SUCCESSFUL_LOGIN_GROUP

BoththeAuditandAuditspecificationshouldbeenabledandtheaudited_resultshouldincludebothsuccessandfailure.

Remediation:

ViatheSSMSGUIInterface:

1. ExpandtheSQLServerinObjectExplorer.2. ExpandtheSecurityFolder3. Right-clickontheAuditsfolderandchooseNewAudit...4. SpecifyanamefortheServerAudit.5. SpecifytheauditdestinationdetailsandthenclickOKtosavetheServerAudit.6. Right-clickonServerAuditSpecificationsandchooseNewServerAudit

Specification...7. NametheServerAuditSpecification8. SelectthejustcreatedServerAuditintheAuditdrop-downselection.9. Clickthedrop-downunderAuditActionTypeandselectAUDIT_CHANGE_GROUP.10. Clickthenewdrop-downAuditActionTypeandselectFAILED_LOGIN_GROUP.11. Clickthenewdrop-downunderAuditActionTypeandselect

SUCCESSFUL_LOGIN_GROUP.12. ClickOKtosavetheServerAuditSpecification.13. Right-clickonthenewServerAuditSpecificationandselectEnableServerAudit

Specification.14. Right-clickonthenewServerAuditandselectEnableServerAudit.

ViaT-SQL:

Executecodesimilarto:

CREATE SERVER AUDIT TrackLogins TO APPLICATION_LOG; GO CREATE SERVER AUDIT SPECIFICATION TrackAllLogins FOR SERVER AUDIT TrackLogins ADD (FAILED_LOGIN_GROUP), ADD (SUCCESSFUL_LOGIN_GROUP), ADD (AUDIT_CHANGE_GROUP) WITH (STATE = ON); GO ALTER SERVER AUDIT TrackLogins WITH (STATE = ON); GO

84|P a g e

Note:IfthewritedestinationfortheAuditobjectistobethesecurityeventlog,seetheBooksOnlinetopicWriteSQLServerAuditEventstotheSecurityLogandfollowtheappropriatesteps.

Impact:

Withthepreviousrecommendation,onlyfailedloginsarecaptured.IftheAuditobjectisnotimplementedwiththeappropriatesetting,SQLServerwillnotcapturesuccessfullogins,whichmightproveofuseforforensics.

DefaultValue:

Bydefault,therearenoauditobjecttrackingloginevents.

References:

1. https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/create-a-server-audit-and-server-audit-specification

CISControls:

5.5LogFailedAdministrativeLoginAttemptsConfiguresystemstoissuealogentryandalertonanyunsuccessfullogintoanadministrativeaccount.

85|P a g e

6ApplicationDevelopment

ThissectioncontainsrecommendationsrelatedtodevelopingapplicationsthatinterfacewithSQLServer.

6.1EnsureSanitizeDatabaseandApplicationUserInputisSanitized(NotScored)



Description:

Alwaysvalidateuserinputreceivedfromadatabaseclientorapplicationbytestingtype,length,format,andrangepriortotransmittingittothedatabaseserver.

Rationale:

SanitizinguserinputdrasticallyminimizesriskofSQLinjection.

Audit:

CheckwiththeapplicationteamstoensureanydatabaseinteractionisthroughtheuseofstoredproceduresandnotdynamicSQL.RevokeanyINSERT,UPDATE,orDELETEprivilegestouserssothatmodificationstodatamustbedonethroughstoredprocedures.Verifythatthere'snoSQLqueryintheapplicationcodeproducedbystringconcatenation.

Remediation:

ThefollowingstepscanbetakentoremediateSQLinjectionvulnerabilities:

• ReviewTSQLandapplicationcodeforSQLInjection• Onlypermitminimallyprivilegedaccountstosenduserinputtotheserver• MinimizetheriskofSQLinjectionattackbyusingparameterizedcommandsand

storedprocedures• Rejectuserinputcontainingbinarydata,escapesequences,andcomment

characters• AlwaysvalidateuserinputanddonotuseitdirectlytobuildSQLstatements

Impact:

Sanitizeuserinputmayrequirechangestoapplicationcodeordatabaseobjectsyntax.Thesechangescanrequireapplicationsordatabasestobetakentemporarilyoff-line.Any

86|P a g e

changetoTSQLorapplicationcodeshouldbethoroughlytestedintestingenvironmentbeforeproductionimplementation.

References:

1. https://www.owasp.org/index.php/SQL_Injection

CISControls:

18.3SanitizeInputforIn-houseSoftwareForin-housedevelopedsoftware,ensurethatexpliciterrorcheckingisperformedanddocumentedforallinput,includingforsize,datatype,andacceptablerangesorformats.

87|P a g e

6.2Ensure'CLRAssemblyPermissionSet'issetto'SAFE_ACCESS'forAllCLRAssemblies(Scored)



Description:

SettingCLRAssemblyPermissionSetstoSAFE_ACCESSwillpreventassembliesfromaccessingexternalsystemresourcessuchasfiles,thenetwork,environmentvariables,ortheregistry.

Rationale:

AssemblieswithEXTERNAL_ACCESSorUNSAFEpermissionsetscanbeusedtoaccesssensitiveareasoftheoperatingsystem,stealand/ortransmitdataandalterthestateandotherprotectionmeasuresoftheunderlyingWindowsOperatingSystem.

AssemblieswhichareMicrosoft-created(is_user_defined = 0)areexcludedfromthischeckastheyarerequiredforoverallsystemfunctionality.

Audit:

ExecutethefollowingSQLstatement:

SELECT name, permission_set_desc FROM sys.assemblies where is_user_defined = 1;

AllthereturnedassembliesshouldshowSAFE_ACCESSinthepermission_set_desccolumn.

Remediation:

ALTER ASSEMBLY <assembly_name> WITH PERMISSION_SET = SAFE;

Impact:

TheremediationmeasureshouldfirstbetestedwithinatestenvironmentpriortoproductiontoensuretheassemblystillfunctionsasdesignedwithSAFEpermissionsetting.

DefaultValue:

SAFEpermissionissetbydefault.

88|P a g e

References:

1. https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/security/clr-integration-code-access-security

2. https://docs.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-assemblies-transact-sql

3. https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-assembly-transact-sql

CISControls:


89|P a g e

7Encryption

Theserecommendationspertaintoencryption-relatedaspectsofSQLServer.

7.1Ensure'SymmetricKeyencryptionalgorithm'issetto'AES_128'orhigherinnon-systemdatabases(Scored)



Description:

PertheMicrosoftBestPractices,onlytheSQLServerAESalgorithmoptions,AES_128,AES_192,andAES_256,shouldbeusedforasymmetrickeyencryptionalgorithm.

Rationale:

Thefollowingalgorithms(asreferredtobySQLServer)areconsideredweakordeprecatedandshouldnolongerbeusedinSQLServer:DES,DESX,RC2,RC4,RC4_128.

ManyorganizationsmayaccepttheTripleDESalgorithms(TDEA)whichusekeyingoptions1(3keyaka3TDEA)orkeyingoption2(2keyaka2TDEA).InSQLServer,thesearereferredtoasTRIPLE_DES_3KEYandTRIPLE_DESrespectively.Additionally,theSQLServeralgorithmnamedDESXisactuallythesameimplementationastheTRIPLE_DES_3KEYoption.However,usingtheDESXidentifierasthealgorithmtypehasbeendeprecatedanditsusageisnowdiscouraged.

Audit:

Runthefollowingcodeforeachindividualuserdatabase:

USE [<database_name>] GO SELECT db_name() AS Database_Name, name AS Key_Name FROM sys.symmetric_keys WHERE algorithm_desc NOT IN ('AES_128','AES_192','AES_256') AND db_id() > 4; GO

Forcompliance,norowsshouldbereturned.

90|P a g e

Remediation:

RefertoMicrosoftSQLServerBooksOnlineALTERSYMMETRICKEYentry:https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-symmetric-key-transact-sql

Impact:

Eliminatesuseofweakanddeprecatedalgorithmswhichmayputasystemathigherriskofanattackerbreakingthekey.

Encrypteddatacannotbecompressed,butcompresseddatacanbeencrypted.Ifyouusecompression,youshouldcompressdatabeforeencryptingit.

DefaultValue:

none

References:

1. https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-symmetric-key-transact-sql

CISControls:

14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.

91|P a g e

7.2EnsureAsymmetricKeySizeissetto'greaterthanorequalto2048'innon-systemdatabases(Scored)



Description:

MicrosoftBestPracticesrecommendtouseatleasta2048-bitencryptionalgorithmforasymmetrickeys.

Rationale:

TheRSA_2048encryptionalgorithmforasymmetrickeysinSQLServeristhehighestbit-levelprovidedandthereforethemostsecureavailablechoice(otherchoicesareRSA_512andRSA_1024).

Audit:

Runthefollowingcodeforeachindividualuserdatabase:

USE <database_name>; GO SELECT db_name() AS Database_Name, name AS Key_Name FROM sys.asymmetric_keys WHERE key_length < 2048 AND db_id() > 4; GO

Forcompliance,norowsshouldbereturned.

Remediation:

RefertoMicrosoftSQLServerBooksOnlineALTERASYMMETRICKEYentry:https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-asymmetric-key-transact-sql

Impact:

Thehigher-bitlevelmayresultinslowerperformance,butreducesthelikelihoodofanattackerbreakingthekey.

Encrypteddatacannotbecompressed,butcompresseddatacanbeencrypted.Ifyouusecompression,youshouldcompressdatabeforeencryptingit.

92|P a g e

DefaultValue:

none

References:

1. https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-asymmetric-key-transact-sql

CISControls:

14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.

93|P a g e

8Appendix:AdditionalConsiderations

Thisappendixdiscussespossibleconfigurationoptionsforwhichnorecommendationisbeinggiven.

8.1Ensure'SQLServerBrowserService'isconfiguredcorrectly(NotScored)



Description:

NorecommendationisbeinggivenondisablingtheSQLServerBrowserservice.

Rationale:

Inthecaseofadefaultinstanceinstallation,theSQLServerBrowserserviceisdisabledbydefault.Unlessthereisanamedinstanceonthesameserver,thereistypicallynoreasonfortheSQLServerBrowserservicetoberunning.InthiscaseitisstronglysuggestedthattheSQLServerBrowserserviceremaindisabled.

Whenitcomestonamedinstances,giventhatasecurityscancanfingerprintaSQLServerlisteningonanyport,it'sthereforeoflimitedbenefittodisabletheSQLServerBrowserservice.

However,ifallconnectionsagainstthenamedinstanceareviaapplicationsandarenotvisibletoendusers,thenconfiguringthenamedinstancetolisteningonastaticport,disablingtheSQLServerBrowserservice,andconfiguringtheappstoconnecttothespecifiedportshouldbethedirectiontaken.Thisfollowsthegeneralpracticeofreducingthesurfacearea,especiallyforanunneededfeature.

Ontheotherhand,ifendusersaredirectlyconnectingtodatabasesontheinstance,thentypicallyhavingthemuseServerName\InstanceNameisbest.ThisrequirestheSQLServerBrowserservicetoberunning.DisablingtheSQLServerBrowserservicewouldmeantheenduserswouldhavetorememberportnumbersfortheinstances.Whentheydon'tthatwillgenerateservicecallstoITstaff.Giventhelimitedbenefitofdisablingtheservice,thetrade-offisprobablynotworthit,meaningitmakesmorebusinesssensetoleavetheSQLServerBrowserserviceenabled.

Audit:

94|P a g e

ChecktheSQLBrowserservice'sstatusviaservices.mscorsimilarmethods.

Remediation:

Enableordisabletheserviceasneededforyourenvironment.

DefaultValue:

TheSQLServerBrowserserviceisdisabledifonlyadefaultinstanceisinstalledontheserver.Ifanamedinstanceisinstalled,thedefaultvalueisfortheSQLServerBrowserservicetobeconfiguredasAutomaticforstartup.

References:

1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/sql-server-browser-service-database-engine-and-ssas

CISControls:


95|P a g e

Appendix:SummaryTableControl Set

CorrectlyYes No

1 Installation,UpdatesandPatches1.1 EnsureLatestSQLServerServicePacksandHotfixesare

Installed(NotScored) o o

1.2 EnsureSingle-FunctionMemberServersareUsed(NotScored) o o

2 SurfaceAreaReduction2.1 Ensure'AdHocDistributedQueries'ServerConfiguration

Optionissetto'0'(Scored) o o

2.2 Ensure'CLREnabled'ServerConfigurationOptionissetto'0'(Scored) o o

2.3 Ensure'CrossDBOwnershipChaining'ServerConfigurationOptionissetto'0'(Scored) o o

2.4 Ensure'DatabaseMailXPs'ServerConfigurationOptionissetto'0'(Scored) o o

2.5 Ensure'OleAutomationProcedures'ServerConfigurationOptionissetto'0'(Scored) o o

2.6 Ensure'RemoteAccess'ServerConfigurationOptionissetto'0'(Scored) o o

2.7 Ensure'RemoteAdminConnections'ServerConfigurationOptionissetto'0'(Scored) o o

2.8 Ensure'ScanForStartupProcs'ServerConfigurationOptionissetto'0'(Scored) o o

2.9 Ensure'Trustworthy'DatabasePropertyissetto'Off'(Scored) o o

2.10 EnsureUnnecessarySQLServerProtocolsaresetto'Disabled'(NotScored) o o

2.11 EnsureSQLServerisconfiguredtousenon-standardports(Scored) o o

2.12 Ensure'HideInstance'optionissetto'Yes'forProductionSQLServerinstances(Scored) o o

2.13 Ensurethe'sa'LoginAccountissetto'Disabled'(Scored) o o2.14 Ensurethe'sa'LoginAccounthasbeenrenamed(Scored) o o2.15 Ensure'xp_cmdshell'ServerConfigurationOptionissetto

'0'(Scored) o o

2.16 Ensure'AUTO_CLOSE'issetto'OFF'oncontaineddatabases(Scored) o o

2.17 Ensurenologinexistswiththename'sa'(Scored) o o3 AuthenticationandAuthorization

96|P a g e

3.1 Ensure'ServerAuthentication'Propertyissetto'WindowsAuthenticationMode'(Scored) o o

3.2 EnsureCONNECTpermissionsonthe'guest'userisRevokedwithinallSQLServerdatabasesexcludingthemaster,msdbandtempdb(Scored)

o o

3.3 Ensure'OrphanedUsers'areDroppedFromSQLServerDatabases(Scored) o o

3.4 EnsureSQLAuthenticationisnotusedincontaineddatabases(Scored) o o

3.5 EnsuretheSQLServer’sMSSQLServiceAccountisNotanAdministrator(Scored) o o

3.6 EnsuretheSQLServer’sSQLAgentServiceAccountisNotanAdministrator(Scored) o o

3.7 EnsuretheSQLServer’sFull-TextServiceAccountisNotanAdministrator(Scored) o o

3.8 EnsureonlythedefaultpermissionsspecifiedbyMicrosoftaregrantedtothepublicserverrole(Scored) o o

3.9 EnsureWindowsBUILTINgroupsarenotSQLLogins(Scored) o o

3.10 EnsureWindowslocalgroupsarenotSQLLogins(Scored) o o3.11 Ensurethepublicroleinthemsdbdatabaseisnotgranted

accesstoSQLAgentproxies(Scored) o o

4 PasswordPolicies4.1 Ensure'MUST_CHANGE'Optionissetto'ON'forAllSQL

AuthenticatedLogins(NotScored) o o

4.2 Ensure'CHECK_EXPIRATION'Optionissetto'ON'forAllSQLAuthenticatedLoginsWithintheSysadminRole(Scored)

o o

4.3 Ensure'CHECK_POLICY'Optionissetto'ON'forAllSQLAuthenticatedLogins(Scored) o o

5 AuditingandLogging5.1 Ensure'Maximumnumberoferrorlogfiles'issettogreater

thanorequalto'12'(Scored) o o

5.2 Ensure'DefaultTraceEnabled'ServerConfigurationOptionissetto'1'(Scored) o o

5.3 Ensure'LoginAuditing'issetto'failedlogins'(Scored) o o5.4 Ensure'SQLServerAudit'issettocaptureboth'failed'and

'successfullogins'(Scored) o o

6 ApplicationDevelopment6.1 EnsureSanitizeDatabaseandApplicationUserInputis

Sanitized(NotScored) o o

6.2 Ensure'CLRAssemblyPermissionSet'issetto'SAFE_ACCESS'forAllCLRAssemblies(Scored) o o

7 Encryption

97|P a g e

7.1 Ensure'SymmetricKeyencryptionalgorithm'issetto'AES_128'orhigherinnon-systemdatabases(Scored) o o

7.2 EnsureAsymmetricKeySizeissetto'greaterthanorequalto2048'innon-systemdatabases(Scored) o o

8 Appendix:AdditionalConsiderations8.1 Ensure'SQLServerBrowserService'isconfiguredcorrectly

(NotScored) o o

98|P a g e

Appendix:ChangeHistoryDate Version Changesforthisversion

07-2017 1.0.0 InitialRelease

Documents

CIS Microsoft SQL Server 2016 Benchmark v1.0.0 CC€¦ · 5 | Page Overview This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft