Documentation for Server Configuration Monitor

Permissions required to monitor the SQL Server 2016 STIG policy in SCM

Most elements of the built-in SQL Server 2016 STIG policy can be monitored with a login that holds only the default public server role (see Create login). Some elements require the additional permissions of the [sysadmin] server role (see Add [sysadmin] role); the table below shows which login each rule needs.

| Rule ID | Rule name | Default login | Login added to [sysadmin] role |
|---|---|---|---|
| V-79281 | SQL Server must generate audit records when unsuccessful attempts to delete security objects occur. | Yes | Yes |
| V-79279 | SQL Server must generate audit records when security objects are deleted. | Yes | Yes |
| V-79269 | SQL Server must generate audit records when unsuccessful attempts to modify security objects occur. | Yes | Yes |
| V-79267 | SQL Server must generate audit records when security objects are modified. | Yes | Yes |
| V-79289 | SQL Server must generate audit records when unsuccessful logons or connection attempts occur. | Yes | Yes |
| V-79239 | SQL Server must produce audit records of its enforcement of access restrictions associated with changes to the configuration of SQL Server or database(s). | Yes | Yes |
| V-79275 | SQL Server must generate audit records when privileges/permissions are deleted. | Yes | Yes |
| V-79291 | SQL Server must generate audit records for all privileged activities or other system-level access. | Yes | Yes |
| V-79293 | SQL Server must generate audit records when unsuccessful attempts to execute privileged activities or other system-level access occur. | Yes | Yes |
| V-79295 | SQL Server must generate audit records showing starting and ending time for user access to the database(s). | Yes | Yes |
| V-79277 | SQL Server must generate audit records when unsuccessful attempts to delete privileges/permissions occur. | Yes | Yes |
| V-79251 | SQL Server must be able to generate audit records when security objects are accessed. | Yes | Yes |
| V-79265 | SQL Server must generate audit records when unsuccessful attempts to modify privileges/permissions occur. | Yes | Yes |
| V-79263 | SQL Server must generate audit records when privileges/permissions are modified. | Yes | Yes |
| V-79261 | SQL Server must generate audit records when unsuccessful attempts to add privileges/permissions occur. | Yes | Yes |
| V-79259 | SQL Server must generate audit records when privileges/permissions are added. | Yes | Yes |
| V-79287 | SQL Server must generate audit records when successful logons or connections occur. | Yes | Yes |
| V-79297 | SQL Server must generate audit records when concurrent logons/connections by the same user from different workstations occur. | Yes | Yes |
| V-79149 | SQL Server must be configurable to overwrite audit log records, oldest first (first in, first out [FIFO]), in the event of unavailability of space for more audit log records. | Yes | Yes |
| V-79319 | SQL Server default account [sa] must have its name changed. | Yes | Yes |
| V-79147 | SQL Server must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure. | Yes | Yes |
| V-79317 | The SQL Server default account [sa] must be disabled. | Yes | Yes |
| V-79121 | SQL Server must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. | Yes | Yes |
| V-79329 | Filestream must be disabled, unless specifically required and approved. | Yes | Yes |
| V-79327 | SQL Server execute permissions to access the registry must be revoked, unless specifically required and approved. | Yes | Yes |
| V-79321 | Execution of startup stored procedures must be restricted to necessary cases only. | Yes | Yes |
| V-79303 | SQL Server must generate audit records for all direct access to the database(s). | Yes | Yes |
| V-79193 | Contained databases must use Windows principals. | Yes | Yes |
| V-79181 | Access to Non-Standard extended stored procedures must be disabled or restricted, unless specifically required and approved. | Yes | Yes |
| V-79171 | Default demonstration and sample databases, database objects, and applications must be removed. | Yes | Yes |
| V-79157 | SQL Server must protect its audit features from unauthorized access. | Yes | Yes |
| V-79159 | SQL Server must protect its audit configuration from unauthorized modification. | Yes | Yes |
| V-79161 | SQL Server must protect its audit features from unauthorized removal. | Yes | Yes |
| V-79203 | SQL Server must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values. | Yes | Yes |
| V-79199 | SQL Server must use NIST FIPS 140-2 validated cryptographic modules for cryptographic operations. | Yes | Yes |
| V-79197 | SQL Server must enforce authorized access to all PKI private keys stored/utilized by SQL Server. | Yes | Yes |
| V-79305 | SQL Server must enforce authorized access to all PKI private keys stored/utilized by SQL Server. | Yes | Yes |
| V-79307 | SQL Server must implement NIST FIPS 140-2 validated cryptographic modules to generate and validate cryptographic hashes. | Yes | Yes |
| V-79309 | SQL Server must implement NIST FIPS 140-2 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owner's requirements. | Yes | Yes |
| V-79313 | SQL Server must configure Customer Feedback and Error Reporting. | Yes | Yes |
| V-79131 | SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the instance. | Yes | Yes |
| V-79349 | The SQL Server Browser service must be disabled unless specifically required and approved. | Yes | Yes |
| V-79353 | If the SQL Server Browser Service is specifically required and approved, SQL instances must be hidden. | Yes | Yes |
| V-79213 | SQL Server must prevent unauthorized and unintended information transfer via shared system resources. | Yes | Yes |
| V-79233 | SQL Server must record time stamps in audit records and application data that can be mapped to Coordinated Universal Time (UTC, formerly GMT). | Yes | Yes |
| V-79323 | SQL Server Mirroring endpoint must utilize AES encryption. | Yes | Yes |
| V-79325 | SQL Server Service Broker endpoint must utilize AES encryption. | Yes | Yes |
| V-79227 | SQL Server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. | Yes | Yes |
| V-79211 | SQL Server must prevent unauthorized and unintended information transfer via shared system resources. | Yes | Yes |
| V-79243 | SQL Server must maintain a separate execution domain for each executing process. | Yes | Yes |
| V-79191 | If DBMS authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password complexity and lifetime. | Yes | Yes |
| V-79183 | Access to linked servers must be disabled or restricted, unless specifically required and approved. | Yes | Yes |
| V-79521 | Confidentiality of controlled information during transmission through the use of an approved TLS version. | Yes | Yes |
| V-79185 | SQL Server must be configured to prohibit or restrict the use of organization-defined protocols as defined in the PPSM CAL and vulnerability assessments. | No | Yes |
| V-79195 | If passwords are used for authentication, SQL Server must transmit only encrypted representations of passwords. | No | Yes |
| V-79283 | SQL Server must generate audit records when categorized information (e.g., classification levels/security levels) is deleted. | No | Yes |
| V-79253 | SQL Server must generate audit records when unsuccessful attempts to access security objects occur. | No | Yes |
| V-79255 | SQL Server must generate audit records when categorized information (e.g., classification levels/security levels) is accessed. | No | Yes |
| V-79285 | SQL Server must generate audit records when unsuccessful attempts to delete categorized information (e.g., classification levels/security levels) occur. | No | Yes |
| V-79139 | SQL Server must generate audit records when unsuccessful attempts to retrieve privileges/permissions occur. | No | Yes |
| V-79301 | SQL Server must generate audit records when unsuccessful accesses to objects occur. | No | Yes |
| V-79257 | SQL Server must generate audit records when unsuccessful attempts to access categorized information (e.g., classification levels/security levels) occur. | No | Yes |
| V-79137 | SQL Server must generate audit records when privileges/permissions are retrieved. | No | Yes |
| V-79271 | SQL Server must generate audit records when categorized information (e.g., classification levels/security levels) is modified. | No | Yes |
| V-79273 | SQL Server must generate audit records when unsuccessful attempts to modify categorized information (e.g., classification levels/security levels) occur. | No | Yes |
| V-79299 | SQL Server must generate audit records when successful accesses to objects occur. | No | Yes |
| V-79141 | SQL Server must initiate session auditing upon startup. | No | Yes |
| V-79129 | SQL Server must protect against a user falsely repudiating by ensuring the NT AUTHORITY SYSTEM account is not used for administration. | No | Yes |
| V-79221 | Use of credentials and proxies must be restricted to necessary cases only. | No | Yes |
| V-79179 | Access to CLR code must be disabled or restricted, unless specifically required and approved. | No | Yes |
| V-79333 | Ole Automation Procedures feature must be disabled, unless specifically required and approved. | No | Yes |
| V-79335 | SQL Server User Options feature must be disabled, unless specifically required and approved. | No | Yes |
| V-79337 | Remote Access feature must be disabled, unless specifically required and approved. | No | Yes |
| V-79341 | Hadoop Connectivity feature must be disabled, unless specifically required and approved. | No | Yes |
| V-79343 | Allow Polybase Export feature must be disabled, unless specifically required and approved. | No | Yes |
| V-79345 | Remote Data Archive feature must be disabled, unless specifically required and approved. | No | Yes |
| V-79347 | SQL Server External Scripts Enabled feature must be disabled, unless specifically required and approved. | No | Yes |
| V-79351 | SQL Server Replication Xps feature must be disabled, unless specifically required and approved. | No | Yes |
| V-79177 | Access to xp_cmdshell must be disabled, unless specifically required and approved. | No | Yes |

SQL Server 2016 STIG policy permissions

Permission: Create login

Command:

USE [master]
GO
-- N'Password1' is a placeholder; replace it with a strong, unique password before running.
-- CHECK_EXPIRATION=OFF and CHECK_POLICY=OFF exempt this login from the Windows password policy,
-- which is the control that V-79191 (password complexity and lifetime) expects to be enforced for
-- SQL-authenticated logins. Review both options against your own policy before creating the login.
CREATE LOGIN [ScmUser] WITH PASSWORD=N'Password1', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO

Permission: Add [sysadmin] role

Command:

USE [master]
GO
-- [sysadmin] grants full control of the instance. Only needed for the rules marked "No" under
-- "Default login" in the table above; leave it out if you monitor only the other rules.
ALTER SERVER ROLE [sysadmin] ADD MEMBER [ScmUser]
GO
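After running either command, the following T-SQL check confirms that the monitoring login exists, whether it is a member of [sysadmin] (and therefore which column of the table above applies to it), and whether its password-policy options match what V-79191 expects. This is an added example, not part of the SCM documentation; it assumes the login name [ScmUser] from the commands above and uses only SQL Server catalog views and the built-in IS_SRVROLEMEMBER function.

```sql
-- Added verification script (not from the SCM documentation).
-- Assumes the monitoring login is named [ScmUser]; change @login if you used another name.
USE [master];
GO
DECLARE @login sysname = N'ScmUser';

-- 1. Does the login exist, is it enabled, and how was it created?
--    is_policy_checked = 0 means CHECK_POLICY=OFF, is_expiration_checked = 0 means
--    CHECK_EXPIRATION=OFF; both are NULL for Windows logins (no row in sys.sql_logins).
SELECT sp.name,
       sp.type_desc,
       sp.is_disabled,
       sl.is_policy_checked,
       sl.is_expiration_checked
FROM sys.server_principals AS sp
LEFT JOIN sys.sql_logins AS sl
       ON sl.principal_id = sp.principal_id
WHERE sp.name = @login;

-- 2. Is the login a member of the fixed server role [sysadmin]?
--    1 = member: every rule in the table can be evaluated.
--    0 = not a member: only the rules marked "Yes" under "Default login" can be evaluated.
--    NULL = the login or role name was not found.
SELECT IS_SRVROLEMEMBER(N'sysadmin', @login) AS is_sysadmin;

-- 3. List every server role the login holds, so the grant can be reviewed and
--    compared against the two commands documented above.
SELECT r.name AS server_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @login
ORDER BY r.name;
GO
```

Run it as a login that can read the server catalog (for example, the administrator who created [ScmUser]); a result of 0 from IS_SRVROLEMEMBER together with rules from the lower part of the table in scope means the Add [sysadmin] role step is still missing.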