Permissions required to monitor the SQL Server 2016 STIG policy in SCM
Most of the rules in the built-in SQL Server 2016 STIG policy can be monitored with the default login, which has only the permissions of the public server role (see Create login). Some rules require the additional permissions of the [sysadmin] fixed server role (see Add [sysadmin] role). Two caveats apply to the scripts below: Password1 is a placeholder and must be replaced with a password that meets your password policy (the script's CHECK_POLICY=OFF and CHECK_EXPIRATION=OFF exempt the login from the Windows password policy, which is the kind of enforcement V-79191 in this same STIG calls for), and membership in [sysadmin] gives the monitoring login unrestricted control of the instance, so add it only when the default login cannot read what a rule needs.
Rule ID | Rule name | Default login | Login added to [sysadmin] role |
---|---|---|---|
V-79281 | SQL Server must generate audit records when unsuccessful attempts to delete security objects occur. | ||
V-79279 | SQL Server must generate audit records when security objects are deleted. | ||
V-79269 | SQL Server must generate audit records when unsuccessful attempts to modify security objects occur. | ||
V-79267 | SQL Server must generate audit records when security objects are modified. | ||
V-79289 | SQL Server must generate audit records when unsuccessful logons or connection attempts occur. | ||
V-79239 | SQL Server must produce audit records of its enforcement of access restrictions associated with changes to the configuration of SQL Server or database(s). | ||
V-79275 | SQL Server must generate audit records when privileges/permissions are deleted. | ||
V-79291 | SQL Server must generate audit records for all privileged activities or other system-level access. | ||
V-79293 | SQL Server must generate audit records when unsuccessful attempts to execute privileged activities or other system-level access occur. | ||
V-79295 | SQL Server must generate audit records showing starting and ending time for user access to the database(s). | ||
V-79277 | SQL Server must generate audit records when unsuccessful attempts to delete privileges/permissions occur. | ||
V-79251 | SQL Server must be able to generate audit records when security objects are accessed. | ||
V-79265 | SQL Server must generate audit records when unsuccessful attempts to modify privileges/permissions occur. | ||
V-79263 | SQL Server must generate audit records when privileges/permissions are modified. | ||
V-79261 | SQL Server must generate audit records when unsuccessful attempts to add privileges/permissions occur. | ||
V-79259 | SQL Server must generate audit records when privileges/permissions are added. | ||
V-79287 | SQL Server must generate audit records when successful logons or connections occur. | ||
V-79297 | SQL Server must generate audit records when concurrent logons/connections by the same user from different workstations occur. | ||
V-79149 | SQL Server must be configurable to overwrite audit log records, oldest first (first in, first out [FIFO]), in the event of unavailability of space for more audit log records. | ||
V-79319 | SQL Server default account [sa] must have its name changed. | ||
V-79147 | SQL Server must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure. | ||
V-79317 | The SQL Server default account [sa] must be disabled. | ||
V-79121 | SQL Server must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. | ||
V-79329 | Filestream must be disabled, unless specifically required and approved. | ||
V-79327 | SQL Server execute permissions to access the registry must be revoked, unless specifically required and approved. | ||
V-79321 | Execution of startup stored procedures must be restricted to necessary cases only. | ||
V-79303 | SQL Server must generate audit records for all direct access to the database(s). | ||
V-79193 | Contained databases must use Windows principals. | ||
V-79181 | Access to Non-Standard extended stored procedures must be disabled or restricted, unless specifically required and approved. | ||
V-79171 | Default demonstration and sample databases, database objects, and applications must be removed. | ||
V-79157 | SQL Server must protect its audit features from unauthorized access. | ||
V-79159 | SQL Server must protect its audit configuration from unauthorized modification. | ||
V-79161 | SQL Server must protect its audit features from unauthorized removal. | ||
V-79203 | SQL Server must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values. | ||
V-79199 | SQL Server must use NIST FIPS 140-2 validated cryptographic modules for cryptographic operations. | ||
V-79197 | SQL Server must enforce authorized access to all PKI private keys stored/utilized by SQL Server. | ||
V-79305 | SQL Server must enforce authorized access to all PKI private keys stored/utilized by SQL Server. | ||
V-79307 | SQL Server must implement NIST FIPS 140-2 validated cryptographic modules to generate and validate cryptographic hashes. | ||
V-79309 | SQL Server must implement NIST FIPS 140-2 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owners requirements. | ||
V-79313 | SQL Server must configure Customer Feedback and Error Reporting. | ||
V-79131 | SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the instance. | ||
V-79349 | The SQL Server Browser service must be disabled unless specifically required and approved. | ||
V-79353 | If the SQL Server Browser Service is specifically required and approved, SQL instances must be hidden. | ||
V-79213 | SQL Server must prevent unauthorized and unintended information transfer via shared system resources. | ||
V-79233 | SQL Server must record time stamps in audit records and application data that can be mapped to Coordinated Universal Time (UTC, formerly GMT). | ||
V-79323 | SQL Server Mirroring endpoint must utilize AES encryption. | ||
V-79325 | SQL Server Service Broker endpoint must utilize AES encryption. | ||
V-79227 | SQL Server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. | ||
V-79211 | SQL Server must prevent unauthorized and unintended information transfer via shared system resources. | ||
V-79243 | SQL Server must maintain a separate execution domain for each executing process. | ||
V-79191 | If DBMS authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password complexity and lifetime. | ||
V-79183 | Access to linked servers must be disabled or restricted, unless specifically required and approved. | ||
V-79521 | Confidentiality of controlled information during transmission through the use of an approved TLS version. | ||
V-79185 | SQL Server must be configured to prohibit or restrict the use of organization-defined protocols as defined in the PPSM CAL and vulnerability assessments. | ||
V-79195 | If passwords are used for authentication, SQL Server must transmit only encrypted representations of passwords. | ||
V-79283 | SQL Server must generate audit records when categorized information (e.g., classification levels/security levels) is deleted. | ||
V-79253 | SQL Server must generate audit records when unsuccessful attempts to access security objects occur. | ||
V-79255 | SQL Server must generate audit records when categorized information (e.g., classification levels/security levels) is accessed. | ||
V-79285 | SQL Server must generate audit records when unsuccessful attempts to delete categorized information (e.g., classification levels/security levels) occur. | ||
V-79139 | SQL Server must generate audit records when unsuccessful attempts to retrieve privileges/permissions occur. | ||
V-79301 | SQL Server must generate audit records when unsuccessful accesses to objects occur. | ||
V-79257 | SQL Server must generate audit records when unsuccessful attempts to access categorized information (e.g., classification levels/security levels) occur. | ||
V-79137 | SQL Server must generate audit records when privileges/permissions are retrieved. | ||
V-79271 | SQL Server must generate audit records when categorized information (e.g., classification levels/security levels) is modified. | ||
V-79273 | SQL Server must generate audit records when unsuccessful attempts to modify categorized information (e.g., classification levels/security levels) occur. | ||
V-79299 | SQL Server must generate audit records when successful accesses to objects occur. | ||
V-79141 | SQL Server must initiate session auditing upon startup. | ||
V-79129 | SQL Server must protect against a user falsely repudiating by ensuring the NT AUTHORITY SYSTEM account is not used for administration. | ||
V-79221 | Use of credentials and proxies must be restricted to necessary cases only. | ||
V-79179 | Access to CLR code must be disabled or restricted, unless specifically required and approved. | ||
V-79333 | Ole Automation Procedures feature must be disabled, unless specifically required and approved. | ||
V-79335 | SQL Server User Options feature must be disabled, unless specifically required and approved. | ||
V-79337 | Remote Access feature must be disabled, unless specifically required and approved. | ||
V-79341 | Hadoop Connectivity feature must be disabled, unless specifically required and approved. | ||
V-79343 | Allow Polybase Export feature must be disabled, unless specifically required and approved. | ||
V-79345 | Remote Data Archive feature must be disabled, unless specifically required and approved. | ||
V-79347 | SQL Server External Scripts Enabled feature must be disabled, unless specifically required and approved. | ||
V-79351 | SQL Server Replication Xps feature must be disabled, unless specifically required and approved. | ||
V-79177 | Access to xp_cmdshell must be disabled, unless specifically required and approved. | ||
SQL Server 2016 STIG policy permissions
Permission | Command |
---|---|
Create login | USE [master] GO CREATE LOGIN [ScmUser] WITH PASSWORD=N'Password1', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF |
Add [sysadmin] role | USE [master] GO ALTER SERVER ROLE [sysadmin] ADD MEMBER [ScmUser] GO |
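The following T-SQL is an added example and is not part of the SCM documentation or of the STIG. It reuses the login name [ScmUser] from the table above, assumes it is run by a sysadmin, and uses a placeholder password. It creates the login with the password policy left on, then impersonates it to test what a plain public login can read for a few representative rules before deciding whether [sysadmin] is needed; the mapping from rule IDs to sp_configure option names is the editor's own, based on the rule names in the table, not something the page states.

```sql
-- Added example; not part of the SCM documentation or the STIG itself.
-- Assumes the monitoring login is named [ScmUser] (as on this page) and that
-- the person running it is a sysadmin. Replace <StrongPassword> before running.
USE [master];
GO

-- 1. Create the monitoring login. Unlike the page's script, this leaves the
--    Windows password policy and expiration checks enabled.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'ScmUser')
    CREATE LOGIN [ScmUser]
        WITH PASSWORD = N'<StrongPassword>',
             DEFAULT_DATABASE = [master],
             CHECK_EXPIRATION = ON,
             CHECK_POLICY = ON;
GO

-- 2. Impersonate the new login to see what a plain public login can read.
--    Catalog views return only rows the caller has some permission on, so a
--    missing row here is a rule that will need [sysadmin] or a narrower grant.
EXECUTE AS LOGIN = N'ScmUser';

-- Feature-disablement rules (rule ID to option name mapping is the editor's own):
--   V-79177 xp_cmdshell, V-79179 clr enabled, V-79333 Ole Automation Procedures,
--   V-79335 user options, V-79337 remote access, V-79341 hadoop connectivity,
--   V-79343 allow polybase export, V-79345 remote data archive,
--   V-79347 external scripts enabled, V-79329 filestream access level,
--   V-79321 scan for startup procs
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'clr enabled', N'Ole Automation Procedures',
               N'user options', N'remote access', N'hadoop connectivity',
               N'allow polybase export', N'remote data archive',
               N'external scripts enabled', N'filestream access level',
               N'scan for startup procs');

-- Audit rules (V-79141, V-79147, V-79149 and the "must generate audit records"
-- rows): server audits, their failure action and whether they are running.
-- An empty result set means the login cannot see the audit objects.
SELECT a.name, a.on_failure_desc, a.is_state_enabled
FROM sys.server_audits AS a;

-- [sa] rules (V-79317, V-79319): the built-in login always has SID 0x01,
-- so this works even after it has been renamed.
SELECT name, is_disabled
FROM sys.server_principals
WHERE sid = 0x01;

REVERT;
GO

-- 3. Only if step 2 left gaps: add the login to [sysadmin] and confirm it.
IF IS_SRVROLEMEMBER(N'sysadmin', N'ScmUser') = 0
    ALTER SERVER ROLE [sysadmin] ADD MEMBER [ScmUser];
GO

SELECT IS_SRVROLEMEMBER(N'sysadmin', N'ScmUser') AS is_sysadmin;
GO
```

Run step 2 first on a test instance and compare its output with what the same queries return under your own sysadmin session; the rows that disappear under impersonation are the ones the monitoring login cannot evaluate with public permissions alone. IS_SRVROLEMEMBER returns 1 once the membership is in place and 0 while it is not.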