SQL Server Security Configuration Guide

Columns for each recommendation: Profile Applicability | Description | Rationale | Impact | Audit | Remediation | Default Value

Recommendations
1  Installation, Updates and Patches
1.1 Ensure Latest SQL Server Service Packs and Hotfixes are Installed (Manual)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: SQL Server pa
Rationale: Using the most recent SQL S
Audit: To determine your SQL Server service pack level, run the following code snippet.
  SELECT SERVERPROPERTY('ProductLevel') as SP_installed,
         SERVERPROPERTY('ProductVersion') as Version;
First column returns the installed Service Pack level, the second is the exact build number.
Remediation: be found here:
  • Hotfixes and Cumulative updates: https://docs.microsoft.com/en-us/sql/database-engine/install-windows/latest-updates-for-microsoft-sql-server?view=sql-server-ver15&viewFallbackFrom=sql-server-2016
  • Service Packs: https://support.microsoft.com/en-us/help/3177534/how-to-obtain-the-latest-service-pack-for-sql-server-2016
Default Value: Service packs and patches are not installed by default.

1.2 Ensure Single-Function Member Servers are Used (Manual)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: It is recommen
Rationale: It is easier t
Impact: It is difficu
Audit: Ensure that no
Remediation: Uninstall excess tooling and/or remove unnece
2  Surface Area Reduction
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: Enabling Ad H
Rationale: This feature can be used to
Audit: Run the following T-SQL command:
  SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use
  FROM sys.configurations
  WHERE name = 'Ad Hoc Distributed Queries';
Both value columns must show 0.
Remediation: Run the following T-SQL command:
  EXECUTE sp_configure 'show advanced options', 1;
  RECONFIGURE;
  EXECUTE sp_configure 'Ad Hoc Distributed Queries', 0;
  RECONFIGURE;
  GO
  EXECUTE sp_configure 'show advanced options', 0;
  RECONFIGURE;
Default Value: 0 (disabled)
2.2 Ensure 'CLR Enabled' Server Configuration Option is set to '0' (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: The clr enabl
Rationale: Enabling use
Impact: created with the riskier UNSAFE and EXTERNAL_ACCESS permission sets. To find user-created assemblies, run the following query in all databases, replacing <database_name> with each database name:
  USE [<database_name>]
  GO
  SELECT name AS Assembly_Name, permission_set_desc
  FROM sys.assemblies
  WHERE is_user_defined = 1;
  GO
Audit: Run the following T-SQL command:
  SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use
  FROM sys.configurations
  WHERE name = 'clr enabled';
Both value columns must show 0 to be compliant.
Remediation: Run the following T-SQL command:
  EXECUTE sp_configure 'clr enabled', 0;
  RECONFIGURE;
Default Value: By default, this option is disabled (0).
2.3 Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0' (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: The cross db
Rationale: When enabled, this option
Audit: Run the following T-SQL command:
  SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use
  FROM sys.configurations
  WHERE name = 'cross db ownership chaining';
Both value columns must show 0 to be compliant.
Remediation: Run the following T-SQL command:
  EXECUTE sp_configure 'cross db ownership chaining', 0;
  RECONFIGURE;
  GO
Default Value: By default, this option is disabled
2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: The Database Mai
Rationale: Disabling the Database
Audit: Run the following T-SQL command:
  SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use
  FROM sys.configurations
  WHERE name = 'Database Mail XPs';
Both value columns must show 0 to be compliant.
Remediation: Run the following T-SQL command:
  EXECUTE sp_configure 'show advanced options', 1;
  RECONFIGURE;
  EXECUTE sp_configure 'Database Mail XPs', 0;
  RECONFIGURE;
  GO
  EXECUTE sp_configure 'show advanced options', 0;
  RECONFIGURE;
Default Value: By default, this option is disabled
2.5 Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0' (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: The Ole Autom
Rationale: Enabling this option will i
Audit: Run the following T-SQL command:
  SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use
  FROM sys.configurations
  WHERE name = 'Ole Automation Procedures';
Both value columns must show 0 to be compliant.
Remediation: Run the following T-SQL command:
  EXECUTE sp_configure 'show advanced options', 1;
  RECONFIGURE;
  EXECUTE sp_configure 'Ole Automation Procedures', 0;
  RECONFIGURE;
  GO
  EXECUTE sp_configure 'show advanced options', 0;
  RECONFIGURE;
Default Value: By default, this option is disabled
2.6 Ensure 'Remote Access' Server Configuration Option is set to '0' (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: The remote ac
Rationale: Functionality
Impact: Per Microsoft
Audit: Run the following T-SQL command:
  SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use
  FROM sys.configurations
  WHERE name = 'remote access';
Both value columns must show 0.
Remediation: Run the following T-SQL command:
  EXECUTE sp_configure 'show advanced options', 1;
  RECONFIGURE;
  EXECUTE sp_configure 'remote access', 0;
  RECONFIGURE;
  GO
  EXECUTE sp_configure 'show advanced options', 0;
  RECONFIGURE;
Restart the Database Engine.
Default Value: By default, this option is enabled
2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: The remote ad
Rationale: The Dedicated Administrator
Audit: Run the following T-SQL command:
  SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use
  FROM sys.configurations
  WHERE name = 'remote admin connections'
    AND SERVERPROPERTY('IsClustered') = 0;
If no data is returned, the instance is a cluster and this recommendation is not applicable. If data is returned, then both the value columns must show 0 to be compliant.
Remediation: Run the following T-SQL command on non-clustered installations:
  EXECUTE sp_configure 'remote admin connections', 0;
  RECONFIGURE;
  GO
Default Value: By default, this option is disabled
2.8 Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0' (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: The scan for
Rationale: Enforcing this
Impact: Setting Scan
Audit: Run the following T-SQL command:
  SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use
  FROM sys.configurations
  WHERE name = 'scan for startup procs';
Both value columns must show 0.
Remediation: Run the following T-SQL command:
  EXECUTE sp_configure 'show advanced options', 1;
  RECONFIGURE;
  EXECUTE sp_configure 'scan for startup procs', 0;
  RECONFIGURE;
  GO
  EXECUTE sp_configure 'show advanced options', 0;
  RECONFIGURE;
Restart the Database Engine.
Default Value: By default, this option is disabled
2.9 Ensure 'Trustworthy' Database Property is set to 'Off' (Automated)
Profile Applicability: Level 1 - Database Engine
Description: The TRUSTWORT
Rationale: Provides protection from
Audit: Run the following T-SQL query to list any databases with a Trustworthy database property value of ON:
  SELECT name
  FROM sys.databases
  WHERE is_trustworthy_on = 1
    AND name != 'msdb';
No rows should be returned.
Remediation: Execute the following T-SQL statement against the databases (replace <database_name> below) returned by the Audit Procedure:
  ALTER DATABASE [<database_name>] SET TRUSTWORTHY OFF;
Default Value: By default, this database property is OFF (is_trustworthy_on = 0), except for the msdb database in which it is required to be ON.
2.10 Ensure Unnecessary SQL Server Protocols are set to 'Disabled' (Manual)
Profile Applicability: Level 1 - Database Engine
Description: SQL Server su
Rationale: Using fewer p
Impact: The Database
Audit: Open SQL Server Configuration Manager; go to the SQL Server Network Configuration. Ensure that only required protocols are enabled.
Remediation: Open SQL Server Configuration Manager; go to the SQL Server Network Configuration. Ensure that only required protocols are enabled. Disable protocols not necessary.
Default Value: By default, TCP/IP and Shared Me
2.11 Ensure SQL Server is configured to use non-standard ports (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: Using a non-d
Rationale: Changing the d
Impact: If installed,
Audit: Run one of the following T-SQL scripts:
  SELECT TOP(1) local_tcp_port
  FROM sys.dm_exec_connections
  WHERE local_tcp_port IS NOT NULL;
Or
  SELECT local_tcp_port
  FROM sys.dm_exec_connections
  WHERE session_id = @@SPID
If a value of 1433 is returned this is a fail.
Remediation: TCP Port field from 1433 to a non-standard port or leave the TCP Port field empty and set the TCP Dynamic Ports value to 0 to enable dynamic port assignment and then click OK. 4. In the console pane, click SQL Server Services. 5. In the details pane, right-click SQL Server (<InstanceName>) and then click Restart, to stop and restart SQL Server.
Default Value: By default, default SQL Server ins
2.12 Ensure 'Hide Instance' option is set to 'Yes' for Production SQL Server instances (Automated)
Profile Applicability: Level 1 - Database Engine
Description: Non-clustered
Rationale: Designating p
Impact: (not exposed by SQL Browser), then connections will need to specify the server and port in order to connect. It does not prevent users from connecting to server if they know the instance name and port. If you hide a clustered named instance, the cluster service may not be able to connect to the SQL Server. Please refer to the Microsoft documentation reference.
Audit:
  DECLARE @getValue INT;
  EXEC master.sys.xp_instance_regread
      @rootkey = N'HKEY_LOCAL_MACHINE',
      @key = N'SOFTWARE\Microsoft\Microsoft SQL Server\MSSQLServer\SuperSocketNetLib',
      @value_name = N'HideInstance',
      @value = @getValue OUTPUT;
  SELECT @getValue;
A value of 1 should be returned to be compliant.
Remediation: immediately for new connections. 1.1.1.4 T-SQL Method: Execute the following T-SQL to remediate:
  EXEC master.sys.xp_instance_regwrite
      @rootkey = N'HKEY_LOCAL_MACHINE',
      @key = N'SOFTWARE\Microsoft\Microsoft SQL Server\MSSQLServer\SuperSocketNetLib',
      @value_name = N'HideInstance',
      @type = N'REG_DWORD',
      @value = 1;
Default Value: By default, SQL Server instances are not hidden.
2.13 Ensure the 'sa' Login Account is set to 'Disabled' (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: The sa accoun
Rationale: Enforcing this
Impact: It is not a go
Audit: being checked in case it has been renamed per best practices.
  SELECT name, is_disabled
  FROM sys.server_principals
  WHERE sid = 0x01
    AND is_disabled = 0;
No rows should be returned to be compliant. An is_disabled value of 0 indicates the login is currently enabled and therefore needs remediation.
Remediation: Execute the following T-SQL query:
  USE [master]
  GO
  DECLARE @tsql nvarchar(max)
  SET @tsql = 'ALTER LOGIN ' + SUSER_NAME(0x01) + ' DISABLE'
  EXEC (@tsql)
  GO
Default Value: By default, the sa login account is
2.14 Ensure the 'sa' Login Account has been renamed (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: The sa accoun
Rationale: It is more dif
Impact: It is not a go
Audit: Use the following syntax to determine if the sa login (principal) is renamed.
  SELECT name
  FROM sys.server_principals
  WHERE sid = 0x01;
A name of sa indicates the account has not been renamed and therefore needs remediation.
Remediation: Replace the <different_user> value within the below syntax and execute to rename the sa login.
  ALTER LOGIN sa WITH NAME = <different_user>;
Default Value: By default, the sa login name is 's
2.15 Ensure 'xp_cmdshell' Server Configuration Option is set to '0' (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: The xp_cmdshe
Rationale: The xp_cmdshell procedure is
Audit: Run the following T-SQL command:
  SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use
  FROM sys.configurations
  WHERE name = 'xp_cmdshell';
Both value columns must show 0 to be compliant.
Remediation: Run the following T-SQL command:
  EXECUTE sp_configure 'show advanced options', 1;
  RECONFIGURE;
  EXECUTE sp_configure 'xp_cmdshell', 0;
  RECONFIGURE;
  GO
  EXECUTE sp_configure 'show advanced options', 0;
  RECONFIGURE;
Default Value: By default, this option is disabled
2.16 Ensure 'AUTO_CLOSE' is set to 'OFF' on contained databases (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: AUTO_CLOSE de
Rationale: Because authentication of
Audit: Perform the following to find contained databases that are not configured as prescribed:
  SELECT name, containment, containment_desc, is_auto_close_on
  FROM sys.databases
  WHERE containment <> 0
    and is_auto_close_on = 1;
No rows should be returned.
Remediation: Execute the following T-SQL, replacing <database_name> with each database name found by the Audit Procedure:
  ALTER DATABASE <database_name> SET AUTO_CLOSE OFF;
Default Value: By default, the database property AUTO_CLOSE is OFF which is equivalent to is_auto_close_on = 0.
2.17 Ensure no login exists with the name 'sa'
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: The sa login
Rationale: Enforcing thi
Impact: It is not a go
Audit: Use the following syntax to determine if there is an account named sa.
  SELECT principal_id, name
  FROM sys.server_principals
  WHERE name = 'sa';
No rows should be returned.
Remediation: Replace the <different_name> value within the below syntax and execute to rename the sa login.
  USE [master]
  GO
  -- If principal_id = 1 or the login owns database objects, rename the sa login
  ALTER LOGIN [sa] WITH NAME = <different_name>;
  GO
  -- If the login owns no database objects, then drop it
  -- Do NOT drop the login if it is principal_id = 1
  DROP LOGIN sa
Default Value: The login with principal_id = 1 is named sa by default.
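Added example, not part of the benchmark text: one pass over sys.configurations that checks every Server Configuration Option covered by section 2 (and 'default trace enabled' from 5.2) against the value its recommendation expects, treats 'remote admin connections' as not applicable on clustered instances as 2.7 states, and emits the matching sp_configure statement for each failing row. The @expected table variable and the output column names are assumptions of this example.

```sql
-- Added example: consolidated audit of the sp_configure options from
-- section 2 and 5.2 of this guide. Not the benchmark's own script.
DECLARE @expected TABLE (
    recommendation varchar(4)   NOT NULL,
    option_name    nvarchar(35) NOT NULL PRIMARY KEY,
    expected_value int          NOT NULL
);
-- Expected values are the ones the recommendations above state.
INSERT INTO @expected (recommendation, option_name, expected_value) VALUES
    ('2.1',  N'Ad Hoc Distributed Queries',  0),
    ('2.2',  N'clr enabled',                 0),
    ('2.3',  N'cross db ownership chaining', 0),
    ('2.4',  N'Database Mail XPs',           0),
    ('2.5',  N'Ole Automation Procedures',   0),
    ('2.6',  N'remote access',               0),
    ('2.7',  N'remote admin connections',    0),  -- N/A on clusters (see 2.7)
    ('2.8',  N'scan for startup procs',      0),
    ('2.15', N'xp_cmdshell',                 0),
    ('5.2',  N'default trace enabled',       1);

SELECT e.recommendation,
       c.name,
       CAST(c.value        AS int) AS value_configured,
       CAST(c.value_in_use AS int) AS value_in_use,
       e.expected_value,
       CASE
           -- 2.7's audit text: clustered instances are out of scope
           WHEN e.option_name = N'remote admin connections'
                AND SERVERPROPERTY('IsClustered') = 1 THEN 'N/A (clustered)'
           -- Both columns must match, as every section above requires; a
           -- mismatch between them means a RECONFIGURE or a restart (2.6,
           -- 2.8) is still pending.
           WHEN CAST(c.value AS int) = e.expected_value
                AND CAST(c.value_in_use AS int) = e.expected_value THEN 'PASS'
           ELSE 'FAIL'
       END AS result,
       -- The statement each section gives as remediation. Advanced options
       -- additionally need 'show advanced options' set to 1 first and back
       -- to 0 afterwards, exactly as the sections above show.
       N'EXECUTE sp_configure ''' + c.name + N''', '
           + CAST(e.expected_value AS nvarchar(1)) + N'; RECONFIGURE;' AS remediation
FROM @expected AS e
JOIN sys.configurations AS c
  ON c.name = e.option_name
ORDER BY c.configuration_id;
```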
3  Authentication and Authorization
3.1 Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode' (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: Uses Windows
Rationale: Windows prov
Impact: Changing the
Audit: Execute the following syntax:
  SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') as [login_mode];
A login_mode of 1 indicates the Server Authentication property is set to Windows Authentication Mode. A login_mode of 0 indicates mixed mode authentication.
Remediation: on Mode. 1.1.1.6 T-SQL Method: Run the following T-SQL in a Query Window:
  USE [master]
  GO
  EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode', REG_DWORD, 1
  GO
Restart the SQL Server service for the change to take effect.
Default Value: Windows Authentication Mode
3.2 Ensure CONNECT permissions on the 'guest' user is Revoked within all SQL Server databases excluding the master, msdb and tempdb
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: Remove the ri
Rationale: A login assum
Impact: When
Audit:
  USE <database_name>;
  GO
  SELECT DB_NAME() AS DatabaseName, 'guest' AS Database_User, [permission_name], [state_desc]
  FROM sys.database_permissions
  WHERE [grantee_principal_id] = DATABASE_PRINCIPAL_ID('guest')
    AND [state_desc] LIKE 'GRANT%'
    AND [permission_name] = 'CONNECT'
    AND DB_NAME() NOT IN ('master','tempdb','msdb');
Remediation: The following code snippet revokes CONNECT permissions from the guest user in a database. Replace <database_name> as appropriate:
  USE <database_name>;
  GO
  REVOKE CONNECT FROM guest;
Default Value: The guest user account is added
3.3 Ensure 'Orphaned Users' are Dropped From SQL Server Databases (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: A database us
Rationale: Orphan users should be rem
Audit: Run the following T-SQL query in each database to identify orphan users. No rows should be returned.
  USE [<database_name>];
  GO
  EXEC sp_change_users_login @Action='Report';
Remediation: If the orphaned user cannot or should not be matched to an existing or new login using the Microsoft documented process referenced below, run the following T-SQL query in the appropriate database to remove an orphan user:
  USE [<database_name>];
  GO
  DROP USER <username>;
3.4 Ensure SQL Authentication is not used in contained databases (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: Contained dat
Rationale: The absence o
Impact: While contain
Audit: Execute the following T-SQL in each contained database to find database users that are using SQL authentication:
  SELECT name AS DBUser
  FROM sys.database_principals
  WHERE name NOT IN ('dbo','Information_Schema','sys','guest')
    AND type IN ('U','S','G')
    AND authentication_type = 2;
  GO
Remediation: Leverage Windows Authenticated users in contained databases.
Default Value: SQL Authenticated users (USER W
3.5 Ensure the SQL Server's MSSQL Service Account is Not an Administrator (Manual)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: The service a
Rationale: Following the
Impact: The SQL Serve
Audit: Verify that the service account (in case of a local or AD account) and service SID are not members of the Windows Administrators group.
Remediation: In the case where LocalSystem is used, use SQL Server Configuration Manager to change to a less privileged account. Otherwise, remove the account or service SID from the Administrators group. You may need to run the SQL Server Configuration Manager if underlying permissions had been changed or if SQL Server Configuration Manager was not originally used to set the service account.
Default Value: By default, the Service Account (o
3.6 Ensure the SQL Server's SQLAgent Service Account is Not an Administrator (Manual)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: The service a
Rationale: Following the
Impact: service account. This will ensure that the account has the necessary privileges. If the service needs access to resources other than the standard Microsoft-defined directories and registry, then additional permissions may need to be granted separately to those resources. If using the auto restart feature, then the SQLAGENT service must be an Administrator.
Audit: Verify that the service account (in case of a local or AD account) and service SID are not members of the Windows Administrators group.
Remediation: In the case where LocalSystem is used, use SQL Server Configuration Manager to change to a less privileged account. Otherwise, remove the account or service SID from the Administrators group. You may need to run the SQL Server Configuration Manager if underlying permissions had been changed or if SQL Server Configuration Manager was not originally used to set the service account.
Default Value: By default, the Service Account (or Service SID) is not a member of the Administrators group.
3.7 Ensure the SQL Server's Full-Text Service Account is Not an Administrator (Manual)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: The service a
Rationale: Following the
Impact: The SQL Serve
Audit: Verify that the service account (in case of a local or AD account) and service SID are not members of the Windows Administrators group.
Remediation: In the case where LocalSystem is used, use SQL Server Configuration Manager to change to a less privileged account. Otherwise, remove the account or service SID from the Administrators group. You may need to run the SQL Server Configuration Manager if underlying permissions had been changed or if SQL Server Configuration Manager was not originally used to set the service account.
Default Value: By default, the Service Account (o
3.8 Ensure only the default permissions specified by Microsoft are granted to the public server role (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: public is a sp
Rationale: Every SQL Serv
Impact: When the extr
Audit (query start is missing from the extract):
  major_id = 3)
  AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and class_desc = 'ENDPOINT' and major_id = 4)
  AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and class_desc = 'ENDPOINT' and major_id = 5);
This query should not return any rows.
Remediation: 1. Add the extraneous permissions found in the Audit query results to the specific logins to user-defined server roles which require the access. 2. Revoke the <permission_name> from the public role as shown below
  USE [master]
  GO
  REVOKE <permission_name> FROM public;
  GO
Default Value: By default, the public server role
3.9 Ensure Windows BUILTIN groups are not SQL Logins (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: Prior to SQL
Rationale: The BUILTIN g
Impact: Before droppi
Audit: Use the following syntax to determine if any BUILTIN groups or accounts have been added as SQL Server Logins.
  SELECT pr.[name], pe.[permission_name], pe.[state_desc]
  FROM sys.server_principals pr
  JOIN sys.server_permissions pe ON pr.principal_id = pe.grantee_principal_id
  WHERE pr.name like 'BUILTIN%';
This query should not return any rows.
Remediation: 1. For each BUILTIN login, if needed create a more restrictive AD group containing only the required user accounts. 2. Add the AD group or individual Windows accounts as a SQL Server login and grant it the permissions required. 3. Drop the BUILTIN login using the syntax below after replacing <name> in [BUILTIN\<name>].
  USE [master]
  GO
  DROP LOGIN [BUILTIN\<name>]
  GO
Default Value: By default, no BUILTIN groups are
3.10 Ensure Windows local groups are not SQL Logins (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: Local Windows
Rationale: Allowing loca
Impact: Before droppi
Audit:
  SELECT pr.[name] AS LocalGroupName, pe.[permission_name], pe.[state_desc]
  FROM sys.server_principals pr
  JOIN sys.server_permissions pe ON pr.[principal_id] = pe.[grantee_principal_id]
  WHERE pr.[type_desc] = 'WINDOWS_GROUP'
    AND pr.[name] like CAST(SERVERPROPERTY('MachineName') AS nvarchar) + '%';
This query should not return any rows.
Remediation: 1. For each LocalGroupName login, if needed create an equivalent AD group containing only the required user accounts. 2. Add the AD group or individual Windows accounts as a SQL Server login and grant it the permissions required. 3. Drop the LocalGroupName login using the syntax below after replacing <name>.
  USE [master]
  GO
  DROP LOGIN [<name>]
  GO
Default Value: By default, no local groups are ad
3.11 Ensure the public role in the msdb database is not granted access to SQL Agent proxies (Automated)
Profile Applicability: Level 1 - Database Engine
Description: The public da
Rationale: Granting acces
Impact: Before revoki
Audit: the msdb database's public role.
  USE [msdb]
  GO
  SELECT sp.name AS proxyname
  FROM dbo.sysproxylogin spl
  JOIN sys.database_principals dp ON dp.sid = spl.sid
  JOIN sysproxies sp ON sp.proxy_id = spl.proxy_id
  WHERE principal_id = USER_ID('public');
  GO
This query should not return any rows.
Remediation: 1. Ensure the required security principals are explicitly granted access to the proxy (use sp_grant_login_to_proxy). 2. Revoke access to the <proxyname> from the public role.
  USE [msdb]
  GO
  EXEC dbo.sp_revoke_login_from_proxy @name = N'public', @proxy_name = N'<proxyname>';
  GO
Default Value: By default, the msdb public datab
4  Password Policies
4.1 Ensure 'MUST_CHANGE' Option is set to 'ON' for All SQL Authenticated Logins (Manual)
Profile Applicability: Level 1 - Database Engine
Description: Whenever this
Rationale: Enforcing a p
Impact: CHECK_EXPIRA
Audit: Properties. 4. Verify the User must change password at next login checkbox is checked.
Note: This audit procedure is only applicable immediately after the login has been created or altered to force the password change. Once the password is changed, there is no way to know specifically that this option was the forcing mechanism behind a password change.
Remediation:
  <login_name> WITH PASSWORD = '<password_value>' MUST_CHANGE, CHECK_EXPIRATION = ON, CHECK_POLICY = ON;
Set the MUST_CHANGE option for SQL Authenticated logins when resetting a password:
  ALTER LOGIN <login_name> WITH PASSWORD = '<new_password_value>' MUST_CHANGE;
Default Value: ON when creating a new login via
4.2 Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: Applies the s
Rationale: Ensuring SQL
Impact: some other process track when the password needs to be changed. With this second control in place, this is perfectly acceptable from an audit perspective. If you treat a SQL Server login as a service account, then you have to do the same. This ensures that the password change happens during a communicated downtime window and not arbitrarily.
Audit:
  SELECT l.[name], 'sysadmin' AS 'Access_Method'
  FROM sys.sql_logins AS l
  WHERE IS_SRVROLEMEMBER('sysadmin',name) = 1
    AND l.is_expiration_checked <> 1
  UNION ALL
  SELECT l.[name], 'CONTROL SERVER' AS 'Access_Method'
  FROM sys.sql_logins AS l
  JOIN sys.server_permissions AS p ON l.principal_id = p.grantee_principal_id
  WHERE p.type = 'CL'
    AND p.state IN ('G', 'W')
    AND l.is_expiration_checked <> 1;
Remediation: For each <login_name> found by the Audit Procedure, execute the following T-SQL statement:
  ALTER LOGIN [<login_name>] WITH CHECK_EXPIRATION = ON;
Default Value: CHECK_EXPIRATION is ON by default when using SSMS to create a SQL authenticated login. CHECK_EXPIRATION is OFF by default when using T-SQL CREATE LOGIN syntax without specifying the CHECK_EXPIRATION option.
4.3 Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: Applies the s
Rationale: Ensure SQL au
Impact: ed logins. Weak passwords can lead to compromised systems. SQL Server authenticated logins will utilize the password policy set in the computer's local policy, which is typically set by the Default Domain Policy setting. The setting is only enforced when the password is changed. This setting does not force existing weak passwords to be changed.
Audit:
  SELECT name, is_disabled
  FROM sys.sql_logins
  WHERE is_policy_checked = 0;
The is_policy_checked value of 0 indicates that the CHECK_POLICY option is OFF; value of 1 is ON. If is_disabled value is 1, then the login is disabled and unusable. If no rows are returned then either no SQL Authenticated logins exist or they all have CHECK_POLICY ON.
Remediation:
  ALTER LOGIN [<login_name>] WITH CHECK_POLICY = ON;
Default Value: CHECK_POLICY is ON
5  Auditing and Logging
5.1 Ensure 'Maximum number of error log files' is set to greater than or equal to '12' (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: SQL Server er
Rationale: The SQL Serve
Impact: Once the max
Audit: following T-SQL. The NumberOfLogFiles returned should be greater than or equal to 12.
  DECLARE @NumErrorLogs int;
  EXEC master.sys.xp_instance_regread
      N'HKEY_LOCAL_MACHINE',
      N'Software\Microsoft\MSSQLServer\MSSQLServer',
      N'NumErrorLogs',
      @NumErrorLogs OUTPUT;
  SELECT ISNULL(@NumErrorLogs, -1) AS [NumberOfLogFiles];
Remediation: 1.1.1.10 T-SQL Method: Run the following T-SQL to change the number of error log files, replace <NumberAbove12> with your desired number of error log files:
  EXEC master.sys.xp_instance_regwrite
      N'HKEY_LOCAL_MACHINE',
      N'Software\Microsoft\MSSQLServer\MSSQLServer',
      N'NumErrorLogs',
      REG_DWORD,
      <NumberAbove12>;
Default Value: 11 SQL Server error log files in ad
5.2 Ensure 'Default Trace Enabled' Server Configuration Option is set to '1' (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: The default t
Rationale: Default trace provides valu
Audit: Run the following T-SQL command:
  SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use
  FROM sys.configurations
  WHERE name = 'default trace enabled';
Both value columns must show 1.
Remediation: Run the following T-SQL command:
  EXECUTE sp_configure 'show advanced options', 1;
  RECONFIGURE;
  EXECUTE sp_configure 'default trace enabled', 1;
  RECONFIGURE;
  GO
  EXECUTE sp_configure 'show advanced options', 0;
  RECONFIGURE;
Default Value: 1 (on)
5.3 Ensure 'Login Auditing' is set to 'failed logins' (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: Capturing fai
Rationale: This setting will record failed authentication attempts for SQL Server logins to the SQL Server Errorlog. This is the default setting for SQL Server. Historically, this setting has been available in all versions and editions of SQL Server. Prior to the availability of SQL Server Audit, this was the only provided mechanism for capturing logins (successful or failed).
Impact: At a minimum, we want to ensure failed logins are captured in order to detect if an adversary is attempting to brute force passwords or otherwise attempting to access a SQL Server improperly. Changing the setting requires a restart of the SQL Server service.
Audit:
  fig 'audit level';
A config_value of failure indicates a server login auditing setting of Failed logins only. If a config_value of all appears, then both failed and successful logins are being logged. Both settings should also be considered valid, but as mentioned capturing successful logins using this method creates lots of noise in the SQL Server Errorlog.
Remediation: the Login Auditing section and click OK. 4. Restart the SQL Server instance.
1.1.1.12 T-SQL Method: 1. Run:
  EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'AuditLevel', REG_DWORD, 2
2. Restart the SQL Server instance.
Default Value: By default, only failed login attempts are captured.
5.4 Ensure 'SQL Server Audit' is set to capture both 'failed' and 'successful logins' (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: SQL Server Audit is capable of capturing both failed and successful logins and writing them to one of three places: the application event log, the security event log, or the file system. We will use it to capture any login attempt to SQL Server, as well as any attempts to change audit policy. This will also serve to be a second source to record failed login attempts.
Rationale: By utilizing A
Impact: With the prev
Audit: The result set should contain 3 rows, one for each of the following audit_action_names:
  • AUDIT_CHANGE_GROUP
  • FAILED_LOGIN_GROUP
  • SUCCESSFUL_LOGIN_GROUP
Both the Audit and Audit specification should be enabled and the audited_result should include both success and failure.
Remediation:
  (AUDIT_CHANGE_GROUP)
  WITH (STATE = ON);
  GO
  ALTER SERVER AUDIT TrackLogins WITH (STATE = ON);
  GO
Note: If the write destination for the Audit object is to be the security event log, see the Books Online topic Write SQL Server Audit Events to the Security Log and follow the appropriate steps.
Default Value: By default, there are no audit object tracking login events.
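Added example, not the benchmark's own remediation script: the complete audit object that 5.4's audit checks for, followed by the catalog query a reviewer would run to confirm the three action groups, both enabled states and the audited_result. The audit name TrackLogins is the one the guide's remediation fragment uses; the specification name TrackAllLogins and the APPLICATION_LOG destination are assumptions, and the script assumes no audit of that name exists yet.

```sql
-- Added example for recommendation 5.4 (not the benchmark's own text).
-- Assumes no server audit named TrackLogins exists yet.
USE [master];
GO
-- Destination is an assumption; the guide's note above covers the extra
-- steps needed if the security event log is used instead.
CREATE SERVER AUDIT TrackLogins
    TO APPLICATION_LOG
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
-- The three action groups 5.4 expects: both login outcomes plus changes to
-- the audit configuration itself. Specification name is an assumption.
CREATE SERVER AUDIT SPECIFICATION TrackAllLogins
    FOR SERVER AUDIT TrackLogins
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT TrackLogins WITH (STATE = ON);
GO
-- Verification, matching 5.4's audit text: expect exactly 3 rows,
-- audit_enabled = 1 and specification_enabled = 1 on every row, and
-- audited_result = 'SUCCESS AND FAILURE' for each group.
SELECT sa.name              AS audit_name,
       sa.is_state_enabled  AS audit_enabled,
       sas.name             AS specification_name,
       sas.is_state_enabled AS specification_enabled,
       sasd.audit_action_name,
       sasd.audited_result
FROM sys.server_audits AS sa
JOIN sys.server_audit_specifications AS sas
  ON sa.audit_guid = sas.audit_guid
JOIN sys.server_audit_specification_details AS sasd
  ON sas.server_specification_id = sasd.server_specification_id
WHERE sa.name = N'TrackLogins'
  AND sasd.audit_action_name IN (N'AUDIT_CHANGE_GROUP',
                                 N'FAILED_LOGIN_GROUP',
                                 N'SUCCESSFUL_LOGIN_GROUP')
ORDER BY sasd.audit_action_name;
```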
6  Application Development
6.1 Ensure Database and Application User Input is Sanitized (Manual)
Profile Applicability: Level 1 - Database Engine
Description: Always validat
Rationale: Sanitizing use
Impact: Sanitize user
Audit: Check with the application teams to ensure any database interaction is through the use of stored procedures and not dynamic SQL. Revoke any INSERT, UPDATE, or DELETE privileges to users so that modifications to data must be done through stored procedures. Verify that there's no SQL query in the application code produced by string concatenation.
Remediation: permit minimally privileged accounts to send user input to the server
  • Minimize the risk of SQL injection attack by using parameterized commands and stored procedures
  • Reject user input containing binary data, escape sequences, and comment characters
  • Always validate user input and do not use it directly to build SQL statements
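Added example, not part of the benchmark: the string-concatenation pattern 6.1's audit asks application teams to look for, beside the parameterized sp_executesql form of the same procedure, and a rough catalog query for locating concatenated dynamic SQL in existing modules. The table dbo.Customer, the two procedure names and the AppUser database user are assumptions of this example.

```sql
-- Added example for recommendation 6.1 (not the benchmark's own code).
-- dbo.Customer is a constructed sample table.
CREATE TABLE dbo.Customer (
    CustomerId int IDENTITY PRIMARY KEY,
    Email      nvarchar(256) NOT NULL,
    City       nvarchar(100) NOT NULL
);
GO
-- BEFORE: the pattern the audit flags. The caller's input is spliced into
-- the statement text, so the input decides what SQL the server runs.
CREATE PROCEDURE dbo.FindCustomersByCity_Unsafe
    @City nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Email FROM dbo.Customer WHERE City = ''' + @City + N'''';
    EXEC (@sql);
END;
GO
-- AFTER: the statement text is a constant and the value travels as a typed
-- parameter through sp_executesql, so input can only ever be compared as a
-- value. Dynamic SQL is kept only to show the fix; a static query is simpler.
CREATE PROCEDURE dbo.FindCustomersByCity
    @City nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Email FROM dbo.Customer WHERE City = @City';
    EXEC sys.sp_executesql @sql, N'@City nvarchar(100)', @City = @City;
END;
GO
-- Least privilege, as the audit text recommends: the application user gets
-- EXECUTE on the safe procedure only, no direct DML on the table and no
-- access to the unsafe procedure. AppUser is an assumed database user.
GRANT EXECUTE ON dbo.FindCustomersByCity TO AppUser;
GO
-- Rough heuristic for the "no SQL query produced by string concatenation"
-- check: modules that execute dynamic SQL and concatenate a quoted literal
-- into it. It over-reports; review each hit by hand.
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
       OBJECT_NAME(m.object_id)        AS module_name
FROM sys.sql_modules AS m
WHERE m.definition LIKE N'%EXEC%(%'
  AND m.definition LIKE N'%''''%+%'
ORDER BY schema_name, module_name;
```

On the sample above the heuristic reports dbo.FindCustomersByCity_Unsafe and not dbo.FindCustomersByCity.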
6.2 Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies (Automated)
Profile Applicability: Level 1 - Database Engine; Level 1 - AWS RDS
Description: Setting CLR A
Rationale: sets can be used to access sensitive areas of the operating system, steal and/or transmit data and alter the state and other protection measures of the underlying Windows Operating System. Assemblies which are Microsoft-created (is_user_defined = 0) are excluded from this check as they are required for overall system functionality.
Impact: The remediati
Audit: Execute the following SQL statement:
  USE <database_name>;
  GO
  SELECT name, permission_set_desc
  FROM sys.assemblies
  WHERE is_user_defined = 1;
All the returned assemblies should show SAFE_ACCESS in the permission_set_desc column.
Remediation:
  USE <database_name>;
  GO
  ALTER ASSEMBLY <assembly_name> WITH PERMISSION_SET = SAFE;
Default Value: SAFE permission is set by default.
7  Encryption
7.1  Ensure 'Symmetric Key encryption algorithm' is set to 'AES_128' or higher in non-system databases (Automated)
Profile Applicability: • Level 1 - Database Engine • Level 1 - AWS RDS
Description: … key aka 2TDEA). In SQL Server, these are referred to as TRIPLE_DES_3KEY and TRIPLE_DES respectively. Additionally, the SQL Server algorithm named DESX is actually the same implementation as the TRIPLE_DES_3KEY option. However, using the DESX identifier as the algorithm type has been deprecated and its usage is now discouraged.
Rationale: Eliminates use of weak and deprecated algorithms which may put a system at higher risk of an attacker breaking the key.
Impact: Encrypted data cannot be compressed, but compressed data can be encrypted. If you use compression, you should compress data before encrypting it.
Audit: Run the following code for each individual user database:
    USE <database_name>
    GO
    SELECT db_name() AS Database_Name, name AS Key_Name
    FROM sys.symmetric_keys
    WHERE algorithm_desc NOT IN ('AES_128','AES_192','AES_256') AND db_id() > 4;
    GO
For compliance, no rows should be returned.
Remediation: Refer to Microsoft SQL Server Books Online ALTER SYMMETRIC KEY entry: https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-symmetric-key-transact-sql
Default Value: none
7.2  Ensure Asymmetric Key Size is set to 'greater than or equal to 2048' in non-system databases (Automated)
Profile Applicability: • Level 1 - Database Engine • Level 1 - AWS RDS
Rationale: The higher-bit level may result in slower performance, but reduces the likelihood of an attacker breaking the key.
Impact: Encrypted data cannot be compressed, but compressed data can be encrypted. If you use compression, you should compress data before encrypting it.
Audit: Run the following code for each individual user database:
    USE <database_name>
    GO
    SELECT db_name() AS Database_Name, name AS Key_Name
    FROM sys.asymmetric_keys
    WHERE key_length < 2048 AND db_id() > 4;
    GO
For compliance, no rows should be returned.
Remediation: Refer to Microsoft SQL Server Books Online ALTER ASYMMETRIC KEY entry: https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-asymmetric-key-transact-sql
Default Value: None
8  Appendix: Additional Considerations
8.1  Ensure 'SQL Server Browser Service' is configured correctly (Manual)
Profile Applicability: • Level 1 - Database Engine
Rationale: Disabling the SQL Server Browser service would mean the end users would have to remember port numbers for the instances. When they don't that will generate service calls to IT staff. Given the limited benefit of disabling the service, the trade-off is probably not worth it, meaning it makes more business sense to leave the SQL Server Browser service enabled.
Audit: Check the SQL Browser service's status via services.msc or similar methods.
Remediation: Enable or disable the service as needed for your environment.
Default Value: The SQL Server Browser service is disabled if only a default instance is installed on the server. If a named instance is installed, the default value is for the SQL Server Browser service to be configured as Automatic for startup.
Appendix: Recommendation Summary Table
Default Value:
• … s tooling and/or remove unnecessary roles from the underlying operating system.
• By default, this option is disabled (0).
• By default, this option is disabled (0).
• By default, this option is disabled (0).
• By default, this option is enabled (1).
• By default, this option is disabled (0), only local connections may use the DAC.
• By default, this option is disabled (0).
• By default, TCP/IP and Shared Memory protocols are enabled on all commercial editions.
• By default, default SQL Server instances listen for TCP/IP traffic on TCP port 1433 and named instances use dynamic ports.
• By default, the sa login account is disabled at install time when Windows Authentication Mode is selected. If mixed mode (SQL Server and Windows Authentication) is selected at install, the default for the sa login is enabled.
• By default, the sa login name is 'sa'.
• By default, this option is disabled (0).
• Windows Authentication Mode
• The guest user account is added to each new database but without CONNECT permission by default.
• SQL Authenticated users (USER WITH PASSWORD authentication) are allowed in contained databases.
• By default, the Service Account (or Service SID) is not a member of the Administrators group.
• By default, the Service Account (or Service SID) is not a member of the Administrators group.
• By default, the public server role is granted VIEW ANY DATABASE permission and the CONNECT permission on the default endpoints (TSQL Local Machine, TSQL Named Pipes, TSQL Default TCP, TSQL Default VIA). The VIEW ANY DATABASE permission allows all logins to see database metadata, unless explicitly denied.
• By default, no BUILTIN groups are added as SQL logins.
• By default, no local groups are added as SQL logins.
• By default, the msdb public database role does not have access to any proxy.
• ON when creating a new login via the SSMS GUI. OFF when creating a new login using T-SQL CREATE LOGIN unless the MUST_CHANGE option is explicitly included along with CHECK_EXPIRATION = ON.
• … 1 SQL Server error log files in addition to the current error log file are retained by default.