Microsoft SQL Server 2022 Instance STIG Checklist
Hard · 12 items · 2 hours
testuser · Published 1 month ago
A concise checklist to verify Microsoft SQL Server 2022 instance-level hardening against DISA STIG requirements. Ideal for DBAs, security engineers, and auditors preparing an instance for DoD or high-security environments.
- Document SQL Server instance and version — Record edition, build, instance name, and patch level.
- Apply latest SQL Server and host OS security patches
- Ensure the host OS has FIPS mode enabled and SQL Server uses FIPS-validated cryptography — Use FIPS 140-2/140-3 validated modules where required.
- Disable or secure the 'sa' account — Rename, disable, or enforce a strong password and limit usage.
- Restrict sysadmin role and enforce least privilege — Assign minimal privileges to service and user accounts.
- Enable and configure server-level auditing — Log logins, failed logins, privilege changes, and retain logs.
- Enforce encrypted connections (TLS) for client-server traffic — Require TLS and disable insecure protocols.
- Restrict SQL Server network access and firewall rules — Close unused ports and allow only trusted hosts.
- Disable or remove unused features and extended procedures — Disable CLR, xp_cmdshell, and other unnecessary features.
- Configure automated, encrypted backups for system and user DBs — Schedule full and transaction log backups and encrypt files.
- Include system and user databases in backup schedule
- Run STIG/XCCDF scans and remediate findings — Use DISA STIG content or SCAP scanner and document fixes.
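The T-SQL below is an added verification script, not part of the original checklist, that pulls the instance-level evidence for the items above from the catalog views: version and patch level, the state of the 'sa' login, sysadmin membership, server audits, connection encryption, surface-area options, and backup coverage. It assumes a login with sysadmin (or at least VIEW SERVER STATE plus read access to msdb); host-level items (OS patches, FIPS mode, firewall rules) are checked on the operating system and are not covered here.

```sql
-- Instance identity and patch level (items 1-2)
SELECT SERVERPROPERTY('MachineName')        AS machine_name,
       SERVERPROPERTY('InstanceName')       AS instance_name,
       SERVERPROPERTY('Edition')            AS edition,
       SERVERPROPERTY('ProductVersion')     AS product_version,
       SERVERPROPERTY('ProductUpdateLevel') AS cumulative_update;

-- 'sa' login, located by its fixed SID (0x01) so a rename is still found (item 4)
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM   sys.sql_logins
WHERE  sid = 0x01;

-- Every member of sysadmin must be documented and justified (item 5)
SELECT m.name AS member_name, m.type_desc
FROM   sys.server_role_members rm
JOIN   sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE  r.name = 'sysadmin';

-- Server audits: expect at least one enabled audit with an enabled specification (item 6)
SELECT a.name AS audit_name, a.is_state_enabled, a.type_desc,
       s.name AS spec_name, s.is_state_enabled AS spec_enabled
FROM   sys.server_audits a
LEFT JOIN sys.server_audit_specifications s ON s.audit_guid = a.audit_guid;

-- Current TCP sessions: any row with encrypt_option = 'FALSE' is cleartext client traffic (item 7)
SELECT session_id, net_transport, encrypt_option, client_net_address
FROM   sys.dm_exec_connections
WHERE  net_transport = 'TCP';

-- Surface-area options that should be 0 unless an exception is documented (item 9)
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM   sys.configurations
WHERE  name IN ('xp_cmdshell', 'clr enabled', 'Ole Automation Procedures',
                'Ad Hoc Distributed Queries', 'remote access',
                'cross db ownership chaining');

-- Backup coverage per database: latest full (D) and log (L) backup, and how many
-- of those backup sets were written without encryption (items 10-11)
SELECT d.name AS database_name, d.recovery_model_desc,
       MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END) AS last_full,
       MAX(CASE WHEN b.type = 'L' THEN b.backup_finish_date END) AS last_log,
       SUM(CASE WHEN b.type IN ('D', 'L') AND b.key_algorithm IS NULL
                THEN 1 ELSE 0 END) AS unencrypted_backup_count
FROM   sys.databases d
LEFT JOIN msdb.dbo.backupset b ON b.database_name = d.name
WHERE  d.name <> 'tempdb'
GROUP BY d.name, d.recovery_model_desc;
```

A system database with no last_full, a user database in FULL recovery with no last_log, or a non-zero unencrypted_backup_count is a finding against items 10 and 11.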