TickYouOff

Microsoft SQL Server 2016 Security Checklist (Y26M01)

Difficulty: Hard · 20 items · about 4 hours
Published by testuser, 4 weeks ago

A practical checklist to harden Microsoft SQL Server 2016 according to DISA STIG guidance. Designed for DBAs, IT security teams, and administrators who need a concise set of actions to improve server security and compliance.

Source: https://ncp.nist.gov/checklist/838

  1. Backup all databases and system databases — Create full backups of user DBs plus master, msdb, and model before changes.
  2. Apply latest SQL Server cumulative updates and security patches — Install Microsoft CUs and security updates for SQL Server 2016.
  3. Restart SQL Server services after patching — Restart to complete patch installation and verify service health.
  4. Enforce least-privilege service accounts — Run SQL services under dedicated, low-privileged domain or local accounts.
  5. Restrict membership in the sysadmin fixed server role — Remove unnecessary accounts and document required sysadmin users.
  6. Disable or remove unused features and services — Turn off unneeded components and endpoints. The SQL Browser service can be stopped only if named instances listen on fixed ports and clients specify them; a default instance on TCP/1433 does not need it.
  7. Disable xp_cmdshell and other unsafe extended procedures — Set 'xp_cmdshell' and 'Ole Automation Procedures' to 0 with sp_configure and verify in sys.configurations; both give a SQL login a path to the operating system under the service account.
  8. Enforce strong password policies and account lockout — Prefer Windows authentication so domain policy applies. For SQL logins that must exist, keep CHECK_POLICY and CHECK_EXPIRATION ON so complexity, expiration, and lockout are inherited from the host's Windows policy.
  9. Enable and enforce TLS encryption for data in transit — Install a certificate from a trusted CA whose subject matches the server's FQDN and has the Server Authentication EKU, then set Force Encryption to Yes on the instance's network protocols in SQL Server Configuration Manager and restart the service. Clients should leave TrustServerCertificate off so the certificate is actually validated.
  10. Configure Transparent Data Encryption (TDE) for sensitive DBs — Enable TDE and back up the certificate and its private key to protected offline storage before encrypting; without that backup an encrypted database backup cannot be restored on another instance. TDE protects data files and backups at rest only, not data read by an authorized login.
  11. Enable and configure auditing — Turn on audits to capture security-relevant server and DB events.
  12. Create server and database audit specifications — Include logins, schema changes, privilege use, and admin actions.
  13. Route audit logs to a secure external destination (SIEM) — Write the audit to files on a volume the DBA role cannot modify, or target the Windows Security log (the service account needs the Generate security audits right and Audit object access must be enabled), then forward with WEF or a SIEM agent so a local compromise cannot erase the trail.
  14. Configure regular vulnerability scans and STIG compliance checks — Use DISA STIG XCCDF, CIS tools, or vulnerability scanners regularly.
  15. Harden database permissions and remove public access — Grant least privilege for schemas, roles, and objects.
  16. Secure backups and test restore procedures — Encrypt backups, store offsite, and validate restores regularly.
  17. Maintain and review SQL Server logs and failed login alerts — Monitor error logs, agent logs, and configure alerts for failures.
  18. Apply OS hardening and firewall rules for SQL ports — Harden Windows host and restrict TCP/1433 (and other) access.
  19. Disable or harden legacy authentication protocols — Prefer Kerberos over NTLM: register the MSSQLSvc SPNs for the service account so Kerberos can actually be negotiated, confirm with auth_scheme in sys.dm_exec_connections, and restrict NTLM at the host or domain level where it is no longer needed.
  20. Document configuration, patch schedule, and recovery plans — Keep runbooks, change logs, and contacts up to date.
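The following T-SQL is an added example, not part of the checklist or of the DISA STIG itself, and shows one way to carry out items 5, 7, 11, 12 and 15 on a single instance. It assumes it is run by a sysadmin on SQL Server 2016, that the folder D:\SQLAudit\ exists and is writable by the SQL Server service account, and that the names STIG_Audit, STIG_Server_Spec and CONTOSO\old_dba are illustrative.

```sql
-- Added example, not page or STIG code: T-SQL for checklist items 5, 7, 11, 12 and 15.
-- Assumptions: run as sysadmin on SQL Server 2016; D:\SQLAudit\ exists and the service
-- account can write to it; STIG_Audit, STIG_Server_Spec, CONTOSO\old_dba are illustrative.
USE master;
GO

-- Item 5: list every sysadmin member so each one can be justified or removed.
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';
-- Removing a member that is no longer needed (hypothetical login):
-- ALTER SERVER ROLE sysadmin DROP MEMBER [CONTOSO\old_dba];

-- Item 7: switch off the extended procedures that reach the operating system.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
-- Verify: value and value_in_use must both be 0.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');

-- Item 15: public should hold nothing beyond its defaults (CONNECT on the built-in
-- endpoints and VIEW ANY DATABASE). Any other row is a grant someone added and
-- needs a justification or a REVOKE.
SELECT p.class_desc, p.permission_name, p.state_desc, e.name AS endpoint_name
FROM sys.server_permissions AS p
JOIN sys.server_principals AS sp ON sp.principal_id = p.grantee_principal_id
LEFT JOIN sys.endpoints AS e
       ON p.class_desc = 'ENDPOINT' AND e.endpoint_id = p.major_id
WHERE sp.name = N'public';

-- Items 11 and 12: a file-based server audit that stops the instance if it can no
-- longer record events (ON_FAILURE = FAIL_OPERATION is the less drastic option).
IF NOT EXISTS (SELECT 1 FROM sys.server_audits WHERE name = N'STIG_Audit')
BEGIN
    CREATE SERVER AUDIT STIG_Audit
    TO FILE (FILEPATH = N'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 50)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
END;
GO

IF NOT EXISTS (SELECT 1 FROM sys.server_audit_specifications
               WHERE name = N'STIG_Server_Spec')
BEGIN
    CREATE SERVER AUDIT SPECIFICATION STIG_Server_Spec
    FOR SERVER AUDIT STIG_Audit
        ADD (FAILED_LOGIN_GROUP),                 -- logins
        ADD (SUCCESSFUL_LOGIN_GROUP),
        ADD (LOGIN_CHANGE_PASSWORD_GROUP),
        ADD (SERVER_PRINCIPAL_CHANGE_GROUP),      -- admin actions
        ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
        ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
        ADD (SERVER_PERMISSION_CHANGE_GROUP),     -- privilege use
        ADD (DATABASE_PERMISSION_CHANGE_GROUP),
        ADD (SCHEMA_OBJECT_CHANGE_GROUP),         -- schema changes
        ADD (SERVER_OBJECT_CHANGE_GROUP),
        ADD (AUDIT_CHANGE_GROUP)                  -- tampering with the audit itself
    WITH (STATE = ON);
END;
GO

ALTER SERVER AUDIT STIG_Audit WITH (STATE = ON);
GO

-- Verify the audit is enabled and that events are actually being written.
SELECT name, is_state_enabled, on_failure_desc FROM sys.server_audits;
SELECT event_time, action_id, succeeded, server_principal_name, statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\*', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

Run the sysadmin and public queries before and after the change and keep the output with the change record (item 20). ON_FAILURE = SHUTDOWN requires the executing login to hold SHUTDOWN permission, and it means a full audit volume takes the instance down, so size the volume and rollover settings accordingly or choose FAIL_OPERATION after documenting the risk.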
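For item 10, the following T-SQL is an added example (not from the checklist page) of enabling TDE in the order that avoids an unrecoverable database. It assumes a user database named SalesDB, a certificate named TDE_Cert, a backup folder D:\Keys\ writable by the service account, and that the two placeholder passwords are replaced with strong values kept outside the script.

```sql
-- Added example, not page or STIG code: TDE for checklist item 10.
-- Assumptions: SalesDB, TDE_Cert and D:\Keys\ are illustrative; replace both
-- placeholder passwords and store them in a vault, not in this file.
USE master;
GO

-- The database master key in master protects the TDE certificate's private key.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = N'##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong DMK password>';
GO

IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = N'TDE_Cert')
    CREATE CERTIFICATE TDE_Cert WITH SUBJECT = N'TDE certificate for SalesDB';
GO

-- Back up the certificate and private key BEFORE encrypting anything. A backup of
-- SalesDB taken after TDE is on cannot be restored elsewhere without these files.
BACKUP CERTIFICATE TDE_Cert
    TO FILE = N'D:\Keys\TDE_Cert.cer'
    WITH PRIVATE KEY (FILE = N'D:\Keys\TDE_Cert.pvk',
                      ENCRYPTION BY PASSWORD = N'<strong PVK password>');
GO

USE SalesDB;
GO
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys
               WHERE database_id = DB_ID(N'SalesDB'))
    CREATE DATABASE ENCRYPTION KEY
        WITH ALGORITHM = AES_256
        ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO

-- Verify: encryption_state 2 = encryption in progress, 3 = encrypted.
-- tempdb appears here too; it is encrypted automatically once any user DB uses TDE.
SELECT DB_NAME(database_id) AS database_name, encryption_state,
       key_algorithm, key_length, percent_complete
FROM sys.dm_database_encryption_keys;
```

Move the .cer and .pvk files off the database server and test a restore of SalesDB on a second instance (CREATE CERTIFICATE ... FROM FILE ... WITH PRIVATE KEY before RESTORE DATABASE) as part of item 16; a TDE backup that has never been restored elsewhere is not a verified backup.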