Microsoft SQL Server 2022 Security Checklist (STIG)
Hard · 17 items · 3 hours · testuser · Published 4 weeks ago
This checklist condenses the main hardening tasks from the DISA Microsoft SQL Server 2022 STIG into a form a general audience can work through. Use it to guide configuration, patching, and auditing of SQL Server instances in managed environments; it is a summary, not a substitute for the STIG's own check and fix text, which remains the authoritative reference for each control.
- Verify FIPS-compliant OS deployment — Ensure the host OS runs with FIPS 140-2/140-3 validated cryptographic modules; on Windows this is the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" policy, which SQL Server inherits for its own TLS and encryption operations.
- Apply latest SQL Server patches and cumulative updates — Install the current cumulative update (CU) and any GDR security fixes for SQL Server 2022, since security fixes are shipped only through those channels, and track Microsoft's support lifecycle so the instance never runs an unsupported build.
- Apply Windows and network STIGs to the database host — Implement OS and network STIG controls that affect the DBMS host.
- Restrict sysadmin and high-privilege logins — Review sys.server_role_members for sysadmin, securityadmin and serveradmin, and sys.server_permissions for CONTROL SERVER and IMPERSONATE ANY LOGIN; remove members that have no documented need and re-audit them on a schedule.
- Secure or disable the 'sa' account — Disable and rename the built-in sa login (it keeps SID 0x01 after renaming, so tooling can still find it) and give it a strong password even while disabled; never use it as an application login.
- Harden SQL Server instance configuration — Review sys.configurations and turn off every feature the instance does not need; the three items below are the ones most often abused after a compromise.
- Disable xp_cmdshell — Set sp_configure 'xp_cmdshell' to 0 so OS commands cannot be run from within SQL Server under the service account or the xp_cmdshell proxy account.
- Disable SQL CLR if not required — Set 'clr enabled' to 0 and drop user assemblies; where CLR is genuinely required, keep 'clr strict security' at 1 and sign assemblies rather than marking the database TRUSTWORTHY.
- Disable ad hoc distributed queries — Set 'Ad Hoc Distributed Queries' to 0 so OPENROWSET/OPENDATASOURCE cannot reach arbitrary OLE DB sources; use linked servers with explicit login mappings where remote access is needed.
- Configure least privilege for SQL Server service accounts — Run the engine, Agent and Browser under dedicated, non-interactive accounts (virtual accounts, gMSAs or dedicated domain accounts) holding only the rights SQL Server Setup grants; never local Administrator or a domain admin.
- Install and bind a valid TLS certificate for SQL Server — Bind a certificate from a CA the clients trust, with a subject or SAN matching the name clients connect to, so clients can verify the server identity; the self-signed certificate SQL Server generates at startup encrypts traffic but cannot be validated.
- Force TLS encrypted connections — Set Force Encryption = Yes in SQL Server Configuration Manager (or Force Strict Encryption, new in SQL Server 2022, which uses TLS 1.3 and encrypts the whole TDS stream including the login), disable TLS 1.0/1.1 at the OS level, and require ENCRYPTION on Always On and mirroring endpoints for inter-node traffic.
- Enable Transparent Data Encryption (TDE) or equivalent — Encrypt data and log files and their backups at rest with TDE (or Always Encrypted where column-level protection is needed); back up the database encryption certificate and private key separately from the database backups, since a backup cannot be restored without the certificate and a certificate stored next to the backup defeats the control.
- Configure and retain comprehensive audit logging — Create a SQL Server Audit with server and database audit specifications covering successful and failed logins, DDL, permission and role changes and privileged actions; write it to a protected file location or the Security log, retain it per policy, and set ON_FAILURE so audit failures are not silently ignored.
- Configure host and network firewall rules for SQL ports — Restrict the instance's TCP port (1433 or its static port), SQL Browser UDP 1434 and the DAC port to authorized hosts and subnets; disable SQL Browser where named instances are not required.
- Regularly backup system and user databases and secure backups — Schedule full, differential and log backups of system and user databases, encrypt them (BACKUP ... WITH ENCRYPTION or TDE), restrict access to the backup location, and test restores.
- Enforce strong authentication and password policies; enable MFA for admins where possible — Prefer Windows (Kerberos) or Microsoft Entra authentication over SQL logins; where SQL logins remain, create them with CHECK_POLICY and CHECK_EXPIRATION so they inherit the OS password policy, and give administrators MFA through Entra or smart-card Windows logon.
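The following T-SQL script is an added worked example, not part of the original checklist or of the STIG's own check text. It reads the instance's catalog views and DMVs to report on several items above (surface-area options, the sa login, sysadmin membership, encryption in transit, TDE, and auditing) and prints PASS, FAIL or REVIEW per finding. It assumes it is run by a sysadmin (or a login with VIEW SERVER STATE and VIEW ANY DEFINITION), that databases with database_id above 4 are user databases, and that "network sessions" means every connection not using shared memory; the pass criteria encode the checklist wording, not official STIG check procedures.

```sql
-- Added compliance check (constructed example, not STIG check text).
-- Run as a member of sysadmin (or with VIEW SERVER STATE and VIEW ANY DEFINITION).
-- Read-only: it reports findings and changes nothing.
SET NOCOUNT ON;

DECLARE @findings TABLE (
    item      nvarchar(60),
    setting   nvarchar(128),
    actual    nvarchar(256),
    compliant bit            -- 1 = pass, 0 = fail, NULL = needs human review
);

-- Instance surface area: xp_cmdshell, CLR, ad hoc distributed queries.
-- sys.configurations exposes both the configured and the running value; a pending
-- RECONFIGURE can leave them different, so both must be 0 to pass.
INSERT INTO @findings
SELECT 'Instance surface area', c.name,
       CONCAT('configured=', CAST(c.value AS int), ' running=', CAST(c.value_in_use AS int)),
       CASE WHEN CAST(c.value AS int) = 0 AND CAST(c.value_in_use AS int) = 0 THEN 1 ELSE 0 END
FROM sys.configurations AS c
WHERE c.name IN ('xp_cmdshell', 'clr enabled', 'Ad Hoc Distributed Queries');

-- sa: the built-in login keeps SID 0x01 even after being renamed, so look it up by SID.
INSERT INTO @findings
SELECT 'sa login', p.name,
       CONCAT('disabled=', p.is_disabled, ' renamed=', CASE WHEN p.name <> 'sa' THEN 1 ELSE 0 END),
       CASE WHEN p.is_disabled = 1 AND p.name <> 'sa' THEN 1 ELSE 0 END
FROM sys.server_principals AS p
WHERE p.sid = 0x01;

-- sysadmin membership: every member is listed for review rather than judged automatically.
INSERT INTO @findings
SELECT 'sysadmin membership', m.name,
       CONCAT('type=', m.type_desc, ' disabled=', m.is_disabled), NULL
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- Encryption in transit: Force Encryption itself lives in the registry, not in a DMV,
-- so this checks the observable effect: are all current network sessions encrypted?
INSERT INTO @findings
SELECT 'Encrypted connections', 'sys.dm_exec_connections',
       CONCAT(SUM(CASE WHEN encrypt_option = 'TRUE' THEN 1 ELSE 0 END), ' of ', COUNT(*),
              ' network sessions encrypted'),
       CASE WHEN COUNT(*) = 0 THEN NULL
            WHEN MIN(CASE WHEN encrypt_option = 'TRUE' THEN 1 ELSE 0 END) = 1 THEN 1
            ELSE 0 END
FROM sys.dm_exec_connections
WHERE net_transport <> 'Shared memory';

-- TDE: encryption_state 3 means fully encrypted (2 = encryption in progress).
-- System databases are excluded: master/model/msdb cannot use TDE and tempdb is
-- encrypted automatically once any user database is.
INSERT INTO @findings
SELECT 'TDE at rest', d.name,
       CONCAT('encryption_state=', ISNULL(k.encryption_state, 0),
              ' algorithm=', ISNULL(k.encryption_algorithm_desc, 'none')),
       CASE WHEN k.encryption_state = 3 THEN 1 ELSE 0 END
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k ON k.database_id = d.database_id
WHERE d.database_id > 4;

-- Auditing: an audit must exist, be started, and not silently CONTINUE on failure.
IF NOT EXISTS (SELECT 1 FROM sys.server_audits)
    INSERT INTO @findings VALUES ('Server audit', 'none', 'no server audit object defined', 0);

INSERT INTO @findings
SELECT 'Server audit', a.name,
       CONCAT('status=', s.status_desc, ' on_failure=', a.on_failure_desc),
       CASE WHEN s.status_desc = 'STARTED' AND a.on_failure_desc <> 'CONTINUE' THEN 1 ELSE 0 END
FROM sys.server_audits AS a
JOIN sys.dm_server_audit_status AS s ON s.audit_id = a.audit_id;

SELECT item, setting, actual,
       CASE compliant WHEN 1 THEN 'PASS' WHEN 0 THEN 'FAIL' ELSE 'REVIEW' END AS result
FROM @findings
ORDER BY item, setting;
```

Run it before and after remediation to confirm each change took effect. The three surface-area options are advanced options, so fixing a FAIL there is `EXEC sp_configure 'show advanced options', 1; RECONFIGURE;` followed by, for example, `EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;`; the "configured" and "running" values in the report will differ until RECONFIGURE runs. The encrypted-connections row only proves that the sessions open at that moment were encrypted, so it should be read alongside the Force Encryption setting in SQL Server Configuration Manager, which is the control the checklist actually asks for.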