TickYouOff

SQL Server 2016 STIG Checklist

Hard 14 items · 4 hours
testuser Published 1 month ago

This checklist summarizes core tasks to bring a Microsoft SQL Server 2016 instance into alignment with DISA STIG guidance. It’s for DBAs, system administrators, and security teams responsible for hardening, patching, auditing, and documenting SQL Server instances in managed environments.

Source: https://ncp.nist.gov/checklist/838

  1. Backup system and user databases — Take full backups of system and user DBs before making configuration changes.
  2. Configure secure backup storage and encrypt backups — Store backups off-server and enable encryption to protect backups at rest.
  3. Apply latest Windows and SQL Server updates — Install relevant security patches and cumulative updates for OS and SQL Server.
  4. Verify SQL Server service accounts use least-privilege — Replace local admin accounts with dedicated low-privilege domain or managed service accounts.
  5. Harden SQL Server logins and accounts
  6. Disable or rename the SA account — Disable or rename the built-in SA account and ensure no apps rely on it.
  7. Enforce password complexity and expiration for SQL logins — Enable policy enforcement and set appropriate rotation periods.
  8. Disable xp_cmdshell and other dangerous extended procedures — Turn off xp_cmdshell and unused extended stored procedures to reduce attack surface.
  9. Restrict network protocols and enforce encryption — Disable unused protocols and require TLS for client connections.
  10. Enable and configure Transparent Data Encryption (TDE) for sensitive DBs — Protect data at rest; manage and back up keys securely.
  11. Configure server and database auditing — Enable audit of logins, privilege changes, and schema changes; retain logs securely.
  12. Configure and review SQL Server permissions and roles — Apply least-privilege for logins, remove unnecessary dbo/sysadmin assignments.
  13. Review DISA STIG resources and apply automated XCCDF/SCC content — Download and reference the STIG XCCDF and SCC content from DISA for automated checks.
  14. Document changes and schedule regular STIG compliance scans — Record configuration changes, baseline, and plan periodic scans and remediation.
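The T-SQL below is an added example, not part of the original checklist or the DISA content it cites: a set of read-only verification queries for items 6, 7, 8, 10, 11 and 12, written so that each query returns rows only where a finding exists (an empty result set means the item passes). It assumes the reviewer runs it on the instance under review with sysadmin membership or the VIEW SERVER STATE and VIEW ANY DEFINITION permissions.

```sql
-- Added example: read-only STIG-style checks for the checklist items above.
-- Each query lists findings only; no query changes configuration.

-- Item 8: xp_cmdshell must be disabled (value_in_use = 0).
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell' AND value_in_use = 1;
-- Remediation: EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;

-- Item 6: the built-in SA login is identified by its fixed SID 0x01, not by
-- name, so a renamed-but-still-enabled SA account is reported here as well.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE sid = 0x01 AND is_disabled = 0;
-- Remediation: ALTER LOGIN [sa] DISABLE;  (use the current name if renamed)

-- Item 7: enabled SQL-authenticated logins that bypass Windows password
-- policy or expiration enforcement.
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_disabled = 0
  AND (is_policy_checked = 0 OR is_expiration_checked = 0);
-- Remediation: ALTER LOGIN [login_name]
--                WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- Item 12: every member of the sysadmin fixed server role; compare each
-- row against the documented list of authorised administrators.
SELECT m.name AS member_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- Item 10: user databases (ids 1-4 are master, tempdb, model, msdb) that are
-- not protected by Transparent Data Encryption.
SELECT name
FROM sys.databases
WHERE database_id > 4 AND is_encrypted = 0;

-- Item 11: server audits that are defined but not currently enabled;
-- an instance with no rows here and no audits at all still fails the item,
-- so also confirm that at least one audit exists.
SELECT name, is_state_enabled
FROM sys.server_audits
WHERE is_state_enabled = 0;
```

Record each non-empty result set with the checklist item number in the change documentation called for in item 14, so the next compliance scan can confirm the remediation.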