STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.


MS SQL Server 2016 Instance Security Technical Implementation Guide

Version: V3R6

Benchmark ID: MS_SQL_Server_2016_Instance_STIG

Total Checks: 84

Tags: database

CAT I: 13, CAT II: 69, CAT III: 2

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Checks (84)

  • V-213929 [MEDIUM] SQL Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.
  • V-213930 [HIGH] SQL Server must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
  • V-213931 [MEDIUM] SQL Server must be configured to utilize the most-secure authentication method available.
  • V-213932 [HIGH] SQL Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
  • V-213933 [MEDIUM] SQL Server must protect against a user falsely repudiating by ensuring all accounts are individual, unique, and not shared.
  • V-213934 [MEDIUM] SQL Server must protect against a user falsely repudiating by ensuring the NT AUTHORITY SYSTEM account is not used for administration.
  • V-213935 [MEDIUM] SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the instance.
  • V-213936 [MEDIUM] SQL Server must be configured to generate audit records for DoD-defined auditable events within all DBMS/database components.
  • V-213937 [MEDIUM] SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
  • V-213939 [MEDIUM] SQL Server must generate audit records when attempts to access privileges, categorized information, and security objects occur.
  • V-213940 [MEDIUM] SQL Server must initiate session auditing upon startup.
  • V-213941 [MEDIUM] SQL Server must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.
  • V-213942 [MEDIUM] SQL Server must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.
  • V-213943 [MEDIUM] SQL Server must be configurable to overwrite audit log records, oldest first (First-In-First-Out - FIFO), in the event of unavailability of space for more audit log records.
  • V-213944 [MEDIUM] The audit information produced by SQL Server must be protected from unauthorized access, modification, and deletion.
  • V-213948 [MEDIUM] SQL Server must protect its audit configuration from authorized and unauthorized access and modification.
  • V-213950 [MEDIUM] SQL Server must limit privileges to change software modules and links to software external to SQL Server.
  • V-213951 [MEDIUM] SQL Server must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to SQL Server.
  • V-213952 [HIGH] SQL Server software installation account must be restricted to authorized users.
  • V-213953 [MEDIUM] Database software, including DBMS configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
  • V-213954 [MEDIUM] Default demonstration and sample databases, database objects, and applications must be removed.
  • V-213955 [MEDIUM] Unused database components, DBMS software, and database objects must be removed.
  • V-213956 [MEDIUM] Unused database components that are integrated in SQL Server and cannot be uninstalled must be disabled.
  • V-213957 [MEDIUM] Access to xp_cmdshell must be disabled, unless specifically required and approved.
  • V-213958 [MEDIUM] Access to CLR code must be disabled or restricted, unless specifically required and approved.
  • V-213959 [MEDIUM] Access to Non-Standard extended stored procedures must be disabled or restricted, unless specifically required and approved.
  • V-213960 [MEDIUM] Access to linked servers must be disabled or restricted, unless specifically required and approved.
  • V-213961 [MEDIUM] SQL Server must be configured to prohibit or restrict the use of organization-defined protocols as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.
  • V-213964 [HIGH] If DBMS authentication using passwords is employed, SQL Server must enforce the DOD standards for password complexity and lifetime.
  • V-213965 [MEDIUM] Contained databases must use Windows principals.
  • V-213966 [HIGH] If passwords are used for authentication, SQL Server must transmit only encrypted representations of passwords.
  • V-213967 [HIGH] Confidentiality of information during transmission is controlled through the use of an approved TLS version.
  • V-213968 [HIGH] SQL Server must enforce authorized access to all PKI private keys stored/utilized by SQL Server.
  • V-213969 [HIGH] SQL Server must use NIST FIPS 140-2/140-3-validated cryptographic operations for encryption, hashing, and signing.
  • V-213970 [MEDIUM] SQL Server must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
  • V-213972 [HIGH] SQL Server must protect the confidentiality and integrity of all information at rest.
  • V-213973 [MEDIUM] The Service Master Key must be backed up and stored in a secure location that is not on the SQL Server.
  • V-213974 [MEDIUM] The Master Key must be backed up and stored in a secure location that is not on the SQL Server.
  • V-213975 [MEDIUM] SQL Server must prevent unauthorized and unintended information transfer via shared system resources.
  • V-213976 [MEDIUM] SQL Server must prevent unauthorized and unintended information transfer via Instant File Initialization (IFI).
  • V-213977 [MEDIUM] Access to database files must be limited to relevant processes and to authorized, administrative users.
  • V-213978 [MEDIUM] SQL Server must reveal detailed error messages only to documented and approved individuals or roles.
  • V-213979 [MEDIUM] SQL Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
  • V-213980 [MEDIUM] Use of credentials and proxies must be restricted to necessary cases only.
  • V-213983 [MEDIUM] SQL Server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
  • V-213984 [MEDIUM] SQL Server must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity.
  • V-213985 [MEDIUM] SQL Server must provide an immediate real-time alert to appropriate support staff of all audit log failures.
  • V-213986 [MEDIUM] SQL Server must record time stamps in audit records and application data that can be mapped to Coordinated Universal Time (UTC, formerly GMT).
  • V-213987 [MEDIUM] SQL Server must enforce access restrictions associated with changes to the configuration of the instance.
  • V-213988 [MEDIUM] Windows must enforce access restrictions associated with changes to the configuration of the SQL Server instance.
  • V-213989 [MEDIUM] SQL Server must produce audit records when attempts to modify SQL Server configuration and privileges occur within the database(s).
  • V-213991 [MEDIUM] SQL Server must maintain a separate execution domain for each executing process.
  • V-213992 [MEDIUM] SQL Server services must be configured to run under unique dedicated user accounts.
  • V-213993 [MEDIUM] When updates are applied to SQL Server software, any software components that have been replaced or made unnecessary must be removed.
  • V-213994 [MEDIUM] Security-relevant software updates to SQL Server must be installed within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).
  • V-214000 [MEDIUM] SQL Server must generate audit records when successful and unsuccessful attempts to add privileges/permissions occur.
  • V-214002 [MEDIUM] SQL Server must generate audit records when successful and unsuccessful attempts to modify privileges/permissions occur.
  • V-214004 [MEDIUM] SQL Server must generate audit records when successful and unsuccessful attempts to modify security objects occur.
  • V-214008 [MEDIUM] SQL Server must generate audit records when successful and unsuccessful attempts to delete privileges/permissions occur.
  • V-214014 [MEDIUM] SQL Server must generate audit records when successful and unsuccessful logons or connection attempts occur.
  • V-214021 [MEDIUM] SQL Server must generate audit records for all direct access to the database(s).
  • V-214025 [MEDIUM] The system SQL Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.
  • V-214026 [MEDIUM] SQL Server must configure Customer Feedback and Error Reporting.
  • V-214027 [MEDIUM] SQL Server must configure SQL Server Usage and Error Reporting Auditing.
  • V-214028 [HIGH] The SQL Server default account [sa] must be disabled.
  • V-214029 [MEDIUM] SQL Server default account [sa] must have its name changed.
  • V-214030 [MEDIUM] Execution of startup stored procedures must be restricted to necessary cases only.
  • V-214031 [MEDIUM] SQL Server Mirroring endpoint must utilize AES encryption.
  • V-214032 [MEDIUM] SQL Server Service Broker endpoint must utilize AES encryption.
  • V-214033 [MEDIUM] SQL Server execute permissions to access the registry must be revoked, unless specifically required and approved.
  • V-214034 [MEDIUM] Filestream must be disabled, unless specifically required and approved.
  • V-214035 [MEDIUM] Ole Automation Procedures feature must be disabled, unless specifically required and approved.
  • V-214036 [MEDIUM] SQL Server User Options feature must be disabled, unless specifically required and approved.
  • V-214037 [MEDIUM] Remote Access feature must be disabled, unless specifically required and approved.
  • V-214038 [MEDIUM] Hadoop Connectivity feature must be disabled, unless specifically required and approved.
  • V-214039 [MEDIUM] Allow Polybase Export feature must be disabled, unless specifically required and approved.
  • V-214040 [MEDIUM] Remote Data Archive feature must be disabled, unless specifically required and approved.
  • V-214041 [MEDIUM] SQL Server External Scripts Enabled feature must be disabled, unless specifically required and approved.
  • V-214042 [LOW] The SQL Server Browser service must be disabled unless specifically required and approved.
  • V-214043 [MEDIUM] SQL Server Replication Xps feature must be disabled, unless specifically required and approved.
  • V-214044 [LOW] If the SQL Server Browser Service is specifically required and approved, SQL instances must be hidden.
  • V-214045 [HIGH] When using command-line tools such as SQLCMD in a mixed-mode authentication environment, users must use a logon method that does not expose the password.
  • V-214046 [HIGH] Applications must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
  • V-265870 [HIGH] Microsoft SQL Server products must be a version supported by the vendor.