Microsoft SQL Server 2022 Instance Security Technical Implementation Guide

Version: V1R4

Benchmark ID: MS_SQL_Server_2022_Instance_STIG

Total Checks: 79

Tags: database

CAT I: 14, CAT II: 65, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (79)

V-271263 (MEDIUM): SQL Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.
V-271264 (HIGH): SQL Server must be configured to use the most-secure authentication method available.
V-271265 (HIGH): SQL Server must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
V-271266 (HIGH): SQL Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
V-271267 (MEDIUM): SQL Server must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the instance.
V-271268 (MEDIUM): SQL Server must protect against a user falsely repudiating by ensuring the NT AUTHORITY SYSTEM account is not used for administration.
V-271269 (MEDIUM): SQL Server must protect against a user falsely repudiating by ensuring all accounts are individual, unique, and not shared.
V-271270 (MEDIUM): SQL Server must be configured to generate audit records for DOD-defined auditable events within all DBMS/database components.
V-271271 (MEDIUM): SQL Server must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
V-271272 (MEDIUM): SQL Server must generate audit records when attempts to access privileges, categorized information, and security objects occur.
V-271273 (MEDIUM): SQL Server must initiate session auditing upon startup.
V-271280 (MEDIUM): SQL Server must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.
V-271282 (MEDIUM): The audit information produced by SQL Server must be protected from unauthorized access, modification, and deletion.
V-271283 (MEDIUM): SQL Server must protect its audit configuration from authorized and unauthorized access and modification.
V-271284 (MEDIUM): SQL Server must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to SQL Server.
V-271285 (MEDIUM): SQL Server must limit privileges to change software modules and links to software external to SQL Server.
V-271286 (HIGH): SQL Server software installation account must be restricted to authorized users.
V-271287 (MEDIUM): Database software, including DBMS configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
V-271290 (MEDIUM): Default demonstration and sample databases, database objects, and applications must be removed.
V-271291 (MEDIUM): Unused database components, DBMS software, and database objects must be removed.
V-271292 (MEDIUM): The SQL Server Replication Xps feature must be disabled unless specifically required and approved.
V-271293 (MEDIUM): The SQL Server External Scripts Enabled feature must be disabled, unless specifically required and approved.
V-271295 (MEDIUM): The remote Data Archive feature must be disabled unless specifically required and approved.
V-271296 (MEDIUM): The "Allow Polybase Export" feature must be disabled, unless specifically required and approved.
V-271297 (MEDIUM): The "Hadoop Connectivity" feature must be disabled unless specifically required and approved.
V-271298 (MEDIUM): The "Remote Access" feature must be disabled unless specifically required and approved.
V-271299 (MEDIUM): Access to linked servers must be disabled or restricted, unless specifically required and approved.
V-271300 (MEDIUM): Access to nonstandard, extended stored procedures must be disabled or restricted, unless specifically required and approved.
V-271301 (MEDIUM): Access to common language runtime (CLR) code must be disabled or restricted unless specifically required and approved.
V-271302 (MEDIUM): Access to xp_cmdshell must be disabled unless specifically required and approved.
V-271303 (MEDIUM): SQL Server must be configured to prohibit or restrict the use of organization-defined ports, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.
V-271304 (MEDIUM): SQL Server must be configured to prohibit or restrict the use of organization-defined protocols as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.
V-271305 (MEDIUM): SQL Server must uniquely identify and authenticate users (or processes acting on behalf of organizational users).
V-271306 (HIGH): Contained databases must use Windows principals.
V-271307 (HIGH): If DBMS authentication using passwords is employed, SQL Server must enforce the DOD standards for password complexity and lifetime.
V-271309 (HIGH): If passwords are used for authentication, SQL Server must transmit only encrypted representations of passwords.
V-271310 (HIGH): Confidentiality of information during transmission must be controlled through the use of an approved TLS version.
V-271313 (HIGH): When using command-line tools such as SQLCMD in a mixed-mode authentication environment, users must use a logon method that does not expose the password.
V-271314 (HIGH): SQL Server must use NIST FIPS 140-2 or 140-3 validated cryptographic operations for encryption, hashing, and signing.
V-271322 (HIGH): The Master Key must be backed up and stored in a secure location that is not on the SQL Server.
V-271323 (HIGH): The Service Master Key must be backed up and stored in a secure location that is not on the SQL Server.
V-271324 (HIGH): SQL Server must protect the confidentiality and integrity of all information at rest.
V-271327 (MEDIUM): SQL Server must prevent unauthorized and unintended information transfer via Instant File Initialization (IFI).
V-271328 (MEDIUM): SQL Server must prevent unauthorized and unintended information transfer via shared system resources.
V-271329 (MEDIUM): Access to database files must be limited to relevant processes and to authorized, administrative users.
V-271331 (MEDIUM): SQL Server and associated applications must reserve the use of dynamic code execution for situations that require it.
V-271332 (MEDIUM): SQL Server and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
V-271334 (MEDIUM): SQL Server must reveal detailed error messages only to documented and approved individuals or roles.
V-271341 (MEDIUM): SQL Server must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
V-271342 (MEDIUM): Use of credentials and proxies must be restricted to necessary cases only.
V-271343 (MEDIUM): SQL Server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
V-271344 (MEDIUM): SQL Server must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75 percent of maximum audit record storage capacity.
V-271345 (MEDIUM): SQL Server must provide an immediate real-time alert to appropriate support staff of all audit log failures.
V-271346 (MEDIUM): SQL Server must record time stamps in audit records and application data that can be mapped to Coordinated Universal Time (UTC), formerly Greenwich Mean Time (GMT).
V-271349 (MEDIUM): Windows must enforce access restrictions associated with changes to the configuration of the SQL Server instance.
V-271350 (MEDIUM): SQL Server must enforce access restrictions associated with changes to the configuration of the instance.
V-271351 (MEDIUM): SQL Server must produce audit records when attempts to modify SQL Server configuration and privileges occur within the database(s).
V-271358 (MEDIUM): SQL Server services must be configured to run under unique dedicated user accounts.
V-271359 (MEDIUM): SQL Server must maintain a separate execution domain for each executing process.
V-271362 (MEDIUM): When invalid inputs are received, the SQL Server must behave in a predictable and documented manner that reflects organizational and system objectives.
V-271364 (MEDIUM): Security-relevant software updates to SQL Server must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
V-271365 (HIGH): Microsoft SQL Server products must be a version supported by the vendor.
V-271370 (MEDIUM): SQL Server must generate audit records when successful and unsuccessful attempts to modify or delete security objects occur.
V-271375 (MEDIUM): SQL Server must generate audit records when successful and unsuccessful logons or connection attempts occur.
V-271381 (MEDIUM): SQL Server must generate audit records for all direct access to the database(s).
V-271385 (MEDIUM): The system SQL Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.
V-271387 (MEDIUM): The SQL Server Browser service must be disabled unless specifically required and approved.
V-271388 (MEDIUM): SQL Server must configure SQL Server Usage and Error Reporting Auditing.
V-271389 (MEDIUM): SQL Server must configure Customer Feedback and Error Reporting.
V-271400 (MEDIUM): SQL Server must, for password-based authentication, require immediate selection of a new password upon account recovery.
V-274444 (MEDIUM): The SQL Server default account [sa] must be disabled.
V-274445 (MEDIUM): The SQL Server default account [sa] must have its name changed.
V-274446 (MEDIUM): Execution of startup stored procedures must be restricted to necessary cases only.
V-274447 (MEDIUM): The SQL Server Mirroring endpoint must use AES encryption.
V-274448 (MEDIUM): The SQL Server Service Broker endpoint must use AES encryption.
V-274449 (MEDIUM): SQL Server execute permissions to access the registry must be revoked unless specifically required and approved.
V-274450 (MEDIUM): Filestream must be disabled unless specifically required and approved.
V-274451 (MEDIUM): The Ole Automation Procedures feature must be disabled unless specifically required and approved.
V-274452 (MEDIUM): The SQL Server User Options feature must be disabled unless specifically required and approved.