| Database compatibility |
Checks if there is a difference in compatibility levels of databases and the instance. |
| Logins default database check |
This procedure performs two checks. ‘Sysadmin Logins Default Database Check’ which |
| MS SQL Server patch status |
Checks latest updates for Microsoft SQL Server. |
| Ad Hoc Distributed Queries |
Checks if the OPENROWSET and OPENDATASOURCE functions can be used to connect to remote data sources that use OLE DB (DB2, Host File systems, Oracle, etc.). |
| Asymmetric Key size |
Checks that at least a 2048-bit encryption key size is used for asymmetric keys. |
| Auto close database |
Checks if the contained databases are closed or not after a connection terminates. |
| CLR Assembly permission |
Checks if the CLR Assembly permission_set is set to SAFE access. |
| CLR Enabled |
Checks if the assemblies can be run by SQL Server. |
| Command shell setting |
Checks if xp_cmdshell is enabled. As a security best practice, it is recommended to enable it only for the duration of the task that requires it. |
| Contained database credentials |
Checks if the database users in contained databases are using database authentication (authentication_type = 2). |
| Cross DB Ownership Chaining |
Checks cross-database ownership chaining across all databases at the instance level. |
| Database Mail XPs |
Checks the ability to generate and transmit email messages from SQL Server. |
| Default trace enabled |
Checks that ‘Default Trace Enabled’ server configuration option is set to ‘1’. |
| Disabled sa account |
Checks if the ‘sa’ login account (principal_id=1 and sid=0x01) is set to ‘disabled’. |
| Number of ERRORLOG files |
Checks the number of error log files created on the operating file system. |
| Full-Text service account |
Checks if the service account used by the Full-Text service is not a member of the Windows Administrator group. |
| Guest database users |
Checks that the CONNECT permission is revoked for the guest user in every non-system database. |
| Hide Instance |
Checks if the instance is hidden (not exposed by SQL Browser). |
| Instance Authentication Mode |
Checks if the Server Authentication property is set to ‘Windows Authentication Mode’ or ‘Mixed Mode’ authentication. |
| Login audit setting |
Checks if the SQL Server login audit is set to value ‘2’ (none = 0, successful logins only = 1, failed logins only = 2, both failed and successful logins = 3). |
| Login failed and successful setting |
Checks if the SQL Server login audit is set to value ‘3’ (none = 0, successful logins only = 1, failed logins only = 2, both failed and successful logins = 3). |
| Public role |
Checks that the public role in the msdb database is not granted access to SQL Agent proxies. |
| MS SQL service account |
Checks if the service account used by the MSSQLSERVER service is not a member of the Windows Administrator group. |
| Ole Automation Procedures |
Checks whether OLE Automation objects can be instantiated within Transact-SQL batches. |
| Orphaned database users |
Checks if there are orphaned database users (users for which the corresponding SQL Server login is undefined). |
| Password expiration |
Checks that CHECK_EXPIRATION option is set to ‘ON’ for all SQL authenticated logins within the sysadmin role. |
| Password policy |
Checks that CHECK_POLICY option is set to ‘ON’ for all SQL authenticated logins. |
| Public server role |
Checks if extra permissions have been granted to the public server role. |
| Remote access |
Checks if local stored procedures can execute on remote servers or remote stored procedures can execute on the local server. |
| Remote admin connections |
Checks whether a client application on a remote computer can use the Dedicated Administrator Connection (DAC). |
| Renamed sa account |
Checks if the standard ‘sa’ login account (principal_id=1 and sid=0x01) has been renamed. |
| Scan for startup procs |
Checks if MS SQL Server automatically scans for and runs all stored procedures that are set to execute upon service startup. |
| Security and Compliance framework |
dbWatch Security framework job. Used for collecting and analyzing statistics from all Security jobs. |
| SQL Browser |
Checks if the SQL Server Browser is disabled. |
| SQL Server Protocols |
Checks which SQL Server protocols are in use. |
| SQL Agent service account |
Checks if the service account used by the SQL Agent service is not a member of the Windows Administrator group. |
| Standard ports |
Verifies the usage of standard ports, with TCP port 1433 being the default. |
| Symmetric Key encryption |
Checks that only AES_128, AES_192, and AES_256 symmetric key encryption algorithms are in use. |
| Trustworthy |
Checks if the TRUSTWORTHY database option allows database objects to access objects in other databases. |
| Windows BUILTIN groups |
Checks that Windows BUILTIN groups are not SQL Logins. |
| Windows LOCAL groups |
Checks that Windows LOCAL groups are not SQL Logins. |