Jobs in the Security-and-compliance category


Database compatibility Checks if there is a difference in compatibility levels of databases and the instance.
Logins default database check This procedure performs two checks. ‘Sysadmin Logins Default Database Check’ which
MS SQL Server patch status Checks latest updates for Microsoft SQL Server.
Ad Hoc Distributed Queries Checks if the OPENROWSET and OPENDATASOURCE functions can be used to connect to remote data sources that use OLE DB (DB2, Host File systems, Oracle, etc.).
Asymmetric Key size Checks that at least a 2048-bit encryption key size is used for asymmetric keys.
Auto close database Checks if the contained databases are closed or not after a connection terminates.
CLR Assembly permission Checks if the CLR Assembly permission_set is set to SAFE access.
CLR Enabled Checks if the assemblies can be run by SQL Server.
Command shell setting Checks if xp_cmdshell is enabled. As a security best practice, it is recommended to enable it only for the duration of the actual task that requires it.
Contained database credentials Checks if the database users in contained databases are using database authentication (authentication_type = 2).
Cross DB Ownership Chaining Checks cross-database ownership chaining across all databases at the instance level.
Database Mail XPs Checks the ability to generate and transmit email messages from SQL Server.
Default trace enabled Checks that ‘Default Trace Enabled’ server configuration option is set to ‘1’.
Disabled sa account Checks if the ‘sa’ login account (principal_id=1 and sid=0x01) is set to ‘disabled’.
Number of ERRORLOG files Checks the number of error log files created on the operating file system.
Full-Text service account Checks if the service account used by the Full-Text service is not a member of the Windows Administrator group.
Guest database users Checks that CONNECT permission (in every non-system database) is revoked for the guest user.
Hide Instance Checks if the instance is hidden (not exposed by SQL Browser).
Instance Authentication Mode Checks if the Server Authentication property is set to ‘Windows Authentication Mode’ or ‘Mixed Mode’ authentication.
Login audit setting Checks if the SQL Server login audit is set to value ‘2’ (none = 0, successful logins only = 1, failed logins only = 2, both failed and successful logins = 3).
Login failed and successful setting Checks if the SQL Server login audit is set to value ‘3’ (none = 0, successful logins only = 1, failed logins only = 2, both failed and successful logins = 3).
Public role Checks that the public role in the msdb database is not granted access to SQL Agent proxies.
MS SQL service account Checks if the service account used by the MSSQLSERVER service is not a member of the Windows Administrator group.
Ole Automation Procedures Checks whether OLE Automation objects can be instantiated within Transact-SQL batches.
Orphaned database users Checks if there are orphaned database users (users for which the corresponding SQL Server login is undefined).
Password expiration Checks that CHECK_EXPIRATION option is set to ‘ON’ for all SQL authenticated logins within the sysadmin role.
Password policy Checks that CHECK_POLICY option is set to ‘ON’ for all SQL authenticated logins.
Public server role Checks if extra permissions have been granted to the public server role.
Remote access Checks if local stored procedures can execute on remote servers or remote stored procedures on local server.
Remote admin connections Checks whether a client application on a remote computer can use the Dedicated Administrator Connection (DAC).
Renamed sa account Checks if the standard ‘sa’ login account (principal_id=1 and sid=0x01) has been renamed.
Scan for startup procs Checks if MS SQL Server automatically scans and runs all stored procedures that are set to execute upon service startup.
Security and Compliance framework dbWatch Security framework job. Used for collection and analysis of statistics from all Security jobs.
SQL Browser Checks if the SQL Server Browser is disabled.
SQL Server Protocols Checks which SQL Server protocols are in use.
SQL Agent service account Checks if the service account used by the SQL Agent service is not a member of the Windows Administrator group.
Standard ports Verifies the usage of standard ports, with TCP port 1433 being the default.
Symmetric Key encryption Checks that only AES_128, AES_192, and AES_256 symmetric key encryption algorithms are in use.
Trustworthy Checks if the TRUSTWORTHY database option allows database objects to access objects in other databases.
Windows BUILTIN groups Checks that Windows BUILTIN groups are not SQL Logins.
Windows LOCAL groups Checks that Windows LOCAL groups are not SQL Logins.