| Check | Description |
|---|---|
| Database compatibility | Checks if there is a difference between the compatibility levels of the databases and the instance. |
| Logins default database check | This procedure performs two checks. 'Sysadmin Logins Default Database Check' which |
| MS SQL Server patch status | Checks the latest updates for Microsoft SQL Server. |
| Ad Hoc Distributed Queries | Checks if the OPENROWSET and OPENDATASOURCE functions can be used to connect to remote data sources that use OLE DB (DB2, host file systems, Oracle, etc.). |
| Asymmetric Key size | Checks that a key size of at least 2048 bits is used for asymmetric keys. |
| Auto close database | Checks whether contained databases are closed after a connection terminates. |
| CLR Assembly permission | Checks if the CLR assembly permission_set is set to SAFE. |
| CLR Enabled | Checks if assemblies can be run by SQL Server. |
| Command shell setting | Checks if xp_cmdshell is enabled; as a security best practice it is recommended to enable it only for the duration of the task that actually requires it. |
| Contained database credentials | Checks if database users in contained databases are using database authentication (authentication_type = 2). |
| Cross DB Ownership Chaining | Checks cross-database ownership chaining across all databases at the instance level. |
| Database Mail XPs | Checks the ability to generate and transmit email messages from SQL Server. |
| Default trace enabled | Checks that the 'Default Trace Enabled' server configuration option is set to '1'. |
| Disabled sa account | Checks if the 'sa' login account (principal_id = 1 and sid = 0x01) is disabled. |
| Number of ERRORLOG files | Checks the number of error log files created on the operating system's file system. |
| Full-Text service account | Checks that the service account used by the Full-Text service is not a member of the Windows Administrators group. |
| Guest database users | Checks that the CONNECT permission is revoked for the guest user in every non-system database. |
| Hide Instance | Checks if the instance is hidden (not exposed by the SQL Browser). |
| Instance Authentication Mode | Checks whether the Server Authentication property is set to 'Windows Authentication Mode' or 'Mixed Mode' authentication. |
| Login audit setting | Checks if the SQL Server login audit is set to '2' (none = 0, successful logins only = 1, failed logins only = 2, both failed and successful logins = 3). |
| Login failed and successful setting | Checks if the SQL Server login audit is set to '3' (none = 0, successful logins only = 1, failed logins only = 2, both failed and successful logins = 3). |
| Public role | Checks that the public role in the msdb database is not granted access to SQL Agent proxies. |
| MS SQL service account | Checks that the service account used by the MSSQLSERVER service is not a member of the Windows Administrators group. |
| Ole Automation Procedures | Checks whether OLE Automation objects can be instantiated within Transact-SQL batches. |
| Orphaned database users | Checks if there are orphaned database users (users for which the corresponding SQL Server login is undefined). |
| Password expiration | Checks that the CHECK_EXPIRATION option is set to ON for all SQL-authenticated logins within the sysadmin role. |
| Password policy | Checks that the CHECK_POLICY option is set to ON for all SQL-authenticated logins. |
| Public server role | Checks if extra permissions have been granted to the public server role. |
| Remote access | Checks if local stored procedures can execute on remote servers, or remote stored procedures on the local server. |
| Remote admin connections | Checks whether a client application on a remote computer can use the Dedicated Administrator Connection (DAC). |
| Renamed sa account | Checks if the standard 'sa' login account (principal_id = 1 and sid = 0x01) has been renamed. |
| Scan for startup procs | Checks if MS SQL Server automatically scans for and runs all stored procedures that are set to execute upon service startup. |
| Security and Compliance framework | dbWatch Security framework job, used for collecting and analysing statistics from all Security jobs. |
| SQL Browser | Checks if the SQL Server Browser service is disabled. |
| SQL Server Protocols | Checks which SQL Server protocols are in use. |
| SQL Agent service account | Checks that the service account used by the SQL Agent service is not a member of the Windows Administrators group. |
| Standard ports | Verifies the use of standard ports, TCP port 1433 being the default. |
| Symmetric Key encryption | Checks that only the AES_128, AES_192 and AES_256 symmetric key encryption algorithms are in use. |
| Trustworthy | Checks if the TRUSTWORTHY database option allows database objects to access objects in other databases. |
| Windows BUILTIN groups | Checks that Windows BUILTIN groups are not SQL logins. |
| Windows LOCAL groups | Checks that Windows LOCAL groups are not SQL logins. |