
SQL Server 2012 STIG Version 1, Release 20 Checklist Details

Supporting Resources:

Target:

Target CPE Name:
Microsoft SQL Server 2012: cpe:/a:microsoft:sql_server:2012

Checklist Highlights

Checklist Name:
SQL Server 2012 STIG
Checklist ID:
474
Version:
Version 1, Release 20
Type:
Compliance
Review Status:
Archived
Authority:
Governmental Authority: Defense Information Systems Agency
Original Publication Date:
04/28/2017

Checklist Summary:

The SQL Server 2012 Overview, along with the SQL Server 2012 Security Technical Implementation Guide (STIG), provides the technical security policies, requirements, and implementation details for applying security concepts to Microsoft SQL Server 2012. This document is meant to improve the security of Department of Defense (DoD) information systems. The requirements in the accompanying STIG do not necessarily prevent or mitigate all attacks against a poorly designed application that uses SQL Server; refer to the Application Security and Development STIG for application requirements.

Consideration must be given to the placement of SQL Server inside a forest so that the risk within the environment is evaluated. This includes risk introduced to SQL Server by other applications or workstations, as well as risk that introducing SQL Server itself poses to an established environment.

Additional guidance applies to SQL Server even though it is not SQL-specific and is therefore not explicitly called out in the SQL Server 2012 STIG. This includes the Windows environment and the networking requirements, including firewall protection, DMZ requirements, and Windows host requirements.

The security requirements contained within the SQL Server 2012 STIG are broken into two parts. The SQL Server 2012 Instance STIG is used for settings that apply to the actual instance (installation) of SQL Server 2012. The SQL Server 2012 Database STIG is applied to each individual database, including the vendor-supplied system databases such as master.

Checklist Role:

  • Database Server
  • Database Management System

Known Issues:

Not provided.

Target Audience:

This document is a requirement for all DoD-administered systems and all systems connected to DoD networks. These requirements are designed to assist Security Managers (SMs), Information Assurance Managers (IAMs), Information Assurance Officers (IAOs), and System Administrators (SAs) with configuring and maintaining security controls. This guidance supports DoD system design, development, implementation, certification, and accreditation efforts.

Target Operational Environment:

  • Managed
  • Specialized Security-Limited Functionality (SSLF)

Testing Information:

Executing the manual procedures may require Administrator (Windows Server) privileges and SQL Server DBA privileges in both the system databases and the user-defined databases of each instance. The exact requirement varies with the permissions assigned to the account used; an authorized DBA or the IAO is expected to log and monitor that account. It is assumed that SQL Server 2012 is running on Windows Server 2008 or later.

Running the assessment queries can affect database performance, depending on the priority of the queries and the number of database objects. For example, the number of users affects the cost of the permissions queries. If the queries run with a high priority, as most DBA accounts do, they can interfere with the work of regular users. If this occurs, running them under a lower-priority account or during periods of lower SQL Server load can reduce or eliminate the effect on regular users.

The SQL Server 2012 STIG contains many references to third-party tools. These tools are assumed to deliver a specific piece of functionality quickly and easily without a large SQL scripting effort. For example, one requirement asks for real-time viewing of a user session, and the example solution given uses the SQL Server "fn_get_audit_file" function; existing third-party tools can present the same audit file information in a GUI while filtering out extraneous data. Although the STIG refers to third-party tools in many places, almost none are named, except those that Microsoft provides directly, e.g., Security Labeling via Codeplex.
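As an added illustration of the two kinds of query the paragraph above describes (this is not the STIG's own check script or the checklist's content), the T-SQL below reads a SQL Server Audit log with sys.fn_get_audit_file to review one session, and then enumerates server-level permissions, the query whose cost grows with the number of principals. The audit file location D:\SQLAudit\ and the session_id 57 are hypothetical; sys.fn_get_audit_file requires CONTROL SERVER on the instance.

```sql
-- Added example, not from the STIG or the NIST checklist page.
-- Assumes a server audit writing .sqlaudit files to D:\SQLAudit\ (hypothetical
-- path) and a reviewing login that holds CONTROL SERVER.

-- 1. Review the audit records of a single session.
--    DEFAULT, DEFAULT for initial_file_name and audit_record_offset reads from
--    the start of the first file that matches the pattern.
SELECT event_time,
       session_id,
       server_principal_name,
       database_name,
       action_id,
       succeeded,
       statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE session_id = 57                                   -- hypothetical session under review
  AND event_time >= DATEADD(HOUR, -1, SYSUTCDATETIME())  -- event_time is recorded in UTC
ORDER BY event_time;

-- 2. Enumerate server-level permissions per login. The join cost scales with
--    the number of principals, so run this off-peak on a busy instance.
SELECT pr.name            AS principal_name,
       pr.type_desc,
       pe.permission_name,
       pe.state_desc
FROM sys.server_principals AS pr
JOIN sys.server_permissions AS pe
  ON pe.grantee_principal_id = pr.principal_id
WHERE pr.type IN ('S', 'U', 'G')   -- SQL logins, Windows logins, Windows groups
ORDER BY pr.name, pe.permission_name;
```

Note that sys.fn_get_audit_file reads the files the audit has already flushed to disk; with the default QUEUE_DELAY of 1000 ms the view lags live activity by about a second, so "real-time" here means near-real-time. Limit the result with a time window or session filter, as above, rather than scanning the whole audit history on every review.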

Regulatory Compliance:

DoD Directive (DoDD) 8500.1 and DoD Instruction (DoDI) 8500.2

Comments/Warnings/Miscellaneous:

Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. DISA Field Security Operations (FSO) will coordinate all change requests with the relevant DoD organizations before inclusion in this document.

Disclaimer:

Not provided.

Product Support:

See Comments/Warnings/Miscellaneous above (disa.stig_spt@mail.mil).

Point of Contact:

See Comments/Warnings/Miscellaneous above (disa.stig_spt@mail.mil).

Sponsor:

Not provided.

Licensing:

Not provided.

Change History:

Version 1, Release 1 - 09 January 2014
Version 1, Release 2 - 28 January 2014
Version 1, Release 3 - 25 July 2014
Version 1, Release 4 - 30 October 2014
Updated status to "Final" - 07 January 2015
Version 1, Release 5 - 25 January 2015
Updated status from "under review" to "final" - 22 June 2015
Version 1, Release 7 - 06 August 2015
Changed status from "under review" to "final" - 11 September 2015
Version 1, Release 8 - 29 October 2015
Changed status from "Under Review" to "Final" - 01 December 2015
Version 1, Release 9 - 29 January 2016
Promoted to Final - 08 March 2016
Version 1, Release 10 - 28 April 2016
Moved to Final - 07 June 2016
Version 1, Release 11 - 22 July 2016
Updated to Final - 12 September 2016
Version 1, Release 12 - 28 October 2016
Updated to Final - 07 December 2016
Version 1, Release 13 - 27 January 2017
Updated to Final - 13 March 2017
Version 1, Release 14 - 24 April 2017
Updated to Final - 22 May 2017
Updated URL to reflect change to the DISA website (http to https)
Updated to Final - 16 August 2017
Corrected resource title - 24 January 2018
Version 1, Release 16 - 16 February 2018
Updated to Final - 18 March 2018
Version 1, Release 17 - 25 April 2018
Updated to Final - 25 May 2018
Version 1, Release 18 - 23 January 2019
Corrected SHA - 28 January 2019
Status updated to Final - 01 March 2019
Updated URLs - 11 June 2019
Updated URLs - 14 August 2019
Sunset per DISA - 15 August 2019
Updated URLs - 11 September 2019
Updated resource - 05 February 2020
Updated per DISA website - 06 February 2020
Updated SHA value per DISA - 19 February 2020

Dependency/Requirements:

URL: https://dl.dod.cyber.mil/wp-content/uploads/stigs/pdf/u_sql_server2012_stigs_v1_memo.pdf
Description: Sunset - Microsoft SQL Server 2012 STIG - Release Memo

References:

Not provided.

NIST checklist record last modified on 02/19/2020