SQL Server 2012 STIG Version 1, Release 20 Checklist Details (Checklist Revisions)
NOTE: This is not the current revision of this checklist.
Supporting Resources:
- SQL Server 2012 STIG - Version 1, Release 5 (Defense Information Systems Agency)
Target:

| Target | CPE Name |
|---|---|
| Microsoft SQL Server 2012 | cpe:/a:microsoft:sql_server:2012 |
Checklist Highlights
- Checklist Name: SQL Server 2012 STIG
- Checklist ID: 474
- Version: Version 1, Release 20
- Type: Compliance
- Review Status: Final
- Authority: Governmental Authority: Defense Information Systems Agency
- Original Publication Date: 01/09/2014
Checklist Summary:
The SQL Server 2012 Overview, along with the SQL Server 2012 Security Technical Implementation Guide (STIG), provides the technical security policies, requirements and implementation details for applying security concepts to Microsoft SQL Server 2012. This document is meant to improve the security of Department of Defense (DoD) information systems. The requirements in the accompanying STIG do not necessarily prevent or mitigate all attacks against a poorly designed application which uses SQL Server. Please refer to the Application Security and Development STIG for application requirements. Consideration must be given to the placement of SQL Server inside a forest to ensure that the risk within the environment is evaluated. This includes risk introduced to SQL Server by other applications or workstations, as well as risk introduced by SQL Server itself into an established environment. Please note that additional guidance applies to SQL Server even though it is not SQL-specific and is therefore not explicitly called out in the SQL Server 2012 STIG. This includes the Windows environment as well as networking requirements, including firewall protection, DMZ requirements, and Windows host requirements. The security requirements contained within the SQL Server 2012 STIG are broken into two parts. The SQL Server Instance STIG is used for the settings that apply to the actual instance (or installation) of SQL Server 2012. The SQL Server 2012 Database STIG should be used for each individual database (including those that are vendor-supplied, such as master).
Checklist Role:
- Database Server
- Database Management System
Known Issues:
Not provided.
Target Audience:
This document is a requirement for all DoD-administered systems and all systems connected to DoD networks. These requirements are designed to assist Security Managers (SMs), Information Assurance Managers (IAMs), Information Assurance Officers (IAOs), and System Administrators (SAs) with configuring and maintaining security controls. This guidance supports DoD system design, development, implementation, certification, and accreditation efforts.
Target Operational Environment:
- Managed
- Specialized Security-Limited Functionality (SSLF)
Testing Information:
The execution of the manual procedures may require Administrator (Windows Server) and SQL Server DBA privileges in both the system database and user-defined database instances. This may vary based on the permissions assigned to the account used. It is expected that an authorized DBA or the IAO log and monitor this account. It is assumed that SQL Server 2012 is running on a version of Windows Server 2008 or later. Running the queries could have an impact on database performance, depending on the priority of the queries and the number of database objects. For example, the number of users can affect the permissions queries. If queries run with a high priority, as most DBA accounts do, the assessment queries could interfere with successful processing by regular users. If this occurs, using a lower account priority, or running the SQL queries during periods of lower SQL Server load, could reduce or eliminate the effects on regular users. The SQL Server 2012 STIG has many references to third-party tools. These third-party tools are assumed to satisfy a specific functionality quickly and easily without a large SQL scripting development effort. For example, one requirement asks for real-time viewing of a user session, and an example solution was given using the SQL Server "fn_get_audit_file" function. However, there are existing third-party tools that can view audit file information in a GUI format while reducing extraneous data. Though there are many references to third-party tools within the SQL Server 2012 STIG, almost none are mentioned by name, except those that Microsoft provides directly, e.g., Security Labeling via Codeplex.
Regulatory Compliance:
DoD Directive (DoDD) 8500.1 and DoD Directive (DoDD) 8500.2
Comments/Warnings/Miscellaneous:
Comments or proposed revisions to this document should be sent via email to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil. DISA Field Security Operations (FSO) will coordinate all change requests with the relevant DoD organizations before inclusion in this document.
Disclaimer:
Not provided.
Product Support:
Same as Comments/Warnings/Miscellaneous above.
Point of Contact:
Same as Comments/Warnings/Miscellaneous above.
Sponsor:
Not provided.
Licensing:
Not provided.
Change History:
- Version 1, Release 1 - 9 January 2014
- Version 1, Release 2 - 28 January 2014
- Version 1, Release 3 - 25 July 2014
- Version 1, Release 4 - 30 October 2014
- Updated status to "Final" - 07 January 2015
- Version 1, Release 5 - 25 January 2015
Dependency/Requirements:

| URL | Description |
|---|---|
| http://iase.disa.mil/stigs/Documents/u_sql_server2012_stigs_v1_memo.pdf | SQL Server 2012 Release Memo |
References:
Not provided.