/* Declare variables used in script */ DECLARE @id Int --Used for traceid loop queries PRINT 'SQL Server 2012 DB V1R2 STIG Checks' PRINT 'Rule Title: SQL Server must be protected from unauthorized access by developers.'; PRINT 'STIG ID: SQL2-00-009200' SELECT name AS 'Account Name' , create_date AS 'Account Create Date' , LOGINPROPERTY(name, 'PasswordLastSetTime') AS 'Password Last Set on' FROM sys.server_principals WHERE NOT TYPE IN ('C', 'R', 'U') -- ('C', 'G', 'K', 'R', 'S', 'U') AND NOT name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##') AND sid <> CONVERT(VARBINARY(85), 0x01) -- no 'sa' account AND is_disabled <> 1 ORDER BY name; PRINT '----------------------------------------------------------------------------- ----------'; PRINT 'Rule Title: SQL Server utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.' PRINT 'STIG ID: SQL2-00-011050' Select * from sys.server_permissions PRINT '----------------------------------------------------------------------------- ----------'; PRINT 'Rule Title: SQL Server must provide audit record generation capability for organization-defined auditable events within the database.' PRINT 'STIG ID: SQL2-00-011200' DECLARE c CURSOR READ_ONLY FAST_FORWARD FOR SELECT DISTINCT traceid FROM ::FN_TRACE_GETINFO('0') OPEN c FETCH NEXT FROM c INTO @id WHILE @@FETCH_STATUS = 0 BEGIN PRINT N'Showing results for Trace ID: ' + CAST(@id as nvarchar(3)); SELECT DISTINCT(eventid) FROM ::FN_TRACE_GETEVENTINFO(@id)



/* ------------------------------------------------------------------
   SQL Server 2012 DB V1R2 STIG checks
   Review script: every statement is a PRINT or a SELECT against
   catalog views / trace functions. Nothing is modified on the instance.
   ------------------------------------------------------------------ */
DECLARE @id INT;  -- trace id consumed by the fn_trace_getinfo cursor loops

PRINT 'SQL Server 2012 DB V1R2 STIG Checks';

PRINT 'Rule Title: SQL Server must be protected from unauthorized access by developers.';
PRINT 'STIG ID: SQL2-00-009200';

-- Enabled logins, excluding certificate-mapped logins (C), server roles (R)
-- and Windows logins (U), the two built-in policy logins, and sa (sid 0x01).
-- Manual check: compare the list against the approved account inventory.
SELECT
    name                                       AS 'Account Name',
    create_date                                AS 'Account Create Date',
    LOGINPROPERTY(name, 'PasswordLastSetTime') AS 'Password Last Set on'
FROM sys.server_principals
WHERE type NOT IN ('C', 'R', 'U')   -- full set of type codes: C, G, K, R, S, U
  AND name NOT IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##')
  AND sid <> CONVERT(VARBINARY(85), 0x01)   -- no 'sa' account
  AND is_disabled <> 1
ORDER BY name;
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.';
PRINT 'STIG ID: SQL2-00-011050';

-- Full dump of server-level permissions for manual review. SELECT * is
-- deliberate here: the reviewer needs grantor, grantee, state and
-- state_desc to spot WITH GRANT OPTION (state 'W') propagation.
SELECT *
FROM sys.server_permissions;
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must provide audit record generation capability for organization-defined auditable events within the database.';
PRINT 'STIG ID: SQL2-00-011200';

-- One result set of captured event ids per active SQL Trace.
-- Manual check: compare each set against the required auditable events.
-- NOTE(review): the 3-character cast assumes trace ids stay below 1000.
DECLARE c CURSOR READ_ONLY FAST_FORWARD FOR
    SELECT DISTINCT traceid
    FROM sys.fn_trace_getinfo(0);
OPEN c;
FETCH NEXT FROM c INTO @id;
WHILE @@FETCH_STATUS = 0
BEGIN
    PRINT N'Showing results for Trace ID: ' + CAST(@id AS NVARCHAR(3));
    SELECT DISTINCT eventid
    FROM sys.fn_trace_geteventinfo(@id);
    FETCH NEXT FROM c INTO @id;
END;
CLOSE c;
DEALLOCATE c;
PRINT '---------------------------------------------------------------------------------------';


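/* Change-monitoring checks (SQL2-00-014900, -015100, -015200).
   These are manual checks: the reviewer must supply the name of the Agent
   job that detects changes to the object type. The code block is PRINTed
   as guidance, never executed by this script.
   Fixes: the guidance text for triggers and stored procedures previously
   said "changes to functions" (copy-paste); the printed snippet now
   declares @Job_title as sysname, because varchar(20) silently truncates
   a longer job name before it reaches sp_help_job. */
PRINT 'Rule Title: SQL Server must be monitored to discover unauthorized changes to functions.';
PRINT 'STIG ID: SQL2-00-014900';
PRINT 'This STIG item will require the name of a job that checks for changes to functions.';
PRINT 'use the code below if you know what your job name is';
PRINT '/* Start code block */
DECLARE @Job_title sysname -- user-defined VARIABLE <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
SET @Job_title = ''<''enter Function modification job name''>'' -- user-defined VARIABLE <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
EXEC sp_help_job @job_name = @Job_title
GO
/* end of code block */';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must be monitored to discover unauthorized changes to triggers.';
PRINT 'STIG ID: SQL2-00-015100';
PRINT 'This STIG item will require the name of a job that checks for changes to triggers.';
PRINT 'use the code below if you know what your job name is';
PRINT '/* Start code block */
DECLARE @Job_title sysname -- user-defined VARIABLE <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
SET @Job_title = ''<''enter Trigger modification job name''>'' -- user-defined VARIABLE <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
EXEC sp_help_job @job_name = @Job_title
GO
/* end of code block */';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must be monitored to discover unauthorized changes to stored procedures.';
PRINT 'STIG ID: SQL2-00-015200';
PRINT 'This STIG item will require the name of a job that checks for changes to stored procedures.';
PRINT 'use the code below if you know what your job name is';
PRINT '/* Start code block */
DECLARE @Job_title sysname -- user-defined VARIABLE <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
SET @Job_title = ''<''enter Stored Procedure modification job name''>'' -- user-defined VARIABLE <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
EXEC sp_help_job @job_name = @Job_title
GO
/* end of code block */';
PRINT '---------------------------------------------------------------------------------------';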

PRINT 'Rule Title: SQL Server must encrypt information stored in the database.';
PRINT 'STIG ID: SQL2-00-019300';

-- One result set per database: its symmetric keys with algorithm_desc.
-- sp_MSforeachdb is an undocumented procedure; '?' expands to each
-- database name, including inside the string alias.
EXEC sp_MSforeachdb ' SELECT ''?'' AS ''database ?'', * FROM ?.sys.symmetric_keys ORDER BY name, algorithm_desc ';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.';
PRINT 'STIG ID: SQL2-00-019500';

-- Identical key inventory to SQL2-00-019300; here the reviewer judges
-- algorithm_desc against the approved cryptographic algorithms.
EXEC sp_MSforeachdb ' SELECT ''?'' AS ''database ?'', * FROM ?.sys.symmetric_keys ORDER BY name, algorithm_desc ';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must employ cryptographic mechanisms preventing the unauthorized disclosure of information at rest, unless the data is otherwise protected by alternative physical measures.';
PRINT 'STIG ID: SQL2-00-021400';

-- Per-database encryption-at-rest flag (is_encrypted = 1 when TDE is on).
SELECT
    name         AS 'Database Name',
    is_encrypted AS 'Encryption Status'
FROM [master].sys.databases;
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must protect against or limit the effects of the organization-defined types of Denial of Service (DoS) attacks.';
PRINT 'STIG ID: SQL2-00-022000';

-- Nothing below is executed by this script: the configuration snippet is
-- emitted as text for the reviewer. As printed, the snippet only displays
-- the current 'user connections' value (sp_configure with no value
-- argument) after toggling 'show advanced options'; the banner refers to
-- what the reviewer would run, not to this script's own actions.
PRINT '*** CHANGES ARE BEING MADE TO YOUR SYSTEM ***';
PRINT 'Use the below code to configure your system to required STIG settings';
PRINT '/* start code block */
USE MASTER;
EXEC sys.sp_configure N''show advanced options'', N''1'';
RECONFIGURE WITH OVERRIDE;
EXEC sys.sp_configure N''user connections'';
EXEC sys.sp_configure N''show advanced options'', N''0'';
RECONFIGURE WITH OVERRIDE;
/* end code block */';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server default account public must be removed from each database.';
PRINT 'STIG ID: SQL2-00-023400';

-- For every user database (system databases skipped): database principals
-- whose database name or mapped login name starts with 'publ', minus the
-- sid the script treats as the built-in public role.
-- sys.sysusers is a compatibility view; sp_MSforeachdb is undocumented.
EXEC sp_MSforeachdb '
IF NOT ''?'' IN (''master'', ''tempdb'', ''model'', ''msdb'')
BEGIN
    USE ?
    SELECT
        ''?''   AS ''Database'',
        su.name AS ''db Account Name'',
        s.name  AS ''SQL Server Account Name''
    FROM sys.sysusers AS su
    LEFT JOIN sys.server_principals AS s
        ON su.sid = s.sid
    WHERE (su.name LIKE ''publ%'' OR s.name LIKE ''publ%'')
      AND NOT su.sid = CONVERT(VARBINARY(85), 0x)
END';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server job/batch queues must be reviewed regularly to detect unauthorized SQL Server job submissions.';
PRINT 'STIG ID: SQL2-00-023500';

-- Procedures in master marked to execute automatically at instance startup.
-- Manual check: each one must be authorized.
SELECT name
FROM master.sys.procedures
WHERE is_auto_executed = 1;
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server default account guest must be removed from each database.';
PRINT 'STIG ID: SQL2-00-023800';

-- For every user database (system databases skipped): database principals
-- whose database name or mapped login name starts with 'gues', minus the
-- sid the script treats as the built-in guest user (0x00).
-- sys.sysusers is a compatibility view; sp_MSforeachdb is undocumented.
EXEC sp_MSforeachdb 'IF NOT ''?'' IN (''master'', ''tempdb'', ''model'', ''msdb'')
BEGIN
    USE ?
    SELECT
        ''?''   AS ''Database'',
        su.name AS ''db Account Name'',
        sp.name AS ''SQL Server Account Name''
    FROM sys.sysusers AS su
    LEFT JOIN sys.server_principals AS sp
        ON su.sid = sp.sid
    WHERE (su.name LIKE ''gues%'' OR sp.name LIKE ''gues%'')
      AND NOT su.sid = CONVERT(VARBINARY(85), 0x00)
END ';
PRINT '---------------------------------------------------------------------------------------';

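PRINT 'Rule Title: The Database Master Key encryption password must meet DoD password complexity requirements.';
PRINT 'STIG ID: SQL2-00-024000';

-- Per database: count of password-based encryptions (crypt_type 'ESKP')
-- of the Database Master Key. A non-zero count means a DMK password
-- exists whose complexity must be verified manually.
EXEC sp_MSforeachdb 'USE ?
SELECT COUNT(name)
FROM sys.symmetric_keys AS s
INNER JOIN sys.key_encryptions AS k
    ON s.symmetric_key_id = k.key_id
WHERE s.name = ''##MS_DatabaseMasterKey##''
  AND k.crypt_type = ''ESKP''';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: The Database Master Key must be encrypted by the Service Master Key where required.';
PRINT 'STIG ID: SQL2-00-024100';

-- Online databases whose DMK is protected by the Service Master Key,
-- excluding databases owned by sa. The owner sid is compared as bytes:
-- the previous `owner_sid <> 1` relied on an implicit varbinary(85)->int
-- conversion of the sid, which is fragile for long Windows/SQL sids.
SELECT name
FROM [master].sys.databases
WHERE is_master_key_encrypted_by_server = 1
  AND owner_sid <> 0x01   -- 0x01 is the sa sid (same comparison as SQL2-00-009200)
  AND state = 0;          -- 0 = ONLINE
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: Database Master Key passwords must not be stored in credentials within the database.';
PRINT 'STIG ID: SQL2-00-024200';

-- Expected result is 0: each row is a DMK password held in a credential.
SELECT COUNT(credential_id)
FROM [master].sys.master_key_passwords;
PRINT '---------------------------------------------------------------------------------------';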

PRINT 'Rule Title: Symmetric keys must use a DoD certificate to encrypt the key.';
PRINT 'STIG ID: SQL2-00-024300 ';

-- Per database: symmetric keys not owned by principal 1 (dbo), with the
-- encryption mechanism protecting them, restricted to the crypt_type
-- codes the STIG check names. Manual check: the protecting certificate
-- must be a DoD certificate.
EXEC sp_MSforeachdb 'USE ?
SELECT s.name, k.crypt_type_desc
FROM sys.symmetric_keys AS s
INNER JOIN sys.key_encryptions AS k
    ON s.symmetric_key_id = k.key_id
WHERE k.crypt_type IN (''KSKP'', ''ESKS'')
  AND s.principal_id <> 1
ORDER BY s.name, k.crypt_type_desc';
PRINT '---------------------------------------------------------------------------------------';
PRINT 'Complete SQL Server 2012 DB V1R2 STIG Checks';
PRINT '';
PRINT '';

/* ------------------------------------------------------------------
   SQL Server 2012 Instance V1R2 STIG checks
   ------------------------------------------------------------------ */
PRINT 'SQL Server 2012 Instance V1R2 STIG Checks';
PRINT 'Rule Title: SQL Server must ensure that remote sessions that access an organization-defined list of security functions and security-relevant information are audited.';
PRINT 'STIG ID: SQL2-00-001600';

-- Trace inventory: one result set of captured event ids per active SQL
-- Trace. @id is declared at the top of the script. Manual check: compare
-- against the events the rule requires.
DECLARE c CURSOR READ_ONLY FAST_FORWARD FOR
    SELECT DISTINCT traceid
    FROM sys.fn_trace_getinfo(0);
OPEN c;
FETCH NEXT FROM c INTO @id;
WHILE @@FETCH_STATUS = 0
BEGIN
    PRINT N'Showing results for Trace ID: ' + CAST(@id AS NVARCHAR(3));
    SELECT DISTINCT eventid
    FROM sys.fn_trace_geteventinfo(@id);
    FETCH NEXT FROM c INTO @id;
END;
CLOSE c;
DEALLOCATE c;
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must automatically audit account modification.';
PRINT 'STIG ID: SQL2-00-001900';

-- Same trace inventory; the cursor is re-declared because the previous
-- loop deallocated it.
DECLARE c CURSOR READ_ONLY FAST_FORWARD FOR
    SELECT DISTINCT traceid
    FROM sys.fn_trace_getinfo(0);
OPEN c;
FETCH NEXT FROM c INTO @id;
WHILE @@FETCH_STATUS = 0
BEGIN
    PRINT N'Showing results for Trace ID: ' + CAST(@id AS NVARCHAR(3));
    SELECT DISTINCT eventid
    FROM sys.fn_trace_geteventinfo(@id);
    FETCH NEXT FROM c INTO @id;
END;
CLOSE c;
DEALLOCATE c;
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must enforce non-DAC policies over users and resources where the policy rule set for each policy specifies access control information (i.e., position, nationality, age, project, time of day).';
PRINT 'STIG ID: SQL2-00-002200';

DECLARE @admin_Account_name SYSNAME;
SET @admin_Account_name = 'NO admin ACCOUNT found';
DECLARE @server_name SYSNAME;
SET @server_name = 'NO Server found';

-- server_id 0 is the local instance; '<server>\Administrator' is excluded
-- from both listings below. (The original script repeated these two
-- assignments before the second query; once is enough, the values do not
-- change in between.)
SELECT @server_name = name
FROM sys.servers
WHERE server_id = 0;
SET @admin_Account_name = @server_name + '\Administrator';

-- Server permissions granted or denied to key-mapped (K), SQL (S) and
-- Windows (U) logins above the low-numbered built-in principals, minus
-- the service and policy logins. Ordered by grantee type.
-- The grantor join (ps) and the major_id join (us) are kept from the
-- original; neither contributes columns.
SELECT
    pe.grantee_principal_id,
    pr.type AS 'Grantee_Type',
    pr.name AS 'Grantee_Name',
    pe.type,
    pe.permission_name,
    pe.state,
    pe.state_desc
FROM sys.server_permissions AS pe
INNER JOIN sys.server_principals AS pr
    ON pe.grantee_principal_id = pr.principal_id
INNER JOIN sys.server_principals AS ps
    ON pe.grantor_principal_id = ps.principal_id
LEFT JOIN sys.server_principals AS us
    ON us.principal_id = pe.major_id
WHERE pr.type IN ('K', 'S', 'U')
  AND pe.grantee_principal_id > 10
  AND pr.name NOT IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt')
  AND pr.name <> @admin_Account_name
ORDER BY
    CASE pr.type
        WHEN 'K' THEN 1
        WHEN 'S' THEN 2
        WHEN 'U' THEN 3
        ELSE 4
    END;

-- Same permissions for server roles (R), ordered so DENY rows come first,
-- then GRANT WITH GRANT OPTION, then GRANT.
SELECT
    pe.grantee_principal_id,
    pr.type AS 'Grantee_Type',
    pr.name AS 'Grantee_Name',
    pe.type,
    pe.permission_name,
    pe.state,
    pe.state_desc
FROM sys.server_permissions AS pe
INNER JOIN sys.server_principals AS pr
    ON pe.grantee_principal_id = pr.principal_id
INNER JOIN sys.server_principals AS ps
    ON pe.grantor_principal_id = ps.principal_id
LEFT JOIN sys.server_principals AS us
    ON us.principal_id = pe.major_id
WHERE pr.type IN ('R')
  AND pe.grantee_principal_id > 10
  AND pr.name NOT IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt')
  AND pr.name <> @admin_Account_name
ORDER BY
    CASE pe.state
        WHEN 'D' THEN 1
        WHEN 'W' THEN 2
        WHEN 'G' THEN 3
        ELSE 4
    END;
PRINT '---------------------------------------------------------------------------------------';

/* Server-role permission checks (SQL2-00-002300 .. SQL2-00-002800).
   Each query lists the server roles (principal type 'R') holding the named
   permission in sys.server_permissions. Only the role name is projected,
   so a DENY row looks the same as a GRANT; the reviewer should consult
   state_desc when a listed role is unexpected.
   NOTE(review): permission_name is compared with a mixed-case literal,
   which matches only under a case-insensitive instance collation. */
PRINT 'Rule Title: SQL Server must enforce access control policies to restrict Alter server state permissions to only authorized roles.';
PRINT 'STIG ID: SQL2-00-002300';
SELECT prin.name AS 'Name'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND perm.permission_name = 'Alter Server State';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Alter any event session permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-002400';
SELECT prin.name AS 'Name'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND perm.permission_name = 'Alter any event session';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Alter any event notification permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-002500';
SELECT prin.name AS 'Name'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND perm.permission_name = 'Alter any event notification';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Alter any endpoint permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-002600';
SELECT prin.name AS 'Name'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND perm.permission_name = 'Alter any endpoint';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Alter any database permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-002700';
SELECT prin.name AS 'Name'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND perm.permission_name = 'Alter any database';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Alter any credential permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-002800';
SELECT prin.name AS 'Name'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND perm.permission_name = 'Alter any credential';
PRINT '---------------------------------------------------------------------------------------';

/* SQL2-00-002900 .. SQL2-00-003300.
   "restrict ... to only authorized roles" checks filter on prin.type = 'R'
   (server roles). "must not grant users direct access" checks have no type
   filter, so roles as well as logins appear and the reviewer tells them
   apart by name. Only the principal name is projected; permission state
   (GRANT/DENY) is not shown.
   NOTE(review): mixed-case permission_name literals match only under a
   case-insensitive instance collation. */
PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Alter any connection permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-002900';
SELECT prin.name AS 'Name'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND perm.permission_name = 'Alter any connection';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must not grant users direct access control to the View any definition permission.';
PRINT 'STIG ID: SQL2-00-003000';
SELECT prin.name AS 'Name'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE perm.permission_name = 'view any definition';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must not grant users direct access control to the Alter any server role permission.';
PRINT 'STIG ID: SQL2-00-003100 ';
SELECT prin.name AS 'Name'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE perm.permission_name = 'Alter any server role';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must not grant users direct access control to the View server state permission.';
PRINT 'STIG ID: SQL2-00-003200';
SELECT prin.name AS 'Name'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE perm.permission_name = 'view server state';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Create any database permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-003300';
SELECT prin.name AS 'Name'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND perm.permission_name = 'Create any database';
PRINT '---------------------------------------------------------------------------------------';


/* SQL2-00-003400 .. SQL2-00-003800.
   Role-restriction checks filter on prin.type = 'R'; the "direct access"
   check (003700) has no type filter and lists every principal holding the
   permission. Only the principal name is projected, without GRANT/DENY
   state.
   NOTE(review): mixed-case permission_name literals match only under a
   case-insensitive instance collation. */
PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Authenticate server permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-003400';
SELECT prin.name AS 'Name'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND perm.permission_name = 'Authenticate server';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Alter Settings permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-003500';
SELECT prin.name AS 'Name'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND perm.permission_name = 'Alter settings';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Alter any server role permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-003600';
SELECT prin.name AS 'Name'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND perm.permission_name = 'Alter any server role';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must not grant users direct access control to the Create server role permission.';
PRINT 'STIG ID: SQL2-00-003700';
SELECT prin.name AS 'Name'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE perm.permission_name = 'create server role';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Control server permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-003800';
SELECT prin.name AS 'Name'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND perm.permission_name = 'Control server';
PRINT '---------------------------------------------------------------------------------------';

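/* SQL2-00-003900 .. SQL2-00-004600.
   Role-restriction checks filter on prin.type = 'R'; "direct access"
   checks have no type filter. From SQL2-00-004200 on the queries also
   project perm.permission_name. GRANT/DENY state is not shown.
   Fix: the SQL2-00-004500 query compared against 'Alter any logon', a
   permission name that does not exist, so the check could never report a
   role; it now uses 'Alter any login', matching the rule title.
   NOTE(review): mixed-case permission_name literals match only under a
   case-insensitive instance collation. */
PRINT 'Rule Title: SQL Server must not grant users direct access control to the Unsafe assembly permission.';
PRINT 'STIG ID: SQL2-00-003900';
SELECT prin.name AS 'Name'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE perm.permission_name = 'Unsafe assembly';
PRINT '---------------------------------------------------------------------------------------';

-- NOTE(review): this block repeats the SQL2-00-003900 title and ID, but the
-- query is the role-level Control Server check already run as
-- SQL2-00-003800. Confirm which rule was intended; output kept as-is.
PRINT 'Rule Title: SQL Server must not grant users direct access control to the Unsafe assembly permission.';
PRINT 'STIG ID: SQL2-00-003900';
SELECT prin.name AS 'Name'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND perm.permission_name = 'Control Server';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Alter trace permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-004000';
SELECT prin.name AS 'Name'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND perm.permission_name = 'Alter trace';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the View server state permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-004100';
SELECT prin.name AS 'Name'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND perm.permission_name = 'View server state';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must not grant users direct access control to the Shutdown permission.';
PRINT 'STIG ID: SQL2-00-004200';
SELECT
    prin.name AS 'Name',
    perm.permission_name
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE perm.permission_name = 'shutdown';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Alter any linked server permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-004300';
SELECT
    prin.name AS 'Name',
    perm.permission_name
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND perm.permission_name = 'Alter any linked server';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Alter any login permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-004500';
SELECT
    prin.name AS 'Name',
    perm.permission_name
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND perm.permission_name = 'Alter any login';   -- was 'Alter any logon'
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Alter any availability group permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-004600';
SELECT
    prin.name AS 'Name',
    perm.permission_name
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND perm.permission_name = 'Alter any availability group';
PRINT '---------------------------------------------------------------------------------------';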

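/* SQL2-00-004700 .. SQL2-00-005100: "direct access" checks. No principal
   type filter, so roles as well as logins holding the permission are
   listed with the permission name; GRANT/DENY state is not shown.
   Fix: the first STIG ID was printed as 'SQL2-00-00470' (one digit short
   of the six-digit format used by every other check; the neighbours are
   004600 and 004800).
   NOTE(review): mixed-case permission_name literals match only under a
   case-insensitive instance collation. */
PRINT 'Rule Title: SQL Server must not grant users direct access control to the Alter any login permission.';
PRINT 'STIG ID: SQL2-00-004700';
SELECT
    prin.name AS 'Name',
    perm.permission_name
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE perm.permission_name = 'Alter any login';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must not grant users direct access control to the External access assembly permission.';
PRINT 'STIG ID: SQL2-00-004800';
SELECT
    prin.name AS 'Name',
    perm.permission_name
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE perm.permission_name = 'External access assembly';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must not grant users direct access control to the Alter resources permission.';
PRINT 'STIG ID: SQL2-00-004900';
SELECT
    prin.name AS 'Name',
    perm.permission_name
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE perm.permission_name = 'Alter resources';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must not grant users direct access control to the Create trace event notification permission.';
PRINT 'STIG ID: SQL2-00-005000';
SELECT
    prin.name AS 'Name',
    perm.permission_name
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE perm.permission_name = 'Create trace event notification';
PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must not grant users direct access control to the Alter Settings permission.';
PRINT 'STIG ID: SQL2-00-005100';
SELECT
    prin.name AS 'Name',
    perm.permission_name
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE perm.permission_name = 'Alter Settings';
PRINT '---------------------------------------------------------------------------------------';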


PRINT 'Rule Title: SQL Server must not grant users direct access control to the Alter trace permission.'PRINT 'STIG ID: SQL2-00-005200'Select prin.name as 'Name', perm.permission_name from sys.server_principals prin inner join sys.server_permissions perm on prin.principal_id = perm.grantee_principal_id where perm.permission_name = 'Alter trace' PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must not grant users direct access control to the Alter any event session permission.'PRINT 'STIG ID: SQL2-00-005300'Select prin.name as 'Name', perm.permission_name from sys.server_principals prin inner join sys.server_permissions perm on prin.principal_id = perm.grantee_principal_id where perm.permission_name = 'Alter any event session' PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must not grant users direct access control to the Connect SQL permission.'PRINT 'STIG ID: SQL2-00-005400'Select prin.name as 'Name', perm.permission_name from sys.server_principals prin inner join sys.server_permissions perm on prin.principal_id = perm.grantee_principal_id where perm.permission_name = 'Connect SQL' PRINT '---------------------------------------------------------------------------------------';

PRINT 'Rule Title: SQL Server must not grant users direct access control to the Alter any linked server permission.'PRINT 'STIG ID: SQL2-00-005500'Select prin.name as 'Name', perm.permission_name from sys.server_principals prin inner join sys.server_permissions perm on prin.principal_id = perm.grantee_principal_id where perm.permission_name = 'Alter any linked server' PRINT '---------------------------------------------------------------------------------------';

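PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Alter resources permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-005600';
-- Server roles (principal type 'R') holding ALTER RESOURCES, with the grant state.
-- Permission names are stored in upper case in the catalog, so UPPER() keeps the match
-- correct on case-sensitive server collations.
SELECT
    prin.name AS 'Name',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND UPPER(perm.permission_name) = N'ALTER RESOURCES'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';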

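PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Administer bulk operations permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-005700';
-- Server roles (principal type 'R') holding ADMINISTER BULK OPERATIONS, with the grant
-- state. UPPER() keeps the match correct on case-sensitive server collations, where the
-- mixed-case literal would silently match nothing.
SELECT
    prin.name AS 'Name',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND UPPER(perm.permission_name) = N'ADMINISTER BULK OPERATIONS'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';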

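PRINT 'Rule Title: SQL Server must not grant users direct access control to the Control server permission.';
PRINT 'STIG ID: SQL2-00-005800';
-- Every server principal holding CONTROL SERVER (effectively sysadmin-equivalent), with
-- the grant state. UPPER() keeps the match correct on case-sensitive server collations,
-- where the mixed-case literal would silently match nothing.
SELECT
    prin.name AS 'Name',
    prin.type_desc AS 'Principal Type',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE UPPER(perm.permission_name) = N'CONTROL SERVER'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';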

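PRINT 'Rule Title: SQL Server must not grant users direct access control to the Create any database permission.';
PRINT 'STIG ID: SQL2-00-005900';
-- Every server principal holding CREATE ANY DATABASE, with the grant state (a DENY is
-- not a finding). UPPER() keeps the match correct on case-sensitive server collations.
SELECT
    prin.name AS 'Name',
    prin.type_desc AS 'Principal Type',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE UPPER(perm.permission_name) = N'CREATE ANY DATABASE'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';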

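PRINT 'Rule Title: SQL Server must not grant users direct access control to the Create availability group permission.';
PRINT 'STIG ID: SQL2-00-006000';
-- Every server principal holding CREATE AVAILABILITY GROUP, with the grant state.
-- UPPER() keeps the match correct on case-sensitive server collations, where the
-- mixed-case literal would silently match nothing.
SELECT
    prin.name AS 'Name',
    prin.type_desc AS 'Principal Type',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE UPPER(perm.permission_name) = N'CREATE AVAILABILITY GROUP'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';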

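PRINT 'Rule Title: SQL Server must not grant users direct access control to the Create DDL event notification permission.';
PRINT 'STIG ID: SQL2-00-006100';
-- Every server principal holding CREATE DDL EVENT NOTIFICATION, with the grant state.
-- UPPER() keeps the match correct on case-sensitive server collations, where the
-- mixed-case literal would silently match nothing.
SELECT
    prin.name AS 'Name',
    prin.type_desc AS 'Principal Type',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE UPPER(perm.permission_name) = N'CREATE DDL EVENT NOTIFICATION'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';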

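PRINT 'Rule Title: SQL Server must not grant users direct access control to the Create endpoint permission.';
PRINT 'STIG ID: SQL2-00-006200';
-- Every server principal holding CREATE ENDPOINT, with the grant state (a DENY is not a
-- finding). UPPER() keeps the match correct on case-sensitive server collations.
SELECT
    prin.name AS 'Name',
    prin.type_desc AS 'Principal Type',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE UPPER(perm.permission_name) = N'CREATE ENDPOINT'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';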

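PRINT 'Rule Title: SQL Server must not grant users direct access control to the Administer bulk operations permission.';
PRINT 'STIG ID: SQL2-00-006300';
-- Every server principal holding ADMINISTER BULK OPERATIONS, with the grant state. The
-- principal type is shown so direct grants to logins can be told apart from role grants
-- (the role-only view is SQL2-00-005700). UPPER() keeps the match correct on
-- case-sensitive server collations.
SELECT
    prin.name AS 'Name',
    prin.type_desc AS 'Principal Type',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE UPPER(perm.permission_name) = N'ADMINISTER BULK OPERATIONS'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';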

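PRINT 'Rule Title: SQL Server must not grant users direct access control to the Authenticate server permission.';
PRINT 'STIG ID: SQL2-00-006400 ';
-- Every server principal holding AUTHENTICATE SERVER, with the grant state (a DENY is
-- not a finding). UPPER() keeps the match correct on case-sensitive server collations,
-- where the mixed-case literal would silently match nothing.
SELECT
    prin.name AS 'Name',
    prin.type_desc AS 'Principal Type',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE UPPER(perm.permission_name) = N'AUTHENTICATE SERVER'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';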

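PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the View any definition permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-006500';
-- Server roles (principal type 'R') holding VIEW ANY DEFINITION, with the grant state.
-- UPPER() keeps the match correct on case-sensitive server collations, where the
-- mixed-case literal would silently match nothing.
SELECT
    prin.name AS 'Name',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND UPPER(perm.permission_name) = N'VIEW ANY DEFINITION'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';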

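PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Alter any server audit permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-006600 ';
-- Server roles (principal type 'R') holding ALTER ANY SERVER AUDIT, with the grant
-- state. UPPER() keeps the match correct on case-sensitive server collations.
SELECT
    prin.name AS 'Name',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND UPPER(perm.permission_name) = N'ALTER ANY SERVER AUDIT'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';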

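PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Create availability group permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-006700';
-- Server roles (principal type 'R') holding CREATE AVAILABILITY GROUP, with the grant
-- state. UPPER() keeps the match correct on case-sensitive server collations.
SELECT
    prin.name AS 'Name',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND UPPER(perm.permission_name) = N'CREATE AVAILABILITY GROUP'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';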

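PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Create DDL event notification permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-006800';
-- Server roles (principal type 'R') holding CREATE DDL EVENT NOTIFICATION, with the
-- grant state. UPPER() keeps the match correct on case-sensitive server collations.
SELECT
    prin.name AS 'Name',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND UPPER(perm.permission_name) = N'CREATE DDL EVENT NOTIFICATION'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';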

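PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Create endpoint permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-006900';
-- Server roles (principal type 'R') holding CREATE ENDPOINT, with the grant state.
-- UPPER() keeps the match correct on case-sensitive server collations.
SELECT
    prin.name AS 'Name',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND UPPER(perm.permission_name) = N'CREATE ENDPOINT'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';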


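PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Create server role permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-007000';
-- Server roles (principal type 'R') holding CREATE SERVER ROLE, with the grant state.
-- UPPER() keeps the match correct on case-sensitive server collations.
SELECT
    prin.name AS 'Name',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND UPPER(perm.permission_name) = N'CREATE SERVER ROLE'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';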

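PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Create trace event notification permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-007100';
-- Server roles (principal type 'R') holding CREATE TRACE EVENT NOTIFICATION, with the
-- grant state. UPPER() keeps the match correct on case-sensitive server collations.
SELECT
    prin.name AS 'Name',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND UPPER(perm.permission_name) = N'CREATE TRACE EVENT NOTIFICATION'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';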

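PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the External access assembly permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-007200';
-- Server roles (principal type 'R') holding EXTERNAL ACCESS ASSEMBLY, with the grant
-- state. UPPER() keeps the match correct on case-sensitive server collations.
SELECT
    prin.name AS 'Name',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND UPPER(perm.permission_name) = N'EXTERNAL ACCESS ASSEMBLY'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';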

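PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Shutdown permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-007300';
-- Server roles (principal type 'R') holding SHUTDOWN, with the grant state.
-- UPPER() keeps the match correct on case-sensitive server collations.
SELECT
    prin.name AS 'Name',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND UPPER(perm.permission_name) = N'SHUTDOWN'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';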

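PRINT 'Rule Title: SQL Server must not grant users direct access control to the Alter any server audit permission.';
PRINT 'STIG ID: SQL2-00-007400';
-- Every server principal holding ALTER ANY SERVER AUDIT, with the grant state. The
-- principal type separates direct grants to logins from role grants (the role-only
-- view is SQL2-00-006600). UPPER() keeps the match correct on case-sensitive server
-- collations, where the mixed-case literal would silently match nothing.
SELECT
    prin.name AS 'Name',
    prin.type_desc AS 'Principal Type',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE UPPER(perm.permission_name) = N'ALTER ANY SERVER AUDIT'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';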

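PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the View any database permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-007500';
-- Server roles (principal type 'R') holding VIEW ANY DATABASE, with the grant state.
-- UPPER() keeps the match correct on case-sensitive server collations, where the
-- mixed-case literal would silently match nothing.
SELECT
    prin.name AS 'Name',
    perm.permission_name AS 'Permission',
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND UPPER(perm.permission_name) = N'VIEW ANY DATABASE'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';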

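PRINT 'Rule Title: SQL Server must not grant users direct access control to the Alter any event notification permission.';
PRINT 'STIG ID: SQL2-00-007600';
-- Every server principal holding ALTER ANY EVENT NOTIFICATION, with the grant state.
-- UPPER() keeps the match correct on case-sensitive server collations, where the
-- mixed-case literal would silently match nothing.
SELECT
    prin.name AS 'Name',
    prin.type_desc AS 'Principal Type',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE UPPER(perm.permission_name) = N'ALTER ANY EVENT NOTIFICATION'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';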

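PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Connect SQL permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-007700';
-- Server roles (principal type 'R') holding CONNECT SQL, with the grant state.
-- UPPER() keeps the match correct on case-sensitive server collations.
SELECT
    prin.name AS 'Name',
    perm.permission_name AS 'Permission',
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND UPPER(perm.permission_name) = N'CONNECT SQL'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';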

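PRINT 'Rule Title: SQL Server must not grant users direct access control to the Alter server state permission.';
PRINT 'STIG ID: SQL2-00-007800';
-- Every server principal holding ALTER SERVER STATE, with the grant state (a DENY is
-- not a finding). UPPER() keeps the match correct on case-sensitive server collations,
-- where the mixed-case literal would silently match nothing.
SELECT
    prin.name AS 'Name',
    prin.type_desc AS 'Principal Type',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE UPPER(perm.permission_name) = N'ALTER SERVER STATE'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';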

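PRINT 'Rule Title: SQL Server must not grant users direct access control to the Alter any availability group permission.';
PRINT 'STIG ID: SQL2-00-007900';
-- Every server principal holding ALTER ANY AVAILABILITY GROUP, with the grant state.
-- UPPER() keeps the match correct on case-sensitive server collations, where the
-- mixed-case literal would silently match nothing.
SELECT
    prin.name AS 'Name',
    prin.type_desc AS 'Principal Type',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE UPPER(perm.permission_name) = N'ALTER ANY AVAILABILITY GROUP'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';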

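PRINT 'Rule Title: SQL Server must not grant users direct access control to the Alter any connection permission.';
PRINT 'STIG ID: SQL2-00-008000';
-- Every server principal holding ALTER ANY CONNECTION, with the grant state (a DENY is
-- not a finding). UPPER() keeps the match correct on case-sensitive server collations.
SELECT
    prin.name AS 'Name',
    prin.type_desc AS 'Principal Type',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE UPPER(perm.permission_name) = N'ALTER ANY CONNECTION'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';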

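PRINT 'Rule Title: SQL Server must not grant users direct access control to the Alter any credential permission.';
PRINT 'STIG ID: SQL2-00-008100';
-- Every server principal holding ALTER ANY CREDENTIAL, with the grant state (a DENY is
-- not a finding). UPPER() keeps the match correct on case-sensitive server collations.
SELECT
    prin.name AS 'Name',
    prin.type_desc AS 'Principal Type',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE UPPER(perm.permission_name) = N'ALTER ANY CREDENTIAL'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';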

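PRINT 'Rule Title: SQL Server must not grant users direct access control to the Alter any database permission.';
PRINT 'STIG ID: SQL2-00-008200 ';
-- Every server principal holding ALTER ANY DATABASE, with the grant state (a DENY is
-- not a finding). UPPER() keeps the match correct on case-sensitive server collations,
-- where the mixed-case literal would silently match nothing.
SELECT
    prin.name AS 'Name',
    prin.type_desc AS 'Principal Type',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE UPPER(perm.permission_name) = N'ALTER ANY DATABASE'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';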

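PRINT 'Rule Title: SQL Server must not grant users direct access control to the Alter any endpoint permission.';
PRINT 'STIG ID: SQL2-00-008300';
-- Every server principal holding ALTER ANY ENDPOINT, with the grant state (a DENY is
-- not a finding). UPPER() keeps the match correct on case-sensitive server collations.
SELECT
    prin.name AS 'Name',
    prin.type_desc AS 'Principal Type',
    perm.permission_name,
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE UPPER(perm.permission_name) = N'ALTER ANY ENDPOINT'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';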

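PRINT 'Rule Title: SQL Server must enforce access control policies to restrict the Unsafe assembly permission to only authorized roles.';
PRINT 'STIG ID: SQL2-00-008400';
-- Server roles (principal type 'R') holding UNSAFE ASSEMBLY, with the grant state.
-- UPPER() keeps the match correct on case-sensitive server collations, where the
-- mixed-case literal would silently match nothing.
SELECT
    prin.name AS 'Name',
    perm.permission_name AS 'Permission',
    perm.state_desc AS 'State'
FROM sys.server_principals AS prin
INNER JOIN sys.server_permissions AS perm
    ON prin.principal_id = perm.grantee_principal_id
WHERE prin.type = 'R'
  AND UPPER(perm.permission_name) = N'UNSAFE ASSEMBLY'
ORDER BY prin.name;
PRINT '---------------------------------------------------------------------------------------';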

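PRINT 'Rule Title: SQL Server must enforce DAC policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both; limiting propagation of access rights; and including or excluding access to the granularity of a single user.';
PRINT 'STIG ID: SQL2-00-008500';
PRINT 'Check 1 Users';
-- The local machine Administrator login is excluded by name. @server_name and
-- @admin_Account_name are declared earlier in the script.
SELECT @server_name = name FROM sys.servers WHERE server_id = 0;
SET @admin_Account_name = @server_name + '\Administrator';

-- Server-level permissions held directly by logins (key-mapped 'K', SQL 'S', Windows 'U'),
-- skipping fixed principals (principal_id <= 10) and the built-in service logins. The
-- grantor and the permission class are reported so the reviewer can see who handed out
-- each right and what it applies to; the ps/us joins were previously made but never read.
-- us is only meaningful for class 101 (SERVER_PRINCIPAL), where major_id is a principal
-- id; for other classes major_id refers to another object, so the join is guarded.
SELECT
    pe.grantee_principal_id,
    pr.type AS 'Grantee_Type',
    pr.name AS 'Grantee_Name',
    pe.type,
    pe.permission_name,
    pe.state,
    pe.state_desc,
    pe.class_desc AS 'Class',
    ps.name AS 'Grantor_Name',
    us.name AS 'Target_Principal'
FROM sys.server_permissions AS pe
INNER JOIN sys.server_principals AS pr
    ON pe.grantee_principal_id = pr.principal_id
INNER JOIN sys.server_principals AS ps
    ON pe.grantor_principal_id = ps.principal_id
LEFT JOIN sys.server_principals AS us
    ON pe.class = 101 AND us.principal_id = pe.major_id
WHERE pr.type IN ('K', 'S', 'U')
  AND pe.grantee_principal_id > 10
  AND pr.name NOT IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt')
  AND pr.name <> @admin_Account_name
ORDER BY CASE pr.type WHEN 'K' THEN 1 WHEN 'S' THEN 2 WHEN 'U' THEN 3 ELSE 4 END, pr.name;

PRINT 'Check 2 Roles';
SELECT @server_name = name FROM sys.servers WHERE server_id = 0;
SET @admin_Account_name = @server_name + '\Administrator';

-- Same permission listing for user-defined server roles (type 'R'), ordered so DENY and
-- GRANT WITH GRANT OPTION rows (the ones that affect propagation) come first.
SELECT
    pe.grantee_principal_id,
    pr.type AS 'Grantee_Type',
    pr.name AS 'Grantee_Name',
    pe.type,
    pe.permission_name,
    pe.state,
    pe.state_desc,
    pe.class_desc AS 'Class',
    ps.name AS 'Grantor_Name',
    us.name AS 'Target_Principal'
FROM sys.server_permissions AS pe
INNER JOIN sys.server_principals AS pr
    ON pe.grantee_principal_id = pr.principal_id
INNER JOIN sys.server_principals AS ps
    ON pe.grantor_principal_id = ps.principal_id
LEFT JOIN sys.server_principals AS us
    ON pe.class = 101 AND us.principal_id = pe.major_id
WHERE pr.type IN ('R')
  AND pe.grantee_principal_id > 10
  AND pr.name NOT IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt')
  AND pr.name <> @admin_Account_name
ORDER BY CASE pe.state WHEN 'D' THEN 1 WHEN 'W' THEN 2 WHEN 'G' THEN 3 ELSE 4 END, pr.name;
PRINT '---------------------------------------------------------------------------------------';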


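PRINT 'Rule Title: SQL Server must enforce separation of duties through assigned information access authorizations.';
PRINT 'STIG ID: SQL2-00-008800';
PRINT 'Check 1 Users';
-- The local machine Administrator login is excluded by name. @server_name and
-- @admin_Account_name are declared earlier in the script.
SELECT @server_name = name FROM sys.servers WHERE server_id = 0;
SET @admin_Account_name = @server_name + '\Administrator';

-- Server-level permissions held directly by logins (key-mapped 'K', SQL 'S', Windows 'U'),
-- skipping fixed principals (principal_id <= 10) and the built-in service logins. The
-- grantor and the permission class are reported so the reviewer can see who handed out
-- each right and what it applies to; the ps/us joins were previously made but never read.
-- us is only meaningful for class 101 (SERVER_PRINCIPAL), where major_id is a principal
-- id; for other classes major_id refers to another object, so the join is guarded.
SELECT
    pe.grantee_principal_id,
    pr.type AS 'Grantee_Type',
    pr.name AS 'Grantee_Name',
    pe.type,
    pe.permission_name,
    pe.state,
    pe.state_desc,
    pe.class_desc AS 'Class',
    ps.name AS 'Grantor_Name',
    us.name AS 'Target_Principal'
FROM sys.server_permissions AS pe
INNER JOIN sys.server_principals AS pr
    ON pe.grantee_principal_id = pr.principal_id
INNER JOIN sys.server_principals AS ps
    ON pe.grantor_principal_id = ps.principal_id
LEFT JOIN sys.server_principals AS us
    ON pe.class = 101 AND us.principal_id = pe.major_id
WHERE pr.type IN ('K', 'S', 'U')
  AND pe.grantee_principal_id > 10
  AND pr.name NOT IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt')
  AND pr.name <> @admin_Account_name
ORDER BY CASE pr.type WHEN 'K' THEN 1 WHEN 'S' THEN 2 WHEN 'U' THEN 3 ELSE 4 END, pr.name;

PRINT 'Check 2 Roles';
SELECT @server_name = name FROM sys.servers WHERE server_id = 0;
SET @admin_Account_name = @server_name + '\Administrator';

-- Same permission listing for user-defined server roles (type 'R'), ordered so DENY and
-- GRANT WITH GRANT OPTION rows come first.
SELECT
    pe.grantee_principal_id,
    pr.type AS 'Grantee_Type',
    pr.name AS 'Grantee_Name',
    pe.type,
    pe.permission_name,
    pe.state,
    pe.state_desc,
    pe.class_desc AS 'Class',
    ps.name AS 'Grantor_Name',
    us.name AS 'Target_Principal'
FROM sys.server_permissions AS pe
INNER JOIN sys.server_principals AS pr
    ON pe.grantee_principal_id = pr.principal_id
INNER JOIN sys.server_principals AS ps
    ON pe.grantor_principal_id = ps.principal_id
LEFT JOIN sys.server_principals AS us
    ON pe.class = 101 AND us.principal_id = pe.major_id
WHERE pr.type IN ('R')
  AND pe.grantee_principal_id > 10
  AND pr.name NOT IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt')
  AND pr.name <> @admin_Account_name
ORDER BY CASE pe.state WHEN 'D' THEN 1 WHEN 'W' THEN 2 WHEN 'G' THEN 3 ELSE 4 END, pr.name;
PRINT '---------------------------------------------------------------------------------------';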

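PRINT 'Rule Title: SQL Server must restrict access to sensitive information to authorized user roles.';
PRINT 'STIG ID: SQL2-00-009000';

-- The local machine Administrator login is excluded by name. @server_name and
-- @admin_Account_name are declared earlier in the script.
SELECT @server_name = name FROM sys.servers WHERE server_id = 0;
SET @admin_Account_name = @server_name + '\Administrator';

-- Server-level permissions held by user-defined server roles (type 'R'), skipping fixed
-- principals (principal_id <= 10) and the built-in service logins, ordered so DENY and
-- GRANT WITH GRANT OPTION rows come first. The grantor and the permission class are
-- reported so the reviewer can see who handed out each right and what it applies to;
-- the ps/us joins were previously made but never read. us is only meaningful for class
-- 101 (SERVER_PRINCIPAL), where major_id is a principal id, so the join is guarded.
SELECT
    pe.grantee_principal_id,
    pr.type AS 'Grantee_Type',
    pr.name AS 'Grantee_Name',
    pe.type,
    pe.permission_name,
    pe.state,
    pe.state_desc,
    pe.class_desc AS 'Class',
    ps.name AS 'Grantor_Name',
    us.name AS 'Target_Principal'
FROM sys.server_permissions AS pe
INNER JOIN sys.server_principals AS pr
    ON pe.grantee_principal_id = pr.principal_id
INNER JOIN sys.server_principals AS ps
    ON pe.grantor_principal_id = ps.principal_id
LEFT JOIN sys.server_principals AS us
    ON pe.class = 101 AND us.principal_id = pe.major_id
WHERE pr.type IN ('R')
  AND pe.grantee_principal_id > 10
  AND pr.name NOT IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt')
  AND pr.name <> @admin_Account_name
ORDER BY CASE pe.state WHEN 'D' THEN 1 WHEN 'W' THEN 2 WHEN 'G' THEN 3 ELSE 4 END, pr.name;
PRINT '---------------------------------------------------------------------------------------';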

PRINT 'Rule Title: Administrators must utilize a separate, distinct administrative account when performing administrative activities, accessing database security functions, or accessing security-relevant information within SQL Server.';
PRINT 'STIG ID: SQL2-00-009600';
-- One row per login per privilege: server role memberships first ('Role: <name>'), then
-- explicit server permissions ('<state> <permission>'), combined with UNION ALL (no
-- dedup needed, the two halves cannot overlap) and sorted by login and privilege text.
SELECT
    member.[name] AS 'Login',
    'Role: ' + role.[name] COLLATE DATABASE_DEFAULT AS 'ServerPermission'
FROM sys.server_role_members AS membership
INNER JOIN sys.server_principals AS member
    ON member.principal_id = membership.member_principal_id
INNER JOIN sys.server_principals AS role
    ON role.principal_id = membership.role_principal_id
UNION ALL
SELECT
    grantee.[name] AS 'Login',
    grant_row.state_desc + ' ' + grant_row.permission_name COLLATE DATABASE_DEFAULT AS 'ServerPermission'
FROM sys.server_permissions AS grant_row
INNER JOIN sys.server_principals AS grantee
    ON grantee.principal_id = grant_row.grantee_principal_id
ORDER BY [Login], [ServerPermission];
PRINT '---------------------------------------------------------------------------------------';

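PRINT 'Rule Title: SQL Server auditing configuration maximum file size must be configured to reduce the likelihood of storage capacity being exceeded, while meeting organization-defined auditing requirements.';
PRINT 'STIG ID: SQL2-00-010400';
-- sys.traces.max_size is the per-trace file cap in MB. COALESCE makes an instance with
-- no traces at all report 0 (itself a finding) instead of a blank NULL, and the trace
-- count shows how many files the total is spread over.
SELECT
    COALESCE(SUM(max_size), 0) AS 'Total Max Size (MB)',
    COUNT(*) AS 'Traces'
FROM sys.traces;
PRINT '---------------------------------------------------------------------------------------';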

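PRINT 'Rule Title: SQL Server auditing configuration maximum number of files must be configured to reduce the likelihood of storage capacity being exceeded, while meeting organization-defined auditing requirements.';
PRINT 'STIG ID: SQL2-00-010500';
-- Upper bound on trace storage: per-trace file cap (max_size, MB) times the rollover file
-- cap (max_files). A trace with max_files NULL has no file cap, so its product is NULL
-- and SUM() silently drops it; those traces are counted separately so the total is not
-- mistaken for a complete bound. COALESCE reports 0 rather than NULL when there are no
-- traces.
SELECT
    COALESCE(SUM(max_size * max_files), 0) AS 'Total Max Size (MB)',
    COUNT(*) AS 'Traces',
    SUM(CASE WHEN max_files IS NULL THEN 1 ELSE 0 END) AS 'Traces Without File Cap'
FROM sys.traces;
PRINT '---------------------------------------------------------------------------------------';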

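PRINT 'Rule Title: SQL Server utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.';
PRINT 'STIG ID: SQL2-00-011000';
-- Every server permission whose state is not a plain GRANT; GRANT_WITH_GRANT_OPTION is
-- the state that lets a grantee propagate the right onward, DENY rows appear here too
-- and are not findings. Columns are named instead of SELECT * so the output is stable,
-- and the grantee id is resolved to a name (LEFT JOIN so no row is lost if it does not
-- resolve).
SELECT
    pe.class,
    pe.class_desc,
    pe.major_id,
    pe.minor_id,
    pe.grantee_principal_id,
    pr.name AS 'Grantee_Name',
    pe.grantor_principal_id,
    pe.type,
    pe.permission_name,
    pe.state,
    pe.state_desc
FROM sys.server_permissions AS pe
LEFT JOIN sys.server_principals AS pr
    ON pr.principal_id = pe.grantee_principal_id
WHERE pe.state_desc <> 'GRANT'
ORDER BY pr.name, pe.permission_name;
PRINT '---------------------------------------------------------------------------------------';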


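PRINT 'Rule Title: SQL Server utilizing Discretionary Access Control (DAC) must enforce a policy that includes or excludes access to the granularity of a single user.';
PRINT 'STIG ID: SQL2-00-011100';
PRINT 'Check 1 Users';
-- The local machine Administrator login is excluded by name. @server_name and
-- @admin_Account_name are declared earlier in the script; they are refreshed here so the
-- first check does not depend on an earlier rule having set them.
SELECT @server_name = name FROM sys.servers WHERE server_id = 0;
SET @admin_Account_name = @server_name + '\Administrator';

-- Server-level permissions held directly by logins (key-mapped 'K', SQL 'S', Windows 'U'),
-- skipping fixed principals (principal_id <= 10) and the built-in service logins. The
-- grantor and the permission class are reported so the reviewer can see who handed out
-- each right and what it applies to; the ps/us joins were previously made but never read.
-- us is only meaningful for class 101 (SERVER_PRINCIPAL), where major_id is a principal
-- id; for other classes major_id refers to another object, so the join is guarded.
SELECT
    pe.grantee_principal_id,
    pr.type AS 'Grantee_Type',
    pr.name AS 'Grantee_Name',
    pe.type,
    pe.permission_name,
    pe.state,
    pe.state_desc,
    pe.class_desc AS 'Class',
    ps.name AS 'Grantor_Name',
    us.name AS 'Target_Principal'
FROM sys.server_permissions AS pe
INNER JOIN sys.server_principals AS pr
    ON pe.grantee_principal_id = pr.principal_id
INNER JOIN sys.server_principals AS ps
    ON pe.grantor_principal_id = ps.principal_id
LEFT JOIN sys.server_principals AS us
    ON pe.class = 101 AND us.principal_id = pe.major_id
WHERE pr.type IN ('K', 'S', 'U')
  AND pe.grantee_principal_id > 10
  AND pr.name NOT IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt')
  AND pr.name <> @admin_Account_name
ORDER BY CASE pr.type WHEN 'K' THEN 1 WHEN 'S' THEN 2 WHEN 'U' THEN 3 ELSE 4 END, pr.name;

PRINT 'Check 2 Roles';
SELECT @server_name = name FROM sys.servers WHERE server_id = 0;
SET @admin_Account_name = @server_name + '\Administrator';

-- Same permission listing for user-defined server roles (type 'R'), ordered so DENY and
-- GRANT WITH GRANT OPTION rows come first.
SELECT
    pe.grantee_principal_id,
    pr.type AS 'Grantee_Type',
    pr.name AS 'Grantee_Name',
    pe.type,
    pe.permission_name,
    pe.state,
    pe.state_desc,
    pe.class_desc AS 'Class',
    ps.name AS 'Grantor_Name',
    us.name AS 'Target_Principal'
FROM sys.server_permissions AS pe
INNER JOIN sys.server_principals AS pr
    ON pe.grantee_principal_id = pr.principal_id
INNER JOIN sys.server_principals AS ps
    ON pe.grantor_principal_id = ps.principal_id
LEFT JOIN sys.server_principals AS us
    ON pe.class = 101 AND us.principal_id = pe.major_id
WHERE pr.type IN ('R')
  AND pe.grantee_principal_id > 10
  AND pr.name NOT IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt')
  AND pr.name <> @admin_Account_name
ORDER BY CASE pe.state WHEN 'D' THEN 1 WHEN 'W' THEN 2 WHEN 'G' THEN 3 ELSE 4 END, pr.name;
PRINT '---------------------------------------------------------------------------------------';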

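PRINT 'Rule Title: SQL Server must generate audit records for the DoD-selected list of auditable events.';
PRINT 'STIG ID: SQL2-00-011400';
-- One result set per running trace listing the distinct event ids it captures, for
-- comparison against the required event list. @id is declared at the top of the script.
-- The cursor is LOCAL so a cursor named c left open by an earlier failed batch cannot
-- collide with it, and the id is cast to nvarchar(10), which holds any int; the previous
-- nvarchar(3) would not render a trace id above 999 correctly.
DECLARE c CURSOR LOCAL READ_ONLY FAST_FORWARD FOR
    SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0);
OPEN c;
FETCH NEXT FROM c INTO @id;
WHILE @@FETCH_STATUS = 0
BEGIN
    PRINT N'Showing results for Trace ID: ' + CAST(@id AS nvarchar(10));
    SELECT DISTINCT eventid FROM sys.fn_trace_geteventinfo(@id);
    FETCH NEXT FROM c INTO @id;
END;
CLOSE c;
DEALLOCATE c;
PRINT '---------------------------------------------------------------------------------------';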

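PRINT 'Rule Title: SQL Server must produce audit records containing sufficient information to establish what type of events occurred.';
PRINT 'STIG ID: SQL2-00-011800';
-- One result set per running trace listing the distinct event ids it captures; the
-- event id is what identifies the event type in the trace. @id is declared at the top of
-- the script. The cursor is LOCAL so it cannot collide with a global cursor named c, and
-- the id is cast to nvarchar(10), which holds any int (nvarchar(3) would not render a
-- trace id above 999 correctly).
DECLARE c CURSOR LOCAL READ_ONLY FAST_FORWARD FOR
    SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0);
OPEN c;
FETCH NEXT FROM c INTO @id;
WHILE @@FETCH_STATUS = 0
BEGIN
    PRINT N'Showing results for Trace ID: ' + CAST(@id AS nvarchar(10));
    SELECT DISTINCT eventid FROM sys.fn_trace_geteventinfo(@id);
    FETCH NEXT FROM c INTO @id;
END;
CLOSE c;
DEALLOCATE c;
PRINT '---------------------------------------------------------------------------------------';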

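PRINT 'Rule Title: SQL Server must produce audit records containing sufficient information to establish when (date and time) the events occurred.';
PRINT 'STIG ID: SQL2-00-011900';
-- One result set per running trace listing the distinct event ids it captures. @id is
-- declared at the top of the script. The cursor is LOCAL so it cannot collide with a
-- global cursor named c, and the id is cast to nvarchar(10), which holds any int
-- (nvarchar(3) would not render a trace id above 999 correctly).
DECLARE c CURSOR LOCAL READ_ONLY FAST_FORWARD FOR
    SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0);
OPEN c;
FETCH NEXT FROM c INTO @id;
WHILE @@FETCH_STATUS = 0
BEGIN
    PRINT N'Showing results for Trace ID: ' + CAST(@id AS nvarchar(10));
    SELECT DISTINCT eventid FROM sys.fn_trace_geteventinfo(@id);
    FETCH NEXT FROM c INTO @id;
END;
CLOSE c;
DEALLOCATE c;
PRINT '---------------------------------------------------------------------------------------';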

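PRINT 'Rule Title: SQL Server must produce audit records containing sufficient information to establish where the events occurred.';
PRINT 'STIG ID: SQL2-00-012000';
-- One row per running trace with its file path (fn_trace_getinfo property 2), which is
-- what shows where the audit records are written. A rowset (Profiler) trace has no
-- file and shows NULL here.
SELECT
    traceid,
    value AS 'Trace File'
FROM sys.fn_trace_getinfo(0)
WHERE property = 2
ORDER BY traceid;
PRINT '---------------------------------------------------------------------------------------';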

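PRINT 'Rule Title: SQL Server must produce audit records containing sufficient information to establish the sources (origins) of the events.';
PRINT 'STIG ID: SQL2-00-012100';
-- One result set per running trace listing the distinct event ids it captures. @id is
-- declared at the top of the script. The cursor is LOCAL so it cannot collide with a
-- global cursor named c, and the id is cast to nvarchar(10), which holds any int
-- (nvarchar(3) would not render a trace id above 999 correctly).
DECLARE c CURSOR LOCAL READ_ONLY FAST_FORWARD FOR
    SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0);
OPEN c;
FETCH NEXT FROM c INTO @id;
WHILE @@FETCH_STATUS = 0
BEGIN
    PRINT N'Showing results for Trace ID: ' + CAST(@id AS nvarchar(10));
    SELECT DISTINCT eventid FROM sys.fn_trace_geteventinfo(@id);
    FETCH NEXT FROM c INTO @id;
END;
CLOSE c;
DEALLOCATE c;
PRINT '---------------------------------------------------------------------------------------';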

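PRINT 'Rule Title: SQL Server must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.';
PRINT 'STIG ID: SQL2-00-012200';
-- One result set per running trace listing the distinct event ids it captures. @id is
-- declared at the top of the script. The cursor is LOCAL so it cannot collide with a
-- global cursor named c, and the id is cast to nvarchar(10), which holds any int
-- (nvarchar(3) would not render a trace id above 999 correctly).
DECLARE c CURSOR LOCAL READ_ONLY FAST_FORWARD FOR
    SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0);
OPEN c;
FETCH NEXT FROM c INTO @id;
WHILE @@FETCH_STATUS = 0
BEGIN
    PRINT N'Showing results for Trace ID: ' + CAST(@id AS nvarchar(10));
    SELECT DISTINCT eventid FROM sys.fn_trace_geteventinfo(@id);
    FETCH NEXT FROM c INTO @id;
END;
CLOSE c;
DEALLOCATE c;
PRINT '---------------------------------------------------------------------------------------';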

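PRINT 'Rule Title: SQL Server must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.';
PRINT 'STIG ID: SQL2-00-012300';
-- One result set per running trace listing the distinct event ids it captures. @id is
-- declared at the top of the script. The cursor is LOCAL so it cannot collide with a
-- global cursor named c, and the id is cast to nvarchar(10), which holds any int
-- (nvarchar(3) would not render a trace id above 999 correctly).
DECLARE c CURSOR LOCAL READ_ONLY FAST_FORWARD FOR
    SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0);
OPEN c;
FETCH NEXT FROM c INTO @id;
WHILE @@FETCH_STATUS = 0
BEGIN
    PRINT N'Showing results for Trace ID: ' + CAST(@id AS nvarchar(10));
    SELECT DISTINCT eventid FROM sys.fn_trace_geteventinfo(@id);
    FETCH NEXT FROM c INTO @id;
END;
CLOSE c;
DEALLOCATE c;
PRINT '---------------------------------------------------------------------------------------';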

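PRINT 'Rule Title: SQL Server must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.';
PRINT 'STIG ID: SQL2-00-012400';
-- One result set per running trace listing the distinct event ids it captures. @id is
-- declared at the top of the script. The cursor is LOCAL so it cannot collide with a
-- global cursor named c, and the id is cast to nvarchar(10), which holds any int
-- (nvarchar(3) would not render a trace id above 999 correctly).
DECLARE c CURSOR LOCAL READ_ONLY FAST_FORWARD FOR
    SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0);
OPEN c;
FETCH NEXT FROM c INTO @id;
WHILE @@FETCH_STATUS = 0
BEGIN
    PRINT N'Showing results for Trace ID: ' + CAST(@id AS nvarchar(10));
    SELECT DISTINCT eventid FROM sys.fn_trace_geteventinfo(@id);
    FETCH NEXT FROM c INTO @id;
END;
CLOSE c;
DEALLOCATE c;
PRINT '---------------------------------------------------------------------------------------';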

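PRINT 'Rule Title: SQL Server must shutdown immediately in the event of an audit failure, unless an alternative audit capability exists.';
PRINT 'STIG ID: SQL2-00-012800';
-- One result set per running trace listing the distinct event ids it captures. @id is
-- declared at the top of the script. The cursor is LOCAL so it cannot collide with a
-- global cursor named c, and the id is cast to nvarchar(10), which holds any int
-- (nvarchar(3) would not render a trace id above 999 correctly).
DECLARE c CURSOR LOCAL READ_ONLY FAST_FORWARD FOR
    SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0);
OPEN c;
FETCH NEXT FROM c INTO @id;
WHILE @@FETCH_STATUS = 0
BEGIN
    PRINT N'Showing results for Trace ID: ' + CAST(@id AS nvarchar(10));
    SELECT DISTINCT eventid FROM sys.fn_trace_geteventinfo(@id);
    FETCH NEXT FROM c INTO @id;
END;
CLOSE c;
DEALLOCATE c;
PRINT '---------------------------------------------------------------------------------------';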

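PRINT 'Rule Title: SQL Server must audit attempts to bypass access controls.'
PRINT 'STIG ID: SQL2-00-013400'
-- Distinct events captured by every trace, with the event name from sys.trace_events so
-- the reviewer can pick out the Audit ... events without a lookup table. This is the
-- set-based form of the cursor loop it replaces (sys.traces lists the same ids as
-- fn_trace_getinfo(0)); output is ordered so consecutive runs are comparable.
-- Requires ALTER TRACE; returns no rows when no trace is defined.
SELECT DISTINCT
       t.id       AS [Trace ID],
       ei.eventid AS [Event ID],
       te.name    AS [Event Name]
FROM sys.traces AS t
CROSS APPLY sys.fn_trace_geteventinfo(t.id) AS ei
LEFT JOIN sys.trace_events AS te ON te.trace_event_id = ei.eventid
ORDER BY t.id, ei.eventid;
PRINT '---------------------------------------------------------------------------------------';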

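PRINT 'Rule Title: SQL Server must protect audit information from any type of unauthorized access.'
PRINT 'STIG ID: SQL2-00-013600'
-- Audit data lives outside the engine, so protection is an OS-level (NTFS ACL) review of
-- the files: the SQL Trace output files and, if SQL Server Audit is used, its log files
-- or the Windows event log (type_desc). Both locations are enumerated here; the original
-- listed trace paths only. A trace with a NULL path is a rowset trace (e.g. Profiler)
-- with no file to protect.
SELECT id AS [Trace ID], path, is_rowset, is_rollover, max_size, max_files
FROM sys.traces
ORDER BY id;

SELECT a.name, a.type_desc, a.is_state_enabled, f.log_file_path, f.log_file_name
FROM sys.server_audits AS a
LEFT JOIN sys.server_file_audits AS f ON f.audit_id = a.audit_id
ORDER BY a.name;
PRINT '---------------------------------------------------------------------------------------';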

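PRINT 'Rule Title: SQL Server must protect audit information from unauthorized modification.'
PRINT 'STIG ID: SQL2-00-013700'
-- Same evidence as the access check: the trace files and SQL Server Audit targets whose
-- write/modify permissions have to be reviewed at the OS. Rowset traces (NULL path) have
-- no file; audits writing to the Windows event log (type_desc) are protected by the
-- event log ACLs rather than a file path.
SELECT id AS [Trace ID], path, is_rowset, is_rollover, max_size, max_files
FROM sys.traces
ORDER BY id;

SELECT a.name, a.type_desc, a.is_state_enabled, f.log_file_path, f.log_file_name
FROM sys.server_audits AS a
LEFT JOIN sys.server_file_audits AS f ON f.audit_id = a.audit_id
ORDER BY a.name;
PRINT '---------------------------------------------------------------------------------------';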

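PRINT 'Rule Title: SQL Server must protect audit information from unauthorized deletion.'
PRINT 'STIG ID: SQL2-00-013800'
-- Same evidence as the access and modification checks: every location audit data is
-- written to, so delete permissions on those paths can be reviewed at the OS. Rollover
-- traces (is_rollover = 1, max_files) overwrite their own oldest files by design; the
-- reviewer needs to know that when judging retention. Rowset traces have no file.
SELECT id AS [Trace ID], path, is_rowset, is_rollover, max_size, max_files
FROM sys.traces
ORDER BY id;

SELECT a.name, a.type_desc, a.is_state_enabled, f.log_file_path, f.log_file_name
FROM sys.server_audits AS a
LEFT JOIN sys.server_file_audits AS f ON f.audit_id = a.audit_id
ORDER BY a.name;
PRINT '---------------------------------------------------------------------------------------';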

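PRINT 'Rule Title: SQL Server must have the publicly available NorthWind sample database removed.'
PRINT 'STIG ID: SQL2-00-016200'
-- sysdatabases is a SQL Server 2000-era compatibility view kept only for backward
-- compatibility; sys.databases is the supported catalog. Any row returned is a finding:
-- the sample database, or a copy named after it, is still attached (state_desc shows
-- whether it is even online).
SELECT name, state_desc
FROM sys.databases
WHERE name LIKE 'Northwind%'
ORDER BY name;
PRINT '---------------------------------------------------------------------------------------';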

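PRINT 'Rule Title: SQL Server must have the publicly available AdventureWorks sample database removed.'
PRINT 'STIG ID: SQL2-00-016300'
-- sysdatabases is a SQL Server 2000-era compatibility view; sys.databases is the
-- supported catalog. Any row returned is a finding: an AdventureWorks variant (the
-- prefix match also catches AdventureWorksDW, AdventureWorksLT, ...) is still attached.
SELECT name, state_desc
FROM sys.databases
WHERE name LIKE 'AdventureWorks%'
ORDER BY name;
PRINT '---------------------------------------------------------------------------------------';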

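PRINT 'Rule Title: SQL Server default account sa must be disabled.'
PRINT 'STIG ID: SQL2-00-017100'
-- sa keeps SID 0x01 whatever it has been renamed to, so it is looked up by SID rather
-- than by name; is_disabled = 1 is the compliant state. The explanatory comment is on
-- its own line: in the original it trailed the PRINT and, as the script is laid out,
-- commented out the SELECT and the separator that followed it.
SELECT name,
       is_disabled AS [Disabled]
FROM sys.sql_logins
WHERE sid = 0x01;
PRINT '---------------------------------------------------------------------------------------';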


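PRINT 'Rule Title: Access to xp_cmdshell must be disabled.'
PRINT 'STIG ID: SQL2-00-017200'
-- The original only printed an sp_configure recipe for the reviewer to run by hand,
-- described it as configuring the server although it merely displays the value, and
-- the recipe itself changes a server setting ('show advanced options' + RECONFIGURE
-- WITH OVERRIDE) on the instance being audited. sys.configurations exposes the same
-- setting read-only and with no side effect: value is the configured setting,
-- value_in_use the running one; both must be 0. Remediation, if needed, is
-- EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE; (after enabling advanced options).
SELECT name, value, value_in_use, description
FROM sys.configurations
WHERE name = 'xp_cmdshell';
PRINT '---------------------------------------------------------------------------------------';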

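PRINT 'Rule Title: SQL Server must specifically prohibit or restrict the use of unauthorized functions and services in each instance.'
PRINT 'STIG ID: SQL2-00-017300'
-- Every routine not shipped by Microsoft, in every database, for comparison with the
-- list of authorised functions/procedures. Changes from the original:
--   * the FN/P filter is widened to inline and multi-statement TVFs (IF, TF), CLR
--     functions and procedures (FS, FT, PC) and extended procedures (X) - they are
--     functions and services too and hide from a P/FN-only query;
--   * USE [?] replaces the ?.sys.objects three-part name, which broke on database
--     names needing brackets; the name is reported with DB_NAME();
--   * the count-then-select pair becomes IF EXISTS + one SELECT with explicit columns.
-- NOTE: sp_MSforeachdb is undocumented and known to skip databases under load, and it
-- will error on databases that cannot be opened (offline/restoring); treat a missing
-- database as "not verified", not "clean".
EXEC sp_MSforeachdb 'USE [?];
IF EXISTS (SELECT 1
           FROM sys.objects
           WHERE type IN (''FN'', ''IF'', ''TF'', ''FS'', ''FT'', ''P'', ''PC'', ''X'')
             AND is_ms_shipped = 0)
    SELECT DB_NAME()              AS [Database Name],
           SCHEMA_NAME(schema_id) AS [Schema],
           name                   AS [Object Name],
           type_desc              AS [Object Type],
           create_date,
           modify_date
    FROM sys.objects
    WHERE type IN (''FN'', ''IF'', ''TF'', ''FS'', ''FT'', ''P'', ''PC'', ''X'')
      AND is_ms_shipped = 0
    ORDER BY [Schema], [Object Name];';
PRINT '---------------------------------------------------------------------------------------';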

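PRINT 'Rule Title: SQL Server must recover to a known state that is verifiable.'
PRINT 'STIG ID: SQL2-00-017500'
-- Instance-wide list of transaction log files. sys.master_files is the documented,
-- master-resident catalog of every database's files, so this needs neither the
-- undocumented sp_MSforeachdb nor access to each database. Databases that are not
-- online still appear (see state_desc) where the original's state = 0 filter silently
-- dropped them. Column aliases are kept from the original report.
-- size/max_size/growth are in 8 KB pages (growth is a percentage when
-- is_percent_growth = 1; max_size = -1 means no limit). For tempdb the values reflect
-- the configured start-up size, not the current one.
SELECT DB_NAME(database_id) AS [database name],
       name                 AS [log file name],
       physical_name        AS [log file location and name],
       state_desc,
       size,
       max_size,
       growth,
       is_percent_growth
FROM sys.master_files
WHERE type_desc = 'LOG'
ORDER BY [database name], name;
PRINT '---------------------------------------------------------------------------------------';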

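PRINT 'Rule Title: SQL Server must have transaction logging enabled.'
PRINT 'STIG ID: SQL2-00-017600'
-- sys.database_files only describes the database the script happens to run in, so the
-- original checked one database and reported on the instance. sys.master_files covers
-- every database: one ONLINE log file per database is the expected result and any
-- database missing from the list needs investigation. state_desc holds 'ONLINE' in
-- upper case; matching it exactly keeps the filter correct under a case-sensitive
-- server collation, where the original 'online' would match nothing.
SELECT DB_NAME(database_id) AS [Database Name],
       name                 AS [Log File Name],
       physical_name        AS [Log File Path],
       state_desc,
       size,               -- 8 KB pages
       max_size,           -- 8 KB pages, -1 = unlimited
       growth,
       is_percent_growth
FROM sys.master_files
WHERE type_desc = 'LOG'
  AND state_desc = 'ONLINE'
ORDER BY [Database Name], name;
PRINT '---------------------------------------------------------------------------------------';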

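PRINT 'Rule Title: SQL Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).'
PRINT 'STIG ID: SQL2-00-018400'
-- Logins that represent users or groups of users, for review against the list of
-- authorised individuals. Excluded by type: C = certificate-mapped login, R = server
-- role, U = Windows login; left in: S = SQL login, G = Windows group (a group login is
-- exactly what this rule needs eyes on), K = asymmetric-key-mapped login. The two
-- ##MS_Policy...## logins are engine-internal and sa (fixed SID 0x01, whatever its
-- current name) is covered by its own rules. Disabled logins stay in the list, flagged.
-- LOGINPROPERTY returns NULL for anything that is not a SQL login.
-- The inline comments of the original sat at the end of the PRINT/WHERE line and, as
-- the script is laid out, commented out the clauses and the separator after them; they
-- are on their own lines here.
SELECT name                                             AS [Account Name],
       CASE WHEN is_disabled = 1 THEN 'Yes' ELSE '' END AS [Is Disabled],
       create_date                                      AS [Account Create Date],
       LOGINPROPERTY(name, 'PasswordLastSetTime')       AS [Password Last Set on]
FROM sys.server_principals
WHERE type NOT IN ('C', 'R', 'U')
  AND name NOT IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##')
  AND sid <> CONVERT(VARBINARY(85), 0x01)
ORDER BY name;
PRINT '---------------------------------------------------------------------------------------';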

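PRINT 'Rule Title: SQL Server must ensure users are authenticated with an individual authenticator prior to using a group authenticator.'
PRINT 'STIG ID: SQL2-00-018500'
-- User-defined roles (the group authenticators inside a database) in every database.
-- The original read sys.sysusers - a SQL Server 2000 compatibility view - for the
-- current database only, picked roles by the legacy uid > 16000 range and excluded the
-- fixed roles by name. sys.database_principals is the supported catalog:
-- is_fixed_role = 0 drops the fixed roles directly, public (which every user holds and
-- the original's uid filter also skipped) is excluded explicitly, and application roles
-- are included because they are group authenticators as well. Each database produces
-- its own result set; databases with nothing to report produce none.
-- NOTE: sp_MSforeachdb is undocumented, may skip databases under load and errors on
-- databases that cannot be opened; an absent database is "not verified", not "clean".
EXEC sp_MSforeachdb 'USE [?];
IF EXISTS (SELECT 1
           FROM sys.database_principals
           WHERE type IN (''R'', ''A'')
             AND is_fixed_role = 0
             AND name <> ''public'')
    SELECT DB_NAME() AS [Database Name],
           principal_id,
           name,
           type_desc,
           create_date
    FROM sys.database_principals
    WHERE type IN (''R'', ''A'')
      AND is_fixed_role = 0
      AND name <> ''public''
    ORDER BY type_desc, name;';
PRINT '---------------------------------------------------------------------------------------';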

PRINT 'Rule Title: SQL Server default account sa must have its password changed.'
PRINT 'STIG ID: SQL2-00-018800'
-- The sa login is identified by its fixed SID (0x01) so a rename does not hide it;
-- the reviewer compares the last password change against the installation date and
-- the site's change policy. LOGINPROPERTY is valid here because sa is a SQL login.
SELECT name                                       AS [Account],
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS [Time of Last Password Change]
FROM sys.sql_logins
WHERE sid = 0x01;
PRINT '---------------------------------------------------------------------------------------';

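PRINT 'Rule Title: SQL Server must protect data at rest and ensure confidentiality and integrity of data.'
PRINT 'STIG ID: SQL2-00-021300'
-- is_encrypted only records that ALTER DATABASE ... SET ENCRYPTION ON was issued; the
-- engine's actual state is sys.dm_database_encryption_keys.encryption_state
-- (3 = encrypted, 2 = encryption in progress, 1 = unencrypted, other values are
-- transitional), which also shows the algorithm and key length in use. A database with
-- is_encrypted = 1 but no key row, or a state other than 3, is not yet protected at
-- rest. tempdb is encrypted automatically once any user database uses TDE. The DMV
-- requires VIEW SERVER STATE; TDE is an Enterprise-edition feature.
SELECT d.name         AS [Database Name],
       d.is_encrypted AS [Encrypted],
       k.encryption_state,
       k.key_algorithm,
       k.key_length,
       k.percent_complete
FROM master.sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k ON k.database_id = d.database_id
ORDER BY d.name;
PRINT '---------------------------------------------------------------------------------------';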

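PRINT 'Rule Title: SQL Server must notify appropriate individuals when accounts are modified.'
PRINT 'STIG ID: SQL2-00-023300'
-- A trace can only record account changes; it cannot notify anyone. The events captured
-- by every trace are listed with their names (set-based replacement for the cursor loop,
-- so the Audit ... login/user/role events can be picked out), and the SQL Server Agent
-- alerts and operators - the in-box mechanism that would turn those records into a
-- notification - are listed alongside. Any other notification channel (SIEM, event
-- forwarding) has to be verified manually; its absence here is not a finding by itself.
-- Trace rows need ALTER TRACE; the msdb tables need read access to msdb.
SELECT DISTINCT
       t.id       AS [Trace ID],
       ei.eventid AS [Event ID],
       te.name    AS [Event Name]
FROM sys.traces AS t
CROSS APPLY sys.fn_trace_geteventinfo(t.id) AS ei
LEFT JOIN sys.trace_events AS te ON te.trace_event_id = ei.eventid
ORDER BY t.id, ei.eventid;

SELECT name, enabled, event_source, message_id, severity
FROM msdb.dbo.sysalerts
ORDER BY name;

SELECT name, enabled, email_address
FROM msdb.dbo.sysoperators
ORDER BY name;
PRINT '---------------------------------------------------------------------------------------';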

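PRINT 'Rule Title: SQL Server must protect against an individual using a group account from falsely denying having performed a particular action.'
PRINT 'STIG ID: SQL2-00-023700'
-- All server principals, ordered by type so the group authenticators stand out: the
-- WINDOWS_GROUP rows are the group logins this rule is about, and actions taken through
-- them can only be attributed to a person if the audit trail records the individual
-- Windows account behind the session. is_disabled is added so dormant groups can be
-- told apart; the original returned the same rows in no defined order.
SELECT name, principal_id, type_desc, is_disabled
FROM sys.server_principals
ORDER BY type_desc, name;
PRINT '---------------------------------------------------------------------------------------';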