Name | Category | Description |
Remove/Disable Administrator User | OS | The default Administrator is one of the biggest security risks that any server has. All hackers know that the system administrator will usually not remove this user. Therefore, they do not need to first hack the user list. They simply aim directly at this user to start with. This user is the number one target for security breaches. It often uses the same password as many other servers for the simplicity of managing the domain. We highly recommend completely removing this user and using dedicated users for specific tasks. |
Disable Disallowed Networks | OS | |
Audit Failed Connection Attempts | OS | We highly recommend auditing any failed login attempts to your operating system, as that will allow monitoring of repeated hack attempts. |
Audit Login Attempts | OS | We highly recommend auditing any login attempts to your operating system. Monitoring all logins will allow a better history search for potential security breaches. |
Too Many Administrator Users | OS | The number of users with administrator privileges or the number of users that belong to the administrator’s group is very large. Having too many administrator users shows a bad design strategy. The more users that are defined as administrators, the less control you have over your server. A hacker will have more users to choose from, and not all users choose powerful passwords, even when a password policy exists. |
Disable Guest User | OS | The user ‘Guest’ is one of the first users that any skilled hacker will attempt to utilize to infiltrate your server and then your network. The user Guest should always be disabled. |
Disk Is Not Formatted In NTFS | OS | A disk has been found to have a file system other than NTFS. When using the Windows operating system, using the NTFS file system has been proven to be the most secure file system. You can easily format your disk by right-clicking on the disk name in Windows Explorer, selecting “format,” and in the dialog, selecting “NTFS” as the file system format. Remember that all information will be deleted from the selected disk, so make sure you back up any materials you might have before formatting your disk. |
Development Tools Installed | OS | Microsoft Development tools have been found on the server. Having Office, books online, sample code or any other development software installed on a production environment is not recommended. |
Restrict Anonymous Login | OS | The Restrict Anonymous SSA check determines whether the RestrictAnonymous registry setting is used to restrict anonymous connections on the scanned computer. The registry setting is at the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous. Anonymous users can list certain types of system information, including user names and details, account policies, and share names. The list of user names and share names could help potential attackers learn compromising information, such as who is an administrator, which computers have weak account protection, and which computers share information with the network. Users who want enhanced security can restrict this function so that anonymous users cannot access this information. The RestrictAnonymous registry setting controls the level of enumeration that is granted to an anonymous user. |
Server More Than One Job | OS | For a server to be completely secured, it cannot function as both an SQL Server server and have other functions, such as being an application server, email server or domain controller. Having a single SQL Server machine serve more than one purpose opens the server for potential security threats by running unknown processes, having additional open ports and shares and adds many unknowns to the overall security that is required to protect your data from being hacked from the outside. |
Other Networks Options Enabled | OS | For every defined active network in your system, there are many activated items you may choose from. By default, Windows will enable multiple access methods and protocols upon configuration of a new network. As each protocol enables another method of access, the more protocols you enable, the more breaches you will have in your server’s security. We recommend preserving the bare minimum, which is the TCP\IP protocol alone. To change the protocols, go to Control Panel and select “Network and Sharing Center”. Then select “Change adapter settings”. Choose the active network and right-click “Properties.” There, under the “Networking” tab, you will see the list of enabled items for the selected network. |
Disable Additional Remote Access | OS | This policy setting determines which users or groups can access the login screen of a remote device through a Remote Desktop Services connection. It is possible for a user to establish a Remote Desktop Services connection to a particular server but not be able to log on to the console of that same server. To control who can open a Remote Desktop Services connection and log on to the device, add users to or remove users from the Remote Desktop Users group. By default, members of the Administrators group have this right on domain controllers, workstations, and servers. The Remote Desktops Users group also has this right on workstations and servers. The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. |
Defined Default Shares | OS | The Windows operating system is installed with multiple default shares that have been proven to be easily breached. The most known default shares are created for each disk right on the root. When choosing whether to remove a default share, please consult with your system administrator to make sure no programs are actively using it. |
NTFS Directory MSSQL Service Permissions | OS | Test the NTFS directory permissions for the DATA and LOG directories defined on the MSSQL service. We recommend that only the user that is defined to run the particular MSSQL Service will have full permissions on those directories. Anything else is considered to be a security breach. |
Service Status Disable Recommendations | OS | Some SQL Server services that don’t need to run shouldn’t be used and should be disabled. For example, if you are not using the job scheduler we recommend disabling the SQL Server Agent service. |
Too Many Shares | OS | Each share on a remote server opens the server to potential hacks. |
Too Many Local Users | OS | Having a very large user list on a production server may increase server vulnerability as not all users secure their passwords even when a proper password policy exists. |
Operating System Is Not Updated | OS | The operating system is not updated with the latest updates. |
MSSQL Login Auditing | SQL | Auditing all server logins is a security best practice and allows the analysis of server hacks. |
MSSQL C2 Audit Recommendations | SQL | C2 audit mode can be configured through SQL Server Management Studio or with the c2 audit mode option in sp_configure. Selecting this option will configure the server to record both failed and successful attempts to access statements and objects. This information can help you profile system activity and track possible security policy violations. C2 audit mode saves a large amount of event information to the log file, which can grow quickly. If the data directory in which logs are being saved runs out of space, SQL Server will shut itself down. If auditing is set to start automatically, you must either restart the instance with the -f flag (which bypasses auditing) or free up additional disk space for the audit log. C2 audit mode data is saved in a file in the default data directory of the instance. If the audit log file reaches its size limit of 200 megabytes (MB), SQL Server will create a new file, close the old file, and write all new audit records to the new file. This process will continue until the audit data directory fills up or auditing is turned off. To determine the status of a C2 trace, query the sys.traces catalog view. Note: This feature will be removed in a future version of Microsoft SQL Server. Avoid using this feature in new development work, and plan to modify applications that currently use this feature. The C2 security standard has been superseded by Common Criteria Certification. |
MSSQL Disable CLR | SQL | The common language runtime (CLR) integration feature is off by default. It must be enabled in order to use objects that are implemented using CLR integration. This is to protect the database system from running CLR code. |
Deadlock flag unused | SQL | The deadlock flag has been found to be disabled. We recommend tracking deadlocks using the deadlock flag. |
MSSQL Encrypted Backups (From 2014) | SQL | Having a backup strategy is a best practice for the survival of the information. However, having single backup files located on the local disk or in the network without the actual information being encrypted is no different than having your computer without password protection. Your data is the most important thing your organization has, and it is important to protect it in all forms, including in the backup file form. |
MSSQL Enforce Password Policy | SQL | SQL Server can use Windows password policy mechanisms. The password policy applies to a login that uses SQL Server authentication and to a contained database user with a password. SQL Server can apply the same complexity and expiration policies used in Windows to passwords used inside SQL Server. This functionality depends on the NetValidatePasswordPolicy API. SQL Database enforces password complexity. The password expiration and policy enforcement sections do not apply to SQL Database. |
MSSQL Sample Databases | SQL | In a production environment, we recommend having only active databases. |
MSSQL Default Port | SQL | When attempting to retrieve information from your SQL Server databases, any hackers will usually attempt to enter the server via the defined default SQL Server ports. A security best practice will be to change the default ports. |
MSSQL TCP\IP Only Protocol | SQL | All network protocols are installed by SQL Server Setup but may or may not be enabled. Use Shared memory and Named Pipes only if you have to. We recommend minimizing your usage only to TCP/IP to protect yourself from potential hacks. |
MSSQL Password Columns | SQL | Keep the information marked as “password” encrypted. |
MSSQL Default SA | SQL | SA is the first user of the SQL Server and, therefore, is the first entry point for a hacker to try to test. We recommend compartmentalization of your users to roles and not to use the SA user. |
MSSQL Single Instance | SQL | For highly productive and state-of-the-art security, only one instance of SQL Server should run on the machine at a time. |
MSSQL Encrypted Login | SQL | Using encrypted logins is more secure than using regular logins. |
MSSQL Too Many Users Have SA | SQL | Too many users have been granted System Administrator permissions. The more users with this full access permission, the less secure your server is. |
MSSQL Unnecessary Users | SQL | Unless your system requires individual local user definitions, there is no need to have so many local users defined. It is better and smarter to use Server Roles and compartmentalize your permissions. |
MSSQL Updated Patches | SQL | Keep up to date with the latest SQL Server patches and updates. |
MSSQL Mixed Mode | SQL | Using a mixed-mode authentication mode is less secure than having Windows-only authentication mode. |
MSSQL Disable Cmd Shell | SQL | xp_cmdshell spawns a Windows command shell and passes in a string for execution. Any output is returned as rows of text. The xp_cmdshell option is a SQL Server server configuration option that enables system administrators to control whether the xp_cmdshell extended stored procedure can be executed on a system. By default, the xp_cmdshell option is disabled on new installations. Before enabling this option, it is important to consider the potential security implications associated with the use of this option. Newly developed code should not use this option as it should generally be left disabled. |
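
Several of the SQL checks in the table can be confirmed by hand with read-only catalog queries. The T-SQL below is an added example, not code from the scanner this table documents; it assumes a login with enough metadata visibility to see all logins and traces, and it changes no settings.

```sql
-- Added example: read-only review of SQL checks described in the table.
-- Results are limited by the caller's metadata visibility; nothing is modified.

-- MSSQL Disable Cmd Shell / Disable CLR / C2 Audit:
-- value_in_use 0 = option off, 1 = option on.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'clr enabled', N'c2 audit mode');

-- MSSQL Mixed Mode: 1 = Windows-only authentication, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- MSSQL Default SA: the built-in login keeps SID 0x01 even if it was renamed.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE sid = 0x01;

-- MSSQL Enforce Password Policy: enabled SQL logins that are exempt from
-- the Windows complexity or expiration policy.
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_disabled = 0
  AND (is_policy_checked = 0 OR is_expiration_checked = 0);

-- MSSQL Too Many Users Have SA: members of the sysadmin fixed server role.
SELECT m.name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- MSSQL C2 Audit: status of server-side traces, via the sys.traces view
-- the table points to.
SELECT id, path, status, max_size, is_default
FROM sys.traces;
```

Each result set maps to one row of the table; any row returned by the password-policy query is a login to review.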