Updated CIS Checklist for MS SQL Server 2016 with bug fixes.
CIS Microsoft SQL Server 2016 Benchmark, v1.0.0
CIS Checklist for MS SQL Server 2016, site version 4
(The site version is provided for air-gap customers.)
Fixed and improved implementation of detect scripts for fixlets in Environmental task.
- Ensure Latest SQL Server Service Packs and Hotfixes are Installed - MSSQL 2016
- Ensure SQL Authentication is not used in contained databases - MSSQL 2016
- Ensure the SQL Server’s MSSQL Service Account is Not an Administrator – MSSQL 2016
- Ensure the SQL Server’s SQLAgent Service Account is Not an Administrator - MSSQL 2016
- Ensure the SQL Server’s Full-Text Service Account is Not an Administrator - MSSQL 2016
- Ensure only the default permissions specified by Microsoft are granted to the public server role - MSSQL 2016
- Ensure Windows BUILTIN groups are not SQL Logins - MSSQL 2016
- Ensure Windows local groups are not SQL Logins - MSSQL 2016
- Ensure the public role in the msdb database is not granted access to SQL Agent proxies - MSSQL 2016
- Ensure ‘MUST_CHANGE’ Option is set to ‘ON’ for All SQL Authenticated Logins - MSSQL 2016
- Ensure ‘CHECK_POLICY’ Option is set to ‘ON’ for All SQL Authenticated Logins - MSSQL 2016
As part of this enhancement, scripts are changed to support the other instance of MS SQL other than default one. i.e. MSSQLSERVER
Actions to take:
To subscribe to the above site, you can use the License Overview Dashboard to enable and gather the site. Note that you must be entitled to the BigFix Compliance product and you must be using BigFix version 9.2 and later.
If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see https://ibm.biz/Bd4LBt.
To know more about the BigFix Compliance SCM checklists, please see the following resources:
We hope you find this latest release of SCM content useful and effective. Thank you!
– The BigFix Compliance team