################################################################################
DOCUMENT         : MS_SQL_Server_2016_Instance_STIG
VERSION          : 003.005.008
CHECKSUM         : 2698e9f51e5c284b4929a998e8a9e29a11449a0118360aca2ab7887bc60d540e
MANUAL QUESTIONS : 41

IMPORTANT: Make sure to save the completed version of this file to: 
<SCC Install>/Resources/Content/Manual_Questions/Completed_Files

This file contains all of the non-automated STIG requirements found in the STIG.
Results from this file will be combined with automated checks in SCC to provide
complete STIG compliance results.

This file will be programmatically imported, so do not modify anything in this file
except for placing an '[X]' to select a Single answer, and entering text comments.

The list of questions is printed in order of severity, listing CAT I (High), then CAT II, etc.

################################################################################

QUESTION         : 1 of 41
TITLE            : CAT I, V-213930, SV-213930r1043176, SRG-APP-000023-DB-000001
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ms.sql.server.inst.hybrid:testaction:21393001
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ms.sql.server.inst.hybrid:question:21393001
VARIABLE_ID      : oval:navy.navwar.niwcatlantic.scc.ms.sql.server.inst:var:21393004
RULE             : SQL Server must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
QUESTION_TEXT    : Enter the list of database user names authorized and documented to manage SQL Server
HYBRID QUESTION  :Enter Scope, Target, Authorization (SSP doc, ISSM etc...), and authorized value(s) in the XML below. Refer to SCC User Manual Section 6 for more information and detailed examples

<hybrid_variables>
	<hybrid_variable>
		<scope>INSTANCE</scope>
		<target>ALL</target>
		<authorization></authorization>
		<authorized_values>
			<authorized_value></authorized_value>
		</authorized_values>
		<notes></notes>
	</hybrid_variable>
</hybrid_variables>
******************************* end of question 1 *******************************

QUESTION         : 2 of 41
TITLE            : CAT I, V-213932, SV-213932r960792, SRG-APP-000033-DB-000084
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:701
RULE             : SQL Server must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
QUESTION_TEXT    : Review the system documentation to determine the required levels of protection for DBMS server securables, by type of login.  
 
Review the permissions actually in place on the server.  
 
If the actual permissions do not match the documented requirements, this is a finding. 
 
Use the supplemental file "Instance permissions assignments to logins and roles.sql."

References:
SV-93831
V-79125
CCI-000213
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 2 *******************************

QUESTION         : 3 of 41
TITLE            : CAT I, V-213952, SV-213952r960960, SRG-APP-000133-DB-000198
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ms.sql.server.inst.hybrid:testaction:21395201
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ms.sql.server.inst.hybrid:question:21395201
VARIABLE_ID      : oval:navy.navwar.niwcatlantic.scc.ms.sql.server.inst:var:21395202
RULE             : SQL Server software installation account must be restricted to authorized users.
QUESTION_TEXT    : From system documentation, enter the list of database user names authorized to install/update SQL Server
HYBRID QUESTION  :Enter Scope, Target, Authorization (SSP doc, ISSM etc...), and authorized value(s) in the XML below. Refer to SCC User Manual Section 6 for more information and detailed examples

<hybrid_variables>
	<hybrid_variable>
		<scope>INSTANCE</scope>
		<target>ALL</target>
		<authorization></authorization>
		<authorized_values>
			<authorized_value></authorized_value>
		</authorized_values>
		<notes></notes>
	</hybrid_variable>
</hybrid_variables>
******************************* end of question 3 *******************************

QUESTION         : 4 of 41
TITLE            : CAT I, V-213972, SV-213972r961128, SRG-APP-000231-DB-000154
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ms.sql.server.inst.hybrid:testaction:21397201
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ms.sql.server.inst.hybrid:question:21397201
VARIABLE_ID      : oval:navy.navwar.niwcatlantic.scc.ms.sql.server.inst:var:21397204
RULE             : SQL Server must protect the confidentiality and integrity of all information at rest.
QUESTION_TEXT    : Enter the required database transparent data encryption (TDE) requirements in the format db_name:encryption_state (no space between fields, just a colon)
Valid 'encryption_state' options are:
NoDatabaseEncryptionKey
Unencrypted
Encrypted

NOTE:  This requirement returns results per database, which is unusual for an Instance STIG requirement. Each ENCRYPTION_STATE entry has the form 'database name':'encryption state option' with no spaces; the colon between the two fields is required.

Example (single database):
SCOPE=INSTANCE
TARGET=ALL
ENCRYPTION_STATE=tempdb:NoDatabaseEncryptionKey

Example (multiple databases):
SCOPE=INSTANCE
TARGET=ALL
ENCRYPTION_STATE=testDB1:NoDatabaseEncryptionKey
ENCRYPTION_STATE=testDB2:NoDatabaseEncryptionKey

				
HYBRID QUESTION  :Enter Scope, Target, Authorization (SSP doc, ISSM etc...), and authorized value(s) in the XML below. Refer to SCC User Manual Section 6 for more information and detailed examples

<hybrid_variables>
	<hybrid_variable>
		<scope>INSTANCE</scope>
		<target>ALL</target>
		<authorization></authorization>
		<authorized_values>
			<authorized_value></authorized_value>
		</authorized_values>
		<notes></notes>
	</hybrid_variable>
</hybrid_variables>
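The T-SQL below is an added example and is not part of the STIG or of this SCC file. It produces every database's TDE state in the db_name:encryption_state form the question expects and flags databases whose actual state differs from a documented list. The three rows in @required are constructed sample values standing in for the SSP entries; the mapping of sys.dm_database_encryption_keys.encryption_state codes (NULL or 0 = no key, 3 = encrypted, everything else reported as Unencrypted or as a change in progress) is the assumption the query is built on, and reading that DMV requires VIEW SERVER STATE.

```sql
-- Added example (not STIG/SCC content): TDE state per database in the
-- db_name:encryption_state form required by this question.
-- Needs VIEW SERVER STATE to read sys.dm_database_encryption_keys.
-- Run from master so the table variable and sys.databases share a collation.
USE master;

-- Documented requirement: constructed sample values, replace with the SSP list.
DECLARE @required TABLE (db_name sysname NOT NULL, encryption_state varchar(30) NOT NULL);
INSERT INTO @required (db_name, encryption_state) VALUES
    (N'master',    'NoDatabaseEncryptionKey'),
    (N'tempdb',    'NoDatabaseEncryptionKey'),
    (N'PayrollDB', 'Encrypted');

WITH actual AS (
    SELECT d.name AS db_name,
           k.encryption_state AS raw_state,          -- NULL = no DEK row for this database
           CASE
               WHEN k.encryption_state IS NULL OR k.encryption_state = 0
                    THEN 'NoDatabaseEncryptionKey'
               WHEN k.encryption_state = 3 THEN 'Encrypted'
               ELSE 'Unencrypted'                    -- 1 = unencrypted; 2,4,5,6 = change in progress
           END AS encryption_state
    FROM sys.databases AS d
    LEFT JOIN sys.dm_database_encryption_keys AS k
           ON k.database_id = d.database_id
)
SELECT COALESCE(a.db_name, r.db_name) AS database_name,
       r.encryption_state AS documented_state,
       a.encryption_state AS actual_state,
       a.raw_state,
       -- the exact token to paste into an ENCRYPTION_STATE= line / authorized_value
       COALESCE(a.db_name, r.db_name) + ':' + COALESCE(a.encryption_state, '?') AS encryption_state_entry,
       CASE
           WHEN r.db_name IS NULL                     THEN 'FINDING: database not in documentation'
           WHEN a.db_name IS NULL                     THEN 'FINDING: documented database does not exist'
           WHEN a.raw_state IN (2, 4, 5, 6)           THEN 'REVIEW: encryption change in progress'
           WHEN a.encryption_state <> r.encryption_state
                                                      THEN 'FINDING: state differs from documentation'
           ELSE 'ok'
       END AS status
FROM actual AS a
FULL OUTER JOIN @required AS r
       ON r.db_name = a.db_name
ORDER BY status, database_name;
```

One caveat worth documenting up front: as soon as any user database is encrypted with TDE, SQL Server also encrypts tempdb, so a documented tempdb:NoDatabaseEncryptionKey entry will correctly be reported as a finding on such an instance and the documentation should say tempdb:Encrypted instead.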
******************************* end of question 4 *******************************

QUESTION         : 5 of 41
TITLE            : CAT I, V-214046, SV-214046r961047, SRG-APP-000178-DB-000083
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:19901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:19901
RULE             : Applications must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
QUESTION_TEXT    : Determine whether any applications that access the database allow for entry of the account name and password, or PIN.

If any do, determine whether these applications obfuscate authentication data; if they do not, this is a finding.

References:
SV-94063
V-79357
CCI-000206
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 5 *******************************

QUESTION         : 6 of 41
TITLE            : CAT I, V-265870, SV-265870r999516, SRG-APP-000456-DB-000400
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:20101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:20101
RULE             : Microsoft SQL Server products must be a version supported by the vendor.
QUESTION_TEXT    : Review the system documentation and interview the database administrator.

Identify all database software components.

Review the version and release information.

Verify the SQL Server version via one of the following methods: 
Connect to the server by using Object Explorer in SQL Server Management Studio. After Object Explorer is connected, it will show the version information in parentheses, together with the user name that is used to connect to the specific instance of SQL Server.

Or, from SQL Server Management Studio:

SELECT @@VERSION;

More information for finding the version is available at the following link:
https://learn.microsoft.com/en-us/troubleshoot/sql/releases/find-my-sql-version

Access the vendor website or use other means to verify the version is still supported.
https://learn.microsoft.com/en-us/lifecycle/products/sql-server-2016

If the installed version or any of the software components are not supported by the vendor, this is a finding.

References:
CCI-003376
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 6 *******************************

QUESTION         : 7 of 41
TITLE            : CAT II, V-213929, SV-213929r1018580, SRG-APP-000001-DB-000031
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:101
RULE             : SQL Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.
QUESTION_TEXT    : Review the system documentation to determine whether any concurrent session limits have been defined. If none are defined, assume a limit of 10 for database administrators and 2 for all other users. 
 
If a mechanism other than a logon trigger is used, verify its correct operation by the appropriate means. If it does not work correctly, this is a finding.

Because a logon trigger adds CPU cost to every connection attempt, an alternative method of limiting concurrent sessions is setting the maximum connection limit within SQL Server to an appropriate value. This caps the number of connections an attacker can consume in a connection-exhaustion denial-of-service (DoS) attack while still allowing a database administrator to obtain a connection (for example through the dedicated administrator connection).

In SQL Server Management Studio's Object Explorer tree:
Right-click on the Server Name >> Select Properties >> Select Connections Tab

OR

Run the query:
EXEC sys.sp_configure N'user connections'

If the max connection limit is set to 0 (unlimited) or does not match the documented value, this is a finding.
 
Otherwise, determine if a logon trigger exists:  
 
In SQL Server Management Studio's Object Explorer tree:  
Expand [SQL Server Instance] >> Server Objects >> Triggers  
 
OR 
 
Run the query:  
SELECT name FROM master.sys.server_triggers;  
 
If no triggers are listed, this is a finding.  
 
If triggers are listed, identify the trigger(s) limiting the number of concurrent sessions per user. If none are found, this is a finding. If they are present but disabled, this is a finding.  
 
Examine the trigger source code for logical correctness and for compliance with the documented limit(s). If errors or variances exist, this is a finding.
 
Verify that the system does execute the trigger(s) each time a user session is established. If it does not operate correctly for all types of user, this is a finding.
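The following T-SQL is an added example, not part of the STIG or of this SCC file. It runs the two checks above without the GUI (the instance-wide cap from sys.configurations and the server triggers with their source text), then shows a logon trigger that enforces the documented limits. The limits of 10 and 2, the use of sysadmin membership as the definition of "database administrator", and the dedicated login name logon_trigger_svc are all assumptions for the example; the placeholder password must be replaced.

```sql
-- Added example (not STIG/SCC content): check and enforce per-user
-- concurrent session limits. Assumes documented limits of 10 for
-- sysadmin members and 2 for everyone else, and a dedicated login
-- named logon_trigger_svc (assumed name) for the trigger to run as.
USE master;

-- 1. Instance-wide cap. 0 = unlimited, which this question treats as a finding.
--    Changing it needs RECONFIGURE and a service restart before value_in_use moves.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'user connections';

-- 2. Server-level triggers, whether they are disabled, and their source text
--    for the logic review the question asks for.
SELECT t.name, t.is_disabled, m.definition
FROM sys.server_triggers AS t
JOIN sys.server_sql_modules AS m ON m.object_id = t.object_id;

-- 3. Context login for the trigger. It needs VIEW SERVER STATE to count other
--    users' sessions and VIEW ANY DEFINITION so IS_SRVROLEMEMBER can see other
--    logins (without it the function returns NULL and every DBA gets the low limit).
--    Disabled logins can still be impersonated with EXECUTE AS, so the login
--    cannot be used to connect.
CREATE LOGIN logon_trigger_svc
    WITH PASSWORD = N'replace-with-a-generated-secret', CHECK_POLICY = ON;
GRANT VIEW SERVER STATE   TO logon_trigger_svc;
GRANT VIEW ANY DEFINITION TO logon_trigger_svc;
ALTER LOGIN logon_trigger_svc DISABLE;
GO

CREATE TRIGGER trg_limit_concurrent_sessions
ON ALL SERVER WITH EXECUTE AS 'logon_trigger_svc'
FOR LOGON
AS
BEGIN
    DECLARE @login sysname = ORIGINAL_LOGIN();      -- the connecting login, not the EXECUTE AS context
    DECLARE @limit int =
        CASE WHEN IS_SRVROLEMEMBER('sysadmin', @login) = 1 THEN 10 ELSE 2 END;

    -- The session being opened is already present in sys.dm_exec_sessions,
    -- so more than @limit rows means this connection would exceed the limit.
    IF (SELECT COUNT(*)
        FROM sys.dm_exec_sessions
        WHERE is_user_process = 1
          AND original_login_name = @login) > @limit
    BEGIN
        ROLLBACK;   -- refuses the connection; the client receives error 17892
    END
END;
GO

-- Re-run check 2: the new trigger must be listed with is_disabled = 0.
SELECT name, is_disabled FROM sys.server_triggers;
```

Test the trigger with a non-privileged login before relying on it: open sessions until the limit is reached and confirm the next attempt fails with error 17892 while existing sessions stay up. A logon trigger that throws or rolls back unconditionally blocks every login; if that happens, connect through the dedicated administrator connection (sqlcmd -A) or start the instance with -f and run DISABLE TRIGGER trg_limit_concurrent_sessions ON ALL SERVER.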

References:
SV-93825
V-79119
CCI-000054
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 7 *******************************

QUESTION         : 8 of 41
TITLE            : CAT II, V-213931, SV-213931r1043176, SRG-APP-000023-DB-000001
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:501
RULE             : SQL Server must be configured to utilize the most-secure authentication method available.
QUESTION_TEXT    : If the SQL Server is not part of an Active Directory domain, this finding is Not Applicable. 

Obtain the fully qualified domain name of the SQL Server instance: 

Launch Windows Explorer. 

Right-click on "Computer" or "This PC" (Varies by OS level), click "Properties". 

Note the value shown for "Full computer name". 

*** Note: For a cluster, this value must be obtained from the Failover Cluster Manager. *** 

Obtain the TCP port that is supporting the SQL Server instance: 

Click Start >> Type "SQL Server 2016 Configuration Manager" >> From the search results, click "SQL Server 2016 Configuration Manager". 

From the tree on the left, expand "SQL Server Network Configuration". 

Click "Protocols for <Instance Name>" where <Instance Name> is the name of the instance (MSSQLSERVER is the default name). 

In the right pane, right-click on "TCP/IP" and choose "Properties". 

In the window that opens, click the "IP Addresses" tab. 

Note the TCP port configured for the instance. 

Obtain the service account that is running the SQL Server service: 

Click "Start".  
Type "SQL Server 2016 Configuration Manager".  
From the search results, click "SQL Server 2016 Configuration Manager". 

From the tree on the left, select "SQL Server Services". 

Note the account listed in the "Log On As" column for the SQL Server instance being reviewed. 

Launch a command-line or PowerShell window. 

Enter the following command where <Service Account> is the identity of the service account. 

setspn -L <Service Account> 

Example: setspn -L CONTOSO\sql2016svc 

Review the Registered Service Principal Names returned.  

If the listing does not contain the following supported service principal names (SPN) formats, this is a finding. 

Named instance
   MSSQLSvc/<FQDN>:[<port> | <instancename>], where:
   MSSQLSvc is the service that is being registered.
   <FQDN> is the fully qualified domain name of the server.
   <port> is the TCP port number.
   <instancename> is the name of the SQL Server instance.

Default instance
   MSSQLSvc/<FQDN>:<port> | MSSQLSvc/<FQDN>, where:
   MSSQLSvc is the service that is being registered.
   <FQDN> is the fully qualified domain name of the server.
   <port> is the TCP port number.

If the MSSQLSvc service is registered for any fully qualified domain names that do not match the current server, this may indicate the service account is shared across SQL Server instances. Review server documentation; if the sharing of service accounts across instances is not documented and authorized, this is a finding.

References:
SV-93829
V-79123
CCI-000015
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 8 *******************************

QUESTION         : 9 of 41
TITLE            : CAT II, V-213936, SV-213936r960879, SRG-APP-000089-DB-000064
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ms.sql.server.inst.hybrid:testaction:21393601
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ms.sql.server.inst.hybrid:question:21393601
VARIABLE_ID      : oval:navy.navwar.niwcatlantic.scc.ms.sql.server.inst:var:21393604
RULE             : SQL Server must be configured to generate audit records for DoD-defined auditable events within all DBMS/database components.
QUESTION_TEXT    : Enter the list of audit events (action_name) required by documentation
HYBRID QUESTION  :Enter Scope, Target, Authorization (SSP doc, ISSM etc...), and authorized value(s) in the XML below. Refer to SCC User Manual Section 6 for more information and detailed examples

<hybrid_variables>
	<hybrid_variable>
		<scope>INSTANCE</scope>
		<target>ALL</target>
		<authorization></authorization>
		<authorized_values>
			<authorized_value></authorized_value>
		</authorized_values>
		<notes></notes>
	</hybrid_variable>
</hybrid_variables>
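The T-SQL below is an added example and is not part of the STIG or of this SCC file. It compares the documented list of required audit action groups (action_name values) against the server audit specifications actually configured, and reports why each required action is or is not being captured: missing from every specification, present in a disabled specification, attached to a disabled audit, or attached to an audit that is not currently running. The five action groups in @required are a constructed sample, not the DoD-required list; reading sys.dm_server_audit_status needs VIEW SERVER STATE, and the audit catalog views need ALTER ANY SERVER AUDIT or higher.

```sql
-- Added example (not STIG/SCC content): required audit action groups versus
-- what the enabled server audit specifications actually capture.
-- Needs VIEW SERVER STATE (sys.dm_server_audit_status) and ALTER ANY SERVER AUDIT
-- or CONTROL SERVER to see the audit catalog views.
USE master;

-- Documented requirement: constructed sample values, replace with the SSP list.
DECLARE @required TABLE (action_name nvarchar(128) NOT NULL);
INSERT INTO @required (action_name) VALUES
    (N'AUDIT_CHANGE_GROUP'),
    (N'FAILED_LOGIN_GROUP'),
    (N'SUCCESSFUL_LOGIN_GROUP'),
    (N'SERVER_ROLE_MEMBER_CHANGE_GROUP'),
    (N'SERVER_PERMISSION_CHANGE_GROUP');

-- A required action that appears in two specifications yields two rows;
-- a required action in no specification yields one row with NULL audit columns.
SELECT r.action_name,
       a.name         AS audit_name,
       s.name         AS specification_name,
       d.audited_result,
       st.status_desc AS audit_runtime_status,
       CASE
           WHEN d.audit_action_name IS NULL
                THEN 'FINDING: action not in any server audit specification'
           WHEN s.is_state_enabled = 0
                THEN 'FINDING: specification disabled'
           WHEN a.is_state_enabled = 0
                THEN 'FINDING: audit disabled'
           WHEN st.status <> 1
                THEN 'FINDING: audit not running (' + st.status_desc + ')'
           WHEN d.audited_result <> N'SUCCESS AND FAILURE'
                THEN 'REVIEW: not auditing both success and failure'
           ELSE 'ok'
       END AS status
FROM @required AS r
LEFT JOIN sys.server_audit_specification_details AS d
       ON d.audit_action_name = r.action_name
LEFT JOIN sys.server_audit_specifications AS s
       ON s.server_specification_id = d.server_specification_id
LEFT JOIN sys.server_audits AS a
       ON a.audit_guid = s.audit_guid
LEFT JOIN sys.dm_server_audit_status AS st
       ON st.audit_id = a.audit_id
ORDER BY status, r.action_name;
```

The runtime status check matters because an audit whose file target has filled its disk, or whose on_failure setting is CONTINUE, can be "enabled" in the catalog while no events are being written; the DMV is the only place that shows this.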
******************************* end of question 9 *******************************

QUESTION         : 10 of 41
TITLE            : CAT II, V-213937, SV-213937r960882, SRG-APP-000090-DB-000065
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:1701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:1701
RULE             : SQL Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
QUESTION_TEXT    : Obtain the list of approved audit maintainers from the system documentation. 
 
Review the server roles and individual logins that have the following role memberships, all of which enable the ability to create and maintain audit definitions. 
 
sysadmin 
dbcreator 
 
Review the server roles and individual logins that have the following permissions, all of which enable the ability to create and maintain audit definitions. 
 
ALTER ANY SERVER AUDIT  
CONTROL SERVER  
ALTER ANY DATABASE  
CREATE ANY DATABASE 
 
Use the following query to determine the roles and logins that have the listed permissions: 
 
SELECT DISTINCT 
    CASE 
        WHEN SP.class_desc IS NOT NULL THEN  
            CASE 
                WHEN SP.class_desc = 'SERVER' AND S.is_linked = 0 THEN 'SERVER' 
                WHEN SP.class_desc = 'SERVER' AND S.is_linked = 1 THEN 'SERVER (linked)' 
                ELSE SP.class_desc 
            END 
        WHEN E.name IS NOT NULL THEN 'ENDPOINT' 
        WHEN S.name IS NOT NULL AND S.is_linked = 0 THEN 'SERVER' 
        WHEN S.name IS NOT NULL AND S.is_linked = 1 THEN 'SERVER (linked)' 
        WHEN P.name IS NOT NULL THEN 'SERVER_PRINCIPAL' 
        ELSE '???'  
    END                    AS [Securable Class], 
    CASE 
        WHEN E.name IS NOT NULL THEN E.name 
        WHEN S.name IS NOT NULL THEN S.name  
        WHEN P.name IS NOT NULL THEN P.name 
        ELSE '???'  
    END                    AS [Securable], 
    P1.name                AS [Grantee], 
    P1.type_desc           AS [Grantee Type], 
    sp.permission_name     AS [Permission], 
    sp.state_desc          AS [State], 
    P2.name                AS [Grantor], 
    P2.type_desc           AS [Grantor Type], 
    R.name                 AS [Role Name] 
FROM 
    sys.server_permissions SP 
    INNER JOIN sys.server_principals P1 
        ON P1.principal_id = SP.grantee_principal_id 
    INNER JOIN sys.server_principals P2 
        ON P2.principal_id = SP.grantor_principal_id 
 
    FULL OUTER JOIN sys.servers S 
        ON  SP.class_desc = 'SERVER' 
        AND S.server_id = SP.major_id 
 
    FULL OUTER JOIN sys.endpoints E 
        ON  SP.class_desc = 'ENDPOINT' 
        AND E.endpoint_id = SP.major_id 
 
    FULL OUTER JOIN sys.server_principals P 
        ON  SP.class_desc = 'SERVER_PRINCIPAL'         
        AND P.principal_id = SP.major_id 
 
    FULL OUTER JOIN sys.server_role_members SRM 
        ON  P.principal_id = SRM.member_principal_id 
 
    LEFT OUTER JOIN sys.server_principals R 
        ON  SRM.role_principal_id = R.principal_id 
WHERE sp.permission_name IN ('ALTER ANY SERVER AUDIT','CONTROL SERVER','ALTER ANY DATABASE','CREATE ANY DATABASE') 
   OR R.name IN ('sysadmin','dbcreator') 
 
If any of the logins, roles, or role memberships returned have permissions that are not documented, or the documented audit maintainers do not have permissions, this is a finding.
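The STIG query above joins sys.server_role_members to the securable principal (P), not to the grantee (P1), so its sysadmin and dbcreator rows come out of the FULL OUTER JOIN with NULL Grantee and Grantee Type columns, and a right granted to a user-defined server role is listed against the role rather than its members. The T-SQL below is an added example, not part of the STIG or of this SCC file, that resolves the same two role memberships and four permissions down to individual logins, expanding user-defined server roles recursively, and compares the result with a documented list of audit maintainers. The two names in @approved are constructed sample values; seeing every principal and permission requires VIEW ANY DEFINITION or sysadmin.

```sql
-- Added example (not STIG/SCC content): every login that can create or
-- change audit definitions, with user-defined server roles expanded to
-- their members, compared with the documented audit maintainers.
-- Needs VIEW ANY DEFINITION (or sysadmin) to see all principals/permissions.
USE master;

-- Documented audit maintainers: constructed sample values, replace with the SSP list.
-- Windows group logins are reported as the group; expand membership in AD separately.
DECLARE @approved TABLE (login_name sysname NOT NULL);
INSERT INTO @approved (login_name) VALUES
    (N'CONTOSO\DBA-Team'),
    (N'CONTOSO\svc-sqlaudit');

WITH holders AS (
    -- anchor 1: direct members of the two fixed roles named in the question
    SELECT r.name AS source, 'ROLE MEMBERSHIP' AS kind, srm.member_principal_id AS principal_id
    FROM sys.server_role_members AS srm
    JOIN sys.server_principals  AS r ON r.principal_id = srm.role_principal_id
    WHERE r.name IN (N'sysadmin', N'dbcreator')
    UNION ALL
    -- anchor 2: explicit server-level grants of the four permissions
    SELECT sp.permission_name, 'EXPLICIT GRANT', sp.grantee_principal_id
    FROM sys.server_permissions AS sp
    WHERE sp.class_desc = 'SERVER'
      AND sp.state IN ('G', 'W')          -- GRANT / GRANT WITH GRANT OPTION; DENY rows are not rights
      AND sp.permission_name IN (N'ALTER ANY SERVER AUDIT', N'CONTROL SERVER',
                                 N'ALTER ANY DATABASE',     N'CREATE ANY DATABASE')
    UNION ALL
    -- recursion: a user-defined server role that holds a right passes it on to its members
    SELECT h.source, h.kind, srm.member_principal_id
    FROM holders AS h
    JOIN sys.server_principals   AS p   ON p.principal_id = h.principal_id AND p.type = 'R'
    JOIN sys.server_role_members AS srm ON srm.role_principal_id = p.principal_id
),
effective AS (
    -- keep logins only; roles were expanded above. Certificate-mapped ##MS_...##
    -- logins and NT SERVICE\ accounts will appear here and should be documented too.
    SELECT DISTINCT p.name AS login_name, p.type_desc, p.is_disabled, h.kind, h.source
    FROM holders AS h
    JOIN sys.server_principals AS p ON p.principal_id = h.principal_id
    WHERE p.type <> 'R'
)
SELECT e.login_name, e.type_desc, e.is_disabled, e.kind, e.source,
       CASE WHEN a.login_name IS NULL
            THEN 'FINDING: holds audit rights but is not documented'
            ELSE 'documented' END AS status
FROM effective AS e
LEFT JOIN @approved AS a ON a.login_name = e.login_name
UNION ALL
-- the other direction: documented maintainers that cannot actually maintain audits
SELECT a.login_name, NULL, NULL, NULL, NULL,
       'FINDING: documented maintainer holds no audit rights'
FROM @approved AS a
WHERE NOT EXISTS (SELECT 1 FROM effective AS e WHERE e.login_name = a.login_name)
ORDER BY status, login_name;
```

Both directions of the question are covered: undocumented principals with the rights, and documented maintainers without them. Disabled logins are still listed (is_disabled = 1) because a disabled login retains its permissions and can be re-enabled.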

References:
SV-93841
V-79135
CCI-000171
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 10 *******************************

QUESTION         : 11 of 41
TITLE            : CAT II, V-213941, SV-213941r960909, SRG-APP-000101-DB-000044
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:2301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:2301
RULE             : SQL Server must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.
QUESTION_TEXT    : If a SQL Server Audit is not in use for audit purposes, this is a finding unless a third-party product is being used that can perform detailed auditing for SQL Server. 
 
Review system documentation to determine whether SQL Server is required to audit any events, and any fields, in addition to those in the standard audit.  
 
If there are none specified, this is not a finding.  
 
If SQL Server Audit is in use, compare the audit specification(s) with the documented requirements.  
 
If any such requirement is not satisfied by the audit specification(s) (or by supplemental, locally-deployed mechanisms), this is a finding.

References:
SV-93851
V-79145
CCI-000135
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 11 *******************************

QUESTION         : 12 of 41
TITLE            : CAT II, V-213944, SV-213944r960930, SRG-APP-000118-DB-000059
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:2901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:2901
RULE             : The audit information produced by SQL Server must be protected from unauthorized access, modification, and deletion.
QUESTION_TEXT    : If the database is set up to write audit logs to the APPLICATION or SECURITY event log rather than to a file, this is N/A.

Obtain the SQL Server audit file location(s) by running the following SQL script:  

SELECT log_file_path AS "Audit Path"  
FROM sys.server_file_audits  

For each audit, the path column will give the location of the file.  

Verify that all audit files have the correct permissions by doing the following for each audit file: Navigate to audit folder location(s) using a command prompt or Windows Explorer.  

Right-click the file/folder and click "Properties". On the "Security" tab, verify that at most the following permissions are applied:  

Administrator (read)  
Users (none)  
Audit Administrator (Full Control)  
Auditors group (Read)  
SQL Server Service SID OR Service Account (Full Control)  
SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) 

If any less restrictive permissions are present (and not specifically justified and approved), this is a finding.

References:
SV-93857
V-79151
CCI-000162
CCI-000163
CCI-000164
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 12 *******************************

QUESTION         : 13 of 41
TITLE            : CAT II, V-213948, SV-213948r960942, SRG-APP-000122-DB-000203
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ms.sql.server.inst.hybrid:testaction:21394801
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ms.sql.server.inst.hybrid:question:21394801
VARIABLE_ID      : oval:navy.navwar.niwcatlantic.scc.ms.sql.server.inst:var:21394804
RULE             : SQL Server must protect its audit configuration from authorized and unauthorized access and modification.
QUESTION_TEXT    : Enter the list of database user names who are approved in documentation to access SQL Server Audits
HYBRID QUESTION  :Enter Scope, Target, Authorization (SSP doc, ISSM etc...), and authorized value(s) in the XML below. Refer to SCC User Manual Section 6 for more information and detailed examples

<hybrid_variables>
	<hybrid_variable>
		<scope>INSTANCE</scope>
		<target>ALL</target>
		<authorization></authorization>
		<authorized_values>
			<authorized_value></authorized_value>
		</authorized_values>
		<notes></notes>
	</hybrid_variable>
</hybrid_variables>
******************************* end of question 13 *******************************

QUESTION         : 14 of 41
TITLE            : CAT II, V-213950, SV-213950r960960, SRG-APP-000133-DB-000179
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:3301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:3301
RULE             : SQL Server must limit privileges to change software modules and links to software external to SQL Server.
QUESTION_TEXT    : Review server documentation to determine the authorized owner and the users or groups with modify rights for this SQL instance's binary files. Additionally, check the owner and the users or groups with modify rights for shared software library paths on disk.  
 
If any unauthorized users are granted modify rights or the owner is incorrect, this is a finding. 
 
To determine the location for these instance-specific binaries, Launch SQL Server Management Studio (SSMS) >> Connect to the instance to be reviewed >> Right-click server name in Object Explorer >> Click Facets >> Select the Server facet >> Record the value for the "RootDirectory" facet property. 
 
Navigate to the folder above, and review the "Binn" subdirectory.

References:
SV-93869
V-79163
CCI-001499
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 14 *******************************

QUESTION         : 15 of 41
TITLE            : CAT II, V-213951, SV-213951r960960, SRG-APP-000133-DB-000179
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:3501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:3501
RULE             : SQL Server must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to SQL Server.
QUESTION_TEXT    : Review server documentation to determine the process by which shared software libraries are monitored for change. Ensure the process alerts on changes to a file's ownership, modification date, and hash value at a minimum.

If the process does not at least alert on a change to a file's hash value, this is a finding.

To determine the location for these instance-specific binaries:

Launch SQL Server Management Studio (SSMS) >> Connect to the instance to be reviewed >> Right-click server name in Object Explorer >> Click Facets >> Select the Server facet >> Record the value for the "RootDirectory" facet property

TIP: Use the Get-FileHash cmdlet (available in Windows PowerShell 4.0 and later) to get the SHA-256 hash of one or more files; SHA256 is its default algorithm.

References:
V-79165
SV-93871
CCI-001499
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 15 *******************************

QUESTION         : 16 of 41
TITLE            : CAT II, V-213953, SV-213953r960960, SRG-APP-000133-DB-000199
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:3901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:3901
RULE             : Database software, including DBMS configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
QUESTION_TEXT    : Determine the directory in which SQL Server has been installed:

Using SQL Server Management Studio's Object Explorer:
- Right-click [SQL Server Instance]
- Select "Facets"
- Record the value of RootDirectory

Determine the Operating System directory:
- Click "Start"
- Type "Run"
- Press "Enter"
- Type "%windir%"
- Click "Ok"
- Record the value in the address bar

Verify the SQL Server RootDirectory is not in the Operating System directory.

Compare the SQL RootDirectory and the Operating System directory. If the SQL RootDirectory is in the same directory as the Operating System, this is a finding.

Verify the SQL Server RootDirectory is not in another application's directory.

Navigate to the SQL RootDirectory using Windows Explorer.

Examine each directory for evidence another application is stored in it.

If evidence exists the SQL RootDirectory is in another application's directory, this is a finding.

If the SQL RootDirectory is in neither the Operating System directory nor another application's directory, this is not a finding.

Examples:
1) The Operating System directory is "C:\Windows". The SQL RootDirectory is "D:\Program Files\MSSQLSERVER\MSSQL". The MSSQLSERVER directory is not located in the Operating System directory or in the directory of another application. This is not a finding.

2) The Operating System directory is "C:\Windows". The SQL RootDirectory is "C:\Windows\MSSQLSERVER\MSSQL". This is a finding.

3) The Operating System directory is "C:\Windows". The SQL RootDirectory is "D:\Program Files\Microsoft Office\MSSQLSERVER\MSSQL". The MSSQLSERVER directory is in the Microsoft Office directory, which indicates Microsoft Office is installed here. This is a finding.

References:
SV-93875
V-79169
CCI-001499
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 16 *******************************

QUESTION         : 17 of 41
TITLE            : CAT II, V-213960, SV-213960r1018585, SRG-APP-000141-DB-000093
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ms.sql.server.inst.hybrid:testaction:21396001
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ms.sql.server.inst.hybrid:question:21396001
VARIABLE_ID      : oval:navy.navwar.niwcatlantic.scc.ms.sql.server.inst:var:21396004
RULE             : Access to linked servers must be disabled or restricted, unless specifically required and approved.
QUESTION_TEXT    : From system documentation, enter a list of authorized linked servers in the format of remote ServerName\InstanceName
HYBRID QUESTION  :Enter Scope, Target, Authorization (SSP doc, ISSM etc...), and authorized value(s) in the XML below. Refer to SCC User Manual Section 6 for more information and detailed examples

<hybrid_variables>
	<hybrid_variable>
		<scope>INSTANCE</scope>
		<target>ALL</target>
		<authorization></authorization>
		<authorized_values>
			<authorized_value></authorized_value>
		</authorized_values>
		<notes></notes>
	</hybrid_variable>
</hybrid_variables>
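The T-SQL below is an added example, not part of the STIG or of this SCC file. It lists every linked server together with the login mappings behind it, because the security-relevant question is not only whether the linked server is documented but who can use it and as whom: a catch-all mapping to a fixed remote login lets every local login reach the remote server with that login's rights. The single entry in @authorized is a constructed sample; the hybrid question asks for ServerName\InstanceName, which normally lives in data_source while the linked server's name may be an alias, so the query matches either. Seeing sys.linked_logins requires VIEW ANY DEFINITION or sysadmin.

```sql
-- Added example (not STIG/SCC content): linked servers with their login
-- mappings, compared with the documented list.
-- Needs VIEW ANY DEFINITION (or sysadmin) to see sys.linked_logins.
USE master;

-- Documented linked servers: constructed sample value, replace with the SSP list.
DECLARE @authorized TABLE (server_name sysname NOT NULL);
INSERT INTO @authorized (server_name) VALUES (N'REPORTSRV\PROD');

SELECT s.name                  AS linked_server,
       s.data_source,
       s.provider,
       s.is_rpc_out_enabled,                                    -- 1 lets local callers run procedures remotely
       COALESCE(lp.name, N'<all other logins>') AS local_login, -- local_principal_id 0 = catch-all mapping
       ll.uses_self_credential,
       ll.remote_name,
       CASE
           WHEN a.server_name IS NULL
                THEN 'FINDING: linked server not documented'
           WHEN ll.server_id IS NULL
                THEN 'REVIEW: no login mapping rows; confirm who can use it'
           WHEN lp.name IS NULL AND ll.uses_self_credential = 0 AND ll.remote_name IS NOT NULL
                THEN 'REVIEW: every local login reaches the remote as ' + ll.remote_name
           WHEN lp.name IS NULL AND ll.uses_self_credential = 1
                THEN 'ok: pass-through of the caller''s own credentials'
           WHEN lp.name IS NULL
                THEN 'ok: unmapped logins are refused'
           ELSE 'ok: explicit mapping for ' + lp.name
       END AS status
FROM sys.servers AS s
LEFT JOIN @authorized AS a
       ON a.server_name IN (s.name, s.data_source)
LEFT JOIN sys.linked_logins AS ll
       ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS lp
       ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1                                           -- excludes the local server entry
ORDER BY status, s.name, local_login;
```

The catch-all row is the one to read carefully: uses_self_credential = 1 means each caller authenticates to the remote as themselves, remote_name set with uses_self_credential = 0 means everyone shares one remote identity, and neither set means unmapped logins cannot use the link at all.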
******************************* end of question 17 *******************************

QUESTION         : 18 of 41
TITLE            : CAT II, V-213961, SV-213961r1043177, SRG-APP-000142-DB-000094
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:5501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:5501
RULE             : SQL Server must be configured to prohibit or restrict the use of organization-defined protocols as defined in the PPSM CAL and vulnerability assessments.
QUESTION_TEXT    : To determine the protocol(s) enabled for SQL Server, open SQL Server Configuration Manager. In the left-hand pane, expand SQL Server Network Configuration. Click on the entry for the SQL Server instance under review: "Protocols for <Instance Name>". The right-hand pane displays the protocols enabled for the instance.  
 
If Named Pipes is enabled and not specifically required and authorized, this is a finding. 
 
If any listed protocol is enabled but not authorized, this is a finding.

References:
SV-93891
V-79185
CCI-000382
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 18 *******************************

QUESTION         : 19 of 41
TITLE            : CAT II, V-213962, SV-213962r1043177, SRG-APP-000142-DB-000094
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:5701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:5701
RULE             : SQL Server must be configured to prohibit or restrict the use of organization-defined ports, as defined in the PPSM CAL and vulnerability assessments.
QUESTION_TEXT    : Review SQL Server Configuration for the ports used by SQL Server.  
 
To determine whether SQL Server is configured to use a fixed port or dynamic ports, open SQL Server Configuration Manager, expand SQL Server Network Configuration, select the protocols entry for the instance under review, and double-click the TCP/IP entry in the right-hand pane to open the Properties dialog. (The default fixed port is 1433.)
 
If these are in conflict with PPSM guidance, and not explained and approved in the system documentation, this is a finding.

References:
SV-93893
V-79187
CCI-000382
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 19 *******************************

QUESTION         : 20 of 41
TITLE            : CAT II, V-213970, SV-213970r961053, SRG-APP-000180-DB-000115
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ms.sql.server.inst.hybrid:testaction:21393301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ms.sql.server.inst.hybrid:question:21393301
VARIABLE_ID      : oval:navy.navwar.niwcatlantic.scc.ms.sql.server.inst:var:21393304
RULE             : SQL Server must protect against a user falsely repudiating by ensuring all accounts are individual, unique, and not shared.
QUESTION_TEXT    : Note:  This check covers three duplicate requirements in the SQL 2016 Instance STIG:
Rule ID: SV-213933
Rule ID: SV-213963
Rule ID: SV-213970

Enter database user names documented and verified to be individual, unique, and not shared
HYBRID QUESTION  :Enter Scope, Target, Authorization (SSP doc, ISSM etc...), and authorized value(s) in the XML below. Refer to SCC User Manual Section 6 for more information and detailed examples

<hybrid_variables>
	<hybrid_variable>
		<scope>INSTANCE</scope>
		<target>ALL</target>
		<authorization></authorization>
		<authorized_values>
			<authorized_value></authorized_value>
		</authorized_values>
		<notes></notes>
	</hybrid_variable>
</hybrid_variables>
******************************* end of question 20 *******************************

QUESTION         : 21 of 41
TITLE            : CAT II, V-213973, SV-213973r961128, SRG-APP-000231-DB-000154
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:7901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:7901
RULE             : The Service Master Key must be backed up and stored in a secure location that is not on the SQL Server.
QUESTION_TEXT    : Review procedures for and evidence of backup of the Server Service Master Key in the System Security Plan.  
 
If the procedures or evidence do not exist, this is a finding.
 
If the procedures do not indicate that a backup of the Service Master Key is stored in a secure location that is not on the SQL Server, this is a finding. 

If procedures do not indicate access restrictions to the Service Master Key backup, this is a finding.

References:
SV-93913
V-79207
CCI-001199
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 21 *******************************

QUESTION         : 22 of 41
TITLE            : CAT II, V-213974, SV-213974r961128, SRG-APP-000231-DB-000154
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:8101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:8101
RULE             : The Master Key must be backed up and stored in a secure location that is not on the SQL Server.
QUESTION_TEXT    : If the application owner and authorizing official have determined that encryption of data at rest is not required, this is not a finding. 
 
Review procedures for and evidence of backup of the Master Key in the System Security Plan.  
 
If the procedures or evidence do not exist, this is a finding.
 
If the procedures do not indicate that a backup of the Master Key is stored in a secure location that is not on the SQL Server, this is a finding.

If procedures do not indicate access restrictions to the Master Key backup, this is a finding.

References:
SV-93915
V-79209
CCI-001199
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 22 *******************************

QUESTION         : 23 of 41
TITLE            : CAT II, V-213976, SV-213976r961149, SRG-APP-000243-DB-000373
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:8501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:8501
RULE             : SQL Server must prevent unauthorized and unintended information transfer via Instant File Initialization (IFI).
QUESTION_TEXT    : Review system configuration to determine whether IFI support has been enabled (by default in SQL Server 2016).

Start >> Control Panel >> System and Security >> Administrative Tools >> Local Security Policy >> Local Policies >> User Rights Assignment >> Perform volume maintenance tasks

The default SQL service account for a default instance is NT SERVICE\MSSQLSERVER or for a named instance is NT SERVICE\MSSQL$InstanceName.

If the SQL service account or SQL service SID has been granted "Perform volume maintenance tasks" Local Rights Assignment, this means that Instant File Initialization (IFI) is enabled.

Review the system documentation to determine if Instant File Initialization (IFI) is required.

If IFI is enabled but not documented as required, this is a finding.

If IFI is not enabled, this is not a finding.

References:
SV-93919
V-79213
CCI-001090
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 23 *******************************

QUESTION         : 24 of 41
TITLE            : CAT II, V-213977, SV-213977r961149, SRG-APP-000243-DB-000374
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:8701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:8701
RULE             : Access to database files must be limited to relevant processes and to authorized, administrative users.
QUESTION_TEXT    : Review the permissions granted to users by the operating system/file system on the database files, database log files, and database backup files. 

To obtain the location of SQL Server data, transaction log, and backup files, open and execute the supplemental file "Get SQL Data and Backup Directories.sql".

For each of the directories returned by the above script, verify whether the correct permissions have been applied.

1) Launch Windows Explorer.
2) Navigate to the folder.
3) Right-click the folder and click "Properties".
4) Navigate to the "Security" tab.
5) Review the listing of principals and permissions.

Account Type                  Directory Type        Permission
-----------------------------------------------------------------------------------------------
Database Administrators       ALL                   Full Control
SQL Server Service SID        Data; Log; Backup;    Full Control
SQL Server Agent Service SID  Backup                Full Control
SYSTEM                        ALL                   Full Control
CREATOR OWNER                 ALL                   Full Control

For information on how to determine a "Service SID", go to:
https://aka.ms/sql-service-sids

Additional permission requirements, including full directory permissions and operating system rights for SQL Server, are documented at:
https://aka.ms/sqlservicepermissions

If any additional permissions are granted but not documented as authorized, this is a finding.

References:
SV-93921
V-79215
CCI-001090
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 24 *******************************

QUESTION         : 25 of 41
TITLE            : CAT II, V-213978, SV-213978r1067807, SRG-APP-000267-DB-000163
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:8901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:8901
RULE             : SQL Server must reveal detailed error messages only to documented and approved individuals or roles.
QUESTION_TEXT    : Error message handling within applications and custom database code (stored procedures, triggers) must be enforced by guidelines and code review practices.

SQL Server writes certain system events and user-defined events to the SQL Server error log. The SQL Server error log can be viewed using the SQL Server Management Studio GUI. All logins granted the securityadmin or sysadmin level of permission are able to view the log. Review the logins returned by the following script:

USE master 
GO
SELECT Name 
FROM syslogins 
WHERE (sysadmin = 1 or securityadmin = 1) 
and hasaccess = 1; 

If any nonauthorized users have access to the SQL Server Error Log located at Program Files\Microsoft SQL Server\MSSQL.n\MSSQL\LOG, this is a finding. 

In addition, the SQL Server Error Log is also located at Program Files\Microsoft SQL Server\MSSQL.n\MSSQL\LOG\. Review the permissions on this folder to ensure that only authorized users are listed.  

If any nonauthorized users have access to the SQL Server Error Log in SQL Server Management Studio or if documentation does not exist stating that full error messages must be returned, this is a finding.

Otherwise, verify if trace flag 3625 is enabled to mask certain system-level error information returned to nonadministrative users. 
 
Launch SQL Server Configuration Manager: 
Select SQL Server Services >> SQL Server. Select the SQL Server instance, then right-click and select "Properties". Select the "Startup Parameters" tab and verify that -T3625 exists in the dialog window.

OR

Run the query:
DBCC TRACESTATUS;

If TraceFlag 3625 does not return with Status = 1 and if documentation does not exist stating that full error messages must be returned, this is a finding.
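Added example, not part of the STIG or SCC content: the following T-SQL performs both halves of this check in one script. It lists the logins that can read the error log through SSMS using the current catalog views (sys.server_role_members and sys.server_principals, rather than the syslogins compatibility view), and it captures the output of DBCC TRACESTATUS (3625) into a table variable so the result can be tested rather than read by eye. The column names of the table variable follow the columns DBCC TRACESTATUS returns (TraceFlag, Status, Global, Session).

```sql
-- Added example (not STIG text): error-log readers and trace flag 3625 state.
USE master;
GO

-- 1. Logins that can view the SQL Server error log (sysadmin / securityadmin members).
SELECT  R.name        AS FixedServerRole,
        M.name        AS LoginName,
        M.type_desc   AS LoginType,
        M.is_disabled AS IsDisabled
FROM    sys.server_role_members AS RM
        JOIN sys.server_principals AS R ON R.principal_id = RM.role_principal_id
        JOIN sys.server_principals AS M ON M.principal_id = RM.member_principal_id
WHERE   R.name IN (N'sysadmin', N'securityadmin')
ORDER BY R.name, M.name;

-- 2. Capture DBCC TRACESTATUS output so the trace flag state can be evaluated in T-SQL.
DECLARE @tf TABLE (TraceFlag INT, [Status] INT, [Global] INT, [Session] INT);
INSERT INTO @tf
EXEC (N'DBCC TRACESTATUS (3625) WITH NO_INFOMSGS');

-- Status = 1 and Global = 1 means the flag is active instance-wide (for example via
-- the -T3625 startup parameter). Status = 1 with Global = 0 means it was enabled for
-- this session only, which does not satisfy the check.
SELECT  CASE WHEN EXISTS (SELECT 1 FROM @tf
                          WHERE TraceFlag = 3625 AND [Status] = 1 AND [Global] = 1)
             THEN N'Trace flag 3625 enabled globally'
             ELSE N'Trace flag 3625 NOT enabled globally: finding unless documentation states full error messages are required'
        END AS TraceFlag3625Check;
```

The session-versus-global distinction matters because DBCC TRACEON (3625) without the -1 argument enables the flag only for the current connection, which would show Status = 1 in that session while other users still receive full error text.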

References:
SV-93923
V-79217
CCI-001314
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 25 *******************************

QUESTION         : 26 of 41
TITLE            : CAT II, V-213979, SV-213979r961353, SRG-APP-000340-DB-000304
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:9101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:9101
RULE             : SQL Server must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
QUESTION_TEXT    : Review server-level securables and built-in role membership to ensure only authorized users have privileged access and the ability to create server-level objects and grant permissions to themselves or others. 
 
Review the system documentation to determine the required levels of protection for DBMS server securables, by type of login. 
 
Review the permissions in place on the server. If the actual permissions do not match the documented requirements, this is a finding. 
 
Get all permission assignments to logins and roles: 
 
SELECT DISTINCT 
    CASE 
        WHEN SP.class_desc IS NOT NULL THEN 
            CASE 
                WHEN SP.class_desc = 'SERVER' AND S.is_linked = 0 THEN 'SERVER' 
                WHEN SP.class_desc = 'SERVER' AND S.is_linked = 1 THEN 'SERVER (linked)' 
                ELSE SP.class_desc 
            END 
        WHEN E.name IS NOT NULL THEN 'ENDPOINT' 
        WHEN S.name IS NOT NULL AND S.is_linked = 0 THEN 'SERVER' 
        WHEN S.name IS NOT NULL AND S.is_linked = 1 THEN 'SERVER (linked)' 
        WHEN P.name IS NOT NULL THEN 'SERVER_PRINCIPAL' 
        ELSE '???' 
    END                    AS [Securable Class], 
    CASE 
        WHEN E.name IS NOT NULL THEN E.name 
        WHEN S.name IS NOT NULL THEN S.name 
        WHEN P.name IS NOT NULL THEN P.name 
        ELSE '???' 
    END                    AS [Securable], 
    P1.name                AS [Grantee], 
    P1.type_desc           AS [Grantee Type], 
    sp.permission_name     AS [Permission], 
    sp.state_desc          AS [State], 
    P2.name                AS [Grantor], 
    P2.type_desc           AS [Grantor Type] 
FROM 
    sys.server_permissions SP 
    INNER JOIN sys.server_principals P1 
        ON P1.principal_id = SP.grantee_principal_id 
    INNER JOIN sys.server_principals P2 
        ON P2.principal_id = SP.grantor_principal_id 
 
    FULL OUTER JOIN sys.servers S 
        ON  SP.class_desc = 'SERVER' 
        AND S.server_id = SP.major_id 
 
    FULL OUTER JOIN sys.endpoints E 
        ON  SP.class_desc = 'ENDPOINT' 
        AND E.endpoint_id = SP.major_id 
 
    FULL OUTER JOIN sys.server_principals P 
        ON  SP.class_desc = 'SERVER_PRINCIPAL'        
        AND P.principal_id = SP.major_id 
 
Get all server role memberships: 
 
SELECT 
    R.name    AS [Role], 
    M.name    AS [Member] 
FROM 
    sys.server_role_members X 
    INNER JOIN sys.server_principals R ON R.principal_id = X.role_principal_id 
    INNER JOIN sys.server_principals M ON M.principal_id = X.member_principal_id 
 
The CONTROL SERVER permission is similar but not identical to the sysadmin fixed server role. Permissions do not imply role memberships and role memberships do not grant permissions. (e.g., CONTROL SERVER does not imply membership in the sysadmin fixed server role.) 
 
Ensure only the documented and approved logins have privileged functions in SQL Server.  
 
If the current configuration does not match the documented baseline, this is a finding.

References:
SV-93925
V-79219
CCI-002235
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 26 *******************************

QUESTION         : 27 of 41
TITLE            : CAT II, V-213980, SV-213980r961359, SRG-APP-000342-DB-000302
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ms.sql.server.inst.hybrid:testaction:21398001
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ms.sql.server.inst.hybrid:question:21398001
VARIABLE_ID      : oval:navy.navwar.niwcatlantic.scc.ms.sql.server.inst:var:21398004
RULE             : Use of credentials and proxies must be restricted to necessary cases only.
QUESTION_TEXT    : Enter the list of database accounts (credential_identity) who are approved in documentation for executing external processes
HYBRID QUESTION  :Enter Scope, Target, Authorization (SSP doc, ISSM etc...), and authorized value(s) in the XML below. Refer to SCC User Manual Section 6 for more information and detailed examples

<hybrid_variables>
	<hybrid_variable>
		<scope>INSTANCE</scope>
		<target>ALL</target>
		<authorization></authorization>
		<authorized_values>
			<authorized_value></authorized_value>
		</authorized_values>
		<notes></notes>
	</hybrid_variable>
</hybrid_variables>
******************************* end of question 27 *******************************

QUESTION         : 28 of 41
TITLE            : CAT II, V-213983, SV-213983r1018595, SRG-APP-000357-DB-000316
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:9501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:9501
RULE             : SQL Server must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
QUESTION_TEXT    : If the database is set up to write audit logs using the APPLICATION or SECURITY event logs rather than writing to a file, this is Not Applicable.

Check the server documentation for the SQL Audit file size configurations. Locate the Audit file path and drive. 
 
SELECT max_file_size, max_rollover_files, log_file_path AS "Audit Path"  
FROM sys.server_file_audits 
 
Calculate the space needed as the maximum file size and number of files from the SQL Audit File properties. 
 
If the calculated product of the "max_file_size" times the "max_rollover_files" exceeds the size of the storage location, this is a finding; 

OR if "max_file_size" is set to "0" (Unlimited), this is a finding;

OR if "max_rollover_files" are set to "0" (None) or "2147483647" (Unlimited), this is a finding.
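Added example, not part of the STIG or SCC content: this T-SQL extends the query above with the three conditions of the check. In sys.server_file_audits, max_file_size is in megabytes and 0 means unlimited; max_rollover_files of 0 means no rollover and 2147483647 means unlimited. The audit volume size is not available from the catalog views, so @VolumeSizeMB is a placeholder that must be replaced with the actual size of the drive holding the audit path (taken from the operating system, for example with Get-Volume in PowerShell).

```sql
-- Added example (not STIG text): evaluate SQL Audit file sizing against this check.
DECLARE @VolumeSizeMB BIGINT = 102400;  -- placeholder: 100 GB audit volume, replace with the real size

SELECT  FA.name                  AS AuditName,
        FA.log_file_path         AS AuditPath,
        FA.max_file_size         AS MaxFileSizeMB,      -- 0 = unlimited
        FA.max_rollover_files    AS MaxRolloverFiles,   -- 0 = none, 2147483647 = unlimited
        CASE WHEN FA.max_file_size = 0 OR FA.max_rollover_files IN (0, 2147483647)
             THEN NULL                                  -- worst case is unbounded
             ELSE CAST(FA.max_file_size AS BIGINT) * FA.max_rollover_files
        END                      AS RequiredSpaceMB,
        CASE WHEN FA.max_file_size = 0
                  THEN N'FINDING: max_file_size = 0 (unlimited)'
             WHEN FA.max_rollover_files = 0
                  THEN N'FINDING: max_rollover_files = 0 (none)'
             WHEN FA.max_rollover_files = 2147483647
                  THEN N'FINDING: max_rollover_files = 2147483647 (unlimited)'
             WHEN CAST(FA.max_file_size AS BIGINT) * FA.max_rollover_files > @VolumeSizeMB
                  THEN N'FINDING: required space exceeds the audit volume'
             ELSE N'OK: required space fits within the audit volume'
        END                      AS Result
FROM    sys.server_file_audits AS FA
ORDER BY FA.name;
```

The CAST to BIGINT before multiplying avoids integer overflow when large file sizes are combined with large rollover counts; without it a product above 2147483647 would raise an arithmetic overflow error instead of a finding.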

References:
SV-93933
V-79227
CCI-001849
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 28 *******************************

QUESTION         : 29 of 41
TITLE            : CAT II, V-213984, SV-213984r961398, SRG-APP-000359-DB-000319
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:9701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:9701
RULE             : SQL Server must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity.
QUESTION_TEXT    : The operating system and SQL Server offer a number of methods for checking the drive or volume free space. Locate the destination drive where SQL Audits are stored and review system configuration.  
 
If no alert exists to notify support staff in the event the SQL Audit drive reaches 75%, this is a finding.

References:
SV-93935
V-79229
CCI-001855
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 29 *******************************

QUESTION         : 30 of 41
TITLE            : CAT II, V-213985, SV-213985r961401, SRG-APP-000360-DB-000320
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:9901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:9901
RULE             : SQL Server must provide an immediate real-time alert to appropriate support staff of all audit log failures.
QUESTION_TEXT    : Review SQL Server settings, OS, or third-party logging software settings to determine whether a real-time alert will be sent to the appropriate personnel when auditing fails for any reason.

If real-time alerts are not sent upon auditing failure, this is a finding.

References:
SV-93937
V-79231
CCI-001858
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 30 *******************************

QUESTION         : 31 of 41
TITLE            : CAT II, V-213986, SV-213986r961443, SRG-APP-000374-DB-000322
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:10101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:10101
RULE             : SQL Server must record time stamps in audit records and application data that can be mapped to Coordinated Universal Time (UTC, formerly GMT).
QUESTION_TEXT    : SQL Server audits store the timestamp in UTC time.  
 
Determine if the computer is joined to a domain. 
 
SELECT DEFAULT_DOMAIN() AS [DomainName]
 
If this is not NULL, this is not a finding. 
 
If the computer is not joined to a domain, determine what the time source is. (Run the following command in an elevated PowerShell session.) 
 
     w32tm /query /source 
 
If the command returns "Local CMOS Clock" and this is not documented with justification and AO authorization, this is a finding.
 
If the OS does not synchronize with a time server, review the procedure for maintaining accurate time on the system.  
 
If such a procedure does not exist, this is a finding.  
 
If the procedure exists, review evidence that the correct time is actually maintained.  
 
If the evidence indicates otherwise, this is a finding.

References:
SV-93939
V-79233
CCI-001890
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 31 *******************************

QUESTION         : 32 of 41
TITLE            : CAT II, V-213987, SV-213987r961461, SRG-APP-000380-DB-000360
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ms.sql.server.inst.hybrid:testaction:21398701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ms.sql.server.inst.hybrid:question:21398701
VARIABLE_ID      : oval:navy.navwar.niwcatlantic.scc.ms.sql.server.inst:var:21398704
RULE             : SQL Server must enforce access restrictions associated with changes to the configuration of the instance.
QUESTION_TEXT    : Enter the list of database user names who are approved in documentation to have the 'CONTROL SERVER' permission or to be a member of the 'sysadmin', 'securityadmin', or 'serveradmin' server roles
HYBRID QUESTION  :Enter Scope, Target, Authorization (SSP doc, ISSM etc...), and authorized value(s) in the XML below. Refer to SCC User Manual Section 6 for more information and detailed examples

<hybrid_variables>
	<hybrid_variable>
		<scope>INSTANCE</scope>
		<target>ALL</target>
		<authorization></authorization>
		<authorized_values>
			<authorized_value></authorized_value>
		</authorized_values>
		<notes></notes>
	</hybrid_variable>
</hybrid_variables>
******************************* end of question 32 *******************************
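Added example, not part of the STIG or SCC content, serving both the privileged-function review in question 26 and the approved-login list in question 32: this T-SQL gathers the principals that hold CONTROL SERVER directly or belong to the sysadmin, securityadmin or serveradmin roles, then compares them with a documented baseline held in a table variable. The two baseline rows are constructed placeholders; replace them with the logins named in the system documentation.

```sql
-- Added example (not STIG text): privileged principals versus the documented baseline.
DECLARE @Approved TABLE (LoginName sysname NOT NULL);
INSERT INTO @Approved (LoginName) VALUES
    (N'sa'),                  -- placeholder entry, replace with documented logins
    (N'CONTOSO\SQLAdmins');   -- placeholder domain group

WITH Privileged AS
(
    -- Members of the privileged fixed server roles named in the check.
    SELECT  M.name             AS LoginName,
            N'Role: ' + R.name AS Privilege
    FROM    sys.server_role_members AS RM
            JOIN sys.server_principals AS R ON R.principal_id = RM.role_principal_id
            JOIN sys.server_principals AS M ON M.principal_id = RM.member_principal_id
    WHERE   R.name IN (N'sysadmin', N'securityadmin', N'serveradmin')

    UNION ALL

    -- Principals granted CONTROL SERVER as a permission (role membership does not imply it).
    SELECT  P.name,
            N'Permission: ' + SP.permission_name + N' (' + SP.state_desc + N')'
    FROM    sys.server_permissions AS SP
            JOIN sys.server_principals AS P ON P.principal_id = SP.grantee_principal_id
    WHERE   SP.class_desc = N'SERVER'
      AND   SP.permission_name = N'CONTROL SERVER'
      AND   SP.state_desc IN (N'GRANT', N'GRANT_WITH_GRANT_OPTION')
)
SELECT  PV.LoginName,
        PV.Privilege,
        CASE WHEN A.LoginName IS NULL THEN N'FINDING: not in documented baseline'
             ELSE N'OK: documented' END AS Result
FROM    Privileged AS PV
        LEFT JOIN @Approved AS A ON A.LoginName = PV.LoginName
ORDER BY Result, PV.LoginName, PV.Privilege;
```

Membership is reported one level deep, matching the role query in question 26; a login that reaches sysadmin only through a user-defined server role appears under that role's name rather than under sysadmin, so such roles should be added to the IN list when they exist on the instance.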

QUESTION         : 33 of 41
TITLE            : CAT II, V-213988, SV-213988r961461, SRG-APP-000380-DB-000360
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ms.sql.server.inst.hybrid:testaction:21398801
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ms.sql.server.inst.hybrid:question:21398801
VARIABLE_ID      : oval:navy.navwar.niwcatlantic.scc.ms.sql.server.inst:var:21398802
RULE             : Windows must enforce access restrictions associated with changes to the configuration of the SQL Server instance.
QUESTION_TEXT    : Enter the approved and documented list of database user names who have privileged access to the server via the local Administrators group.
HYBRID QUESTION  :Enter Scope, Target, Authorization (SSP doc, ISSM etc...), and authorized value(s) in the XML below. Refer to SCC User Manual Section 6 for more information and detailed examples

<hybrid_variables>
	<hybrid_variable>
		<scope>INSTANCE</scope>
		<target>ALL</target>
		<authorization></authorization>
		<authorized_values>
			<authorized_value></authorized_value>
		</authorized_values>
		<notes></notes>
	</hybrid_variable>
</hybrid_variables>
******************************* end of question 33 *******************************

QUESTION         : 34 of 41
TITLE            : CAT II, V-213990, SV-213990r961470, SRG-APP-000383-DB-000364
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:10901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:10901
RULE             : SQL Server must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.
QUESTION_TEXT    : SQL Server must only use approved network communication libraries, ports, and protocols. 
 
Obtain a list of all approved network libraries, communication ports, and protocols from the server documentation. 
 
Verify that the protocols are enabled for the instance. 
 
If any ports or protocols are used that are not specifically approved in the server documentation, this is a finding.

References:
SV-93947
V-79241
CCI-001762
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 34 *******************************

QUESTION         : 35 of 41
TITLE            : CAT II, V-213992, SV-213992r961608, SRG-APP-000431-DB-000388
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:11301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:11301
RULE             : SQL Server services must be configured to run under unique dedicated user accounts.
QUESTION_TEXT    : Review the server documentation to obtain a listing of required service accounts. Review the accounts configured for all SQL Server services installed on the server. 
 
Click Start >> Type "SQL Server Configuration Manager" >> Launch the program >> Click SQL Server Services tree node. Review the "Log On As" column for each service. 
 
If any services are configured with the same service account or are configured with an account that is not documented and authorized, this is a finding.

References:
SV-93951
V-79245
CCI-002530
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 35 *******************************

QUESTION         : 36 of 41
TITLE            : CAT II, V-213993, SV-213993r961677, SRG-APP-000454-DB-000389
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ms.sql.server.inst.hybrid:testaction:21395501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ms.sql.server.inst.hybrid:question:21395501
VARIABLE_ID      : oval:navy.navwar.niwcatlantic.scc.ms.sql.server.inst:var:21395502
RULE             : Unused database components that are integrated in SQL Server and cannot be uninstalled must be disabled.
QUESTION_TEXT    : Note:  This check covers several duplicate requirements in the SQL 2016 Instance STIG:
Rule ID: SV-213955
Rule ID: SV-213956
Rule ID: SV-213993

From system documentation, enter the list of required database components
Examples: Database Engine Services, SQL Server Replication, Full-Text and Semantic Extractions for Search, Analysis Services

HYBRID QUESTION  :Enter Scope, Target, Authorization (SSP doc, ISSM etc...), and authorized value(s) in the XML below. Refer to SCC User Manual Section 6 for more information and detailed examples

<hybrid_variables>
	<hybrid_variable>
		<scope>INSTANCE</scope>
		<target>ALL</target>
		<authorization></authorization>
		<authorized_values>
			<authorized_value></authorized_value>
		</authorized_values>
		<notes></notes>
	</hybrid_variable>
</hybrid_variables>
******************************* end of question 36 *******************************

QUESTION         : 37 of 41
TITLE            : CAT II, V-213994, SV-213994r1001008, SRG-APP-000456-DB-000390
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:11701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:11701
RULE             : Security-relevant software updates to SQL Server must be installed within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).
QUESTION_TEXT    : Obtain evidence that software patches are consistently applied to SQL Server within the time frame defined for each patch. To be considered supported, Microsoft must report that the version is supported by security patches for known vulnerabilities. Review the support dates at: https://learn.microsoft.com/en-us/troubleshoot/sql/releases/download-and-install-latest-updates
 
Check the SQL Server version by running the following script: PRINT @@VERSION
 
If the SQL Server version is not shown as supported, this is a finding. 
 
If such evidence cannot be obtained, or the evidence that is obtained indicates a pattern of noncompliance, this is a finding.

References:
SV-93955
V-79249
CCI-002605
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 37 *******************************

QUESTION         : 38 of 41
TITLE            : CAT II, V-214021, SV-214021r961839, SRG-APP-000508-DB-000358
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:14901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:14901
RULE             : SQL Server must generate audit records for all direct access to the database(s).
QUESTION_TEXT    : Determine whether any Server Audits are configured to filter records. From SQL Server Management Studio execute the following query: 
 
SELECT name AS AuditName, predicate AS AuditFilter  
FROM sys.server_audits  
WHERE predicate IS NOT NULL 
 
If any audits are returned, review the associated filters to determine whether administrative activities are being excluded.  
 
If any audits are configured to exclude administrative activities, this is a finding.

References:
SV-94009
V-79303
CCI-000172
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 38 *******************************

QUESTION         : 39 of 41
TITLE            : CAT II, V-214025, SV-214025r961860, SRG-APP-000515-DB-000318
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:15701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:15701
RULE             : The system SQL Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.
QUESTION_TEXT    : Review the system documentation for a description of how audit records are off-loaded. 
 
If the system has a continuous network connection to the centralized log management system, but the DBMS audit records are not written directly to the centralized log management system or transferred in near-real-time, this is a finding. 
 
If the system does not have a continuous network connection to the centralized log management system, and the DBMS audit records are not transferred to the centralized log management system weekly or more often, this is a finding.

References:
SV-94017
V-79311
CCI-001851
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 39 *******************************

QUESTION         : 40 of 41
TITLE            : CAT II, V-214027, SV-214027r961863, SRG-APP-000516-DB-000363
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:16101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:16101
RULE             : SQL Server must configure SQL Server Usage and Error Reporting Auditing.
QUESTION_TEXT    : Review the server documentation to determine if auditing of the telemetry data is required. If auditing of telemetry data is not required, this is not a finding. 
 
If auditing of telemetry data is required, determine the telemetry service user name by executing the following query: 
 
SELECT name 
FROM sys.server_principals 
WHERE name LIKE '%SQLTELEMETRY%' 
 
Review the values of the following registry key: 
Note: InstanceId refers to the type and instance of the feature (e.g., MSSQL13.SqlInstance, MSAS13.SSASInstance, MSRS13.SSRSInstance). 
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\[InstanceId]\CPE\UserRequestedLocalAuditDirectory 
 
If the registry key does not exist or the value is blank, this is a finding. 
 
Navigate to the path defined in the "UserRequestedLocalAuditDirectory" registry key in File Explorer. 
 
Right-click on the folder and choose "Properties". 
Open the "Security" tab.
 
Verify the SQLTELEMETRY account has the following permissions: 
 
- List folder contents 
- Read 
- Write 
 
If the permissions are not set properly on the folder, this is a finding. 
 
Open services.msc and find the telemetry service. 
- For Database Engine, use SQL Server CEIP service (<INSTANCENAME>). 
- For Analysis Services, use SQL Server Analysis Services CEIP (<INSTANCENAME>). 
 
Right-click on the service and choose "Properties". Verify the "Startup type" is "Automatic."  
 
If the service is not configured to automatically start, this is a finding. 
 
Review the processes and procedures for reviewing the telemetry data. If there is evidence that the telemetry data is periodically reviewed in accordance with the processes and procedures, this is not a finding. 
 
If no processes and procedures exist for reviewing telemetry data, this is a finding.

References:
SV-94021
V-79315
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 40 *******************************
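
Added example for question 40 (not part of the STIG or the SCC content): a PowerShell script that performs the three technical parts of the check above in one pass, reading the UserRequestedLocalAuditDirectory registry value, inspecting the folder ACL for the SQLTELEMETRY account, and reading the startup type of the "SQL Server CEIP service (<INSTANCENAME>)" service. The instance name and InstanceId are placeholders for a SQL Server 2016 Database Engine instance; the review of telemetry-data processes and procedures in the last part of the check is a documentation review and is not scripted.

```powershell
# Added example, not STIG or SCC content: automates the V-214027 telemetry audit
# configuration checks (registry value, folder ACL, CEIP service startup type).
# Placeholders: InstanceName and InstanceId must match the instance under review.
param(
    [string]$InstanceName = 'MSSQLSERVER',        # placeholder instance name
    [string]$InstanceId   = 'MSSQL13.MSSQLSERVER' # placeholder; MSSQL13.<name> for a 2016 Database Engine
)

$findings = @()

# 1. Registry: the UserRequestedLocalAuditDirectory value must exist and be non-blank.
$regPath  = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceId\CPE"
$auditDir = (Get-ItemProperty -Path $regPath -Name UserRequestedLocalAuditDirectory `
                -ErrorAction SilentlyContinue).UserRequestedLocalAuditDirectory

if ([string]::IsNullOrWhiteSpace($auditDir)) {
    $findings += "UserRequestedLocalAuditDirectory under '$regPath' is missing or blank."
}
elseif (-not (Test-Path -Path $auditDir -PathType Container)) {
    $findings += "Audit directory '$auditDir' does not exist."
}
else {
    # 2. Folder ACL: SQLTELEMETRY needs List folder contents, Read and Write.
    #    FileSystemRights.Read already contains ListDirectory (ReadData), so an
    #    Allow ACE granting both Read and Write satisfies all three.
    $required = [System.Security.AccessControl.FileSystemRights]::Read -bor
                [System.Security.AccessControl.FileSystemRights]::Write
    $acl = Get-Acl -Path $auditDir
    $telemetryAce = $acl.Access | Where-Object {
        $_.IdentityReference.Value -like '*SQLTELEMETRY*' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $required) -eq $required)
    }
    if (-not $telemetryAce) {
        $findings += "No Allow ACE grants the SQLTELEMETRY account Read and Write on '$auditDir'."
    }
}

# 3. Service: the Database Engine CEIP service must be set to start automatically.
#    Win32_Service reports StartMode 'Auto' for both Automatic and Automatic (Delayed Start).
$displayName = "SQL Server CEIP service ($InstanceName)"
$svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$displayName'"

if (-not $svc) {
    $findings += "Service '$displayName' was not found."
}
elseif ($svc.StartMode -ne 'Auto') {
    $findings += "Service '$displayName' start mode is '$($svc.StartMode)', not Automatic."
}

if ($findings) {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
else {
    Write-Output 'Telemetry auditing configuration checks passed; review the telemetry review procedures separately.'
}
```

Run it in an elevated session on the database server. The ACL test matches the identity by the SQLTELEMETRY substring because the account is a virtual service account whose exact name depends on the instance; if the folder inherits permissions from a parent, the inherited ACE is still evaluated because Get-Acl returns inherited entries in the Access collection.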

QUESTION         : 41 of 41
TITLE            : CAT II, V-214030, SV-214030r961359, SRG-APP-000342-DB-000302
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.ms.sql.server.inst.hybrid:testaction:21403001
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.ms.sql.server.inst.hybrid:question:21403001
VARIABLE_ID      : oval:navy.navwar.niwcatlantic.scc.ms.sql.server.inst:var:21403004
RULE             : Execution of startup stored procedures must be restricted to necessary cases only.
QUESTION_TEXT    : Enter approved and documented list of stored procedures
HYBRID QUESTION  : Enter Scope, Target, Authorization (SSP doc, ISSM etc...), and authorized value(s) in the XML below. Refer to SCC User Manual Section 6 for more information and detailed examples

<hybrid_variables>
	<hybrid_variable>
		<scope>INSTANCE</scope>
		<target>ALL</target>
		<authorization></authorization>
		<authorized_values>
			<authorized_value></authorized_value>
		</authorized_values>
		<notes></notes>
	</hybrid_variable>
</hybrid_variables>
******************************* end of question 41 *******************************

