CIS Microsoft SQL Server 2022 Benchmark
Published 28 October 2024
Template contents
This template does not reflect the entirety of the Center for Internet Security (CIS) benchmark for SQL Server 2022, but it does include all of the server-level configuration options (see Microsoft's documentation) under the benchmark's Surface Area Reduction section. It also includes some Windows registry configuration, listed in the Non-trivial configuration section below.
This template has a default configuration that makes some assumptions about how the SQL Servers should be set up. These assumptions are listed in the Assumptions section below. If they do not match the requirements of your estate, we recommend using the duplicate action to create a version of the template that does. We do not recommend altering the configuration beyond the options referred to under Assumptions.
Non-trivial configuration
While the majority of the template represents SQL Server configuration options (settings exposed through sp_configure), a few checks involve more involved Windows-side configuration. These are:
- Ensuring unnecessary SQL Server Protocols are disabled
- Ensuring the SQL Server Browser Service is disabled
- Ensuring the instance is hidden from the network
- Ensuring that the encryption used by the instance meets the FIPS standard
Assumptions
This template makes some assumptions about how certain sections of the benchmark are fulfilled. These assumptions may not match your estate, so they are listed here to simplify the process of creating a duplicate template that better represents your requirements.
- The benchmark recommends disabling unnecessary SQL Server protocols. This template assumes TCP/IP is used to connect to the SQL Server instance, and so checks that Shared Memory and Named Pipes are both disabled.
- The benchmark recommends logging failed login attempts via the SQL Server error log. This template assumes that also logging successful attempts would create excessive noise, and checks that the login auditing level is set to "Failed logins only".
- The benchmark recommends configuring and enabling network encryption. This template assumes that network encryption has been configured and that all communications between SQL Server and clients are encrypted, as detailed in Microsoft's documentation on configuring SQL Server encryption.
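The following PowerShell script is an added example, not part of the template or of the CIS benchmark, that audits the Windows-side settings described under Non-trivial configuration and Assumptions above by reading the instance's registry hive and the SQL Browser service state. It assumes it is run in an elevated session on the SQL Server host, that the instance is the default instance (MSSQLSERVER, overridable via -InstanceName), and that the registry locations are those Microsoft documents for the SuperSocketNetLib protocol keys, HideInstance, ForceEncryption and AuditLevel. The Get-RegDword helper and the expected-value table are the author's own.

```powershell
# Added example: audit the template's Windows-side checks for one instance.
# Assumes an elevated session on the SQL Server host and a SQL Server 2022
# instance whose settings live under the documented registry paths.
param(
    [string]$InstanceName = 'MSSQLSERVER'   # assumed default instance
)

# Resolve the instance ID (for example MSSQL16.MSSQLSERVER) from the instance name.
$instanceId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').$InstanceName
if (-not $instanceId) { throw "Instance '$InstanceName' not found in the registry." }

$base = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer"
$ssnl = "$base\SuperSocketNetLib"

function Get-RegDword([string]$Path, [string]$Name) {
    # Hypothetical helper: returns $null when the key or value is missing, so an
    # absent setting is reported as a finding instead of silently passing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$results = @(
    # Protocols: the template assumes TCP/IP only, so Shared Memory and Named Pipes must be off.
    [pscustomobject]@{ Check = 'Shared Memory disabled'; Expected = 0; Actual = Get-RegDword "$ssnl\Sm"  'Enabled' }
    [pscustomobject]@{ Check = 'Named Pipes disabled';   Expected = 0; Actual = Get-RegDword "$ssnl\Np"  'Enabled' }
    [pscustomobject]@{ Check = 'TCP/IP enabled';         Expected = 1; Actual = Get-RegDword "$ssnl\Tcp" 'Enabled' }
    # Hide Instance = Yes keeps the instance out of browser/SSMS enumeration.
    [pscustomobject]@{ Check = 'Instance hidden';        Expected = 1; Actual = Get-RegDword $ssnl 'HideInstance' }
    # Login auditing: 0 = none, 1 = successful, 2 = failed logins only, 3 = both.
    [pscustomobject]@{ Check = 'Audit level = failed logins only'; Expected = 2; Actual = Get-RegDword $base 'AuditLevel' }
    # Force Encryption makes the server refuse unencrypted client sessions.
    [pscustomobject]@{ Check = 'Force Encryption';       Expected = 1; Actual = Get-RegDword $ssnl 'ForceEncryption' }
    # Windows FIPS policy; SQL Server honours this system-wide flag.
    [pscustomobject]@{ Check = 'FIPS algorithm policy';  Expected = 1; Actual = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' 'Enabled' }
)

# SQL Server Browser: should be disabled and stopped (or not installed at all).
$browser = Get-Service -Name SQLBrowser -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Check    = 'SQL Browser service disabled'
    Expected = 'Disabled/Stopped'
    Actual   = if ($browser) { "$($browser.StartType)/$($browser.Status)" } else { 'Not installed' }
}

foreach ($r in $results) {
    $pass = ($null -ne $r.Actual) -and (
        ($r.Expected -is [int]    -and $r.Actual -eq $r.Expected) -or
        ($r.Expected -isnot [int] -and $r.Actual -in @('Disabled/Stopped', 'Not installed'))
    )
    $r | Add-Member -NotePropertyName Result -NotePropertyValue $(if ($pass) { 'PASS' } else { 'FAIL' })
}

$results | Format-Table Check, Expected, Actual, Result -AutoSize
```

Two caveats when reading the output. ForceEncryption only shows that the server side will insist on encryption; to confirm the assumption that every client session is actually encrypted, query the encrypt_option column of sys.dm_exec_connections on the instance. Likewise, the FIPS policy flag is a machine-wide Windows setting, so a PASS there means the operating system cryptographic providers are in FIPS mode, not that any particular certificate or cipher suite has been validated for the instance.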