Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

SeqRecommended ControlsControl ReferenceR*Findings

Risk Rating

(Critical, High, Medium, Low)

1

Local administrators group is restricted on the SQL Servers

Management of privileged access rights

A.9.2.3

Y

2

Remote Desktop/server access to SQL Servers:

  • Remote Desktop Users Users group is restricted
  • Servers are not directly accessed via RDP or other remote connection software

Management of privileged access rights

A.9.2.3

P

3

Service Accounts

  • SQL Server service accounts use low level domain users (non-admin accounts)

Management of privileged access rights

A.9.2.3

CIS 3.5-3.7

P

4

File shares and permissions

  • Database files and backups are not accessible to normal user accounts via file shares
  • Database server does not allow file share access to non-admin accounts

Management of privileged access rights

A.9.2.3

P

5

Synergetic data and backup files are protected

  • Backup file locations documented
  • Secured to authorised system administrators
  • Access to and use of backups is controlled and data protection is maintained

Access Control -Access control policy

A.9.1.1




6

Database backups are performed

  • Regular schedule
  • Allowing for point in time recovery
  • System RTO and RPO is documented
  • Backup and DR schedules to meet the defined RTO/RPO
Backup A.12.3P

7

Database Version

  • SQL Server is patched in line with hardware requirements
  • Latest cumulative updates have been applied
  • Windows Server patched (get-hotfix | sort InstalledOn -Desc)

CIS 1.1

Y

8

Database Security

  • The SQL Server (Windows Server) and instance is dedicated for Synergetic database use
  • No third party applications are installed to the SQL Server (other than AV)

CIS 1.2

Y

9

Database Security - use of 'sa' account

  • 'sa' account is disabled

OR

  • SA account password meets policy and is secured
  • Password has been updated when admin staff change over
  • Staff with access to the 'sa' password are known and authorised
  • The 'sa' password not distributed or used by staff
  • SA account is not used for daily server maintenance

**Renaming of 'sa' account is not supported by Synergetic, even if it is disabled it must still exist as 'sa'

CIS 2.13P

10

Database Security - server level SQL logins limited to:

  • Limited to 'sa' and administrators
  • Synergetic*_*ServerLogin
Synergetic Security - Best PracticesY

11

Database Auditing and Logging

  • Ensure 'Maximum number of error log files' is set to greater 
    than or equal to '12'
CIS 5.1Y

12

Database Logon auditing

  • Ensure 'SQL Server Audit' is set to capture both 'failed' and 
    'successful logins' 

**Important note - this can be considered however note that it will increase the SQL event log size significantly. Please use with caution and monitor disk/log size.

CIS 5.4

Y

13

Database Security 

  • Users access database via Windows Authentication by Active Directory Group membership
  • AD groups are used and not individual user accounts
Synergetic Security - Best PracticesY

14

Database Security - Orphaned users

  • Ensure 'Orphaned Users' are Dropped From SQL Server 
    Databases
CIS 3.3


15

Database Security - Fixed SQL Server Roles

  • System Admins and other fixed role membership is restricted
  • Seperate admin accounts are used
  • Servers are managed by remote tools (SSMS installed to workstation and not run directly on the server)
Synergetic Security - Best PracticesP

16

Database Security - Fixed SQL Database Roles

  • Fixed database role membership use is restricted
Synergetic Security - Best PracticesY

17

Database Administration - Synergetic Fixed Database Roles

  • Membership is restricted to Synergetic service accounts
Synergetic Security - Best PracticesY

18

Direct Database Permissions for users and third party service accounts

  • Controlled via restricted dedicated SQL Server roles
  • Only granted permissions when required (eg. normal Synergetic users don't need direct table access)
  • Not granted to entire schema (eg. dbo, finance)
  • Not granted to fixed server or database roles eg. SysAdmin, db_datareader, db_owner
  • Permissions are only granted to the required objects
Synergetic Security - Best PracticesP

19
  • Data SQL Transport encryption

    • Network traffic encryption (TLS)Data at rest (TDE)
    *TDE is standard SQL Server functionality and requires SQL 2016/2017 Enterprise or SQL 2019 Standard. It is currently un-tested with Synergetic. Approval for prod use is TBA.
Cryptography A.10Y

20^Ensure 'Remote Access' Server Configuration Option is set to '0'
CIS 2.6Y

21

^Ensure Unnecessary SQL Server Protocols are set to 'Disabled'

CIS 2.10Y

22

^Ensure 'Hide Instance' option is set to 'Yes' for Production 
SQL Server instances

For named instance Synergetic config does not allow supplying port number, so needs the browser service to recognise it.

CIS 2.12Y

23

^Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL 
Authenticated Logins Within the Sysadmin Role

**Note that Windows auth is preferred for users & third party vendors so this should not normally apply.

CIS 4.2


24

^Ensure 'MUST_CHANGE' Option is set to 'ON' for All SQL 
Authenticated Logins

**Note that Windows auth is preferred for users & third party vendors so this should not normally apply.Authenticated Logins

CIS 4.3


...