...

Uninstall excess tooling and/or remove unnecessary roles from the underlying operating system.

Surface

...

area reduction

SQL Server offers various configuration options, some of which can be controlled by the sp_configure stored procedure

...

There are a number of CIS recommendations that should not be implemented on Synergetic environments. These are:

| CIS | Description | Reason |
|---|---|---|
| 2.2 | Ensure 'CLR Enabled' Server Configuration Option is set to '0' | Required for underlying logic |
| 2.9 | Ensure 'Trustworthy' Database Property is set to 'Off' | Required for CLR access |
| 2.11 | Ensure SQL Server is configured to use non-standard ports | Not supported for default instances. Changing the port on a default instance may cause issues, as the Synergetic config does not allow a port number to be supplied in the configuration file. However, this would work for named instances using the SQL Browser Service, but then CIS 2.12 could not be performed to 'hide' the instance. |
| 2.14 | Ensure the 'sa' Login Account has been renamed | Synergetic has dependencies on the DB owner matching the user that created the CLRs, which is normally 'sa', and sets the DB owner to dbo (which is linked to sa). |
| 2.17 | Ensure no login exists with the name 'sa' | As above, the 'sa' user is required but can be disabled |
| 3.1 | Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode' | Synergetic requires mixed mode: normal staff and admin user accounts can all use Windows Auth, but the application has internal SQL user accounts (zSynergetic_*) managed by the patch process and used for each application |
| 3.4 | Ensure SQL Authentication is not used in contained databases | As above, Synergetic uses contained users for the zSynergetic* application user accounts |
| 6.2 | Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies | Current Synergetic CLR settings are defined as follows: System.Drawing UNSAFE_ACCESS; SynStreamCrypt SAFE_ACCESS; Synergetic.Database.CLR UNSAFE_ACCESS; GroupConcat SAFE_ACCESS; SqlRegEx SAFE_ACCESS; Synergetic.Database.CLR.XmlSerializers EXTERNAL_ACCESS |
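
Because CIS 6.2 and 2.17 are accepted exceptions here, the useful control is to confirm that the exception has not widened. The following T-SQL is an added example, not part of Synergetic's own tooling: it compares the CLR assemblies in the current database against the permission sets listed above and reports whether the 'sa' login is disabled. It assumes it is run in the Synergetic database; the `@baseline` table variable and the status labels are names made up for this example.

```sql
-- Added example: baseline values are copied from the CIS 6.2 exception above.
-- Explicit collations avoid conflicts with the catalog collation in contained databases.
DECLARE @baseline TABLE (
    name           nvarchar(128) COLLATE DATABASE_DEFAULT NOT NULL PRIMARY KEY,
    permission_set nvarchar(60)  COLLATE DATABASE_DEFAULT NOT NULL
);

INSERT INTO @baseline (name, permission_set) VALUES
    (N'System.Drawing',                         N'UNSAFE_ACCESS'),
    (N'SynStreamCrypt',                         N'SAFE_ACCESS'),
    (N'Synergetic.Database.CLR',                N'UNSAFE_ACCESS'),
    (N'GroupConcat',                            N'SAFE_ACCESS'),
    (N'SqlRegEx',                               N'SAFE_ACCESS'),
    (N'Synergetic.Database.CLR.XmlSerializers', N'EXTERNAL_ACCESS');

-- Any row whose status is not 'OK' is a deviation from the documented exception:
-- an assembly nobody listed, a listed assembly that is absent, or a changed
-- permission set (for example SAFE_ACCESS raised to UNSAFE_ACCESS).
SELECT
    COALESCE(a.name, b.name) AS assembly_name,
    b.permission_set         AS documented,
    a.permission_set_desc    AS actual,
    CASE
        WHEN b.name IS NULL THEN 'UNEXPECTED ASSEMBLY'
        WHEN a.name IS NULL THEN 'MISSING'
        WHEN a.permission_set_desc <> b.permission_set THEN 'PERMISSION SET DRIFT'
        ELSE 'OK'
    END AS status
FROM (
    SELECT name                COLLATE DATABASE_DEFAULT AS name,
           permission_set_desc COLLATE DATABASE_DEFAULT AS permission_set_desc
    FROM sys.assemblies
    WHERE is_user_defined = 1          -- skip the built-in Microsoft assembly
) AS a
FULL OUTER JOIN @baseline AS b
    ON b.name = a.name
ORDER BY status DESC, assembly_name;

-- CIS 2.14/2.17 exception: the login must exist, but it can be disabled.
-- sid 0x01 identifies the built-in sa login.
SELECT name, is_disabled
FROM sys.server_principals
WHERE sid = 0x01;
```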