Versions Compared

Old Version 6

changes.mady.by.user Steve Lynch

Saved on

compared with

New Version Current

changes.mady.by.user David Rogers

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Synergetic

...

Document Control

...

Initial version based on the 2019 review template and incorporating additional reference to standards.

...

Removed risk treatment column, apply feedback from SQL 2016/2017/2019 CIS benchmark plus link to IIS CIS benchmark (hardening guides).

Objectives

Synergetic databases and applications require adequate security configuration through multiple layers of the environment. They main objective of this exercise is to protect the database and system availability to ensure that confidential data is kept private and the system is secured and continually accessible to users who need access. This review focuses on helping to improve system security, however for improved business continuity practices it is recommended to also consider additional options that may provide improved performance, high availability and disaster recovery. The key focus points of this template are for hardening security configuration within a Synergetic environment across the following layers:layers:

  • Information Security Management
  • Network Security
  • Database Security
  • Web Server Security
  • Application SecurityDatabase
  • Supporting Services Security

Refer to Synergetic Data Privacy and Security Information Sheet - Synergetic User Hub - Synergetic Wiki for a top level overview.

...

SeqRecommended ControlsControl ReferenceR*Findings

Risk Rating

(Critical, High, Medium, Low)

1

Local administrators group is restricted on the SQL Servers

Management of privileged access rights

A.9.2.3

Y

2

Remote Desktop/server access to SQL Servers:

  • Remote Desktop Users Users group is restricted
  • Servers are not directly accessed via RDP or other remote connection software

Management of privileged access rights

A.9.2.3

P

3

Service Accounts

  • SQL Server service accounts use low level domain users (non-admin accounts)

Management of privileged access rights

A.9.2.3

CIS 3.5-3.7

P

4

File shares and permissions

  • Database files and backups are not accessible to normal user accounts via file shares
  • Database server does not allow file share access to non-admin accounts

Management of privileged access rights

A.9.2.3

P

5

Synergetic data and backup files are protected

  • Backup file locations documented
  • Secured to authorised system administrators
  • Access to and use of backups is controlled and data protection is maintained

Access Control -Access control policy

A.9.1.1




6

Database backups are performed

  • Regular schedule
  • Allowing for point in time recovery
  • System RTO and RPO is documented
  • Backup and DR schedules to meet the defined RTO/RPO
Backup A.12.3P

7

Database Version

  • SQL Server is patched in line with hardware requirements
  • Latest cumulative updates have been applied
  • Windows Server patched (get-hotfix | sort InstalledOn -Desc)

CIS 1.1

Y

8

Database Security

  • The SQL Server (Windows Server) and instance is dedicated for Synergetic database use
  • No third party applications are installed to the SQL Server (other than AV)

CIS 1.2

Y

9

Database Security - use of 'sa' account

  • 'sa' account is disabled

OR

  • SA account password meets policy and is secured
  • Password has been updated when admin staff change over
  • Staff with access to the 'sa' password are known and authorised
  • The 'sa' password not distributed or used by staff
  • SA account is not used for daily server maintenance

**Renaming of 'sa' account is not supported by Synergetic, even if it is disabled it must still exist as 'sa'

CIS 2.13P

10

Database Security - server level SQL logins limited to:

  • Limited to 'sa' and administrators
  • Synergetic*_*ServerLogin
Synergetic Security - Best PracticesY

11

Database Auditing and Logging

  • Ensure 'Maximum number of error log files' is set to greater 
    than or equal to '12'
CIS 5.1Y

12

Database Logon auditing

  • Ensure 'SQL Server Audit' is set to capture both 'failed' and 
    'successful logins' 

**Important note - this can be considered however note that it will increase the SQL event log size significantly. Please use with caution and monitor disk/log size.

CIS 5.4

Y

13

Database Security 

  • Users access database via Windows Authentication by Active Directory Group membership
  • AD groups are used and not individual user accounts
Synergetic Security - Best PracticesY

14

Database Security - Orphaned users

  • Ensure 'Orphaned Users' are Dropped From SQL Server 
    Databases
CIS 3.3


15

Database Security - Fixed SQL Server Roles

  • System Admins and other fixed role membership is restricted
  • Seperate admin accounts are used
  • Servers are managed by remote tools (SSMS installed to workstation and not run directly on the server)
Synergetic Security - Best PracticesP

16

Database Security - Fixed SQL Database Roles

  • Fixed database role membership use is restricted
Synergetic Security - Best PracticesY

17

Database Administration - Synergetic Fixed Database Roles

  • Membership is restricted to Synergetic service accounts
Synergetic Security - Best PracticesY

18

Direct Database Permissions for users and third party service accounts

  • Controlled via restricted dedicated SQL Server roles
  • Only granted permissions when required (eg. normal Synergetic users don't need direct table access)
  • Not granted to entire schema (eg. dbo, finance)
  • Not granted to fixed server or database roles eg. SysAdmin, db_datareader, db_owner
  • Permissions are only granted to the required objects
Synergetic Security - Best PracticesP

19

  • Data SQL Transport encryption

    • Network traffic encryption (TLS)Data at rest (TDE)
    *TDE is standard SQL Server functionality and requires SQL 2016/2017 Enterprise or SQL 2019 Standard. It is currently un-tested with Synergetic. Approval for prod use is TBA.
Cryptography A.10Y

20^Ensure 'Remote Access' Server Configuration Option is set to '0'
CIS 2.6Y

21

^Ensure Unnecessary SQL Server Protocols are set to 'Disabled'

CIS 2.10Y

22

^Ensure 'Hide Instance' option is set to 'Yes' for Production 
SQL Server instances

For named instance Synergetic config does not allow supplying port number, so needs the browser service to recognise it.

CIS 2.12Y

23

^Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL 
Authenticated Logins Within the Sysadmin Role

**Note that Windows auth is preferred for users & third party vendors so this should not normally apply.

CIS 4.2


24

^Ensure 'MUST_CHANGE' Option is set to 'ON' for All SQL 
Authenticated Logins

**Note that Windows auth is preferred for users & third party vendors so this should not normally apply.Authenticated Logins

CIS 4.3


...

*R= can be assessed remotely without input from stakeholders - y = YES P=Partially but additional info required from the stakeholders.

...

SUPPORTING SERVICES SECURITY

SeqRecommended ControlsControl ReferenceR*Findings

Risk Rating

(Critical, High, Medium, Low)

1

If DocMan Import Service is used:

  • DocMan UNC share paths are secured by user role

Synergetic Security - Best Practices

Y

2Services run under low level domain user accountSynergetic Security - Best PracticesY

...