Page Comparison

Local administrators group is restricted on the SQL Servers

Management of privileged access rights

A.9.2.3

Remote Desktop/server access to SQL Servers:

• Remote Desktop Users Users group is restricted
• Servers are not directly accessed via RDP or other remote connection software

Management of privileged access rights

A.9.2.3

Service Accounts

• SQL Server service accounts use low level domain users (non-admin accounts)

Management of privileged access rights

A.9.2.3

CIS 3.5-3.7

File shares and permissions

• Database files and backups are not accessible to normal user accounts via file shares
• Database server does not allow file share access to non-admin accounts

Management of privileged access rights

A.9.2.3

Synergetic data and backup files are protected

• Backup file locations documented
• Secured to authorised system administrators
• Access to and use of backups is controlled and data protection is maintained

Access Control -Access control policy

A.9.1.1

Database backups are performed

• Regular schedule
• Allowing for point in time recovery
• System RTO and RPO is documented
• Backup and DR schedules to meet the defined RTO/RPO

Database Version

• SQL Server is patched in line with hardware requirements
• Latest cumulative updates have been applied
• Windows Server patched (get-hotfix | sort InstalledOn -Desc)

CIS 1.1

Database Security

• The SQL Server (Windows Server) and instance is dedicated for Synergetic database use
• No third party applications are installed to the SQL Server (other than AV)

CIS 1.2

Database Security - use of 'sa' account

• 'sa' account is disabled

OR

• SA account password meets policy and is secured
• Password has been updated when admin staff change over
• Staff with access to the 'sa' password are known and authorised
• The 'sa' password not distributed or used by staff
• SA account is not used for daily server maintenance

**Renaming of 'sa' account is not supported by Synergetic, even if it is disabled it must still exist as 'sa'

Database Security - server level SQL logins limited to:

• Limited to 'sa' and administrators
• Synergetic*_*ServerLogin

Database Auditing and Logging

• Ensure 'Maximum number of error log files' is set to greater 
  than or equal to '12'

Database Logon auditing

• Ensure 'SQL Server Audit' is set to capture both 'failed' and 
  'successful logins' 

**Important note - this can be considered however note that it will increase the SQL event log size significantly. Please use with caution and monitor disk/log size.

CIS 5.4

Database Security 

• Users access database via Windows Authentication by Active Directory Group membership
• AD groups are used and not individual user accounts

Database Security - Orphaned users

• Ensure 'Orphaned Users' are Dropped From SQL Server 
  Databases

Database Security - Fixed SQL Database Roles

• Fixed database role membership use is restricted

Database Administration - Synergetic Fixed Database Roles

• Membership is restricted to Synergetic service accounts

Direct Database Permissions for users and third party service accounts

• Controlled via restricted dedicated SQL Server roles
• Only granted permissions when required (eg. normal Synergetic users don't need direct table access)
• Not granted to entire schema (eg. dbo, finance)
• Not granted to fixed server or database roles eg. SysAdmin, db_datareader, db_owner
• Permissions are only granted to the required objects

• Data SQL Transport encryption

  • Network traffic encryption (TLS)Data at rest (TDE)

  *TDE is standard SQL Server functionality and requires SQL 2016/2017 Enterprise or SQL 2019 Standard. It is currently un-tested with Synergetic. Approval for prod use is TBA.

^Ensure Unnecessary SQL Server Protocols are set to 'Disabled'

^Ensure 'Hide Instance' option is set to 'Yes' for Production 
SQL Server instances

For named instance Synergetic config does not allow supplying port number, so needs the browser service to recognise it.

^Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL 
Authenticated Logins Within the Sysadmin Role

**Note that Windows auth is preferred for users & third party vendors so this should not normally apply.

^Ensure 'MUST_CHANGE' Option is set to 'ON' for All SQL 
Authenticated Logins

**Note that Windows auth is preferred for users & third party vendors so this should not normally apply.Authenticated Logins