Title: Latest SQL Server Service Packs and Hotfixes are not Installed
Description: SQL Server patches contain program updates that fix security and product functionality issues found in the software. A patch can be installed as a hotfix (a single fix), a cumulative update (a small group of fixes) or a service pack (a large collection of fixes). The SQL Server version and patch level should be the most recent that is compatible with the organization's operational needs.
Impact: Using the most recent SQL Server software, along with all applicable patches, helps limit the possibilities for vulnerabilities in the software. The installation version and/or patches applied during setup should be established according to the needs of the organization.
Severity: High
Affected Devices: 10.101.37.161
Recommendations: Identify the current version and patch level of your SQL Server instances and ensure they contain the latest security fixes. Test these fixes in your test environments before updating production instances.
DBA Comments: 10.101.37.161 has SQL Server 2019 CU17, whereas the latest available patch is CU21. Please provide downtime and approval to perform patching via CR.
Epiroc Comments: Yes, HZL can go with updating to the latest 2019 package; that is not a problem and approved from our side.

Title: SQL Server is not configured to use non-standard ports
Description: If enabled, the default SQL Server instance is assigned the default port TCP 1433 for TCP/IP communication, and administrators can also configure named instances to use TCP 1433. TCP 1433 is a widely known SQL Server port and this port assignment should be changed.
Impact: Changing the default port will force the DAC (Dedicated Administrator Connection) to listen on a random port. It may also make benign applications, such as application firewalls, require special configuration. In general, you should set a static port for consistent usage by applications, including firewalls, instead of using dynamic ports, which are chosen randomly at each SQL Server start-up.
Severity: Medium
Affected Devices: 10.101.37.161
Recommendations: In SQL Server Configuration Manager (SQL Server Network Configuration > Protocols > TCP/IP > IP Addresses tab, IPAll section), change the TCP Port field from 1433 to another non-standard port, or leave the TCP Port field empty and set the TCP Dynamic Ports value to 0 to enable dynamic port assignment, then click OK. The SQL Server service must be restarted for the new port to take effect.
DBA Comments: Please check with the Application vendor if the application supports a customized port for SQL Server.

Title: 'Server Authentication' Property is not set to 'Windows Authentication Mode'
Description: Uses Windows Authentication to validate attempted connections.
Impact: Windows provides a more robust authentication mechanism than SQL Server authentication. Changing the login mode configuration requires a restart of the service.
Severity: Low
Affected Devices: 10.101.37.161
Recommendations: Set the Server authentication setting to Windows Authentication Mode. Restart the SQL Server service for the change to take effect.
DBA Comments: Please check with the Application vendor if Window

Title: 'CHECK_EXPIRATION' Option is not set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role
Description: Applies the same password expiration policy used in Windows to passwords used inside SQL Server.
Impact: Ensuring SQL logins comply with the secure password policy applied by the Windows Server Benchmark ensures that the passwords of SQL logins with sysadmin privileges are changed on a frequent basis, which helps prevent compromise via a brute-force attack. CONTROL SERVER is a permission equivalent to sysadmin, and logins holding that permission should also be required to have expiring passwords.
Severity: Low
Affected Devices: 10.101.37.161
Recommendations: For each <login_name> found by the Audit Procedure, execute the following T-SQL statement:
ALTER LOGIN [<login_name>] WITH CHECK_EXPIRATION = ON;
DBA Comments: All SQL Server authenticated logins with sysadmin p
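The following T-SQL is an added audit script for the first three findings above; it is not part of the original report and not the DBA's or Epiroc's own procedure. Run from a sysadmin session on the affected instance, it returns the evidence an auditor would attach to each finding: the exact patch level (SERVERPROPERTY, which requires SQL Server 2012 SP2 or later for ProductUpdateLevel), the TCP port configured in the IPAll section of the registry via xp_instance_regread (the same values the Configuration Manager dialog edits) together with the ports actually being listened on, including the DAC listener that the Impact text says moves when the default port is changed, and the authentication mode.

```sql
-- Added audit script for findings 1-3 (not from the original report).
-- Assumes: sysadmin membership, SQL Server 2012 SP2 or later, TCP/IP protocol enabled.

-- Finding 1: version and patch level. Compare product_update (e.g. CU17)
-- with the latest cumulative update published for this major version.
SELECT  SERVERPROPERTY('ProductVersion')      AS product_version,  -- build string, e.g. 15.0.4xxx.x
        SERVERPROPERTY('ProductLevel')        AS product_level,    -- RTM or SPn
        SERVERPROPERTY('ProductUpdateLevel')  AS product_update,   -- CUn (NULL when no CU installed)
        SERVERPROPERTY('ProductMajorVersion') AS major_version;    -- 15 = SQL Server 2019

-- Finding 2a: port configuration as stored for the IPAll section.
-- xp_instance_regread maps the generic MSSQLServer path to this instance's key.
DECLARE @TcpPort nvarchar(20), @DynamicPorts nvarchar(20);
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp\IPAll',
     N'TcpPort', @TcpPort OUTPUT;
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp\IPAll',
     N'TcpDynamicPorts', @DynamicPorts OUTPUT;
SELECT  @TcpPort      AS configured_tcp_port,       -- '1433' means the finding applies
        @DynamicPorts AS configured_dynamic_ports;  -- '0' = dynamic assignment enabled, '' = static port

-- Finding 2b: what the engine is really listening on right now (TSQL, Service Broker,
-- mirroring). is_dac = 1 marks the Dedicated Administrator Connection listener,
-- so this also shows where the DAC ended up after a port change.
SELECT  ip_address, port, type_desc, state_desc, is_dac
FROM    sys.dm_tcp_listener_states
ORDER BY is_dac, port;

-- Finding 3: authentication mode.
-- 1 = Windows Authentication only (compliant), 0 = SQL Server and Windows (mixed) mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;
```

The registry values are what the service reads at start-up, so after the port is changed in Configuration Manager the two Finding 2 result sets disagree until the service is restarted; that difference is itself useful evidence when a DBA reports the change as done.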
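The script below is an added example for the fourth finding (CHECK_EXPIRATION); it is not part of the original report and not the DBA's own procedure. It serves both the "Audit Procedure" the Recommendations column refers to and the fix: with @execute = 0 it only lists the SQL-authenticated logins that are sysadmin members or hold CONTROL SERVER and do not enforce expiration, and prints the ALTER LOGIN statements; with @execute = 1 it runs them. It goes beyond the single statement in the report in two ways that the Impact text calls for or that the engine requires: CONTROL SERVER holders are included, and CHECK_POLICY is switched on in the same statement, because SQL Server refuses CHECK_EXPIRATION = ON for a login whose CHECK_POLICY is OFF (error 15122). The @execute variable and the #noncompliant temp table are names chosen here; STRING_AGG requires SQL Server 2017 or later.

```sql
-- Added audit + remediation script for finding 4 (not from the original report).
-- Assumes: sysadmin membership, SQL Server 2017 or later (STRING_AGG).
SET NOCOUNT ON;
DECLARE @execute bit = 0;   -- 0 = audit only (list + print statements), 1 = apply the fix
DECLARE @sql nvarchar(max);

-- Audit: SQL logins without password expiration, annotated with why they are in scope.
IF OBJECT_ID('tempdb..#noncompliant') IS NOT NULL DROP TABLE #noncompliant;
SELECT  l.name,
        l.is_disabled,
        l.is_policy_checked,
        LOGINPROPERTY(l.name, 'PasswordLastSetTime')          AS password_last_set,
        ISNULL(IS_SRVROLEMEMBER('sysadmin', l.name), 0)        AS is_sysadmin,
        CASE WHEN EXISTS (SELECT 1
                          FROM   sys.server_permissions AS p
                          WHERE  p.grantee_principal_id = l.principal_id
                            AND  p.class = 100                 -- server scope
                            AND  p.permission_name = 'CONTROL SERVER'
                            AND  p.state IN ('G', 'W'))        -- GRANT / GRANT WITH GRANT OPTION
             THEN 1 ELSE 0 END                                 AS has_control_server
INTO    #noncompliant
FROM    sys.sql_logins AS l
WHERE   l.is_expiration_checked = 0;

-- This result set is the list of <login_name> values the recommendation refers to.
SELECT  name, is_disabled, is_policy_checked, password_last_set, is_sysadmin, has_control_server
FROM    #noncompliant
WHERE   is_sysadmin = 1 OR has_control_server = 1
ORDER BY name;

-- Remediation: one ALTER LOGIN per login, CHECK_POLICY first so CHECK_EXPIRATION is accepted.
SELECT @sql = STRING_AGG(
                  CAST(N'ALTER LOGIN ' AS nvarchar(max)) + QUOTENAME(name)
                + N' WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;',
                  CHAR(13) + CHAR(10)) WITHIN GROUP (ORDER BY name)
FROM   #noncompliant
WHERE  is_sysadmin = 1 OR has_control_server = 1;

IF @sql IS NULL
    PRINT N'Compliant: no SQL-authenticated sysadmin or CONTROL SERVER login lacks CHECK_EXPIRATION.';
ELSE
BEGIN
    PRINT @sql;                         -- review before re-running with @execute = 1
    IF @execute = 1
        EXEC sys.sp_executesql @sql;
END;

DROP TABLE #noncompliant;
```

Check the password_last_set column before applying: once expiration is enforced, a password older than the Windows policy's maximum age is treated as expired at the login's next connection, so application or service logins in this list need a password rotation arranged with the vendor first, which is the coordination the DBA Comments column is asking for. Enabling CHECK_POLICY does not retroactively validate the existing password against the complexity policy; only a new password is checked.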