Service account permissions
Issue: The SQL Server Service is using a service account with elevated permissions.
Problem: If an attacker compromises the SQL Server instance, they can gain full control over SQL Server, including execution of OS-level commands.
sa login renamed
Issue: The sa login has been renamed.
Problem: Renaming the sa login does not prevent it from being discovered, as by default any login in the public role can determine what it has been renamed to. Additionally, if you are renaming the sa login, be sure to let other administrators know to avoid confusion. Renaming the account can also cause issues with SQL Agent jobs in certain circumstances. Mostly, be aware that obscurity is not a primary form of security.
Contained database
Issue: You have at least one contained database, which, although isolated from other databases, has a different set of security benefits and challenges.
Problem: Contained databases have authentication at the database level instead of the instance level. This means that typical instance level auditing will not be logged for contained database activities.
Remote access
Issue: The "remote access" configuration is enabled.
Problem: Although enabled by default, this feature is deprecated and may be removed from a future release. It is typically used for allowing distributed queries via linked servers, although it is also required for the log shipping status report in SQL Server Management Studio (SSMS) to work.
Force encryption
Issue: The "force encryption" feature in SQL Server enforces the use of SSL/TLS encryption for all connections between SQL Server and clients to ensure that data in transit is encrypted.
Problem: This isn't a problem, but enabling "force encryption" requires that SQL Server have access to a valid SSL/TLS certificate.
Extended protection
Issue: The extended protection configuration enables a set of security enhancements designed to help protect SQL Server from man-in-the-middle (MitM) attacks, especially those that exploit authentication relay or spoofing vulnerabilities.
Problem: Channel binding tokens (CBTs) are required during authentication when "extended protection" is enabled, which may cause authentication failure with older clients that do not support CBTs.
Hide instance
Issue: The "Hide Instance" feature controls whether the SQL Server instance is visible to clients when they try to browse for available SQL Servers on the network using tools like SQL Server Management Studio (SSMS) or the sqlcmd utility.
Problem: This feature is enabled to reduce the attack surface, as all connections will be required to specify the instance name and port number.
Common criteria compliance
Issue: When enabled, Common Criteria Compliance implements security features and configurations that align with the Common Criteria for Information Technology Security Evaluation.
Problem: There are performance implications with this enabled, most notably high schema modification lock waits.
C2 audit mode
Issue: C2 audit mode in SQL Server is a legacy security feature that enables auditing of system-level activities in compliance with the U.S. Department of Defense "C2" security standard.
Problem: C2 audit mode is deprecated and is no longer considered a best practice for auditing activity. Not only can it negatively impact performance, but it can also result in the SQL Server instance shutting down automatically if the audit files run out of storage space.
Trace flag 1118
Issue: Trace flag 1118 is not enabled globally. This trace flag is recommended for SQL Server 2014 and earlier.
Problem: Enabling trace flag 1118 tells SQL Server to avoid mixed extents by allocating each 64 KB extent to a single object. Doing this results in slightly more data pages, but reduces the possibility of contention.
About sp_checks
This page contains a list of SQL Server configuration checks performed by Straight Path's suite of sp_check tools. For more details about our free tools, select one from the following list: