How to STIG SQL Server

This is your first SQL Server STIG, and a sense of dread and foreboding has begun to set in. The manual process is slow, sometimes confusing, and often frustrating. You begin to wonder…

Am I doomed to forever perform these SQL STIGs manually?
Let’s start by asking, “Why am I performing SQL Server STIGs manually, when other STIG checklists have SCAP tools to automate STIG vulnerability checks?”

The answer is that DISA’s latest SQL Server checklists—for SQL Server 2014 and SQL Server 2016—are still produced in the legacy XCCDF 1.1 format. This format is not compatible with SCAP (Security Content Automation Protocol), and authoritative SCAP results cannot be produced for STIGs without SCAP baselines.

The authority in this area—NIST (National Institute of Standards and Technology)—currently only accredits STIG vulnerability scanners producing SCAP output. This is why you are still performing SQL Server STIGs manually. Most security software developers are naturally focusing more resources on accreditable products.

So… does that mean automation must wait until DISA produces a SQL Server STIG checklist in a SCAP-compatible format?

Absolutely not, and here’s why.

When no sources exist that can provide authoritative results, DISA allows you to write your own scripts and/or utilize supplemental automation tools to generate STIG check results.

View DISA guidance and suggestions at: Supplemental Automation Content

While you and your Information Assurance Officer will be responsible for evaluating the scripts and tools you implement for accuracy, the benefits you will reap in reliability and speed can be substantial.

So What Are Your Options to STIG SQL Server?

Really, you only have three options.

Option 1: Continue to Manually Run STIG Checks

This may not be the answer you were looking for, but performing these checks manually does have its benefits—at least for the first year or two—if you are new to the SQL STIG process.

Reading and re-reading each vulnerability discussion, manually performing each step or running each prescribed script, and then evaluating the results from each database server individually is the only way to achieve a deeper understanding of your current security posture and DISA’s goals for improving it.

Consider getting as familiar as you can with the nitty gritty details of the SQL STIG before you ever contemplate scripting solutions yourself or evaluating an existing STIG utility.

Option 2: Cobble Together Scripts on Your Own

Once you are confident in your grasp of the subject matter and can be sure you won’t sacrifice accuracy for speed, it’s time to start making your job a little easier. Efficiency matters to your command as well since you are likely paid by the hour.

You have probably already compiled a list of all the DISA provided SQL scripts to run at once, and maybe even added some SQL logic of your own to pass/fail some of those checks quickly, but you are going to need more than just SQL programming skills to go any further.

The biggest obstacle to a real automation solution may be your inability to update your DISA checklist directly. Cutting and pasting results is tedious and error prone. If you are not already familiar with XML, do yourself a BIG favor and take a class. Extensible Markup Language is the foundation of your SQL STIG checklist, and you will need to know the basics in order to interact directly with it.

You will also need some non-SQL programming skills. Many of the most tedious “manual” checks target objects and settings outside of SQL Server. PowerShell is a great choice for tackling these tasks, since most SQL Servers are running in a Microsoft Windows environment, but almost any other language will do, especially if you are already familiar with it and it can execute in your target environment.

If you are coming to SQL Server from a background in systems administration, this will be helpful too. Much of the information you will need to gather and evaluate exists in operating and file systems, Active Directory objects, DNS records, security policies, the Windows Management Instrumentation panel, access control lists, and registry and certificate hives.
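As an added example (not code from the original post or from the ASSET product), the snippet below does the one thing Option 2 identifies as the biggest obstacle: it writes automated check results straight into the STIG checklist XML instead of cutting and pasting. The checklist is a constructed, minimal sample in the STIG Viewer .ckl style, and the V-IDs and finding text are placeholders.

```python
# Added example, not from the original post or from the ASSET product: write
# automated check results straight into a DISA STIG checklist (.ckl) XML file
# instead of cutting and pasting. The checklist below is a constructed, minimal
# sample in the STIG Viewer .ckl style; the V-IDs and details are placeholders.
import xml.etree.ElementTree as ET

VALID_STATUS = {"NotAFinding", "Open", "Not_Applicable", "Not_Reviewed"}

SAMPLE_CKL = """<CHECKLIST><STIGS><iSTIG>
<VULN><STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA>V-EXAMPLE-1</ATTRIBUTE_DATA></STIG_DATA>
<STATUS>Not_Reviewed</STATUS><FINDING_DETAILS/><COMMENTS/></VULN>
<VULN><STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA>V-EXAMPLE-2</ATTRIBUTE_DATA></STIG_DATA>
<STATUS>Not_Reviewed</STATUS><FINDING_DETAILS/><COMMENTS/></VULN>
</iSTIG></STIGS></CHECKLIST>"""


def vuln_id(vuln):
    """Return the Vuln_Num value stored in one <VULN> element's STIG_DATA."""
    for data in vuln.findall("STIG_DATA"):
        if data.findtext("VULN_ATTRIBUTE") == "Vuln_Num":
            return data.findtext("ATTRIBUTE_DATA")
    return None


def update_checklist(ckl_xml, results):
    """Apply results ({Vuln_Num: (status, finding_details)}) to a checklist.

    Checks absent from results are left untouched, so a partial automated
    run never silently marks unreviewed items as passed. Returns new XML."""
    root = ET.fromstring(ckl_xml)
    for vuln in root.iter("VULN"):
        vid = vuln_id(vuln)
        if vid not in results:
            continue
        status, details = results[vid]
        if status not in VALID_STATUS:
            raise ValueError(f"{vid}: {status!r} is not a valid STATUS")
        vuln.find("STATUS").text = status
        vuln.find("FINDING_DETAILS").text = details
    return ET.tostring(root, encoding="unicode")


def read_statuses(ckl_xml):
    """Return {Vuln_Num: STATUS} for every <VULN> in a checklist."""
    root = ET.fromstring(ckl_xml)
    return {vuln_id(v): v.findtext("STATUS") for v in root.iter("VULN")}
```

The results dictionary is where your own SQL or PowerShell check logic plugs in; anything it does not cover stays Not_Reviewed for you and your IAO to handle manually.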

Option 3: Use a Supplemental Automation Utility

If you do not have the time or expertise necessary to script all these checks yourself, this does not mean you have to give up on automation. The DoD provides guidelines for the kinds of desktop software utilities that are acceptable.

The guidelines read, in part:

The Desktop Application STIG version 3, release 1, notes in particular that three [sic] cases for software are acceptable:
  1. A utility that has publicly available source code is acceptable.
  2. A commercial product that incorporates open source software is acceptable because the commercial vendor provides a warranty.
  3. Vendor supported open source software is acceptable.
  4. A utility that comes compiled and has no warranty is not acceptable.
Thus, a program must come with either source code or a warranty; if it has neither, then special dispensation is required, since it is difficult to review, repair, or extend the program either directly or via someone else.

Do not mistake this for a license to download and rely upon any utility you like without accountability. You and your Information Assurance Officer will still be ultimately responsible for verifying STIG results, so you should carefully test and evaluate any product to ensure it returns results that match your manual checks.

We recommend our own utility, ASSET (Automated SQL Security Evaluation Tool), and we believe it is the most comprehensive and accurate supplemental automation tool available for scanning SQL Server. It comes either as a compiled product, with a warranty, or as a vendor supported open-source product (contract required).

How Does ASSET Work?

ASSET is a vulnerability scanning tool for SQL Server capable of performing nearly all vulnerability checks for DISA’s SQL Server 2014 and 2016 STIG checklists. ASSET compiles and evaluates data from the operating and file systems, SQL Server, Active Directory and DNS, security policy, the Windows Management Instrumentation panel, access control lists, and registry and certificate hives.

In just minutes, ASSET collects and evaluates this data before outputting the results and findings directly to a DISA STIG checklist based on the XCCDF (Extensible Configuration Checklist Description Format). We’ve included a video demonstration here for you to show you just how simple and comprehensive ASSET is.

Are You Ready to Automate SQL STIGs with ASSET?

If you’re ready to move to an automated SQL STIG program, there are three ways to purchase ASSET. We offer a 1-Month Single-Seat License, a 6-Month Single-Seat License, and a 1-Year Per Domain License.

If it’s easier to test a trial version than to get approval, you can download our 10% Evaluation Version free. This evaluation version is programmed to return a random 10 percent of the actual results. The intent is to show you the capabilities and ease of use.

If you still have questions or special requirements, please feel free to contact us. We are very responsive to special requests that fit our model.
