VA1017 | Execute permissions on xp_cmdshell from all users (except dbo) should be revoked | Title and description change
VA1021 | Global temporary stored procedures should be removed | Removed rule
VA1024 | C2 Audit Mode should be enabled | Removed rule
VA1042 | Database ownership chaining should be disabled for all databases except for master, msdb, and tempdb | Description change
VA1044 | Remote Admin Connections should be disabled unless specifically required | Title and description change
VA1047 | Password expiration check should be enabled for all SQL logins | Title and description change
VA1051 | AUTO_CLOSE should be disabled on all databases | Description change
VA1053 | Account with default name 'sa' should be renamed or disabled | Description change
VA1067 | Database Mail XPs should be disabled when it is not in use | Title and description change
VA1068 | Server permissions shouldn't be granted directly to principals | Logic change
VA1069 | Permissions to select from system tables and views should be revoked from non-sysadmins | Removed rule
VA1090 | Ensure all Government Off The Shelf (GOTS) and Custom Stored Procedures are encrypted | Removed rule
VA1091 | Auditing of both successful and failed login attempts (default trace) should be enabled when 'Login auditing' is set up to track logins | Description change
VA1098 | Any Existing SSB or Mirroring endpoint should require AES connection | Logic change
VA1103 | Use only CLR with SAFE_ACCESS permission | Removed rule
VA1219 | Transparent data encryption should be enabled | Description change
VA1229 | Filestream setting in registry and in SQL Server configuration should match | Removed rule
VA1230 | Filestream should be disabled | Description change
VA1231 | Filestream should be disabled (SQL) | Removed rule
VA1234 | Common Criteria setting should be enabled | Removed rule
VA1235 | Replication XPs should be disabled | Title, description, and logic change
VA1252 | List of events being audited and centrally managed via server audit specifications. | Removed rule
VA1253 | List of DB-scoped events being audited and centrally managed via server audit specifications. | Removed rule
VA1263 | List all the active audits in the system | Removed rule
VA1264 | Auditing of both successful and failed login attempts should be enabled | Description change
VA1266 | The 'MUST_CHANGE' option should be set on all SQL logins | Removed rule
VA1276 | Agent XPs feature should be disabled | Removed rule
VA1281 | All memberships for user-defined roles should be intended | Logic change
VA1282 | Orphan roles should be removed | Logic change
VA1286 | Database permissions shouldn't be granted directly to principals (OBJECT or COLUMN) | Removed rule
VA1288 | Sensitive data columns should be classified | Description change
VA2030 | Minimal set of principals should be granted database-scoped SELECT or EXECUTE permissions | Removed rule
VA2033 | Minimal set of principals should be granted database-scoped EXECUTE permission on objects or columns | Description change
VA2062 | Database-level firewall rules should not grant excessive access | Description change
VA2063 | Server-level firewall rules should not grant excessive access | Description change
VA2100 | Minimal set of principals should be granted high impact server-scoped permissions | Removed rule
VA2101 | Minimal set of principals should be granted medium impact server-scoped permissions | Removed rule
VA2102 | Minimal set of principals should be granted low impact server-scoped permissions | Removed rule
VA2103 | Unnecessary execute permissions on extended stored procedures should be revoked | Logic change
VA2104 | Execute permissions on extended stored procedures should be revoked from PUBLIC | Removed rule
VA2105 | Login password should not be easily guessed | Removed rule
VA2108 | Minimal set of principals should be members of fixed high impact database roles | Logic change
VA2111 | Sample databases should be removed | Logic change
VA2112 | Permissions from PUBLIC for Data Transformation Services (DTS) should be revoked | Removed rule
VA2113 | Data Transformation Services (DTS) permissions should only be granted to SSIS roles | Description and logic change
VA2114 | Minimal set of principals should be members of high impact fixed server roles | Logic change
VA2115 | Minimal set of principals should be members of medium impact fixed server roles | Removed rule
VA2120 | Features that may affect security should be disabled | Logic change
VA2121 | 'OLE Automation Procedures' feature should be disabled | Title and description change
VA2123 | 'Remote Access' feature should be disabled | Removed rule
VA2126 | Features that may affect security should be disabled | Title, description, and logic change
VA2127 | 'External Scripts' feature should be disabled | Removed rule
VA2129 | Changes to signed modules should be authorized | Platform update
VA2130 | Track all users with access to the database | Description and logic change