Enable common criteria compliance configuration
Applies to: 
SQL Server
The common criteria compliance enabled configuration setting aligns with the following elements as required for the Common Criteria for Information Technology Security Evaluation.
| Criteria | Description |
|---|---|
| Residual Information Protection (RIP) | RIP requires a memory allocation to be overwritten with a known pattern of bits before memory is reallocated to a new resource. Meeting the RIP standard can contribute to improved security; however, overwriting the memory allocation can slow performance. After the common criteria compliance enabled option is enabled, the overwriting occurs. |
| The ability to view login statistics | Login auditing is enabled after the common criteria compliance option is enabled. Login times that are made available on a per-session basis each time a user successfully logs in to SQL Server: - Information about the last successful login time - The last unsuccessful login time - The number of attempts between the last successful login and the current login To view these login statistics, query sys.dm_exec_sessions. |
That column GRANT shouldn't override table DENY |
After the common criteria compliance enabled option is enabled, a table-level DENY takes precedence over a column-level GRANT. When the option isn't enabled, a column-level GRANT takes precedence over a table-level DENY. |
Common criteria compliance is only evaluated and certified for the Enterprise edition and Datacenter edition.
The common criteria compliance enabled setting is an advanced option. To view the setting, enable show advanced options.
For the latest status of Common Criteria certification, download and review the Common Criteria for SQL Server Datasheet. The datasheet links to the latest scripts to finish configuration. The scripts are required to comply with Common Criteria evaluation assurance level 2 (EAL2) and 4+ (EAL4+). The scripts create triggers. These triggers are required to configure a Common Criteria compliant instance. There are specific scripts for Windows and Linux. The datasheet also instructs how to verify the scripts before you run them.
To comply with Common Criteria evaluation assurance level EAL2 and EAL4+:
- Enable
show advanced options. - Enable compliance with
sp_configureas demonstrated in Examples. - Install common criteria triggers.
Examples
The following example enables common criteria compliance.
sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
sp_configure 'common criteria compliance enabled', 1;
GO
RECONFIGURE WITH OVERRIDE;
GO
Restart SQL Server.
Next steps
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for