| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:

Instance: MONT-BE-002\BKUPEXEC64
Database: tempdb
ResultHash: 7C5804625F69F918F66071C5D03C50EB7D91BF98

The only account authorized to act as a db owner is 'dbo', but DISA still requires it be documented as authorized:

| role_name | role_member_name | type_desc |
|---|---|---|
| db_owner | dbo | SQL_USER |

| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:

Instance: MONT-BE-002\BKUPEXEC64
Database: msdb
ResultHash: 7C5804625F69F918F66071C5D03C50EB7D91BF98

The only account authorized to act as a db owner is 'dbo', but DISA still requires it be documented as authorized:

| role_name | role_member_name | type_desc |
|---|---|---|
| db_owner | dbo | SQL_USER |

| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:

Instance: MONT-BE-002\BKUPEXEC64
Database: model
ResultHash: 7C5804625F69F918F66071C5D03C50EB7D91BF98

The only account authorized to act as a db owner is 'dbo', but DISA still requires it be documented as authorized:

| role_name | role_member_name | type_desc |
|---|---|---|
| db_owner | dbo | SQL_USER |

| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:

Instance: MONT-BE-002\BKUPEXEC64
Database: master
ResultHash: 7C5804625F69F918F66071C5D03C50EB7D91BF98

The only account authorized to act as a db owner is 'dbo', but DISA still requires it be documented as authorized:

| role_name | role_member_name | type_desc |
|---|---|---|
| db_owner | dbo | SQL_USER |

| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:

Instance: MONT-BE-002\BKUPEXEC64
Database: BEDB
ResultHash: 7C5804625F69F918F66071C5D03C50EB7D91BF98

The only account authorized to act as a db owner is 'dbo', but DISA still requires it be documented as authorized:

| role_name | role_member_name | type_desc |
|---|---|---|
| db_owner | dbo | SQL_USER |

Check Text
Obtain the list of approved audit maintainers from the system documentation.

Use the following query to review database roles and their membership, all of which enable the ability to create and maintain audit specifications.

```sql
-- List every member of the db_owner role in the current database.
SELECT
    R.name AS role_name,
    RM.name AS role_member_name,
    RM.type_desc
FROM sys.database_principals R
JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id
JOIN sys.database_principals RM ON DRM.member_principal_id = RM.principal_id
WHERE R.type = 'R'
  AND R.name = 'db_owner'
ORDER BY role_member_name
```

If any role memberships are not documented and authorized, this is a finding.

Review the database roles and individual users that have the following permissions, all of which enable the ability to create and maintain audit definitions.

ALTER ANY DATABASE AUDIT

CONTROL

Use the following query to determine the roles and users that have the listed permissions:

```sql
-- List principals holding CONTROL or ALTER ANY DATABASE AUDIT;
-- when the grantee is a role, also list the members of that role.
SELECT
    PERM.permission_name,
    DP.name AS principal_name,
    DP.type_desc AS principal_type,
    DBRM.role_member_name
FROM sys.database_permissions PERM
JOIN sys.database_principals DP ON PERM.grantee_principal_id = DP.principal_id
LEFT OUTER JOIN (
    SELECT
        R.principal_id AS role_principal_id,
        R.name AS role_name,
        RM.name AS role_member_name
    FROM sys.database_principals R
    JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id
    JOIN sys.database_principals RM ON DRM.member_principal_id = RM.principal_id
    WHERE R.type = 'R'
) DBRM ON DP.principal_id = DBRM.role_principal_id
WHERE PERM.permission_name IN ('CONTROL','ALTER ANY DATABASE AUDIT')
ORDER BY
    permission_name,
    principal_name,
    role_member_name
```

If any of the roles or users returned have permissions that are not documented, or the documented audit maintainers do not have permissions, this is a finding.
Fix Text
Create a database role specifically for audit maintainers, and give it permission to maintain audits, without granting it unnecessary permissions. (The role name used here is an example; other names may be used.)

```sql
CREATE ROLE DATABASE_AUDIT_MAINTAINERS;
GO
GRANT ALTER ANY DATABASE AUDIT TO DATABASE_AUDIT_MAINTAINERS;
GO
```

Use REVOKE and/or DENY and/or ALTER ROLE ... DROP MEMBER ... statements to remove the ALTER ANY DATABASE AUDIT permission from all users.

Then, for each authorized database user, run the statement:

```sql
-- Replace [<User Name>] with the authorized database user.
ALTER ROLE DATABASE_AUDIT_MAINTAINERS ADD MEMBER [<User Name>];
GO
```

Use REVOKE and/or DENY and/or ALTER SERVER ROLE ... DROP MEMBER ... statements to remove CONTROL DATABASE permission from logins that do not need it.

| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025

Instance: MONT-BE-002\BKUPEXEC64
Database: tempdb
ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1

No results were returned by the check queries.

| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025

Instance: MONT-BE-002\BKUPEXEC64
Database: msdb
ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1

No results were returned by the check queries.

| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025

Instance: MONT-BE-002\BKUPEXEC64
Database: model
ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1

No results were returned by the check queries.

| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025

Instance: MONT-BE-002\BKUPEXEC64
Database: master
ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1

No results were returned by the check queries.

| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025

Instance: MONT-BE-002\BKUPEXEC64
Database: BEDB
ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1

No results were returned by the check queries.

Check Text
Obtain a listing of users and roles who are authorized to change stored procedures, functions, and triggers from the server documentation.

In each user database, execute the following query:

```sql
-- Principals granted ALTER (with or without GRANT option) on the
-- database or on individual objects.
SELECT
    P.type_desc AS principal_type,
    P.name AS principal_name,
    O.type_desc,
    CASE class
        WHEN 0 THEN DB_NAME()
        WHEN 1 THEN OBJECT_SCHEMA_NAME(major_id) + '.' + OBJECT_NAME(major_id)
        WHEN 3 THEN SCHEMA_NAME(major_id)
        ELSE class_desc + '(' + CAST(major_id AS nvarchar) + ')'
    END AS securable_name,
    DP.state_desc,
    DP.permission_name
FROM sys.database_permissions DP
JOIN sys.database_principals P ON DP.grantee_principal_id = P.principal_id
LEFT OUTER JOIN sys.all_objects O
    ON O.object_id = DP.major_id
    AND O.type IN ('TR','TA','P','X','RF','PC','IF','FN','TF','U')
WHERE DP.type IN ('AL','ALTG')
  AND DP.class IN (0, 1, 53)

-- Members of db_ddladmin and db_owner, other than dbo.
SELECT
    R.name AS role_name,
    M.type_desc AS principal_type,
    M.name AS principal_name
FROM sys.database_principals R
JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id
JOIN sys.database_principals M ON DRM.member_principal_id = M.principal_id
WHERE R.name IN ('db_ddladmin','db_owner')
  AND M.name != 'dbo'
```

If any users or role permissions returned are not authorized to modify the specified object or type, this is a finding.

If any user or role membership is not authorized, this is a finding.
Fix Text
Revoke the ALTER permission from unauthorized users and roles.

```sql
REVOKE ALTER ON [<Object Name>] TO [<Principal Name>]
```

| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025

Instance: MONT-BE-002\BKUPEXEC64
Database: tempdb
ResultHash: A98892EF5388104C56E8D20C589B864AEFC2578F

No principals other than the standard MSSQL principals own database schemas.

| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025

Instance: MONT-BE-002\BKUPEXEC64
Database: msdb
ResultHash: A98892EF5388104C56E8D20C589B864AEFC2578F

No principals other than the standard MSSQL principals own database schemas.

| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025

Instance: MONT-BE-002\BKUPEXEC64
Database: model
ResultHash: A98892EF5388104C56E8D20C589B864AEFC2578F

No principals other than the standard MSSQL principals own database schemas.

| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025

Instance: MONT-BE-002\BKUPEXEC64
Database: master
ResultHash: A98892EF5388104C56E8D20C589B864AEFC2578F

No principals other than the standard MSSQL principals own database schemas.

| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025

Instance: MONT-BE-002\BKUPEXEC64
Database: BEDB
ResultHash: A98892EF5388104C56E8D20C589B864AEFC2578F

No principals other than the standard MSSQL principals own database schemas.

Check Text
Obtain a listing of schema ownership from the server documentation.

Execute the following query to obtain a current listing of schema ownership.

```sql
-- Schemas not owned by dbo, excluding the built-in principals
-- that own the schema of the same name.
SELECT
    s.name AS schema_name,
    p.name AS owning_principal
FROM sys.schemas s
JOIN sys.database_principals p ON s.principal_id = p.principal_id
WHERE p.name != 'dbo'
  AND (s.name != p.name OR p.name NOT IN (
        'db_accessadmin'
      , 'db_backupoperator'
      , 'db_datareader'
      , 'db_datawriter'
      , 'db_ddladmin'
      , 'db_denydatareader'
      , 'db_denydatawriter'
      , 'db_owner'
      , 'db_securityadmin'
      , 'guest'
      , 'INFORMATION_SCHEMA'
      , 'sys'
      , 'TargetServersRole'
      , 'SQLAgentUserRole'
      , 'SQLAgentReaderRole'
      , 'SQLAgentOperatorRole'
      , 'DatabaseMailUserRole'
      , 'db_ssisadmin'
      , 'db_ssisltduser'
      , 'db_ssisoperator'
      , 'replmonitor'
      , '##MS_SSISServerCleanupJobLogin##'
      ))
ORDER BY schema_name
```

If any schema is owned by an unauthorized database principal, this is a finding.
Fix Text
Transfer ownership of database schemas to authorized database principals.

```sql
ALTER AUTHORIZATION ON SCHEMA::[<Schema Name>] TO [<Principal Name>]
```

| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025

Instance: MONT-BE-002\BKUPEXEC64
Database: tempdb
ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4

No results were returned by the check query.

| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025

Instance: MONT-BE-002\BKUPEXEC64
Database: msdb
ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4

No results were returned by the check query.

| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025

Instance: MONT-BE-002\BKUPEXEC64
Database: model
ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4

No results were returned by the check query.

| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025

Instance: MONT-BE-002\BKUPEXEC64
Database: master
ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4

No results were returned by the check query.

| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025

Instance: MONT-BE-002\BKUPEXEC64
Database: BEDB
ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4

No results were returned by the check query.

Check Text
Review system documentation to identify SQL Server accounts authorized to own database objects.

If the SQL Server database ownership list does not exist or needs to be updated, this is a finding.

The following query can be of use in making this determination:

```sql
-- Resolve each user object's owner: the object's own principal if set,
-- otherwise the owner of the schema that contains it.
;WITH objects_cte AS (
    SELECT
        o.name,
        o.type_desc,
        CASE
            WHEN o.principal_id IS NULL THEN s.principal_id
            ELSE o.principal_id
        END AS principal_id
    FROM sys.objects o
    INNER JOIN sys.schemas s ON o.schema_id = s.schema_id
    WHERE o.is_ms_shipped = 0
)
SELECT
    cte.name,
    cte.type_desc,
    dp.name AS ObjectOwner
FROM objects_cte cte
INNER JOIN sys.database_principals dp ON cte.principal_id = dp.principal_id
ORDER BY dp.name, cte.name
```

If any of the listed owners is not authorized, this is a finding.
Fix Text
Add and/or update system documentation to include any accounts authorized for object ownership and remove any account not authorized.

To change the schema owning a database object in SQL Server, use this code as an example:

```sql
USE AdventureWorks2012;
GO
ALTER SCHEMA HumanResources TRANSFER Person.Address;
GO
```

Caution: This can break code. This Fix should be implemented in conjunction with corrections to such code. Test before deploying in production. Deploy during a scheduled maintenance window.

| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025

Instance: MONT-BE-002\BKUPEXEC64
Database: tempdb
ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1

No results were returned by the check queries.

| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025

Instance: MONT-BE-002\BKUPEXEC64
Database: msdb
ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1

No results were returned by the check queries.

| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025

Instance: MONT-BE-002\BKUPEXEC64
Database: model
ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1

No results were returned by the check queries.

| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025

Instance: MONT-BE-002\BKUPEXEC64
Database: master
ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1

No results were returned by the check queries.

| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025

Instance: MONT-BE-002\BKUPEXEC64
Database: BEDB
ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1

No results were returned by the check queries.

Check Text
Obtain a listing of users and roles who are authorized to create, alter, or replace logic modules from the server documentation.

Execute the following query:

```sql
-- Principals granted ALTER (with or without GRANT option) on the
-- database or on individual objects.
SELECT
    P.type_desc AS principal_type,
    P.name AS principal_name,
    O.type_desc,
    CASE class
        WHEN 0 THEN DB_NAME()
        WHEN 1 THEN OBJECT_SCHEMA_NAME(major_id) + '.' + OBJECT_NAME(major_id)
        WHEN 3 THEN SCHEMA_NAME(major_id)
        ELSE class_desc + '(' + CAST(major_id AS nvarchar) + ')'
    END AS securable_name,
    DP.state_desc,
    DP.permission_name
FROM sys.database_permissions DP
JOIN sys.database_principals P ON DP.grantee_principal_id = P.principal_id
LEFT OUTER JOIN sys.all_objects O
    ON O.object_id = DP.major_id
    AND O.type IN ('TR','TA','P','X','RF','PC','IF','FN','TF','U')
WHERE DP.type IN ('AL','ALTG')
  AND DP.class IN (0, 1, 53)

-- Members of db_ddladmin and db_owner, other than dbo.
SELECT
    R.name AS role_name,
    M.type_desc AS principal_type,
    M.name AS principal_name
FROM sys.database_principals R
JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id
JOIN sys.database_principals M ON DRM.member_principal_id = M.principal_id
WHERE R.name IN ('db_ddladmin','db_owner')
  AND M.name != 'dbo'
```

If any users or role permissions returned are not authorized to modify the specified object or type, this is a finding.

If any user or role membership is not authorized, this is a finding.
Fix Text
Document and obtain approval for any nonadministrative users who require the ability to modify database structure and logic modules.

```sql
REVOKE ALTER ON [<Object Name>] TO [<Principal Name>]
```

| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:

Instance: MONT-BE-002\BKUPEXEC64
Database: tempdb
ResultHash: 7B70FAB7C105E5A4859824ED0D47B00198F21A27

DBA, Using the system documentation, confirm, the following recovery models. If the recovery model description does not match the documented recovery model, this is a finding.:

| name | recovery_model_desc |
|---|---|
| tempdb | SIMPLE |

DBA, Review the jobs set up to implement the backup plan. If they are absent, this is a finding.

No results were returned by the backup plan check query.

| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:

Instance: MONT-BE-002\BKUPEXEC64
Database: msdb
ResultHash: E2C6BBDD4D4F15CF28045C75CBFABA554649BAF9

DBA, Using the system documentation, confirm, the following recovery models. If the recovery model description does not match the documented recovery model, this is a finding.:

| name | recovery_model_desc |
|---|---|
| msdb | SIMPLE |

DBA, Review the jobs set up to implement the backup plan. If they are absent, this is a finding.

Jobs set up to implement the backup plan:

| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:

Instance: MONT-BE-002\BKUPEXEC64
Database: model
ResultHash: E39750E1E291B6450D7C13D7212B0D09EBBE2248

DBA, Using the system documentation, confirm, the following recovery models. If the recovery model description does not match the documented recovery model, this is a finding.:

| name | recovery_model_desc |
|---|---|
| model | FULL |

DBA, Review the jobs set up to implement the backup plan. If they are absent, this is a finding.

Jobs set up to implement the backup plan:

| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:

Instance: MONT-BE-002\BKUPEXEC64
Database: master
ResultHash: 395BA62BE0A7FE22F0EA10837F6B718600499974

DBA, Using the system documentation, confirm, the following recovery models. If the recovery model description does not match the documented recovery model, this is a finding.:

| name | recovery_model_desc |
|---|---|
| master | SIMPLE |

DBA, Review the jobs set up to implement the backup plan. If they are absent, this is a finding.

Jobs set up to implement the backup plan:

| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||

Finding Details

Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:

Instance: MONT-BE-002\BKUPEXEC64
Database: BEDB
ResultHash: 8E9EDCB5731473AF6C0985483D9DA6823A8C71C2

DBA, Using the system documentation, confirm, the following recovery models. If the recovery model description does not match the documented recovery model, this is a finding.:

| name | recovery_model_desc |
|---|---|
| BEDB | SIMPLE |

DBA, Review the jobs set up to implement the backup plan. If they are absent, this is a finding.

Jobs set up to implement the backup plan:

Check Text
Review the system security plan (SSP) to determine whether the database is static, the recovery model to be used, the backup schedule, and the plan for testing database restoration. If the SSP does not state that the database is static, assume that it is not static. If any of the other information is absent, this is a finding. If the database is not static, and the documented recovery model is Bulk Logged, but the justification and authorization for this are not documented, this is a finding.

Run the following to determine Recovery Model:

```sql
USE [master]
GO
SELECT name, recovery_model_desc
FROM sys.databases
ORDER BY name
```

If the recovery model description does not match the documented recovery model, this is a finding.

Review the jobs set up to implement the backup plan. If they are absent, this is a finding.

Check the history of the backups by running the following query. It checks the last 30 days of backups by database.

```sql
USE [msdb]
GO
SELECT database_name,
    CASE type
        WHEN 'D' THEN 'Full'
        WHEN 'I' THEN 'Differential'
        WHEN 'L' THEN 'Log'
        ELSE type
    END AS backup_type,
    is_copy_only,
    backup_start_date,
    backup_finish_date
FROM dbo.backupset
WHERE backup_start_date >= dateadd(day, - 30, getdate())
ORDER BY database_name, backup_start_date DESC
```

If the history indicates a pattern of job failures, shown by missing backups or gaps in backups, this is a finding.

Review evidence that database recovery is tested annually or more often, and that the most recent test was successful. If not, this is a finding.
Fix Text
Modify the system security plan to include whether the database is static, the correct recovery model to be used, the backup schedule, and the plan for testing database restoration. In SQL Server Management Studio, Object Explorer, right-click on the name of the database; select Properties. Select the Options page. Set the Recovery Model field, near the top of the page, to the correct value. In Object Explorer, expand >> SQL Server Agent >> Jobs. Create, modify, and delete jobs to implement the backup schedule. (Alternatively, this may be done using T-SQL code or third-party backup software.) Correct any issues that have been causing backups to fail. Test the restoration of the database at least once a year; correct any issues that cause it to fail. Maintain a record of these tests.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT APPLICABLE on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: DDA1FD1A0A4D393B25E5DA328D2584C79BFFCC60 ~~~~~ No database master keys exist. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT APPLICABLE on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: DDA1FD1A0A4D393B25E5DA328D2584C79BFFCC60 ~~~~~ No database master keys exist. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT APPLICABLE on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: DDA1FD1A0A4D393B25E5DA328D2584C79BFFCC60 ~~~~~ No database master keys exist. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT APPLICABLE on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: DDA1FD1A0A4D393B25E5DA328D2584C79BFFCC60 ~~~~~ No database master keys exist. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT APPLICABLE on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: DDA1FD1A0A4D393B25E5DA328D2584C79BFFCC60 ~~~~~ No database master keys exist. Comments |
|||||
Check Text
From the query prompt:

```sql
SELECT name
FROM [master].sys.databases
WHERE state = 0
```

Repeat for each database. From the query prompt:

```sql
USE [database name]
SELECT COUNT(name)
FROM sys.symmetric_keys s, sys.key_encryptions k
WHERE s.name = '##MS_DatabaseMasterKey##'
  AND s.symmetric_key_id = k.key_id
  AND k.crypt_type in ('ESKP', 'ESP2', 'ESP3')
```

If the value returned is zero, this is not applicable.

If the value returned is greater than zero, a Database Master Key exists and is encrypted with a password. Review procedures and evidence of password requirements used to encrypt Database Master Keys.

If the passwords are not required to meet DoD password standards, currently a minimum of 15 characters with at least 1 upper-case character, 1 lower-case character, 1 special character, and 1 numeric character, and at least 8 characters changed from the previous password, this is a finding.
Fix Text
Assign an encryption password to the Database Master Key that is a minimum of 15 characters with at least 1 upper-case character, 1 lower-case character, 1 special character, and 1 numeric character, and at least 8 characters changed from the previous password.

To change the Database Master Key encryption password:

```sql
USE [database name];
ALTER MASTER KEY REGENERATE WITH ENCRYPTION BY PASSWORD = '[new password]';
```

Note: The Database Master Key encryption method should not be changed until the effects are thoroughly reviewed. Changing the master key encryption causes all encryption using the Database Master Key to be decrypted and re-encrypted. This action should not be taken during a high-demand time. Please see the MS SQL Server documentation prior to re-encrypting the Database Master Key for detailed information.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4 ~~~~~ No results were returned by the check query. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4 ~~~~~ No results were returned by the check query. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4 ~~~~~ No results were returned by the check query. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4 ~~~~~ No results were returned by the check query. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: AD5580665A64A351514BDE4964A09A2B55DACAE4 ~~~~~ No results were returned by the check query. Comments |
|||||
Check Text
If no databases require encryption, this is not a finding.

From the query prompt:

```sql
SELECT name
FROM [master].sys.databases
WHERE is_master_key_encrypted_by_server = 1
  AND owner_sid <> 1
  AND state = 0;
```

(Note that this query assumes that the [sa] account is not used as the owner of application databases, in keeping with other STIG guidance. If this is not the case, modify the query accordingly.)

If no databases are returned by the query, this is not a finding.

For any databases returned, verify in the System Security Plan that encryption of the Database Master Key using the Service Master Key is acceptable and approved by the Information Owner, and the encrypted data does not require additional protections to deter or detect DBA access. If not approved, this is a finding.

If approved and additional protections are required, then verify the additional requirements are in place in accordance with the System Security Plan. These may include additional auditing on access of the Database Master Key with alerts or other automated monitoring. If the additional requirements are not in place, this is a finding.
Fix Text
Where possible, encrypt the Database Master Key with a password known only to the application administrator. Where not possible, configure additional audit events or alerts to detect unauthorized access to the Database Master Key by users not authorized to view sensitive data.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
If the application owner and authorizing official have determined that encryption of data at rest is not required, this is not a finding. Review procedures for and evidence of backup of the Certificate used for encryption in the System Security Plan. If the procedures or evidence does not exist, this is a finding. If the procedures do not indicate that a backup of the Certificate used for encryption is stored in a secure location that is not on the SQL Server, this is a finding. If procedures do not indicate access restrictions to the Certificate backup, this is a finding.
Fix Text
Document and implement procedures to safely back up and store the Certificate used for encryption in a secure location that is not on the SQL Server. Include in the procedures to establish evidence of backup and storage as well as careful, restricted access and restoration of the Certificate.

```sql
BACKUP CERTIFICATE 'CertificateName' TO FILE = 'path_to_file'
WITH PRIVATE KEY (FILE = 'path_to_pvk', ENCRYPTION BY PASSWORD = 'password');
```

As this requires a password, ensure it is not exposed to unauthorized persons or stored as plain text.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Review the procedures for the refreshing of development/test data from production. Review any scripts or code that exists for the movement of production data to development/test systems, or to any other location or for any other purpose. Verify that copies of production data are not left in unprotected locations. If the code that exists for data movement does not comply with the organization-defined data transfer policy and/or fails to remove any copies of production data from unprotected locations, this is a finding.
Fix Text
Modify any code used for moving data from production to development/test systems to comply with the organization-defined data transfer policy, and to ensure copies of production data are not left in unsecured locations.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Review DBMS code (stored procedures, functions, triggers), application code, settings, column and field definitions, and constraints to determine whether the database is protected against invalid input. If code exists that allows invalid data to be acted upon or input into the database, this is a finding. If column/field definitions are not reflective of the data, this is a finding. If columns/fields do not contain constraints and validity checking where required, this is a finding. Where a column/field is noted in the system documentation as necessarily free-form, even though its name and context suggest that it should be strongly typed and constrained, the absence of these protections is not a finding. Where a column/field is clearly identified by name, caption or context as Notes, Comments, Description, Text, etc., the absence of these protections is not a finding.
Fix Text
Use parameterized queries, constraints, foreign keys, etc. to validate data input. Modify SQL Server to properly use the correct column data types as required in the database.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Review application behavior and custom database code (stored procedures, triggers), to determine whether error messages contain information beyond what is needed for explaining the issue to general users. If database error messages contain PII data, sensitive business data, or information useful for identifying the host system or database structure, this is a finding.
Fix Text
Adjust database code to remove any information not required for explaining the error to an end user. Consider enabling trace flag 3625 to mask certain system-level error information returned to non-administrative users. Launch SQL Server Configuration Manager >> Click SQL Services >> Open the instance properties >> Click the Service Parameters tab >> Enter "-T3625" >> Click Add >> Click OK >> Restart SQL instance.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: C713830C8E84EDA173245BE4E133CC773081ABA6 ~~~~~ This is the 'tempdb' database so per STIG Support modifying the default databases not required nor recommended. For the default databases this check is an automatic 'Not A Finding' Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: AEB16496DFD41E78595FE7F47C4E9143CDC122AD ~~~~~ This is the 'msdb' database so per STIG Support modifying the default databases not required nor recommended. For the default databases this check is an automatic 'Not A Finding' Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 749808BA4F38BC428FC117B83333AA3707EE2CCA ~~~~~ This is the 'model' database so per STIG Support modifying the default databases not required nor recommended. For the default databases this check is an automatic 'Not A Finding' Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: C778770EE78E28AE01A967688E2230BFD7CDA322 ~~~~~ This is the 'master' database so per STIG Support modifying the default databases not required nor recommended. For the default databases this check is an automatic 'Not A Finding' Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
If security labeling is not required, this is not a finding. If security labeling requirements have been specified, but neither a third-party solution nor a SQL Server Row-Level security solution is implemented that reliably maintains labels on information in storage, this is a finding.
Fix Text
Deploy SQL Server Row-Level Security (see link below) or third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in storage. https://msdn.microsoft.com/en-us/library/dn765131.aspx
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: C713830C8E84EDA173245BE4E133CC773081ABA6 ~~~~~ This is the 'tempdb' database so per STIG Support modifying the default databases not required nor recommended. For the default databases this check is an automatic 'Not A Finding' Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: AEB16496DFD41E78595FE7F47C4E9143CDC122AD ~~~~~ This is the 'msdb' database so per STIG Support modifying the default databases not required nor recommended. For the default databases this check is an automatic 'Not A Finding' Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 749808BA4F38BC428FC117B83333AA3707EE2CCA ~~~~~ This is the 'model' database so per STIG Support modifying the default databases not required nor recommended. For the default databases this check is an automatic 'Not A Finding' Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: C778770EE78E28AE01A967688E2230BFD7CDA322 ~~~~~ This is the 'master' database so per STIG Support modifying the default databases not required nor recommended. For the default databases this check is an automatic 'Not A Finding' Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
If security labeling is not required, this is not a finding. If security labeling requirements have been specified, but neither a third-party solution nor a SQL Server Row-Level security solution is implemented that reliably maintains labels on information, this is a finding.
Fix Text
Deploy SQL Server Row-Level Security (see link below) or third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in process. https://msdn.microsoft.com/en-us/library/dn765131.aspx
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: C713830C8E84EDA173245BE4E133CC773081ABA6 ~~~~~ This is the 'tempdb' database so per STIG Support modifying the default databases not required nor recommended. For the default databases this check is an automatic 'Not A Finding' Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: AEB16496DFD41E78595FE7F47C4E9143CDC122AD ~~~~~ This is the 'msdb' database so per STIG Support modifying the default databases not required nor recommended. For the default databases this check is an automatic 'Not A Finding' Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 749808BA4F38BC428FC117B83333AA3707EE2CCA ~~~~~ This is the 'model' database so per STIG Support modifying the default databases not required nor recommended. For the default databases this check is an automatic 'Not A Finding' Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: C778770EE78E28AE01A967688E2230BFD7CDA322 ~~~~~ This is the 'master' database so per STIG Support modifying the default databases not required nor recommended. For the default databases this check is an automatic 'Not A Finding' Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
If security labeling is not required, this is not a finding. If security labeling requirements have been specified, but neither a third-party solution nor a SQL Server Row-Level security solution is implemented that reliably maintains labels on information in transmission, this is a finding.
Fix Text
Deploy SQL Server Row-Level Security (see link below) or third-party software, or add custom data structures, data elements and application code, to provide reliable security labeling of information in transmission. https://msdn.microsoft.com/en-us/library/dn765131.aspx
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments |
|||||
Check Text
Review the system documentation to obtain a listing of stored procedures and functions that utilize impersonation. Execute the following query:

```sql
SELECT S.name AS schema_name, O.name AS module_name,
    USER_NAME(
        CASE M.execute_as_principal_id
            WHEN -2 THEN COALESCE(O.principal_id, S.principal_id)
            ELSE M.execute_as_principal_id
        END
    ) AS execute_as
FROM sys.sql_modules M
JOIN sys.objects O ON M.object_id = O.object_id
JOIN sys.schemas S ON O.schema_id = S.schema_id
WHERE execute_as_principal_id IS NOT NULL
and O.name not in (
    'fn_sysdac_get_username',
    'fn_sysutility_ucp_get_instance_is_mi',
    'sp_send_dbmail',
    'sp_SendMailMessage',
    'sp_syscollector_create_collection_set',
    'sp_syscollector_delete_collection_set',
    'sp_syscollector_disable_collector',
    'sp_syscollector_enable_collector',
    'sp_syscollector_get_collection_set_execution_status',
    'sp_syscollector_run_collection_set',
    'sp_syscollector_start_collection_set',
    'sp_syscollector_update_collection_set',
    'sp_syscollector_upload_collection_set',
    'sp_syscollector_verify_collector_state',
    'sp_syspolicy_add_policy',
    'sp_syspolicy_add_policy_category_subscription',
    'sp_syspolicy_delete_policy',
    'sp_syspolicy_delete_policy_category_subscription',
    'sp_syspolicy_update_policy',
    'sp_sysutility_mi_add_ucp_registration',
    'sp_sysutility_mi_disable_collection',
    'sp_sysutility_mi_enroll',
    'sp_sysutility_mi_initialize_collection',
    'sp_sysutility_mi_remove',
    'sp_sysutility_mi_remove_ucp_registration',
    'sp_sysutility_mi_upload',
    'sp_sysutility_mi_validate_enrollment_preconditions',
    'sp_sysutility_ucp_add_mi',
    'sp_sysutility_ucp_add_policy',
    'sp_sysutility_ucp_calculate_aggregated_dac_health',
    'sp_sysutility_ucp_calculate_aggregated_mi_health',
    'sp_sysutility_ucp_calculate_computer_health',
    'sp_sysutility_ucp_calculate_dac_file_space_health',
    'sp_sysutility_ucp_calculate_dac_health',
    'sp_sysutility_ucp_calculate_filegroups_with_policy_violations',
    'sp_sysutility_ucp_calculate_health',
    'sp_sysutility_ucp_calculate_mi_file_space_health',
    'sp_sysutility_ucp_calculate_mi_health',
    'sp_sysutility_ucp_configure_policies',
    'sp_sysutility_ucp_create',
    'sp_sysutility_ucp_delete_policy',
    'sp_sysutility_ucp_delete_policy_history',
    'sp_sysutility_ucp_get_policy_violations',
    'sp_sysutility_ucp_initialize',
    'sp_sysutility_ucp_initialize_mdw',
    'sp_sysutility_ucp_remove_mi',
    'sp_sysutility_ucp_update_policy',
    'sp_sysutility_ucp_update_utility_configuration',
    'sp_sysutility_ucp_validate_prerequisites',
    'sp_validate_user',
    'syscollector_collection_set_is_running_update_trigger',
    'sysmail_help_status_sp'
)
ORDER BY schema_name, module_name
```

If any procedures or functions are returned that are not documented, this is a finding.
Fix Text
Alter stored procedures and functions to remove the "EXECUTE AS" statement.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments |
|||||
Check Text
If the SQL Server instance supports only software development, experimentation, and/or developer-level testing (i.e., excluding production systems, integration testing, stress testing, and user acceptance testing), this is not a finding.

Obtain a listing of users and roles who are authorized to create, alter, or replace logic modules from the server documentation.

In each user database, execute the following query:

```sql
SELECT P.type_desc AS principal_type, P.name AS principal_name, O.type_desc,
    CASE class
        WHEN 0 THEN DB_NAME()
        WHEN 1 THEN OBJECT_SCHEMA_NAME(major_id) + '.' + OBJECT_NAME(major_id)
        WHEN 3 THEN SCHEMA_NAME(major_id)
        ELSE class_desc + '(' + CAST(major_id AS nvarchar) + ')'
    END AS securable_name,
    DP.state_desc, DP.permission_name
FROM sys.database_permissions DP
JOIN sys.database_principals P ON DP.grantee_principal_id = P.principal_id
LEFT OUTER JOIN sys.all_objects O ON O.object_id = DP.major_id
    AND O.type IN ('TR','TA','P','X','RF','PC','IF','FN','TF','U')
WHERE DP.type IN ('AL','ALTG')
  AND DP.class IN (0, 1, 53)

SELECT R.name AS role_name, M.type_desc AS principal_type, M.name AS principal_name
FROM sys.database_principals R
JOIN sys.database_role_members DRM ON R.principal_id = DRM.role_principal_id
JOIN sys.database_principals M ON DRM.member_principal_id = M.principal_id
WHERE R.name IN ('db_ddladmin','db_owner')
  AND M.name != 'dbo'
```

If any users or role permissions returned are not authorized to modify the specified object or type, this is a finding.

If any user or role membership is not authorized, this is a finding.
Fix Text
Document and obtain approval for any nonadministrative users who require the ability to create, alter, or replace logic modules.

Revoke the ALTER permission from unauthorized users and roles:

```sql
REVOKE ALTER ON [<Object Name>] TO [<Principal Name>]
```
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: 1ECA956516DA093168EADA17AB3EA5E1C5ED41C1 ~~~~~ No results were returned by the check queries. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: F3ECBD3C11F8BAF819620F5F091A10379266B2E4 ~~~~~ DBA, Remove unauthorized users from roles database_name owner_name is_fixed_role_member ------------- ---------- -------------------- BEDB sa 1 Comments |
|||||
Check Text
Execute the following query to obtain a listing of user databases whose owner is a member of a fixed server role:

```sql
SELECT D.name AS database_name,
       SUSER_SNAME(D.owner_sid) AS owner_name,
       FRM.is_fixed_role_member
FROM sys.databases D
OUTER APPLY (
    SELECT MAX(fixed_role_member) AS is_fixed_role_member
    FROM (
        SELECT IS_SRVROLEMEMBER(R.name, SUSER_SNAME(D.owner_sid)) AS fixed_role_member
        FROM sys.server_principals R
        WHERE is_fixed_role = 1
    ) A
) FRM
WHERE D.database_id > 4
  AND (FRM.is_fixed_role_member = 1 OR FRM.is_fixed_role_member IS NULL)
ORDER BY database_name
```

If no databases are returned, this is not a finding.

For each database/login returned, review the Server Role memberships:

1. In SQL Server Management Studio, expand “Logins”
2. Double-click the name of the Login
3. Click the “Server Roles” tab

If any server roles are selected, but not documented and authorized, this is a finding.
Fix Text
Remove unauthorized users from roles:

```sql
-- <role_name> is a placeholder for the role the user is being removed from
ALTER ROLE <role_name> DROP MEMBER user;
```

https://msdn.microsoft.com/en-us/library/ms189775.aspx

Set the owner of the database to an authorized login:

```sql
ALTER AUTHORIZATION ON database::DatabaseName TO login;
```

https://msdn.microsoft.com/en-us/library/ms187359.aspx
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A678C60E1EAF17D7C51ED8282DC985211C33F443 ~~~~~ Archive log config logging enable logging size 1000 notify syslog contenttype plaintext hidekeys Comments |
|||||
Check Text
Review the router configuration to determine if it automatically audits account creation. The configuration should look similar to the example below:

```
archive
 log config
  logging enable
```

Note: Configuration changes can be viewed using the `show archive log config all` command.

If account creation is not automatically audited, this is a finding.
Fix Text
Configure the router to log account creation using the following commands:

```
R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#logging size 1000
R4(config-archive-log-cfg)#notify syslog contenttype plaintext
R4(config-archive-log-cfg)#hidekeys
R4(config-archive-log-cfg)#end
```
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A678C60E1EAF17D7C51ED8282DC985211C33F443 ~~~~~ Archive log config logging enable logging size 1000 notify syslog contenttype plaintext hidekeys Comments |
|||||
Check Text
Review the router configuration to determine if it automatically audits account modification. The configuration should look similar to the example below:

```
archive
 log config
  logging enable
```

Note: Configuration changes can be viewed using the `show archive log config all` command.

If account modification is not automatically audited, this is a finding.
Fix Text
Configure the router to log account modification using the following commands:

```
R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#logging size 1000
R4(config-archive-log-cfg)#notify syslog contenttype plaintext
R4(config-archive-log-cfg)#hidekeys
R4(config-archive-log-cfg)#end
```
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A678C60E1EAF17D7C51ED8282DC985211C33F443 ~~~~~ Archive log config logging enable logging size 1000 notify syslog contenttype plaintext hidekeys Comments |
|||||
Check Text
Review the router configuration to determine if it automatically audits account disabling. The configuration should look similar to the example below:

```
archive
 log config
  logging enable
```

Note: Configuration changes can be viewed using the `show archive log config all` command.

If account disabling is not automatically audited, this is a finding.
Fix Text
Configure the router to log account disabling using the following commands:

```
R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#logging size 1000
R4(config-archive-log-cfg)#notify syslog contenttype plaintext
R4(config-archive-log-cfg)#hidekeys
R4(config-archive-log-cfg)#end
```
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A678C60E1EAF17D7C51ED8282DC985211C33F443 ~~~~~ Archive log config logging enable logging size 1000 notify syslog contenttype plaintext hidekeys Comments |
|||||
Check Text
Review the router configuration to determine if it automatically audits account removal. The configuration should look similar to the example below:

```
archive
 log config
  logging enable
```

Note: Configuration changes can be viewed using the `show archive log config all` command.

If account removal is not automatically audited, this is a finding.
Fix Text
Configure the router to log account removal using the following commands:

```
R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#logging size 1000
R4(config-archive-log-cfg)#notify syslog contenttype plaintext
R4(config-archive-log-cfg)#hidekeys
R4(config-archive-log-cfg)#end
```
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 7C34C4946A66BAD21BCD23A9B909B63F3502B98E ~~~~~ line vty 0 4 session-timeout 10 access-class vty_access in session-limit 3 logging synchronous transport preferred ssh transport input ssh transport output ssh ! ip access-list extended vty_access 10 remark Allow access from other ships, NOCs or Afloat Support 10 permit tcp 164.231.0.0 0.0.255.255 any eq 22 log 20 deny ip any any log ! ! ! ! ! ! ! Comments |
|||||
Check Text
Review the Cisco router configuration to verify that it is compliant with this requirement.

Step 1: Verify that the line vty has an ACL inbound applied as shown in the example below.

```
line vty 0 1
 access-class MANAGEMENT_NET in
 transport input ssh
```

Step 2: Verify that the ACL permits only hosts from the management network to access the router.

```
ip access-list extended MANAGEMENT_NET
 permit ip x.x.x.0 0.0.0.255 any
 deny ip any any log-input
```

If the Cisco router is not configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies, this is a finding.
Fix Text
Configure the Cisco router to restrict management access to specific IP addresses via SSH as shown in the example below.

```
SW2(config)#ip access-list standard MANAGEMENT_NET
SW2(config-std-nacl)#permit x.x.x.0 0.0.0.255
SW2(config-std-nacl)#exit
SW2(config)#line vty 0 1
SW2(config-line)#transport input ssh
SW2(config-line)#access-class MANAGEMENT_NET in
SW2(config-line)#end
```
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: ABBAB8CC78DE7347B6202BF8F03B33B9A6291A0E ~~~~~ login block-for 900 attempts 3 within 120 Comments |
|||||
Check Text
Review the Cisco router configuration to verify that it enforces the limit of three consecutive invalid logon attempts as shown in the example below.

```
login block-for 900 attempts 3 within 120
```

Note: The configuration example above will block any login attempt for 15 minutes after three consecutive invalid logon attempts within a two-minute period.

If the Cisco router is not configured to enforce the limit of three consecutive invalid logon attempts, this is a finding.
Fix Text
Configure the Cisco router to enforce the limit of three consecutive invalid logon attempts as shown in the example below. R2(config)#login block-for 900 attempts 3 within 120
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8FFBED927D401C4C59BC347DFFD3868F3306C61D ~~~~~ hostname MONTPOINTGTWYRTR logging userinfo archive log config logging enable logging size 1000 notify syslog contenttype plaintext hidekeys Comments |
|||||
Check Text
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below.

```
hostname R1
!
logging userinfo
!
…
…
…
archive
 log config
  logging enable
!
```

Note: The `logging userinfo` global configuration command will generate a log when a user increases his or her privilege level.

If logging of administrator activity is not configured, this is a finding.
Fix Text
Configure the router to log administrator activity as shown in the example below.

```
R1(config)#logging userinfo
R1(config)#archive
R1(config-archive)#log config
R1(config-archive-log-cfg)#logging enable
R1(config-archive-log-cfg)#logging size 1000
R1(config-archive-log-cfg)#notify syslog contenttype plaintext
R1(config-archive-log-cfg)#hidekeys
R1(config-archive-log-cfg)#end
```
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: DE0D02323230142232357AF55AE5B85E1C6CF819 ~~~~~ service timestamps log datetime msec localtime show-timezone year Comments |
|||||
Check Text
Verify that the router is configured to include the date and time on all log records as shown in the configuration example below.

```
service timestamps log datetime localtime
```

If time stamps are not configured, this is a finding.
Fix Text
Configure the router to include the date and time on all log records as shown in the example below. R1(config)#service timestamps log datetime localtime
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 949FD62A829175C2132E70DF0486F90EB24C9A8A ~~~~~ All 'deny' statements are configured to log. Comments |
|||||
Check Text
Review the deny statements in all interface ACLs to determine if the log-input parameter has been configured as shown in the example below.

Note: log-input can only apply to interface bound ACLs.

```
ip access-list extended BLOCK_INBOUND
 deny icmp any any log-input
```

If the router is not configured with the log-input parameter after any deny statements to note where packets have been dropped via an ACL, this is a finding.
Fix Text
Configure the log-input parameter after any deny statements to provide the location as to where packets have been dropped via an ACL.

```
R1(config)#ip access-list extended BLOCK_INBOUND
R1(config-ext-nacl)#deny icmp any any log-input
```
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A678C60E1EAF17D7C51ED8282DC985211C33F443 ~~~~~ Archive log config logging enable logging size 1000 notify syslog contenttype plaintext hidekeys Comments |
|||||
Check Text
Review the Cisco router configuration to verify that it is compliant with this requirement. The configuration example below will log all configuration changes.

```
archive
 log config
  logging enable
```

Note: Configuration changes can be viewed using the `show archive log config all` command.

If the Cisco router is not configured to generate audit records of configuration changes, this is a finding.
Fix Text
Configure the Cisco router to log all configuration changes as shown in the example below.

```
R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#logging size 1000
R4(config-archive-log-cfg)#notify syslog contenttype plaintext
R4(config-archive-log-cfg)#hidekeys
R4(config-archive-log-cfg)#end
```
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: BE9D336E6083AAD077B0C802971ECCA37B641B51 ~~~~~ Logging persistent not found, this requirement is not applicable Comments |
|||||
Check Text
Review the Cisco router configuration to verify that it is compliant with this requirement.

Step 1: If persistent logging is enabled as shown in the example below, go to step 2. Otherwise, this requirement is not applicable.

```
logging persistent url disk0:/logfile size 134217728 filesize 16384
```

Step 2: Verify that the router is not configured with a privilege level other than "15" to allow access to the file system as shown in the example below.

```
file privilege 10
```

Note: The default privilege level required for access to the file system is "15"; hence, the command file privilege "15" will not be shown in the configuration.

If the router is configured with a privilege level other than "15" to allow access to the file system, this is a finding.
Fix Text
If persistent logging is enabled, configure the router to only allow administrators with privilege level "15" access to the file system as shown in the example below. R4(config)#file privilege 15
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: BE9D336E6083AAD077B0C802971ECCA37B641B51 ~~~~~ Logging persistent not found, this requirement is not applicable Comments |
|||||
Check Text
Review the Cisco router configuration to verify that it is compliant with this requirement.

Step 1: If persistent logging is enabled as shown in the example below, go to step 2. Otherwise, this requirement is not applicable.

```
logging persistent url disk0:/logfile size 134217728 filesize 16384
```

Step 2: Verify that the router is not configured with a privilege level other than "15" to allow access to the file system as shown in the example below.

```
file privilege 10
```

Note: The default privilege level required for access to the file system is "15"; hence, the command file privilege "15" will not be shown in the configuration.

If the router is configured with a privilege level other than "15" to allow access to the file system, this is a finding.
Fix Text
If persistent logging is enabled, configure the router to only allow administrators with privilege level "15" access to the file system as shown in the example below. R4(config)#file privilege 15
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 27E2CCFBEAF21F0CF88252AA3BD21746F050EEB7 ~~~~~ File privilege configuration was not found File privilege 15 configuration is assumed Please verify settings on router Comments |
|||||
Check Text
Verify that the router is not configured with a privilege level other than "15" to allow access to the file system as shown in the example below.

```
file privilege 10
```

Note: The default privilege level required for access to the file system is "15"; hence, the command file privilege "15" will not be shown in the configuration.

If the router is configured with a privilege level other than "15" to allow access to the file system, this is a finding.
Fix Text
Configure the router to only allow administrators with privilege level "15" access to the file system as shown in the example below. R4(config)#file privilege 15
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: C4104C43FF3450C0073B61738529B67004F83A5B ~~~~~ aaa common-criteria policy PASSWORD_POLICY min-length 15 Comments |
|||||
Check Text
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below.

```
aaa new-model
!
!
aaa common-criteria policy PASSWORD_POLICY
 min-length 15
```

If the Cisco router is not configured to enforce a minimum 15-character password length, this is a finding.
Fix Text
Configure the Cisco router to enforce a minimum 15-character password length as shown in the example below.

```
R1(config)#aaa common-criteria policy PASSWORD_POLICY
R1(config-cc-policy)#min-length 15
R1(config-cc-policy)#exit
```
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6553FABD4B56D1A387B5DB3F6CF16C838667FAFF ~~~~~ aaa common-criteria policy PASSWORD_POLICY upper-case 1 Comments |
|||||
Check Text
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below.

```
aaa new-model
!
!
aaa common-criteria policy PASSWORD_POLICY
 upper-case 1
```

If the Cisco router is not configured to enforce password complexity by requiring that at least one uppercase character be used, this is a finding.
Fix Text
Configure the Cisco router to enforce password complexity by requiring that at least one uppercase character be used as shown in the example below.

```
R1(config)#aaa common-criteria policy PASSWORD_POLICY
R1(config-cc-policy)#upper-case 1
R1(config-cc-policy)#exit
```
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6C8C9A04EE0049FF30F16D96F6497AEF4B48F61F ~~~~~ aaa common-criteria policy PASSWORD_POLICY lower-case 1 Comments |
|||||
Check Text
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below.

```
aaa new-model
!
!
aaa common-criteria policy PASSWORD_POLICY
 lower-case 1
```

If the Cisco router is not configured to enforce password complexity by requiring that at least one lowercase character be used, this is a finding.
Fix Text
Configure the Cisco router to enforce password complexity by requiring that at least one lowercase character be used as shown in the example below.

```
R1(config)#aaa common-criteria policy PASSWORD_POLICY
R1(config-cc-policy)#lower-case 1
R1(config-cc-policy)#exit
```
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B33379AD6F2ED0966DBD92772AE64D65D2E60892 ~~~~~ aaa common-criteria policy PASSWORD_POLICY numeric-count 1 Comments |
|||||
Check Text
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below.

```
aaa new-model
!
!
aaa common-criteria policy PASSWORD_POLICY
 numeric-count 1
```

If the Cisco router is not configured to enforce password complexity by requiring that at least one numeric character be used, this is a finding.
Fix Text
Configure the Cisco router to enforce password complexity by requiring that at least one numeric character be used as shown in the example below.

```
R1(config)#aaa common-criteria policy PASSWORD_POLICY
R1(config-cc-policy)#numeric-count 1
R1(config-cc-policy)#exit
```
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3716573D24AFF025B7A4466C19199D89373DCDC6 ~~~~~ aaa common-criteria policy PASSWORD_POLICY special-case 1 Comments |
|||||
Check Text
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below.

```
aaa new-model
!
!
aaa common-criteria policy PASSWORD_POLICY
 special-case 1
```

If the Cisco router is not configured to enforce password complexity by requiring that at least one special character be used, this is a finding.
Fix Text
Configure the Cisco router to enforce password complexity by requiring that at least one special character be used as shown in the example below.

```
R1(config)#aaa common-criteria policy PASSWORD_POLICY
R1(config-cc-policy)#special-case 1
R1(config-cc-policy)#exit
```
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B24372278E11DB93CB56DA5D58F2C691579D30F4 ~~~~~ aaa common-criteria policy PASSWORD_POLICY char-changes 8 Comments |
|||||
Check Text
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below.

```
aaa new-model
!
!
aaa common-criteria policy PASSWORD_POLICY
 char-changes 8
```

If the Cisco router is not configured to require that when a password is changed, the characters are changed in at least eight of the positions within the password, this is a finding.
Fix Text
Configure the Cisco router to enforce password complexity by requiring that when a password is changed, the characters are changed in at least eight of the positions within the password as shown in the example below.

```
R1(config)#aaa common-criteria policy PASSWORD_POLICY
R1(config-cc-policy)#char-changes 8
R1(config-cc-policy)#exit
```
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A678C60E1EAF17D7C51ED8282DC985211C33F443 ~~~~~ Archive log config logging enable logging size 1000 notify syslog contenttype plaintext hidekeys Comments |
|||||
Check Text
Review the router configuration to determine if it automatically audits account enabling. The configuration should look similar to the example below:

```
archive
 log config
  logging enable
```

Note: Configuration changes can be viewed using the `show archive log config all` command.

If account enabling is not automatically audited, this is a finding.
Fix Text
Configure the router to log account enabling using the following commands:

```
R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#logging size 1000
R4(config-archive-log-cfg)#notify syslog contenttype plaintext
R4(config-archive-log-cfg)#hidekeys
R4(config-archive-log-cfg)#end
```
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: AC8D3D82BA9C34A72D08AFC9E465F551B1580A74 ~~~~~ Trap logging: level informational, 815 message lines logged Comments |
|||||
Check Text
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below.

```
logging trap critical
```

Note: The parameter "critical" can be replaced with a lesser severity level (i.e., error, warning, notice, informational). Informational is the default severity level; hence, if the severity level is configured to informational, the logging trap command will not be shown in the configuration.

If the Cisco router is not configured to generate an alert for all audit failure events, this is a finding.
Fix Text
Configure the Cisco router to send critical to emergency log messages to the syslog server as shown in the example below.

```
R4(config)#logging trap critical
```

Note: The parameter "critical" can be replaced with a lesser severity level (i.e., error, warning, notice, informational).
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 5CB0787E1E482D4AD90CB4D79FFA8280B5A635AC ~~~~~ ntp server 164.231.98.1 key 20 ntp server 164.231.69.13 key 80 prefer Comments |
|||||
Check Text
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the configuration example below.

```
ntp server x.x.x.x
ntp server y.y.y.y
```

If the Cisco router is not configured to synchronize its clock with redundant authoritative time sources, this is a finding.
Fix Text
Configure the Cisco router to synchronize its clock with redundant authoritative time sources as shown in the example below.

```
R2(config)#ntp server x.x.x.x
R2(config)#ntp server y.y.y.y
```
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 1DB45E772E2D5C909D9677E4B1376C0A674A7D4B ~~~~~ Requires information not provided by show tech or show running configuration file Comments |
|||||
Check Text
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below.

```
snmp-server group V3GROUP v3 auth read V3READ write V3WRITE
snmp-server host x.x.x.x version 3 auth V3USER
```

Authentication used by the SNMP users can be viewed via the `show snmp user` command as shown in the example below:

```
R4#show snmp user

User name: V3USER
Engine ID: 800000090300C2042B540000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: None
Group-name: V3GROUP
```

If the Cisco router is not configured to authenticate SNMP messages using a FIPS-validated HMAC, this is a finding.
Fix Text
Configure the Cisco router to authenticate SNMP messages as shown in the example below:

```
R4(config)#snmp-server group V3GROUP v3 auth read V3READ write V3WRITE
R4(config)#snmp-server user V3USER V3GROUP v3 auth sha xxxxxxx
R4(config)#snmp-server host x.x.x.x version 3 auth V3USER
```
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 1DB45E772E2D5C909D9677E4B1376C0A674A7D4B ~~~~~ Requires information not provided by show tech or show running configuration file Comments |
|||||
Check Text
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below.

```
snmp-server group V3GROUP v3 priv read V3READ write V3WRITE
snmp-server view V3READ iso included
snmp-server view V3WRITE iso included
snmp-server host x.x.x.x version 3 auth V3USER
```

Encryption used by the SNMP users can be viewed via the `show snmp user` command as shown in the example below.

```
R4#show snmp user

User name: V3USER
Engine ID: 800000090300C2042B540000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: V3GROUP
```

If the Cisco router is not configured to encrypt SNMP messages using a FIPS 140-2 approved algorithm, this is a finding.
Fix Text
Configure the Cisco router to encrypt SNMP messages using a FIPS 140-2 approved algorithm as shown in the example below.

```
R4(config)#snmp-server group V3GROUP v3 priv read V3READ write V3WRITE
R4(config)#snmp-server user V3USER V3GROUP v3 auth sha xxxxxx priv aes 256 xxxxxx
```
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 746684BF0C80384E74956B54D242941B88392F07 ~~~~~ ntp allow mode control 0 ntp authentication-key 80 md5 0021450F24771D4F387C521D5936042A32 7 ntp authentication-key 20 md5 10401D090E120B051814212E3D 7 ntp trusted-key 20 ntp trusted-key 80 ntp source BDI400 ntp server 164.231.98.1 key 20 ntp server 164.231.69.13 key 80 prefer Comments |
|||||
Check Text
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the configuration example below.

```
ntp authentication-key 1 hmac-sha2-256 xxxxxx
ntp authenticate
ntp trusted-key 1
ntp server x.x.x.x key 1
ntp server y.y.y.y key 1
```

If the Cisco router is not configured to authenticate NTP sources using authentication that is cryptographically based, this is a finding.
Fix Text
Configure the Cisco router to authenticate NTP sources using authentication that is cryptographically based as shown in the example below.

```
R2(config)#ntp authenticate
R2(config)#ntp authentication-key 1 hmac-sha2-256 xxxxxxx
R2(config)#ntp trusted-key 1
R2(config)#ntp server x.x.x.x key 1
R2(config)#ntp server y.y.y.y key 1
```
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A678C60E1EAF17D7C51ED8282DC985211C33F443 ~~~~~ Archive log config logging enable logging size 1000 notify syslog contenttype plaintext hidekeys Comments |
|||||
Check Text
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below.

```
archive
 log config
  logging enable
```

If the Cisco router is not configured to generate log records when administrator privileges are deleted, this is a finding.
Fix Text
Configure the Cisco router to generate log records when administrator privileges are deleted as shown in the example below.

```
R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#logging size 1000
R4(config-archive-log-cfg)#notify syslog contenttype plaintext
R4(config-archive-log-cfg)#hidekeys
R4(config-archive-log-cfg)#end
```
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A19CCFDDF163501A636769305EE4AE7BC1A36158 ~~~~~ login on-failure log login on-success log Comments |
|||||
Check Text
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the examples below.

```
login on-failure log
login on-success log
```

If the Cisco router is not configured to generate audit records when successful/unsuccessful logon attempts occur, this is a finding.
Fix Text
Configure the Cisco router to generate audit records when successful/unsuccessful logon attempts occur as shown in the example below.

```
R5(config)#login on-failure log
R5(config)#login on-success log
```
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A678C60E1EAF17D7C51ED8282DC985211C33F443 ~~~~~ Archive log config logging enable logging size 1000 notify syslog contenttype plaintext hidekeys Comments |
|||||
Check Text
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example configurations below.

```
archive
 log config
  logging enable
```

If the Cisco router is not configured to generate log records for privileged activities, this is a finding.
Fix Text
Configure the Cisco router to generate log records for privileged activities as shown in the example below.

```
R4(config)#archive
R4(config-archive)#log config
R4(config-archive-log-cfg)#logging enable
R4(config-archive-log-cfg)#logging size 1000
R4(config-archive-log-cfg)#notify syslog contenttype plaintext
R4(config-archive-log-cfg)#hidekeys
R4(config-archive-log-cfg)#end
```
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be NOT APPLICABLE on 10/23/2025 Site: Default Web Site ResultHash: 2DD143332C0C53AB5EB35B604B56FEEE445E829C ~~~~~ ASP.NET is not installed so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be NOT A FINDING on 10/23/2025 Site: Exchange Back End ResultHash: 4DAFD73A73E142C404EAA5FA34EAB3F3718A717C ~~~~~ Mode is set to 'InProc' Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be NOT A FINDING on 10/23/2025 Site: Default Web Site ResultHash: 4DAFD73A73E142C404EAA5FA34EAB3F3718A717C ~~~~~ Mode is set to 'InProc' Comments |
|||||
Check Text
Note: If ASP.NET is not installed, this is Not Applicable.

Follow the procedures below for each site hosted on the IIS 10.0 web server:

1. Open the IIS 10.0 Manager.
2. Click the site name.
3. Under the "ASP.NET" section, select "Session State".
4. Under "Session State Mode Settings", verify the "In Process" mode is selected.

If the "Session State Mode Settings" is set to "In Process", this is not a finding.

Alternative method:

1. Click the site name.
2. Select "Configuration Editor" under the "Management" section.
3. From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState".
4. Verify the "mode" reflects "InProc".

If the "mode" is not set to "InProc", this is a finding.

If the system being reviewed is part of a Web Farm, interview the System Administrator to ensure Session State Tracking is enabled via a SQL server, or other means. If Session State Tracking is enabled on the Web Farm, this is not a finding.
Fix Text
Follow the procedures below for each site hosted on the IIS 10.0 web server:

1. Open the IIS 10.0 Manager.
2. Click the site name.
3. Under the "ASP.NET" section, select "Session State".
4. Under "Session State Mode Settings", verify the "In Process" mode is selected.
5. Select "Apply" from the "Actions" pane.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be NOT APPLICABLE on 10/23/2025 Site: Default Web Site ResultHash: 2DD143332C0C53AB5EB35B604B56FEEE445E829C ~~~~~ ASP.NET is not installed so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be NOT A FINDING on 10/23/2025 Site: Exchange Back End ResultHash: 453FAD461534700007B4F585B0D2FD1A4236A4FD ~~~~~ Cookie Settings is set to 'UseCookies' Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be NOT A FINDING on 10/23/2025 Site: Default Web Site ResultHash: 453FAD461534700007B4F585B0D2FD1A4236A4FD ~~~~~ Cookie Settings is set to 'UseCookies' Comments |
|||||
Check Text
Note: If ASP.NET is not installed, this is Not Applicable.

Follow the procedures below for each site hosted on the IIS 10.0 web server:

1. Open the IIS 10.0 Manager.
2. Click the site name.
3. Under the "ASP.NET" section, select "Session State".
4. Under "Cookie Settings", verify the "Use Cookies" mode is selected from the "Mode:" drop-down list.

If the "Use Cookies" mode is selected, this is not a finding.

Alternative method:

1. Click the site name.
2. Select "Configuration Editor" under the "Management" section.
3. From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState".
4. Verify the "cookieless" is set to "UseCookies".

If the "cookieless" is not set to "UseCookies", this is a finding.

Note: If IIS 10.0 server/site is used only for system-to-system maintenance, does not allow users to connect to interface, and is restricted to specific system IPs, this is Not Applicable.
Fix Text
Follow the procedures below for each site hosted on the IIS 10.0 web server:

1. Open the IIS 10.0 Manager.
2. Click the site name.
3. Under the ASP.NET section, select "Session State".
4. Under "Cookie Settings", select the "Use Cookies" from the "Mode:" drop-down list.
5. Select "Apply" from the "Actions" pane.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsIf the website is not behind a load balancer or proxy server, this is Not Applicable. Comments |
|||||
Check Text
Interview the System Administrator to review the configuration of the IIS 10.0 architecture and determine if inbound web traffic is passed through a proxy. If the IIS 10.0 is receiving inbound web traffic through a proxy, the audit logs must be reviewed to determine if correct source information is being passed through by the proxy server.

Follow the procedures below for each site hosted on the IIS 10.0 web server:

1. Open the IIS 10.0 Manager.
2. Click the site name.
3. Click the "Logging" icon.
4. Click "View log file".
5. When log file is displayed, review source IP information in log entries and verify entries do not reflect the IP address of the proxy server.

If the website is not behind a load balancer or proxy server, this is Not Applicable.

If the log entries in the log file(s) reflect the IP address of the proxy server as the source, this is a finding.

If provisions have been made to log the client IP via another field (i.e., utilizing X-Forwarded-For), this is not a finding.
Fix Text
Access the proxy server through which inbound web traffic is passed and configure settings to pass web traffic to the IIS 10.0 web server transparently.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be NOT APPLICABLE on 10/23/2025 Site: Default Web Site ResultHash: 2DD143332C0C53AB5EB35B604B56FEEE445E829C ~~~~~ ASP.NET is not installed so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be NOT A FINDING on 10/23/2025 Site: Exchange Back End ResultHash: 4DAFD73A73E142C404EAA5FA34EAB3F3718A717C ~~~~~ Mode is set to 'InProc' Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be NOT A FINDING on 10/23/2025 Site: Default Web Site ResultHash: 4DAFD73A73E142C404EAA5FA34EAB3F3718A717C ~~~~~ Mode is set to 'InProc' Comments |
|||||
Check Text
Note: If ASP.NET is not installed, this is Not Applicable.

Follow the procedures below for each site hosted on the IIS 10.0 web server:

1. Open the IIS 10.0 Manager.
2. Click the site name.
3. Under the "ASP.NET" section, select "Session State".
4. Under "Session State" Mode Settings, verify the "In Process" mode is selected.

If the "In Process" mode is selected, this is not a finding.

Alternative method:

1. Click the site name.
2. Select "Configuration Editor" under the "Management" section.
3. From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState".
4. Verify the "mode" reflects "InProc".

If the "mode" is not set to "InProc", this is a finding.

If the system being reviewed is part of a Web Farm, interview the System Administrator to ensure Session State Tracking is enabled via a SQL server, or other means. If Session State Tracking is enabled on the Web Farm, this is not a finding.
Fix Text
Follow the procedures below for each site hosted on the IIS 10.0 web server:

1. Open the IIS 10.0 Manager.
2. Click the site name.
3. Under the ASP.NET section, select "Session State".
4. Under "Session State" Mode Settings, select the "In Process" mode.