SQL Server Updates

The document outlines the importance of keeping SQL Server updated with the latest patches and service packs to mitigate vulnerabilities. It also recommends changing the default TCP port for better security, using Windows Authentication for stronger validation, and ensuring SQL logins comply with secure password policies. Additionally, it provides specific recommendations for patching, port configuration, and authentication settings, along with comments from stakeholders regarding the proposed updates.

Finding 1
Title: Latest SQL Server Service Packs and Hotfixes are not Installed
Description: SQL Server patches contain program updates that fix security and product functionality issues found in the software. These patches can be installed with a hotfix (a single patch), a cumulative update (a small group of patches) or a service pack (a large collection of patches). The SQL Server version and patch level should be the most recent that is compatible with the organization's operational needs.
Impact: Using the most recent SQL Server software, along with all applicable patches, can help limit the possibilities for vulnerabilities in the software. The installation version and/or patches applied during setup should be established according to the needs of the organization.
Severity: High
Affected Devices: 10.101.37.161
Recommendations: Identify the current version and patch level of your SQL Server instances and ensure they contain the latest security fixes. Make sure to test these fixes in your test environments before updating production instances.
DBA Comments: 10.101.37.161 has SQL Server 2019 CU17 whereas the latest available patch is CU21. Please provide downtime and approval to perform patching via CR.

Finding 2
Title: SQL Server is not configured to use non-standard ports
Description: If enabled, the default SQL Server instance will be assigned a default port of TCP:1433 for TCP/IP communication. Administrators can also configure named instances to use TCP:1433 for communication. TCP:1433 is a widely known SQL Server port and this port assignment should be changed.
Impact: Changing the default port will force the DAC (Dedicated Administrator Connection) to listen on a random port. Also, it might make benign applications, such as application firewalls, require special configuration. In general, you should set a static port for consistent usage by applications, including firewalls, instead of using dynamic ports, which will be chosen randomly at each SQL Server start-up.
Severity: Medium
Affected Devices: 10.101.37.161
Recommendations: Change the TCP Port field from 1433 to another non-standard port, or leave the TCP Port field empty and set the TCP Dynamic Ports value to 0 to enable dynamic port assignment, and then click OK.
DBA Comments: Please check with the Application vendor if the application supports customized port for SQL Server.

Finding 3
Title: 'Server Authentication' Property is not set to 'Windows Authentication Mode'
Description: Uses Windows Authentication to validate attempted connections.
Impact: Windows provides a more robust authentication mechanism than SQL Server authentication. Changing the login mode configuration requires a restart of the service.
Severity: Low
Affected Devices: 10.101.37.161
Recommendations: Set the Server authentication setting to Windows Authentication Mode. Restart the SQL Server service for the change to take effect.
DBA Comments: Please check with the Application vendor if Window

Finding 4
Title: 'CHECK_EXPIRATION' Option is not set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role
Description: Applies the same password expiration policy used in Windows to passwords used inside SQL Server.
Impact: Ensuring SQL logins comply with the secure password policy applied by the Windows Server Benchmark will ensure the passwords for SQL logins with sysadmin privileges are changed on a frequent basis to help prevent compromise via a brute-force attack. CONTROL SERVER is an equivalent permission to sysadmin, and logins with that permission should also be required to have expiring passwords.
Severity: Low
Affected Devices: 10.101.37.161
Recommendations: For each <login_name> found by the Audit Procedure, execute the following T-SQL statement: ALTER LOGIN [<login_name>] WITH CHECK_EXPIRATION = ON;
DBA Comments: All SQL Server authenticated logins with sysadmin p

Epiroc Comments
Yes HZL can go with updating to latest 2019 package, that is not a problem and approved from our side
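The four findings above can be verified from a single T-SQL session before any change is approved. The script below is an added example, not part of the original document or of any vendor benchmark; it assumes the caller holds VIEW SERVER STATE and VIEW ANY DEFINITION (or is sysadmin), and it only reads configuration and generates the remediation statements without executing them.

```sql
-- Finding 1: installed version and patch level (compare ProductUpdateLevel
-- against the latest cumulative update published for this branch).
SELECT SERVERPROPERTY('ProductVersion')     AS product_version,
       SERVERPROPERTY('ProductLevel')       AS product_level,        -- RTM, SP1, ...
       SERVERPROPERTY('ProductUpdateLevel') AS product_update_level; -- CU17, CU21, ...

-- Finding 2: configured listener ports. TcpPort = 1433 on IPAll means the
-- instance is on the well-known port; a value in TcpDynamicPorts means a
-- random port is chosen at each start-up.
SELECT registry_key, value_name, value_data
FROM sys.dm_server_registry
WHERE registry_key LIKE '%SuperSocketNetLib\Tcp\IPAll'
  AND value_name IN ('TcpPort', 'TcpDynamicPorts');

-- Finding 3: server authentication mode. 1 = Windows Authentication Mode,
-- 0 = Mixed Mode (SQL Server and Windows Authentication).
SELECT CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
         WHEN 1 THEN 'Windows Authentication Mode'
         ELSE 'Mixed Mode (SQL Server and Windows Authentication)'
       END AS server_authentication;

-- Finding 4: SQL-authenticated logins that hold sysadmin or CONTROL SERVER
-- but are not subject to password expiration. Each row carries the exact
-- ALTER LOGIN statement the recommendation asks for; review, then run.
SELECT l.[name]                  AS login_name,
       l.is_expiration_checked,
       IS_SRVROLEMEMBER('sysadmin', l.[name]) AS is_sysadmin,
       'ALTER LOGIN ' + QUOTENAME(l.[name]) + ' WITH CHECK_EXPIRATION = ON;'
                                 AS remediation_statement
FROM sys.sql_logins AS l
WHERE l.is_expiration_checked = 0
  AND l.[name] NOT LIKE '##%'            -- skip internal certificate-based logins
  AND (   IS_SRVROLEMEMBER('sysadmin', l.[name]) = 1
       OR EXISTS (SELECT 1
                  FROM sys.server_permissions AS p
                  WHERE p.grantee_principal_id = l.principal_id
                    AND p.[type]  = 'CL'        -- CONTROL SERVER
                    AND p.[state] IN ('G', 'W')) -- GRANT / GRANT WITH GRANT OPTION
      );
```

The last result set is empty when Finding 4 is already remediated; on the affected host each returned row corresponds to one login that still needs CHECK_EXPIRATION enabled.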
