A new feature added to Redgate Monitor Enterprise automatically checks CIS compliance. CIS compliance is something many enterprises think about, because their auditors use it as a benchmark.
If you’ve never looked at the Center for Internet Security, you ought to glance at their site and check out the benchmarks they publish for many systems.
This is part of a series of posts on Redgate Monitor. Click to see the other posts.
The CIS SQL Server Benchmark
You might get asked by an auditor how you know your SQL Server estate is secure. There are lots of things you can do, but an easy one is being CIS compliant. CIS publishes benchmarks for many SQL Server versions. You can download the benchmark from CIS as a PDF, go through it, and then compare each recommendation to the configuration of your SQL Server instances.
That’s not complex, but it is complicated. There are lots of moving parts: where do you keep the benchmark data, how do you compare it to your instances, how do you ensure it’s up to date, and how do you get notified when an instance drifts out of compliance?
This is a simple job, but it is labor intensive, boring, and tedious. There’s a better way.
Redgate Monitor Compliance
We’ve added a compliance section to Redgate Monitor, which I’ve written about in the context of finding older versions. We have also added a CIS Benchmark template to this section.
At the top of Redgate Monitor, there is a Security section and Compliance is under this.
When I get to the compliance screen, on the right side, I have a drop-down for the templates. We’ve pre-loaded the CIS Benchmark in here. I can select that to see how compliant I am.
In this case, I’ve filtered to the SSC servers, and when I do that, I see that I’m mostly compliant, but just barely. I say me, but this is our IT group that manages the config.
There is a disclaimer at the top, which you should note. It links here, where the docs note that this is a built-in template that cannot be deleted or changed. It can be duplicated. Note that this template is only for SQL Server 2022.
If I click a server, I see the details of where I am and am not compliant. In this case, things like Database Mail ought to be disabled.
I can’t change settings from here, but I can export this as a report and work on remediation. If I want a template that is like CIS but with a justified exception, such as Cost threshold for parallelism set to a different value, I can duplicate this template and alter it.
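If you want to see what the manual comparison described earlier looks like for the kind of finding shown here (Database Mail enabled), the following T-SQL is an added example, not Redgate Monitor’s code. The expected values are the surface-area settings that the CIS SQL Server benchmarks recommend be set to 0; confirm each one against the benchmark PDF for your SQL Server version before relying on it. Editing the @expected table is the hand-rolled equivalent of duplicating the template to record an approved exception.

```sql
-- Constructed example: a CIS-style configuration check for one SQL Server instance.
-- Not Redgate Monitor's code. Expected values are the CIS "surface area reduction"
-- recommendations (all 0); verify against the benchmark PDF for your version.
DECLARE @expected TABLE (setting nvarchar(64) PRIMARY KEY, expected_value int NOT NULL);
INSERT INTO @expected (setting, expected_value) VALUES
    (N'Ad Hoc Distributed Queries',  0),
    (N'clr enabled',                 0),
    (N'cross db ownership chaining', 0),
    (N'Database Mail XPs',           0),   -- the finding named in the post
    (N'Ole Automation Procedures',   0),
    (N'remote access',               0),
    (N'remote admin connections',    0),   -- CIS applies this to non-clustered instances
    (N'scan for startup procs',      0),
    (N'xp_cmdshell',                 0);

-- value_in_use is what the running instance actually honours;
-- "value" may be a change still waiting for a RECONFIGURE or restart.
SELECT e.setting,
       e.expected_value,
       CAST(c.value_in_use AS int) AS actual_value,
       CASE WHEN c.name IS NULL THEN 'Not present on this version'
            WHEN CAST(c.value_in_use AS int) = e.expected_value THEN 'Pass'
            ELSE 'Fail'
       END AS result
FROM @expected AS e
LEFT JOIN sys.configurations AS c ON c.name = e.setting
ORDER BY result, e.setting;

-- CIS also expects TRUSTWORTHY to be off on every user database (msdb is the exception).
SELECT name AS database_name
FROM sys.databases
WHERE is_trustworthy_on = 1
  AND name <> N'msdb';
```

Run it against each instance and keep the results; a 'Fail' row is a remediation item, and a 'Not present on this version' row means the option does not exist on that release, so the recommendation does not apply rather than failing. Rows the instance cannot reach through sp_configure (for example, options that need 'show advanced options' to be visible in the UI) are still returned by sys.configurations, so the query does not depend on that setting.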
Summary
Auditing and compliance are becoming more important at many organizations, especially in light of the major data breaches and other incidents that many organizations have experienced. Compliance checks might even be required by insurance companies, who want to ensure that you have not left open configurations that could become attack vectors.
If you haven’t tried the compliance templates in Redgate Monitor, give them a try, or have a play at monitor.red-gate.com.
Redgate Monitor is a world class monitoring solution for your database estate. Download a trial today and see how it can help you manage your estate more efficiently.