What's a STIG?

STIGs 

STIG stands for Security Technical Implementation Guide, and there are many STIGs created by the Field Security Office (FSO) of the Information Assurance Support Environment (IASE) of the Defense Information Systems Agency (DISA) for the Department of Defense (DoD). Got that? Good, 'cause there will be a quiz later. Each STIG covers one general I.T. topic, such as the Database STIG.

Wait... The Defense Department? So are these STIGs highly classified Federal government secrets and if you see them, they'll make you disappear or erase your memory? Nah, they make the STIGs public information, and they're commonly used by many organizations that want the best security possible for their I.T.

Checklists
For each general STIG, there are one or more general or specific Security Checklists, such as the "Database Security Checklist for MS SQL Server 2005, Version 8, Release 1.2".

SRR Scripts
For each Security Checklist, there may be one or more Security Readiness Review (SRR) scripts, each of which is intended to help administrators determine if their systems comply with the appropriate STIG. For example, you can download an SRR for SQL Server named sql_server_script_v8r1-2_2009_06_26.zip. When you extract the zip file, you'll find an executable named SQLServer_20090701.exe, a readme file, release notes, and a set of .swp files (such as dbsrr-sql-i9.swp). There's a .swp file for each version of SQL Server. The executable brings up a graphic interface that walks you through targeting a SQL Server instance, then it reads the .swp files, runs some queries, and outputs reports which list checklist items that failed the checks. The reports also include some checklist items that must be checked manually.

Here's a tip for ya: The .swp files are T-SQL scripts, so you can load them and read them color-coded in SQL Server Management Studio (SSMS) or Query Analyzer (QA). If you've got .sql associated with SSMS or QA, just rename the .swp files to .sql and you can then double-click them to open them, examine the code that performs the checks, and compare the code against the Checklist and the STIG. You can run the checks all at once, or you can tweak the variables to run one check at a time.

If you fellow T-SQL geeks find any errors or weaknesses in an SRR script, contact me here and I'll pass it along to get fixed, but I'm gonna try to find them all before you do.

I've also got a few scripts I use to make changes to a default SQL Server configuration to make it compliant with the Database STIG, and I'll be posting those here from time to time.

Cheers,

John

REFERENCES

STIGs
https://iase.disa.mil/stigs/stig/index.html

Security Checklists
https://iase.disa.mil/stigs/checklist/index.html

Security Readiness Review scripts
https://iase.disa.mil/stigs/SRR/index.html

FSO Security Whitepapers
https://iase.disa.mil/stigs/whitepaper/index.html