Details

By default, Microsoft SQL Server enables participation in the customer experience improvement program (CEIP). This program collects information about how its customers are using the product. Specifically, SQL Server collects information about the installation experience, feature usage, and performance. This information helps Microsoft improve the product to better meet customer needs. The Local Audit component of SQL Server Usage Feedback collection writes data collected by the service to a designated folder, representing the data (logs) that will be sent to Microsoft. The purpose of the Local Audit is to allow customers to see all data Microsoft collects with this feature, for compliance, regulatory or privacy validation reasons.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure the instance to audit telemetry data. More information about auditing telemetry data can be found at https://msdn.microsoft.com/en-us/library/mt743085.aspx.

Create a folder to store the telemetry audit data in.

Grant the SQLTELEMETRY service the following permissions on the folder:

– List folder contents
– Read
– Write

Create and configure the following registry key:
Note: InstanceId refers to the type and instance of the feature. (e.g., MSSQL13.SqlInstance, MSAS13.SSASInstance, MSRS13.SSRSInstance)

HKEY_LOCAL_MACHINESOFTWAREMicrosoftMicrosoft SQL Server[InstanceId]CPEUserRequestedLocalAuditDirectory [string]

Set the ‘UserRequestedLocalAuditDirectory’ key value to the path of the telemetry audit folder.

Set the telemetry service to start automatically. Restart the service.
– For Database Engine, use SQL Server CEIP service ().
– For Analysis Services, use SQL Server Analysis Services CEIP ().

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2016_Y22M01_STIG.ziphttps://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2016_Y22M01_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Windows.

References

• 800-53|CM-6b.
• CAT|II
• CCI|CCI-000366
• CSCv6|9.1
• Rule-ID|SV-214027r754672_rule
• STIG-ID|SQL6-D0-016100
• STIG-Legacy|SV-94021
• STIG-Legacy|V-79315
• Vuln-ID|V-214027

Source

• Tenable.com/audits