This post is to provide a little enlightenment to folks who have never STIG'd a database system before and assume that the process is a one-time configuration. It's not. It's not even close.
STIG compliance requires:
So, you can't STIG anything by yourself. It's a team effort, and it's a permanent, ongoing process.
The general process for a DBA STIGing a new system is:
Note that many findings listed by the SRR script are Manual Review (MR) findings. This means it's something that T-SQL can't evaluate, such as determining whether or not a written System Security Plan exists. The SRR spits out the comprehensive list of MR findings, but in some cases multiple findings can be corrected with a single action, such as creating a written System Security Plan.