Over the past few years I have learned, through a lot of struggle and pain, the process of applying DISA STIGs to SQL Server both at the database and instance level.

This blog post series will aim to help the Jr DBA, accidental DBA or even the seasoned DBA that just needs help/clarification on how to apply DISA STIGs to their SQL Server environment.

But first things first:

What Does DISA STIG Stand For?

DISA, Defense Information Systems Agency, has created the STIG, Security Technical Implementation Guide, which is a guide of standards that secure your network. The STIG addresses methods to secure vulnerabilities on networking, firewall, OS, hardware, database servers, systems. You can read more about it here.

I created all STIG-related URLs in the below format:


If you have a specific SQL Server V# you want to search for, you can try and replace the bolded V# above and see if that link takes you to the specific V# you’re looking for.

If you have any additional questions that aren’t addressed in the blog, feel free to contact me. I’d be more than happy to help you out.


At first glance, the STIG checklist can be overwhelming due to the amount of information that exists per “finding.” I will do my best to minimize the “fluff” and focus on what you need to fix.

Each item on the checklist has the following:

Finding ID = i.e. V-40907
Severity = High, Medium, Low
Title = Title of actual finding
Description = A description of what the finding is
Details = Details on how to check for the finding. The details section also includes a “fix” section that sometimes provides a nice resolution or further confusion. :)

I will focus on the High severity levels first. Feel free to use the search bar for your specific Finding ID (i.e. V#).

Click here to get a list of STIGs posted on this blog.