SQL vulnerability assessment rules changelog

This article details the changes made to the SQL vulnerability assessment service rules. Rules that are updated, removed, or added will be outlined below. For an updated list of SQL vulnerability assessment rules, see SQL vulnerability assessment rules.

September 2023

| Rule ID | Rule Title | Change details |
|---|---|---|
| VA1018 | Latest updates should be installed | Logic change |

July 2023

| Rule ID | Rule Title | Change details |
|---|---|---|
| VA2129 | Changes to signed modules should be authorized | Logic change |

June 2022

| Rule ID | Rule Title | Change details |
|---|---|---|
| VA2129 | Changes to signed modules should be authorized | Logic change |
| VA1219 | Transparent data encryption should be enabled | Logic change |
| VA1047 | Password expiration check should be enabled for all SQL logins | Logic change |

January 2022

| Rule ID | Rule Title | Change details |
|---|---|---|
| VA1288 | Sensitive data columns should be classified | Removed rule |
| VA1054 | Minimal set of principals should be members of fixed high impact database roles | Logic change |
| VA1220 | Database communication using TDS should be protected through TLS | Logic change |
| VA2120 | Features that may affect security should be disabled | Logic change |
| VA2129 | Changes to signed modules should be authorized | Logic change |

June 2021

| Rule ID | Rule Title | Change details |
|---|---|---|
| VA1220 | Database communication using TDS should be protected through TLS | Logic change |
| VA2108 | Minimal set of principals should be members of fixed high impact database roles | Logic change |

December 2020

| Rule ID | Rule Title | Change details |
|---|---|---|
| VA1017 | Execute permissions on xp_cmdshell from all users (except dbo) should be revoked | Title and description change |
| VA1021 | Global temporary stored procedures should be removed | Removed rule |
| VA1024 | C2 Audit Mode should be enabled | Removed rule |
| VA1042 | Database ownership chaining should be disabled for all databases except for master, msdb, and tempdb | Description change |
| VA1044 | Remote Admin Connections should be disabled unless specifically required | Title and description change |
| VA1047 | Password expiration check should be enabled for all SQL logins | Title and description change |
| VA1051 | AUTO_CLOSE should be disabled on all databases | Description change |
| VA1053 | Account with default name 'sa' should be renamed or disabled | Description change |
| VA1067 | Database Mail XPs should be disabled when it is not in use | Title and description change |
| VA1068 | Server permissions shouldn't be granted directly to principals | Logic change |
| VA1069 | Permissions to select from system tables and views should be revoked from non-sysadmins | Removed rule |
| VA1090 | Ensure all Government Off The Shelf (GOTS) and Custom Stored Procedures are encrypted | Removed rule |
| VA1091 | Auditing of both successful and failed login attempts (default trace) should be enabled when 'Login auditing' is set up to track logins | Description change |
| VA1098 | Any Existing SSB or Mirroring endpoint should require AES connection | Logic change |
| VA1103 | Use only CLR with SAFE_ACCESS permission | Removed rule |
| VA1219 | Transparent data encryption should be enabled | Description change |
| VA1229 | Filestream setting in registry and in SQL Server configuration should match | Removed rule |
| VA1230 | Filestream should be disabled | Description change |
| VA1231 | Filestream should be disabled (SQL) | Removed rule |
| VA1234 | Common Criteria setting should be enabled | Removed rule |
| VA1235 | Replication XPs should be disabled | Title, description, and logic change |
| VA1252 | List of events being audited and centrally managed via server audit specifications. | Removed rule |
| VA1253 | List of DB-scoped events being audited and centrally managed via server audit specifications. | Removed rule |
| VA1263 | List all the active audits in the system | Removed rule |
| VA1264 | Auditing of both successful and failed login attempts should be enabled | Description change |
| VA1266 | The 'MUST_CHANGE' option should be set on all SQL logins | Removed rule |
| VA1276 | Agent XPs feature should be disabled | Removed rule |
| VA1281 | All memberships for user-defined roles should be intended | Logic change |
| VA1282 | Orphan roles should be removed | Logic change |
| VA1286 | Database permissions shouldn't be granted directly to principals (OBJECT or COLUMN) | Removed rule |
| VA1288 | Sensitive data columns should be classified | Description change |
| VA2030 | Minimal set of principals should be granted database-scoped SELECT or EXECUTE permissions | Removed rule |
| VA2033 | Minimal set of principals should be granted database-scoped EXECUTE permission on objects or columns | Description change |
| VA2062 | Database-level firewall rules should not grant excessive access | Description change |
| VA2063 | Server-level firewall rules should not grant excessive access | Description change |
| VA2100 | Minimal set of principals should be granted high impact server-scoped permissions | Removed rule |
| VA2101 | Minimal set of principals should be granted medium impact server-scoped permissions | Removed rule |
| VA2102 | Minimal set of principals should be granted low impact server-scoped permissions | Removed rule |
| VA2103 | Unnecessary execute permissions on extended stored procedures should be revoked | Logic change |
| VA2104 | Execute permissions on extended stored procedures should be revoked from PUBLIC | Removed rule |
| VA2105 | Login password should not be easily guessed | Removed rule |
| VA2108 | Minimal set of principals should be members of fixed high impact database roles | Logic change |
| VA2111 | Sample databases should be removed | Logic change |
| VA2112 | Permissions from PUBLIC for Data Transformation Services (DTS) should be revoked | Removed rule |
| VA2113 | Data Transformation Services (DTS) permissions should only be granted to SSIS roles | Description and logic change |
| VA2114 | Minimal set of principals should be members of high impact fixed server roles | Logic change |
| VA2115 | Minimal set of principals should be members of medium impact fixed server roles | Removed rule |
| VA2120 | Features that may affect security should be disabled | Logic change |
| VA2121 | 'OLE Automation Procedures' feature should be disabled | Title and description change |
| VA2123 | 'Remote Access' feature should be disabled | Removed rule |
| VA2126 | Features that may affect security should be disabled | Title, description, and logic change |
| VA2127 | 'External Scripts' feature should be disabled | Removed rule |
| VA2129 | Changes to signed modules should be authorized | Platform update |
| VA2130 | Track all users with access to the database | Description and logic change |
