SQL STIG 2014/2016

Configures all of the settings required by the SQL 2014 Draft STIG, excluding the Logon Trigger requirement (I find this to essentially break every time) and TDE.

Run both the Set-SQLInstanceStigItems and Set-SQLDatabaseStigItems to completely STIG the Instance. Requires some prior setup for SQL Agent Operators and Windows and/or Local Groups.

Installation Options

Copy and paste the following command to install this package using PowerShellGet:

Install-Module -Name SqlStig

Copy and paste the following command to install this package using Microsoft.PowerShell.PSResourceGet:

Install-PSResource -Name SqlStig

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation.

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies.



(c) 2016 . All rights reserved.

Package Details


  • Michael Haken


SQL STIG Database DB Security


  • Set-SQLInstanceStigItems
  • Set-SQLDatabaseStigItems
  • Set-SQLInstanceForceEncryption
  • Set-SQLInstanceDatabaseFilePermissions
  • Set-SQLInstanceInstallationFilesPermissionsAndAuditing
  • Set-SQLInstanceAuditFilePermissions
  • Set-SQLInstanceAuditors
  • Set-SQLInstanceAuditing
  • Set-SQLDatabaseAuditing
  • Set-SQLInstanceManagementRoles
  • Get-SQLInstanceLogin
  • Rename-SQLInstanceAccount
  • Disable-SQLInstanceAccount
  • Set-SQLInstanceXPCmdShell
  • Set-SQLInstanceLoginPasswordPolicies
  • Set-SQLInstanceProtocols
  • Set-SQLInstanceDefaultTrace
  • Add-SQLInstanceLogin
  • Add-SQLInstanceServerRole
  • New-SQLInstanceJobCategory
  • New-SQLAgentJob
  • New-SQLAgentJobStep
  • New-SQLAgentJobSchedule
  • Set-SQLDatabaseTrustworthy
  • Get-SQLInstanceServerRoleMembership
  • New-SQLDatabaseDDLTrigger
  • Get-SQLInstanceErrorLogPath
  • Get-SQLServer
  • Get-SQLInstanceVersion
  • Get-SQLInstanceDetails
  • Get-SQLInstanceDataDirectories
  • Enable-SQLInstanceDatabaseMail
  • New-SQLInstanceDatabaseMailSmtpAccount
  • New-SQLInstanceDatabaseMailProfile
  • Set-SQLInstanceAgentMail
  • Wait-SQLAgentService
  • Get-SQLInstanceDefaultTraceFile
  • Get-SQLInstanceAuditCommandText
  • Get-SQLDatabaseDdlTriggerCommandText
  • New-SQLInstanceDatabaseDirectoryAccessRuleSet
  • New-SQLInstanceAuditLogAccessRuleSet
  • New-SQLInstanceInstallationDirectoryAccessRuleSet
  • New-SQLInstanceInstallationDirectoryAuditRuleSet
  • Get-SQLAuditObjectTypes
  • Import-SqlModule
  • Test-SQLLoginIsSysAdmin


Release Notes

Modified the query to find the SQL agent account.
Removed a few functions that were not SQL specific to the HostUtilities module.

Did major code refactoring, but it does not impact the entry points to run the Instance STIG cmdlet and Database STIG cmdlet. The file permissions and auditing sections should produce much better results.

The Instance STIG cmdlet enables and sets up database mail. If an SMTP server is not provided, you'll need to update that afterwards. This just leaves creating Agent Operators before running the Database STIG cmdlet.


Version History

Version            Downloads  Last updated
(current version)  1,181      3/4/2017
                   34         3/2/2017
                   220        5/13/2016
                   18         5/12/2016
                   20         5/11/2016