SQL 2008 STIGs and SharePoint 2010


  • I am looking for information on any resources or links on making SQL 2008 R2 STIG compliant when used with SharePoint 2010.

    I am designing a new SharePoint 2010 farm for a government agency. Part of the requirements is that SQL and the underlying Windows 2008 R2 be STIG compliant.

    My main issue is that, from my understanding and that of others, one of the STIG requirements for SQL is that it not provide any other services or have IIS running. My experience with the previous SharePoint in a farm is to first install and then run the configuration wizard on the SQL server first to establish the Configuration database for the farm and the Central Administration site.

    How can I set up a new farm and not have the SQL server host the Admin site or be required to run IIS? I am thinking of setting up the new farm and then moving the features to the web front end server or the application server, but if there is a better way please let me know.

    The farm we will be setting up will include 1 web front end server, 1 SQL server (STIG compliant), and 1 application server running search and other shared services. Also, we are installing Project Server 2010 to run on the other application server.

    I am not sure this is the right forum but since the SQL STIG requirements are essential I am posting here. Is there a Forum for SharePoint and Project 2010 or one for government compliance?

    Also, is there some good documentation for setting up a SharePoint farm and manually configuring it? From my searches I understand that it is best not to run the farm configuration wizard from Central Administration once you have installed and run the basic configuration wizard for SharePoint. If that is the case, where can I find some information on manually configuring the farm? Also, in a SharePoint farm, what has to be on the SQL server, and are there any STIG compliance issues?

    Any information is appreciated. Since there is not a STIG for SharePoint my main focus is making the SQL server in the farm STIG compliant.

    Thank You

    Thursday, September 30, 2010 11:27 PM


All replies

  • The database server does not require IIS. The SP Central Administration site is installed on the web server, not the database server. The db server hosts the databases (not the sites), e.g. SharePoint_AdminContent_guid, SharePoint_Config and the site content databases.

    For your 3-tier configuration see:

    For manual steps see the following:

    Monday, October 04, 2010 3:10 AM

  • As Stephen said, you do not need IIS on the SQL server.

    There is now a SharePoint 2010 STIG that should be used for compliance.

    I do have related questions. To apply STIGs on a SharePoint 2-tier farm (1 web front end - WFE, 1 SQL backend - SQL) using SharePoint 2010 and SQL 2008 you need to cover the following:

    - OS STIG (WFE, SQL)

    - IIS STIGs server and site (WFE)

    - SQL 2008 STIGs (SQL) -> does not exist, use SQL 2005?

    For SQL 2008, since it does not exist, the 2005 version is the next (applicable) one. However based on we may not even be able to check compliance (basic Select statements) without possibly causing the installation to be unsupported. Is there any better guidance on SQL 2008 STIGs on SharePoint 2010?

    For IIS, is there Microsoft guidance on what IIS settings should/should not be configured or a range/limit of settings allowed? Looks like the community recommends do not touch, but is there a KB similar to the one for databases above?

    Thank you!

    • Proposed as answer by TDW-Mark Wednesday, March 19, 2014 1:36 PM
    Thursday, November 08, 2012 11:07 PM