Database Installation Checklist

Cross-check the target version (e.g., SQL Server 2022 CU14, PostgreSQL 16.4, Oracle 19c) against the OS build, CPU architecture, and any application certification matrices. Installing on a near-EOL combination is a common reason patches stall later.

Compare projected workload against vendor-published sizing (vCPU, RAM, IOPS, log throughput). Right-size before VM provisioning — resizing a SQL VM after install often triggers Microsoft licensing true-up surprises.

Use separate LUNs or managed disks per workload type with the IOPS tier the vendor recommends. Co-locating tempdb and transaction log on the same spindle is a common performance gotcha that surfaces only under load.

Coordinate with the network team for east-west ACLs (Palo Alto, FortiGate, or Cisco Meraki). Document the ports — 1433/1434 SQL Server, 5432 Postgres, 1521 Oracle — plus any replication and Always On endpoints.

File the change request in ServiceNow or Jira Service Management with implementation, test, and rollback plans. Capture the approved CR number — it is the audit trail for SOX ITGC and SOC 2 change-management controls.

Pull the ISO or installer directly from Microsoft VLSC, Oracle Software Delivery Cloud, or the official Postgres mirror — never a third-party download site. Capture the build number and edition for the asset record.

Compute the hash and compare to the vendor's published value. A mismatch means re-download — never proceed with an installer that fails integrity verification, even on a trusted internal mirror.

Use the gMSA or named service account from the AD service-account inventory, not a personal admin or Domain Admin. Hardcoded personal credentials in service contexts are the most common rotation-day breakage.

Match the SKU to the entitlement on file — Enterprise vs. Standard, core-based vs. server-CAL. Selecting an unlicensed feature like Always On or Advanced Security will surface in the next vendor audit as a six-figure true-up.

Set max server memory, MAXDOP, cost threshold for parallelism, and tempdb file count per the vendor and Brent Ozar / pgTune baselines. Defaults are tuned for a laptop demo, not a production workload.

Map db_datareader, db_datawriter, and any custom roles to AD security groups managed in Entra ID — not to individual user logins. Direct user grants are the access-creep pattern that fails the next quarterly access review.

Configure Veeam, Commvault, or Ola Hallengren's maintenance solution per the agreed RPO. Confirm the backup target is separate from the database host and writes to immutable storage — a backup writable from the DB host is encryptable by ransomware.

Apply the 3-2-1 rule with at least one immutable or air-gapped copy (S3 Object Lock, Azure immutable blob, or LTO). Retention should align with the data classification policy, not the default vendor preset.

Rename sa, rotate the password into the password manager (Keeper, Bitwarden, or Hudu Vault), and disable the account if the application stack does not need it. Default-named superuser accounts are the first thing a password sprayer tries.

Lock the host firewall and upstream ACLs to the application tier and admin jump host VLANs only. Database listeners reachable from the user VLAN are a flat-network finding that PCI DSS scope reviews flag every time.

Enable Transparent Data Encryption or pgcrypto / Always Encrypted for columns containing PHI, PCI cardholder data, or other regulated data. Archive the certificate and key material in the HSM or Azure Key Vault — losing the TDE cert is unrecoverable.

If encryption at rest cannot be enabled (legacy app dependency, performance constraint), file a documented exception with the security officer including data classification, compensating controls, and review date. Undocumented exceptions are SOC 2 audit findings.

Configure SQL Server Audit, Postgres pgaudit, or Oracle Unified Auditing to ship to Splunk, Sentinel, or QRadar. Confirm the source shows up in the SIEM index — silent log gaps are a common finding during incident investigation.

Authenticated scan with the vuln-management service account against the new host. Capture the report and review CVSS-high and critical findings before sign-off — go-live with known criticals is an audit trail nobody wants on file.

Execute the standard smoke-test pack: SELECT @@VERSION (or equivalent), CREATE / DROP a test database, write to and read from a sample table, and confirm collation and time zone match the build sheet.

Authenticate end-to-end from the application tier using a test login mapped to the production role. Verifies firewall, listener, TLS, AD group membership, and role grants together — much faster than discovering a missing ACL on go-live morning.

Take the latest full backup and restore it to an isolated sandbox host. A backup that has never been restored is a hope, not a backup — the first restore attempt on incident day should never be the first restore attempt period.

Open a P1 case with the backup vendor (Veeam, Rubrik, Commvault) attaching the job log, restore log, and the failing artifact. Do not move to go-live until restore is proven — a passing nightly job is meaningless without a successful restore.

Generate a known auditable event (failed login, schema change) and confirm it surfaces in the SIEM within the expected window. Closes the loop on the hardening step that enabled forwarding.