The DBMS must allow all remote access to be routed through managed access control points.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32186	SRG-APP-000017-DB-000037	SV-42503r1_rule		Medium

Description
This requirement relates to the use of applications providing remote access services. Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will typically occur over either the public Internet or the Public Switched Telephone Network (PSTN). Please note, utilization of a virtual private network when adequately provisioned with appropriate security controls, is considered an internal network and is not considered remote access. Without centralized control of inbound connections, management of these access points is difficult at best. It is critical that applications providing or offering remote access capabilities also have the capability to route the access through managed access control points. One example is the use of software applications, such as PCAnywhere or Terminal Services. Rather than having PCAnywhere installed on multiple systems, remote access software must have the capability to be centrally managed and controlled, so there are not multiple disparate access points into the environment.

Description

This requirement relates to the use of applications providing remote access services. Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will typically occur over either the public Internet or the Public Switched Telephone Network (PSTN). Please note, utilization of a virtual private network when adequately provisioned with appropriate security controls, is considered an internal network and is not considered remote access. Without centralized control of inbound connections, management of these access points is difficult at best. It is critical that applications providing or offering remote access capabilities also have the capability to route the access through managed access control points. One example is the use of software applications, such as PCAnywhere or Terminal Services. Rather than having PCAnywhere installed on multiple systems, remote access software must have the capability to be centrally managed and controlled, so there are not multiple disparate access points into the environment.

STIG	Date
Database Security Requirements Guide	2012-07-02

Details

Check Text ( C-40691r3_chk )
Review database settings to determine if the database is configured to accept remote connections. If the database is not configured to accept remote connections, this is NA. Review DBMS vendor documentation and verify the DBMS does not preclude remote access from coming from a managed access control point. If the DBMS does not allow remote connections to come from a centrally managed access point, this is a finding.

Check Text ( C-40691r3_chk )

Review database settings to determine if the database is configured to accept remote connections. If the database is not configured to accept remote connections, this is NA.

Review DBMS vendor documentation and verify the DBMS does not preclude remote access from coming from a managed access control point. If the DBMS does not allow remote connections to come from a centrally managed access point, this is a finding.

Fix Text (F-36110r1_fix)
Utilize a DBMS product that will accept remote connections passed through a centrally managed access point.