Asymmetric keys used by the DBMS for encryption of sensitive data should use DoD PKI Certificates. Private keys used by the DBMS should be protected in accordance with NIST (unclassified data) or NSA (classified data) approved key management and processes.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-15142	DG0166-SQLServer9	SV-19465r1_rule	IAKM-1 IAKM-2 IAKM-3	Medium

Description
Encryption is only effective if the encryption method is robust and the keys used to provide the encryption are not easily discovered. Without effective encryption, sensitive data is vulnerable to unauthorized access.

STIG	Date
Microsoft SQL Server 2005 Database Security Technical Implementation Guide	2015-04-03

Details

Check Text ( None )
None

Fix Text (F-18431r1_fix)
Use DOD code-signing certificates to create asymmetric keys stored in the database and used to encrypt sensitive data stored in the database. Assign the application object owner account as the owner of the asymmetric key. Create audit events for access to the key by other than the application owner account or approved application objects. Revoke any privileges assigned to the asymmetric key to other than the application object owner account and authorized users. Protect the private key by encrypting it with the database or service master key.

Fix Text (F-18431r1_fix)

Use DOD code-signing certificates to create asymmetric keys stored in the database and used to encrypt sensitive data stored in the database.

Assign the application object owner account as the owner of the asymmetric key.

Create audit events for access to the key by other than the application owner account or approved application objects.

Revoke any privileges assigned to the asymmetric key to other than the application object owner account and authorized users.

Protect the private key by encrypting it with the database or service master key.