Symmetric keys should use a master key, certificate, or asymmetric key to encrypt the key.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-15168	DM6183-SQLServer9	SV-23862r2_rule	IAKM-1 IAKM-2 IAKM-3	Medium

Description
Symmetric keys are vulnerable if the symmetric key encryption is not protected from disclosure. Symmetric keys are well protected by use of either the database or the service master key. Where access by DBA's is not acceptable, use of the application code-signing certificate can be used to provide protection.

STIG	Date
Microsoft SQL Server 2005 Database Security Technical Implementation Guide	2015-06-16

Details

Check Text ( C-13837r2_chk )
From the query prompt: SELECT name FROM [master].sys.databases WHERE state = 0 Repeat for each database: From the query prompt: USE [database name] SELECT s.name, k.crypt_type_desc FROM sys.symmetric_keys s, sys.key_encryptions k WHERE s.symmetric_key_id = k.key_id AND k.crypt_type IN ('KSKP', 'ESKS') AND s.principal_id <> 1 ORDER BY s.name, k.crypt_type_desc Review any symmetric keys that have been defined against the System Security Plan. If any keys are defined that are not documented in the System Security Plan, this is a Finding. Review the System Security Plan to review the encryption mechanism specified for each symmetric key. If the method does not indicate use of certificates, this is a Finding. If the certificate specified is not a DOD PKI certificate, this is a Finding.

Check Text ( C-13837r2_chk )

From the query prompt:

SELECT name
FROM [master].sys.databases
WHERE state = 0

Repeat for each database:

From the query prompt:

USE [database name]
SELECT s.name, k.crypt_type_desc
FROM sys.symmetric_keys s, sys.key_encryptions k
WHERE s.symmetric_key_id = k.key_id
AND k.crypt_type IN ('KSKP', 'ESKS')
AND s.principal_id <> 1
ORDER BY s.name, k.crypt_type_desc

Review any symmetric keys that have been defined against the System Security Plan.

If any keys are defined that are not documented in the System Security Plan, this is a Finding.

Review the System Security Plan to review the encryption mechanism specified for each symmetric key. If the method does not indicate use of certificates, this is a Finding.

If the certificate specified is not a DOD PKI certificate, this is a Finding.

Fix Text (F-14858r1_fix)
Configure or alter symmetric keys to encrypt keys with certificates or authorized asymmetric keys: From the query prompt: ALTER SYMMETRIC KEY [key name] ADD ENCRYPTION BY CERTIFICATE [certificate name] ALTER SYMMETRIC KEY [key name] DROP ENCRYPTION BY [password, symmetric key or asymmetric key] The symmetric key must specify a certificate or asymmetric key for encryption. The certificate may be the code-signing certificate used by the application.

Fix Text (F-14858r1_fix)

Configure or alter symmetric keys to encrypt keys with certificates or authorized asymmetric keys:

From the query prompt:

ALTER SYMMETRIC KEY [key name] ADD ENCRYPTION BY CERTIFICATE [certificate name]
ALTER SYMMETRIC KEY [key name] DROP ENCRYPTION BY [password, symmetric key or asymmetric key]

The symmetric key must specify a certificate or asymmetric key for encryption.

The certificate may be the code-signing certificate used by the application.