Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15654 | DG0165-SQLServer9 | SV-21488r2_rule | IAKM-1 IAKM-2 IAKM-3 | Medium |
Description |
---|
Symmetric keys used for encryption protect data from unauthorized access. However, if not protected in accordance with acceptable standards, the keys themselves may be compromised and used for unauthorized data access. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Database Security Technical Implementation Guide | 2015-06-16 |
Check Text ( C-23695r2_chk ) |
---|
From the query prompt, list the online databases: `SELECT name FROM [master].sys.databases WHERE state = 0` Repeat the following for each database. From the query prompt: `USE [database name]` then `SELECT USER_NAME(grantee_principal_id) FROM sys.database_permissions WHERE class = 0 AND state IN ('G', 'W') AND type = 'CL' ORDER BY USER_NAME(grantee_principal_id)` If no records are returned, this is Not a Finding. If any records are returned, verify they are authorized to have access to manage the Database Master Key. If any are not, this is a Finding. |
Fix Text (F-20181r1_fix) |
---|
Document all users authorized to access the database master key in the System Security Plan. Restrict authorized users to the application, database owner and SYSADMINs. For each unauthorized user, from the query prompt: `REVOKE CONTROL FROM [user name]` |
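
The check text repeats the same permission query in every online database. The following T-SQL is an added example, not part of the STIG, that runs that query across all online databases in one pass and returns a single result set for review against the System Security Plan. The temp table name `#control_grantees` and the `HAS_DBACCESS` filter are assumptions of this example.

```sql
-- Added example: run the DG0165 check query in every online database.
-- Written for SQL Server 2005 syntax (no inline DECLARE initialisation).
SET NOCOUNT ON;

-- Hypothetical temp table name; holds one row per CONTROL grantee found.
CREATE TABLE #control_grantees (
    database_name sysname      NOT NULL,
    grantee       sysname      NULL,      -- NULL if the principal cannot be resolved
    state_desc    nvarchar(60) NOT NULL   -- GRANT or GRANT_WITH_GRANT_OPTION
);

DECLARE @db sysname, @sql nvarchar(max);

-- state = 0 is ONLINE, as in the check text. HAS_DBACCESS is an added filter
-- (assumption) so the loop skips databases the auditing login cannot enter.
DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM [master].sys.databases
    WHERE state = 0 AND HAS_DBACCESS(name) = 1;

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME guards against database names containing ] or spaces.
    -- class = 0 (database), type = 'CL' (CONTROL), state G/W (granted).
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #control_grantees (database_name, grantee, state_desc)
        SELECT DB_NAME(), USER_NAME(grantee_principal_id), state_desc
        FROM sys.database_permissions
        WHERE class = 0 AND state IN (''G'', ''W'') AND type = ''CL'';';
    EXEC sys.sp_executesql @sql;

    FETCH NEXT FROM db_cursor INTO @db;
END

CLOSE db_cursor;
DEALLOCATE db_cursor;

-- An empty result set corresponds to "Not a Finding" for every database checked.
SELECT database_name, grantee, state_desc
FROM #control_grantees
ORDER BY database_name, grantee;

DROP TABLE #control_grantees;
```

Databases skipped by the `HAS_DBACCESS` filter are not covered by the result and still need the manual check from a login that can access them.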