UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

DBMS tools or applications that echo or require a password entry in clear text should be protected from password display.


Overview

Finding ID Version Rule ID IA Controls Severity
V-3813 DG0068-SQLServer9 SV-24215r1_rule IAIA-1 IAIA-2 Medium
Description
Database applications may allow for entry of the account name and password as a visible parameter of the application execution command. This practice should be prohibited and disabled, if possible, by the application. If it cannot be disabled, users should be strictly instructed not to use this feature. Typically, the application will prompt for this information and accept it without echoing it on the users computer screen.
STIG Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide 2015-04-03

Details

Check Text ( C-28572r1_chk )
Interview the DBA to determine if any applications that access the database (such as sqlcmd, etc.) allow for entry of the account name and password on the command line.

If any applications exist and are in use, ask the DBA if users have been instructed not to include passwords on the command line and if these applications are monitored for compliance.

If documentation of instruction and monitoring are not being performed, this is a Finding.
Fix Text (F-24465r1_fix)
Configure or modify applications to prohibit display of passwords in clear text on the command line if possible.

Implement policy and train users to prohibit entry of passwords on the command line for applications that cannot be modified or configured to deny this. Remove any applications that can access the database if they are not being used or cannot be monitored.