
Sensitive data served by the DBMS should be protected by encryption when transmitted across the network.


Overview

Finding ID: V-15104
Version: DG0167-SQLServer9
Rule ID: SV-25395r1_rule
IA Controls: ECCT-1, ECCT-2
Severity: High
Description
Sensitive data served by the DBMS and transmitted across the network in clear text is vulnerable to unauthorized capture and review.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text ( C-23850r1_chk )
If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is Not a Finding.

If no identified sensitive or classified data requires encryption by the Information Owner in the System Security Plan and/or AIS Functional Architecture documentation, this check is Not a Finding.

If encryption requirements are listed and specify configuration at the host system or network device level, review evidence that the configuration meets the specification with the DBA. It may be necessary to review network device configuration evidence or host communications configuration evidence with a Network and/or System Administrator.

If the evidence review does not meet the requirement or specification as listed in the System Security Plan, this is a Finding.

For SQL Server 2005:

If the System Security Plan requires that encryption of sensitive data in transit be enforced by the SQL Server configuration itself, review the instance setting ForceEncryption:

From the SQL Server Configuration Manager GUI:

1. Expand SQL Server 2005 Network Configuration
2. Right-click on Protocols for [instance name]
3. Select Properties
4. Select the Flags tab
5. View the value for ForceEncryption

OR

From the Registry Editor, view the ForceEncryption value under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\SuperSocketNetLib

MSSQL.1 is the instance ID assigned at setup; a named or later-installed instance has a different MSSQL.n ID. The instance-name-to-ID mapping is recorded under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL.

If the value of ForceEncryption is not Yes (as shown in Configuration Manager) or 1 (the REG_DWORD value in the registry), this is a Finding.
Fix Text (F-20163r1_fix)
Configure encryption of sensitive data served by the DBMS in accordance with the specifications provided in the System Security Plan.

Document acceptance of risk by the Information Owner where sensitive or classified data is not encrypted. Have the IAO document assurance that the unencrypted sensitive or classified information is otherwise inaccessible to those who do not have Need-to-Know access to the data.

For SQL Server 2005:

Also see Microsoft KB article 920995 for information on using SQL Server in FIPS 140-2 compliant mode:

http://support.microsoft.com/kb/920995/

To configure encryption using SQL Server features:

From the SQL Server Configuration Manager GUI:

1. Expand SQL Server 2005 Network Configuration
2. Right-click on Protocols for [instance name]
3. Select Properties
4. Select the Flags tab
5. Select Yes for ForceEncryption from the pull-down options
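The following PowerShell script is an added example, not part of the STIG or of any Microsoft tooling. It performs the registry side of the check above for every instance on the host (resolving each instance name to its MSSQL.n folder through the Instance Names\SQL key) and, for the fix, sets ForceEncryption to 1. The function names and the output fields are my own. It assumes a 64-bit SQL Server 2005 on 64-bit Windows (or 32-bit on 32-bit); a 32-bit instance on x64 keeps its keys under HKLM:\SOFTWARE\Wow6432Node\Microsoft\Microsoft SQL Server instead.

```powershell
# Added example (not from the STIG): audit and remediate ForceEncryption for
# SQL Server 2005 instances on the local host. Function names are my own.
$SqlRoot = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

function Get-SqlInstanceNetLibPath {
    # Map an instance name (MSSQLSERVER for the default instance) to its
    # SuperSocketNetLib key via the Instance Names\SQL mapping maintained by setup.
    param([Parameter(Mandatory)][string]$InstanceName)
    $names = Get-ItemProperty -Path "$SqlRoot\Instance Names\SQL" -ErrorAction Stop
    $id = $names.$InstanceName
    if (-not $id) { throw "No SQL Server instance named '$InstanceName' on this host." }
    return "$SqlRoot\$id\MSSQLServer\SuperSocketNetLib"
}

function Get-SqlForceEncryption {
    # DG0167 check: report ForceEncryption for one instance, or for all instances
    # when no name is given. Also reports whether a certificate thumbprint is bound.
    param([string]$InstanceName)
    $key = Get-Item -Path "$SqlRoot\Instance Names\SQL" -ErrorAction Stop
    $targets = if ($InstanceName) { @($InstanceName) } else { $key.GetValueNames() }
    foreach ($name in $targets) {
        $path  = Get-SqlInstanceNetLibPath -InstanceName $name
        $props = Get-ItemProperty -Path $path
        $force = [int]$props.ForceEncryption      # REG_DWORD; a missing value reads as 0
        [pscustomobject]@{
            Instance        = $name
            RegistryPath    = $path
            ForceEncryption = $force
            Certificate     = $props.Certificate  # thumbprint, or $null if none is bound
            Status          = if ($force -eq 1) { 'Not a Finding' } else { 'Finding' }
        }
    }
}

function Set-SqlForceEncryption {
    # DG0167 fix: set ForceEncryption=1 (equivalent to "Yes" in Configuration Manager).
    # Requires local administrator rights; takes effect after the service restarts.
    param([Parameter(Mandatory)][string]$InstanceName)
    $path = Get-SqlInstanceNetLibPath -InstanceName $InstanceName
    Set-ItemProperty -Path $path -Name ForceEncryption -Value 1 -Type DWord
    Write-Warning "Restart the SQL Server service for instance '$InstanceName' for ForceEncryption to take effect."
    if (-not (Get-ItemProperty -Path $path).Certificate) {
        Write-Warning 'No certificate is bound to this instance. SQL Server 2005 will fall back to a self-signed certificate that clients cannot validate, so they must set TrustServerCertificate=yes and lose server authentication. Bind a CA-issued certificate.'
    }
}

# Usage (constructed): list every instance, then remediate the default instance.
Get-SqlForceEncryption | Format-Table -AutoSize
# Set-SqlForceEncryption -InstanceName MSSQLSERVER
```

Two caveats the GUI steps do not surface: the new value is read only when the instance starts, so the change is not effective until the service is restarted; and ForceEncryption alone does not authenticate the server, because without a certificate bound in the Certificate tab (the Certificate value in the same key) SQL Server 2005 uses a self-signed certificate, which protects against passive capture but not against an active man-in-the-middle. After the restart, `SELECT session_id, encrypt_option FROM sys.dm_exec_connections` should report TRUE for every session; any FALSE row is a connection that bypassed the setting and warrants investigation.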