Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15104 | DG0167-SQLServer9 | SV-25395r1_rule | ECCT-1 ECCT-2 | High |
Description |
---|
Sensitive data served by the DBMS and transmitted across the network in clear text is vulnerable to unauthorized capture and review. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Check Text ( C-23850r1_chk ) |
---|
If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is Not a Finding. If no identified sensitive or classified data requires encryption by the Information Owner in the System Security Plan and/or AIS Functional Architecture documentation, this check is Not a Finding. If encryption requirements are listed and specify configuration at the host system or network device level, review evidence that the configuration meets the specification with the DBA. It may be necessary to review network device configuration evidence or host communications configuration evidence with a Network and/or System Administrator. If the evidence review does not meet the requirement or specification as listed in the System Security Plan, this is a Finding. For SQL Server 2005: If encryption for sensitive data in transit is required by SQL Server configuration, then review the setting for the instance parameter ForceEncryption: From the SQL Server Configuration Manager GUI: 1. Expand SQL Server 2005 Network Configuration 2. Right-click on Protocols for [instance name] 3. Select Properties 4. Select the Flags tab 5. View the value for ForceEncryption OR From the Registry Editor: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ MSSQL.1 \ MSSQLServer \ SuperSocketNetLib \ ForceEncryption If the value of ForceEncryption does not equal yes or 1, this is a Finding. |
Fix Text (F-20163r1_fix) |
---|
Configure encryption of sensitive data served by the DBMS in accordance with the specifications provided in the System Security Plan. Document acceptance of risk by the Information Owner where sensitive or classified data is not encrypted. Have the IAO document assurance that the unencrypted sensitive or classified information is otherwise inaccessible to those who do not have Need-to-Know access to the data. For SQL Server 2005: Also, see Microsoft KB article for information on using SQL Server in FIPS 140-2 compliant mode: http://support.microsoft.com/kb/920995/ To configure encryption using SQL Server features: From the SQL Server Configuration Manager GUI: 1. Expand SQL Server 2005 Network Configuration 2. Right-click on Protocols for [instance name] 3. Select Properties 4. Select the Flags tab 5. Select Yes for ForceEncryption from the pull-down options |