
DBMS network communications should comply with PPS usage restrictions.


Overview

Finding ID: V-15148
Version: DG0152-SQLServer9
Rule ID: SV-25376r1_rule
IA Controls: DCPP-1
Severity: Medium
Description
Non-standard network port, protocol, or service configuration or usage could allow network perimeter security controls and protections to be bypassed.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text ( C-20476r1_chk )
From the SQL Server Configuration Manager GUI:

1. Expand SQL Server 2005 Network Configuration
2. Select Protocols for [instance name]
3. Right-click on TCP/IP
4. Select Properties
5. Select IP Addresses tab

View all TCP Dynamic Ports and TCP Port values for all IP addresses.

OR

View the registry values:

HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\SuperSocketNetLib\Tcp\IP[#]\TCPDynamicPorts

HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\SuperSocketNetLib\Tcp\IP[#]\TcpPort

HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\SuperSocketNetLib\IPAll\TCPDynamicPorts

HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\SuperSocketNetLib\IPAll\TcpPort

If any value (including 0) is entered for TCP Dynamic Ports, this is a Finding.

A blank value indicates dynamic ports are not enabled and is Not a Finding.

For a SQL Server 2005 default instance, if the TCP Port value is set to 1433, this is Not a Finding.

NOTE: For a SQL Server 2005 named instance (located via the SQL Server Browser service), UDP Port 1434 is used.

If any TCP Port value is set to a different port number, verify network traffic for the DBMS does not cross network or enclave boundaries as defined in the PPS CAL or registered with the PPS:

http://iase.disa.mil/ports/index.html

If any such traffic crosses a network or enclave boundary and the port is not registered or allowed per the PPS, this is a Finding.
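The registry-based check above can be scripted. The following is an added example, not part of the STIG text or any DISA tool; it assumes $InstanceId is the MSSQL.[#] folder name of the instance under review and that $ApprovedPorts holds the ports registered in the PPS CAL for the enclave (1433 for a default instance):

```powershell
# Added example (not from the STIG): audit a SQL Server 2005 instance's TCP port
# settings against DG0152 using the registry values named in the check text.
# Assumptions: $InstanceId is the instance's MSSQL.[#] key name; $ApprovedPorts are
# the ports registered in the PPS CAL for this enclave.
function Test-Dg0152TcpPorts {
    param(
        [string]$InstanceId    = 'MSSQL.1',
        [int[]] $ApprovedPorts = @(1433)
    )
    $ssnl = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceId\MSSQLServer\SuperSocketNetLib"

    # Per-address keys are Tcp\IP[#]; IPAll is read at the location the STIG lists
    # and, as a fallback, under Tcp\ as well.
    $keys = @(Get-ChildItem -Path "$ssnl\Tcp" -ErrorAction SilentlyContinue |
              Where-Object { $_.PSChildName -like 'IP*' } |
              ForEach-Object { $_.PSPath })
    $keys += @("$ssnl\IPAll", "$ssnl\Tcp\IPAll" | Where-Object { Test-Path $_ })

    $findings = foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key
        $name  = ($key -split '\\')[-1]
        $dyn   = [string]$props.TcpDynamicPorts
        $port  = [string]$props.TcpPort

        # Any value in TCP Dynamic Ports, including 0, is a Finding; blank is Not a Finding.
        if ($dyn.Trim() -ne '') {
            "$name : TcpDynamicPorts is '$dyn' (must be blank)"
        }
        # TcpPort may hold a comma-separated list; each entry must be an approved port.
        foreach ($p in ($port -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
            if ($ApprovedPorts -notcontains [int]$p) {
                "$name : TcpPort $p is not 1433 and not listed as registered in the PPS CAL"
            }
        }
    }

    if ($findings) { $findings; 'Result: Finding' } else { 'Result: Not a Finding' }
}

Test-Dg0152TcpPorts -InstanceId 'MSSQL.1'
```

Run it in an elevated PowerShell session on the database host; a non-1433 port that the script reports still needs a manual check against the PPS CAL before it is confirmed as a Finding.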
Fix Text (F-18426r1_fix)
From the SQL Server Configuration Manager GUI:

1. Expand SQL Server 2005 Network Configuration
2. Select Protocols for [instance name]
3. Right-click on TCP/IP
4. Select Properties
5. Select IP Addresses tab
6. Clear any value listed in TCP Dynamic Ports for all IP addresses
7. Set all TCP Port values for ports accessed across a network boundary to TCP Port 1433

Ensure port is registered in the PPS CAL for use outside the enclave:

http://iase.disa.mil/ports/index.html