| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-15148 | DG0152-SQLServer9 | SV-25376r1_rule | DCPP-1 | Medium |
**Description**

Non-standard network ports, protocol or services configuration or usage could lead to bypass of network perimeter security controls and protections.
| STIG | Date |
|---|---|
| Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
**Check Text (C-20476r1_chk)**

From the SQL Server Configuration Manager GUI:

1. Expand SQL Server 2005 Network Configuration
2. Select Protocols for [instance name]
3. Right-click on TCP/IP
4. Select Properties
5. Select IP Addresses tab

View all TCP Dynamic Ports and TCP Port values for all IP addresses.

OR view the registry values:

- HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\SuperSocketNetLib\Tcp\IP[#]\TCPDynamicPorts
- HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\SuperSocketNetLib\Tcp\IP[#]\TcpPort
- HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\SuperSocketNetLib\IPAll\TCPDynamicPorts
- HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\MSSQL.[#]\MSSQLServer\SuperSocketNetLib\IPAll\TcpPort

If any value (including 0) is entered for TCP Dynamic Ports, this is a Finding. A blank value indicates dynamic ports are not enabled and is Not a Finding.

For the SQL Server 2005 default instance, if the TCP Port value is set to 1433, this is Not a Finding.

NOTE: For a SQL Server 2005 named instance (via the SQL Server Browser service), UDP Port 1434 is used.

If any TCP Port value is set to a different port number, verify that network traffic for the DBMS does not cross network or enclave boundaries as defined in the PPS CAL or registered with the PPS: http://iase.disa.mil/ports/index.html

If any do and are not registered or allowed per the PPS, this is a Finding.
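The registry half of the check above, scripted as an added example that is not part of the STIG: it walks every `MSSQL.[#]` instance key on the local host, reads the dynamic-port and static-port values under each `IP[#]` and `IPAll` subkey of `SuperSocketNetLib\Tcp`, and applies the finding rules the check states. The function name `Test-SqlTcpPortConfig` is an assumption; the registry paths are those listed in the check, and the PPS registration step for non-1433 ports is left as a manual review item because it cannot be decided from the registry.

```powershell
# Added example (not part of the STIG). Run in an elevated PowerShell session
# on the SQL Server 2005 host. Registry value names are case-insensitive, so
# TcpDynamicPorts matches the TCPDynamicPorts spelling used in the check.
$SqlBase = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

function Test-SqlTcpPortConfig {
    $results = @()
    # Each MSSQL.[#] key is one installed instance (e.g. MSSQL.1).
    $instances = Get-ChildItem $SqlBase -ErrorAction SilentlyContinue |
                 Where-Object { $_.PSChildName -like 'MSSQL.*' }
    foreach ($inst in $instances) {
        $tcpKey = "$($inst.PSPath)\MSSQLServer\SuperSocketNetLib\Tcp"
        if (-not (Test-Path $tcpKey)) { continue }   # TCP/IP protocol not present
        # Subkeys IP1, IP2, ... and IPAll each carry TcpDynamicPorts and TcpPort.
        foreach ($ipKey in Get-ChildItem $tcpKey) {
            $props = Get-ItemProperty $ipKey.PSPath
            $dyn   = [string]$props.TcpDynamicPorts
            $port  = [string]$props.TcpPort
            if ($dyn -ne '') {
                # Any value, including 0, means dynamic ports are enabled.
                $status = 'Finding: TCP Dynamic Ports set'
            } elseif ($port -ne '' -and $port -ne '1433') {
                # Non-standard static port: confirm PPS CAL registration by hand.
                $status = 'Review: non-1433 port, verify PPS registration'
            } else {
                $status = 'Not a Finding'
            }
            $results += [pscustomobject]@{
                Instance        = $inst.PSChildName
                Address         = $ipKey.PSChildName
                TcpDynamicPorts = $dyn
                TcpPort         = $port
                Status          = $status
            }
        }
    }
    return $results
}

Test-SqlTcpPortConfig | Format-Table -AutoSize
```

Rows marked `Review` still need the enclave-boundary check from the STIG text; the script only tells you which addresses use a port other than 1433.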
**Fix Text (F-18426r1_fix)**

From the SQL Server Configuration Manager GUI:

1. Expand SQL Server 2005 Network Configuration
2. Select Protocols for [instance name]
3. Right-click on TCP/IP
4. Select Properties
5. Select IP Addresses tab
6. Clear any value listed in TCP Dynamic Ports for all IP addresses
7. Set all TCP Port values for ports accessed across a network boundary to TCP Port 1433

Ensure the port is registered in the PPS CAL for use outside the enclave: http://iase.disa.mil/ports/index.html