
Analysis Services Required Protection Levels should be set to 1.


Overview

Finding ID: V-15188
Version: DM6101-SQLServer9
Rule ID: SV-25471r1_rule
IA Controls: ECCT-1, ECCT-2
Severity: High
Description
Sensitive data is vulnerable to unauthorized access when traversing untrusted network segments. Encryption of the data in transit helps protect the confidentiality of the data.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-13798r1_chk)
Determine if SQL Server Analysis Services is installed.

View the Windows Services Snap-In.

If SQL Server Analysis Services ([instance name]) is not listed, Analysis Services is not installed on this host.

If SQL Server Analysis Services is not installed on the DBMS host, this check is Not a Finding.

If SQL Server Analysis Services is installed on the DBMS host (regardless of whether it is actively running or not), review the msmdsrv.ini file for the SQL Server Analysis service.

The value for [install dir] can be found in the Windows Registry under the parameter:

HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\Setup\SqlProgramDir

The msmdsrv.ini configuration file may be found in the directory:

[install dir]\MSSQL.2\OLAP\Config

View the contents of the msmdsrv.ini file.

1. Locate the RequiredProtectionLevel XML tag under the DataProtection tag.

If the RequiredProtectionLevel tag is not listed, this is a Finding.

If the RequiredProtectionLevel tag is listed and set to a value of 0 or 2, this is a Finding.

If the RequiredProtectionLevel tag is listed and set to a value of 1, this part of the check is Not a Finding.

2. Locate the RequiredProtectionLevel XML tag under the AdministrativeDataProtection tag.

If the RequiredProtectionLevel tag is not listed, this is a Finding.

If the RequiredProtectionLevel tag is listed and set to a value of 0 or 2, this is a Finding.

If the RequiredProtectionLevel tag is listed and set to a value of 1, this part of the check is Not a Finding.

3. Locate the RequiredWebProtectionLevel XML tag under the DataProtection tag.

If the RequiredWebProtectionLevel tag is not listed, this is a Finding.

If the RequiredWebProtectionLevel tag is listed and set to a value of 0 or 2, this is a Finding.

If the RequiredWebProtectionLevel tag is listed and set to a value of 1, this part of the check is Not a Finding.

4. Locate the RequiredWebProtectionLevel XML tag under the AdministrativeDataProtection tag.

If the RequiredWebProtectionLevel tag is not listed, this is a Finding.

If the RequiredWebProtectionLevel tag is listed and set to a value of 0 or 2, this is a Finding.

If the RequiredWebProtectionLevel tag is listed and set to a value of 1, this part of the check is Not a Finding.

If any parts of this check are a Finding, this check is a Finding.

NOTE: Check DM6101 now combines checks from DM6101, DM6102, DM6106 and DM6107 into this single check.

Checks DM6102, DM6106 and DM6107 have been inactivated.
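
The four-part check above can be scripted. The following PowerShell is an added example, not part of the STIG: it assumes msmdsrv.ini is well-formed XML, matches the tags by name at any depth because the check text does not name the enclosing elements, and runs against constructed sample content. Test-SsasProtectionLevel is a hypothetical helper name.

```powershell
# Added example (not STIG content). $sample is constructed for illustration;
# on a real host, pass the text of msmdsrv.ini instead, e.g. via Get-Content -Raw.
$sample = @'
<ConfigurationSettings>
  <DataProtection>
    <RequiredProtectionLevel>1</RequiredProtectionLevel>
    <RequiredWebProtectionLevel>0</RequiredWebProtectionLevel>
  </DataProtection>
  <AdministrativeDataProtection>
    <RequiredProtectionLevel>1</RequiredProtectionLevel>
  </AdministrativeDataProtection>
</ConfigurationSettings>
'@

function Test-SsasProtectionLevel {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$IniContent)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($IniContent)

    foreach ($parent in 'DataProtection', 'AdministrativeDataProtection') {
        foreach ($tag in 'RequiredProtectionLevel', 'RequiredWebProtectionLevel') {
            # Match by local name so the lookup works wherever the parent tag sits.
            $node = $doc.SelectSingleNode("//*[local-name()='$parent']/*[local-name()='$tag']")
            if ($null -eq $node) {
                $value  = $null
                $status = 'Finding: tag not listed'
            } elseif ($node.InnerText.Trim() -eq '1') {
                $value  = '1'
                $status = 'Not a Finding'
            } else {
                # The check text names 0 and 2; any other non-1 value is
                # reported as a Finding here by assumption.
                $value  = $node.InnerText.Trim()
                $status = 'Finding: value is not 1'
            }
            [pscustomobject]@{ Setting = "$parent/$tag"; Value = $value; Status = $status }
        }
    }
}

$results = Test-SsasProtectionLevel -IniContent $sample
$results | Format-Table -AutoSize

# If any part is a Finding, the whole check is a Finding.
if ($results | Where-Object { $_.Status -ne 'Not a Finding' }) {
    'Overall: Finding'
} else {
    'Overall: Not a Finding'
}
```
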
Fix Text (F-14818r1_fix)
Modify the msmdsrv.ini to set Required Protection Levels to use encryption.

Make a backup copy of the msmdsrv.ini file.

Edit the msmdsrv.ini file.

Under the DataProtection tag, set the value for RequiredProtectionLevel to 1 OR under the DataProtection tag, create the tag RequiredProtectionLevel and set the value to 1.

Under the DataProtection tag, set the value for RequiredWebProtectionLevel to 1 OR under the DataProtection tag, create the tag RequiredWebProtectionLevel and set the value to 1.

Under the AdministrativeDataProtection tag, set the value for RequiredProtectionLevel to 1 OR under the AdministrativeDataProtection tag, create the tag RequiredProtectionLevel and set the value to 1.

Under the AdministrativeDataProtection tag, set the value for RequiredWebProtectionLevel to 1 OR under the AdministrativeDataProtection tag, create the tag RequiredWebProtectionLevel and set the value to 1.

Save and exit.

Restart the SQL Server Analysis Services service for the changes to take effect.

NOTE: Check DM6101 now combines fixes from DM6101, DM6102, DM6106 and DM6107 into this single fix.

Checks DM6102, DM6106 and DM6107 have been inactivated.