Passwords should be encrypted when transmitted across the network.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-15636 | DG0129-SQLServer9 | SV-29118r1_rule | IAIA-1 IAIA-2 | High |
| Description |
|---|
| DBMS passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database. |
| STIG | Date |
|---|---|
| Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Details
| Check Text ( C-29859r1_chk ) |
|---|
| SQL Server natively encrypts passwords in transit when using SQL Server connection protocols and products (i.e. SQL Server Client). Where other connection products and protocols are used, review configuration options for encrypting passwords during login events across the network. If passwords are not encrypted, this is a Finding. Where only SQL Server connection protocols and products are used and password encryption is not purposely disabled and enabled where applicable, this is Not a Finding. If determined that passwords are passed unencrypted at any point along the transmission path between the source and destination, this is a Finding. |
| Fix Text (F-26742r1_fix) |
|---|
| Utilize SQL Server connection protocols and products (i.e. SQL Server Client) where possible. Where other connection products and protocols are used, ensure configuration options for encrypting passwords during login events across the network are used. If the database does not provide encryption for login events natively, employ encryption at the OS or network level. Ensure passwords remain encrypted from source to destination. |