
DBMS tools or applications that echo or require a password entry in clear text should be protected from password display.


Overview

Finding ID: V-3813
Version: DG0068-SQLServer9
Rule ID: SV-24215r1_rule
IA Controls: IAIA-1, IAIA-2
Severity: Medium
Description
Database applications may allow the account name and password to be entered as visible parameters of the command that launches the application. This practice should be prohibited and, where possible, disabled in the application itself. If it cannot be disabled, users should be strictly instructed not to use this feature. Typically, the application will instead prompt for the password and accept it without echoing it on the user's screen.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text ( C-28572r1_chk )
Interview the DBA to determine whether any applications that access the database (such as sqlcmd) allow the account name and password to be entered on the command line.

If any such applications exist and are in use, ask the DBA whether users have been instructed not to include passwords on the command line and whether use of these applications is monitored for compliance.

If the instruction is not documented, or the monitoring is not documented and being performed, this is a Finding.
Fix Text (F-24465r1_fix)
Where possible, configure or modify applications so that they do not accept or display passwords in clear text on the command line.

For applications that cannot be modified or configured to deny this, implement policy and train users not to enter passwords on the command line. Remove any applications that can access the database if they are not in use or cannot be monitored.
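The check above asks whether command-line use of these tools is monitored, and the fix asks that passwords be kept off the command line. The following script is an added example, not part of the STIG, of what that monitoring can look like: it classifies command lines of the SQL Server 2005 client tools (sqlcmd, osql, bcp) by how they authenticate and reports the ones that carry a password value after -P, redacting the value in the report. The command lines it scans are constructed for the example (they could come from process-creation auditing, a scheduled-task review, or a search of batch files). The "-P" and "-U" switch names, the "-E"/"-T" trusted-connection switches, sqlcmd's prompting when -U is given without -P, and its use of the default (NULL) password on a bare -P are documented behaviour; that the attached "-Pvalue" spelling is accepted by every tool is an assumption, so it is flagged as a finding either way.

```python
"""Scan command lines for SQL Server client tools (sqlcmd, osql, bcp) that pass
a password in clear text, as the monitoring step of this rule requires."""
import re

# Client tools shipped with SQL Server 2005 that accept "-P password" on the
# command line, mapped to the switch each uses for Windows (trusted) authentication.
TOOLS = {"sqlcmd": "-E", "osql": "-E", "bcp": "-T"}

_TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping "quoted arguments" whole."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def tool_name(argv0):
    """Map argv[0] (any path, any case, with or without .exe) to a key of TOOLS, else None."""
    name = argv0.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name.endswith(".exe"):
        name = name[:-4]
    return name if name in TOOLS else None


def classify(cmdline):
    """Classify one command line.

    Returns None if argv[0] is not one of TOOLS; otherwise a dict with
      tool:     "sqlcmd" | "osql" | "bcp"
      auth:     "cleartext_password" - a value was supplied with -P (the finding)
                "empty_password"     - bare -P; sqlcmd then uses the default (NULL) password
                "prompt"             - -U without -P; sqlcmd prompts without echo
                                       (unless the SQLCMDPASSWORD environment variable is set)
                "windows"            - trusted connection (-E, or -T for bcp)
                "default"            - no login switches at all
      redacted: the command line with any password value replaced by ***
    """
    argv = tokenize(cmdline)
    if not argv:
        return None
    tool = tool_name(argv[0])
    if tool is None:
        return None

    has_user = trusted = p_bare = False
    password = None
    redacted = list(argv)
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "-U":
            has_user = True
            i += 1                      # skip the login name
        elif arg.startswith("-U"):
            has_user = True             # "-Ulogin" spelling
        elif arg == "-P":
            if i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                password = argv[i + 1]  # "-P value" spelling
                redacted[i + 1] = "***"
                i += 1
            else:
                p_bare = True
        elif arg.startswith("-P"):
            password = arg[2:]          # "-Pvalue" spelling (assumed accepted by all three tools)
            redacted[i] = "-P***"
        elif arg == TOOLS[tool]:
            trusted = True
        i += 1

    if password is not None:
        auth = "cleartext_password"
    elif p_bare:
        auth = "empty_password"
    elif has_user:
        auth = "prompt"
    elif trusted:
        auth = "windows"
    else:
        auth = "default"
    return {"tool": tool, "auth": auth, "redacted": " ".join(redacted)}


def audit(cmdlines):
    """Return only the invocations that put a password on the command line."""
    hits = []
    for line in cmdlines:
        result = classify(line)
        if result is not None and result["auth"] == "cleartext_password":
            hits.append(result)
    return hits


# Constructed sample command lines (not from a real host), of the kind exported
# from process-creation auditing or collected while reviewing batch files.
SAMPLE_COMMAND_LINES = [
    r'"C:\Program Files\Microsoft SQL Server\90\Tools\Binn\SQLCMD.EXE" -S dbsrv01 -U appuser -P Sup3rS3cret! -i nightly.sql',
    r'sqlcmd -S dbsrv01 -E -Q "SELECT @@VERSION"',
    r'sqlcmd -S dbsrv01 -U reportuser -i report.sql',
    r'osql -Sdbsrv01 -Usa -PWinter2015',
    r'bcp dbo.Orders out orders.dat -c -S dbsrv01 -T',
    r'notepad.exe nightly.sql',
]

if __name__ == "__main__":
    for hit in audit(SAMPLE_COMMAND_LINES):
        print(f"FINDING ({hit['tool']}): {hit['redacted']}")
```

Run against the constructed sample, the two invocations that carry a password (the sqlcmd one and the osql one) are reported with the value redacted; the trusted-connection and prompting forms are the patterns the fix text asks users to adopt instead.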