
Remote administrative connections to the database should be encrypted.


Overview

Finding ID: V-3825
Version: DG0093-SQLServer9
Rule ID: SV-24248r1_rule
IA Controls: ECCT-1, ECCT-2
Severity: Medium

Description
Communications between a client and database service across the network may contain sensitive information including passwords. Encryption of remote administrative connections to the database ensures confidentiality.

STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text ( C-23684r1_chk )
If no administration accounts are accessed remotely, this check is Not a Finding.

Ask the DBA if access to the administration accounts is:

1. Made using remote access through a local host account
2. Made directly to the database from a remote database client

If access is via a local host account, review procedures, policy, and/or evidence that remote administrative account access is performed only via an encrypted connection protocol such as SSH, Remote Desktop Connection (properly configured, of course), etc., to connect to the host.

If it is not, this is a Finding.

If access is via direct connection to the DBMS from a DBMS client, confirm that a dedicated database listener exists on the DBMS server and is configured to encrypt communications for remote administrative connections.

If it is not, this is a Finding.

If there are any listeners on the DBMS host that are configured to accept unencrypted traffic, determine through review of policy and training evidence that DBAs know to use the encrypted listener for remote access to administrative accounts.

If no such policy exists, or the DBAs have not been instructed to use an encrypted connection or do not use one, this is a Finding.

Interview DBAs to confirm they use the encrypted listener for remote DBA access.

If any DBAs do not, this is a Finding.

Ensure unclassified, sensitive data transmitted through a commercial or wireless network are encrypted using NIST-certified cryptography.
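The check text above relies on interviewing DBAs and reviewing policy. As an added example, not part of the STIG text, the following T-SQL gives the reviewer a point-in-time view of the same question on the instance itself: which current sessions belong to members of the sysadmin fixed server role, whether they arrived over the network or via local shared memory, and whether SQL Server reports the connection as encrypted. It uses only the sys.dm_exec_sessions and sys.dm_exec_connections dynamic management views that ship with SQL Server 2005 and requires VIEW SERVER STATE permission; the assessment labels in the CASE expression are the reviewer's own wording, not STIG terms.

```sql
-- Added audit query (example, not part of the STIG). Requires VIEW SERVER STATE.
-- Lists every live user session whose login is a member of sysadmin and that did
-- not arrive over local shared memory, together with its encryption state.
SELECT
    s.session_id,
    s.login_name,
    s.host_name,
    s.program_name,
    c.client_net_address,
    c.net_transport,      -- TCP, Named pipe, Shared memory, ...
    c.auth_scheme,        -- SQL, NTLM, KERBEROS
    c.encrypt_option,     -- 'TRUE' when SSL/TLS is negotiated for this connection
    CASE
        WHEN c.encrypt_option = 'TRUE' THEN 'OK - encrypted'
        ELSE 'FINDING - unencrypted remote administrative connection'
    END AS assessment
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
    ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  -- Local host connections fall under the SSH/RDP part of the check, so exclude them here.
  AND c.net_transport <> 'Shared memory'
  AND IS_SRVROLEMEMBER('sysadmin', s.login_name) = 1
ORDER BY c.encrypt_option, s.login_name;

-- Companion summary: does this instance currently accept any unencrypted
-- network traffic at all? A non-zero count for encrypt_option = 'FALSE' on a
-- network transport means an unencrypted listener is in use by someone.
SELECT
    c.net_transport,
    c.encrypt_option,
    COUNT(*) AS connection_count
FROM sys.dm_exec_connections AS c
GROUP BY c.net_transport, c.encrypt_option
ORDER BY c.net_transport, c.encrypt_option;
```

These views show only sessions that exist at the moment the query runs, so they complement rather than replace the policy review and DBA interview the check calls for; run them during a period of normal administrative activity, or repeatedly over time, before concluding that no unencrypted remote DBA connections occur. A row for a sysadmin login with encrypt_option = 'FALSE' over TCP or a named pipe is direct evidence of the condition the check treats as a Finding. If the instance has the server-side Force Encryption option enabled in SQL Server Configuration Manager, every network connection should report encrypt_option = 'TRUE'; any 'FALSE' row on a network transport then indicates the setting is not in effect on the listener that session used.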
Fix Text (F-26087r1_fix)
Do not administer DBMS systems remotely if possible.

If this is not possible, ensure that all connections to the DBMS for administrative purposes utilize encryption at all possible levels [i.e. Network (VPN), Host (SSH/RDP), and Database (Client/ODBC/listener)].

Ensure unclassified, sensitive data transmitted through a commercial or wireless network are encrypted using NIST-certified cryptography.