UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Database Master Key encryption password must meet DoD password complexity requirements.


Overview

Finding ID Version Rule ID IA Controls Severity
V-41413 SQL2-00-024000 SV-53942r1_rule Medium
Description
Weak passwords may be easily guessed. When passwords are used to encrypt keys used for encryption of sensitive data, then the confidentiality of all data encrypted using that key is at risk.
STIG Date
Microsoft SQL Server 2012 Database Security Technical Implementation Guide 2014-06-23

Details

Check Text ( C-47950r2_chk )
From the query prompt:

SELECT name
FROM [master].sys.databases
WHERE state = 0
Repeat for each database:
From the query prompt:
USE [database name]
SELECT COUNT(name)
FROM sys.symmetric_keys s, sys.key_encryptions k
WHERE s.name = '##MS_DatabaseMasterKey##'
AND s.symmetric_key_id = k.key_id
AND k.crypt_type = 'ESKP'

If the value returned is greater than 0, a Database Master Key exists and is encrypted with a password.

Review procedures and evidence of password requirements used to encrypt Database Master Keys. If the passwords are not required to meet DoD password standards, currently 15 characters, 2 uppercase characters, 2 lowercase characters, 2 special characters, 2 numeric
characters and no repeating characters, this is a finding.
Fix Text (F-46842r3_fix)
Assign an encryption password to the Database Master Key that is a minimum of 15 characters, contains at least 2 uppercase characters, 2 lowercase characters, 2 special characters, 2 numeric characters and has no repeating characters.
To change the Database Master Key encryption password:
USE [database name]
ALTER MASTER KEY REGENERATE WITH ENCRYPTION BY PASSWORD = '[new password]'
Note: The Database Master Key encryption method should not be changed until the effects are thoroughly reviewed. Changing the master key encryption causes all encryption using the Database Master Key to be decrypted and re-encrypted. This action should not be taken during a high-demand time. Please see the MS SQL Server documentation prior to re-encrypting the
Database Master Key for detailed information.