
SQL Server must employ cryptographic mechanisms preventing the unauthorized disclosure of information at rest, unless the data is otherwise protected by alternative physical measures.


Overview

Finding ID: V-41420
Version: SQL2-00-021400
Rule ID: SV-53949r1_rule
IA Controls:
Severity: Medium
Description
This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. If the data is not encrypted or protected by other means, it is subject to compromise and unauthorized disclosure.
STIG: Microsoft SQL Server 2012 Database Security Technical Implementation Guide
Date: 2014-06-23

Details

Check Text (C-47955r2_chk)
If physical protections are in place for the data, this is not a finding.

Ensure the data is encrypted by executing:
SELECT * FROM [master].sys.databases

For each user database, ensure the Is_encrypted column is set to 1. If it is not set to 1, this is a finding.
Fix Text (F-46848r2_fix)
Use encryption to protect the data where physical measures are not being utilized. To enable database encryption, create a master key, create a database encryption key, and protect it by using mechanisms tied to the master key, and then set encryption on.
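
The check and fix above written out as T-SQL, as an added example that is not part of the STIG text. The database name ExampleDb, the certificate name TdeServerCert, the passwords and the backup paths are placeholders, and using a server certificate as the mechanism tied to the master key is an assumption (it is the usual Transparent Data Encryption arrangement).

```sql
-- Check: list user databases with their encryption status.
-- database_id 1-4 are master, tempdb, model and msdb, so > 4 leaves user databases.
SELECT d.name,
       d.is_encrypted,
       k.encryption_state,   -- 2 = encryption in progress, 3 = encrypted
       k.key_algorithm,
       k.key_length
FROM [master].sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
       ON k.database_id = d.database_id
WHERE d.database_id > 4
ORDER BY d.is_encrypted, d.name;   -- rows with is_encrypted = 0 are findings
GO

-- Fix, step 1: create the master key in the master database.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<master-key-password-placeholder>';
GO

-- Fix, step 2: create a certificate protected by the master key (assumed mechanism).
CREATE CERTIFICATE TdeServerCert
    WITH SUBJECT = 'TDE certificate (example)';
GO

-- Back up the certificate and its private key before encrypting anything.
BACKUP CERTIFICATE TdeServerCert
    TO FILE = '<backup-path-placeholder>\TdeServerCert.cer'
    WITH PRIVATE KEY (
        FILE = '<backup-path-placeholder>\TdeServerCert.pvk',
        ENCRYPTION BY PASSWORD = '<private-key-password-placeholder>'
    );
GO

-- Fix, step 3: create the database encryption key in the user database,
-- protected by the certificate.
USE ExampleDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeServerCert;
GO

-- Fix, step 4: set encryption on, then rerun the check query until
-- is_encrypted = 1 and encryption_state = 3.
ALTER DATABASE ExampleDb SET ENCRYPTION ON;
GO
```

Store the certificate and private key backup away from the database files; without it the encrypted database and its backups cannot be restored on another instance.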