Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-41310 | SQL2-00-001200 | SV-53792r1_rule | Medium |
Description |
---|
Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will typically occur over either the Internet or the Public Switched Telephone Network (PSTN). Since neither of these internetworking mechanisms is private or secure, if cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised. Cryptography provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information traversing the remote connection. Login/account information can be compromised if authentication data being passed over a public network is not secured via approved cryptography. This can result in unauthorized access to the database. |
STIG | Date |
---|---|
Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide | 2014-01-17 |
Check Text ( C-47879r2_chk ) |
---|
From a Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER]. Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties. On the Flags tab, if Force Encryption is set to YES, examine the certificate used on the Certificate tab. If it is a DoD Certificate, this is not a finding. If Force Encryption is set to NO, determine via system documentation what type of database connections are used by applications that connect to the database. If applications only connect with OLE DB connections (tools such as SQL Server Management Studio and SQLCMD utilize OLE DB), this is not a finding. If any other types of connections are utilized, and visible proof of encryption of authentication data cannot be witnessed, this is a finding. |
Fix Text (F-46701r2_fix) |
---|
Configure SQL Server to encrypt authentication data for remote connections using organization-defined encryption. Deploy organization-approved encryption to the SQL Server Network Connections. From a Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER]. Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties. On the Flags tab, set Force Encryption to YES, and provide a DOD certificate on the Certificate tab. |