
SQL Server must enforce password encryption for transmission.


Overview

Finding ID: V-40921
Version: SQL2-00-018700
Rule ID: SV-53275r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission. DBMS passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database.
STIG: Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide
Date: 2014-06-23

Details

Check Text (C-47576r2_chk)
From a command prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc and pressing [ENTER].

Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right-click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties.

On the Flags tab, if Force Encryption is set to YES, examine the certificate used on the Certificate tab. If it is not a DoD certificate, this is a finding.
Fix Text (F-46203r2_fix)
Configure SQL Server to encrypt authentication data for remote connections using organization-defined encryption.

Deploy encryption to the SQL Server Network Connections.

From a command prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc and pressing [ENTER].

Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right-click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties.

On the Flags tab, set Force Encryption to YES, and provide a DoD certificate on the Certificate tab.
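The Check Text and Fix Text above both walk through the Configuration Manager GUI. The Flags and Certificate tabs are backed by the ForceEncryption and Certificate values under each instance's SuperSocketNetLib registry key, so the same state can be audited across many hosts from a script. The following PowerShell script is an added example, not part of the STIG or of any Microsoft tooling; it reads those registry values for every instance on the local host, resolves the bound certificate in the LocalMachine\My store, and reports a finding when Force Encryption is off, no certificate is bound, or the certificate's issuer does not match an expected pattern. The issuer pattern (default 'DoD') is an assumption you should set to your organization's CA; whether a certificate is actually a DoD-issued one still needs a reviewer's judgement.

```powershell
# Added example (not from the STIG): audit Force Encryption and the bound certificate
# for every SQL Server instance on this host. Reads the same settings that
# SQL Server Configuration Manager shows on the Flags and Certificate tabs.
# Run in an elevated PowerShell session on the SQL Server host.
param(
    # Assumption: substring expected in the issuer DN of an acceptable certificate.
    [string]$ExpectedIssuerPattern = 'DoD'
)

$instanceRoot = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
# Each value under Instance Names\SQL maps an instance name to its instance ID
# (for SQL Server 2012 the default instance is MSSQLSERVER -> MSSQL11.MSSQLSERVER).
$instanceMap = Get-ItemProperty -Path "$instanceRoot\Instance Names\SQL" -ErrorAction Stop

$results = foreach ($prop in $instanceMap.PSObject.Properties) {
    if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
    $instanceName = $prop.Name
    $instanceId   = $prop.Value

    # Flags tab (ForceEncryption, 1 = YES) and Certificate tab (thumbprint) live here.
    $netLib = Get-ItemProperty -Path "$instanceRoot\$instanceId\MSSQLServer\SuperSocketNetLib" `
                               -ErrorAction SilentlyContinue
    $forceEncryption = [int]$netLib.ForceEncryption
    $thumbprint      = [string]$netLib.Certificate

    # Resolve the thumbprint against the computer's personal store so the issuer
    # and expiry can be reported; the store lists thumbprints in upper case.
    $cert = $null
    if ($thumbprint) {
        $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
                Where-Object { $_.Thumbprint -eq $thumbprint.ToUpper() }
    }

    $findings = @()
    if ($forceEncryption -ne 1) { $findings += 'Force Encryption is not set to YES' }
    if (-not $thumbprint) {
        $findings += 'No certificate is bound on the Certificate tab'
    } elseif (-not $cert) {
        $findings += "Certificate $thumbprint not found in LocalMachine\My"
    } elseif ($cert.Issuer -notmatch $ExpectedIssuerPattern) {
        $findings += "Issuer '$($cert.Issuer)' does not match expected CA pattern"
    } elseif ($cert.NotAfter -lt (Get-Date)) {
        $findings += 'Bound certificate has expired'
    }

    [pscustomobject]@{
        Instance        = $instanceName
        InstanceId      = $instanceId
        ForceEncryption = $forceEncryption
        Thumbprint      = $thumbprint
        Issuer          = if ($cert) { $cert.Issuer }   else { $null }
        NotAfter        = if ($cert) { $cert.NotAfter } else { $null }
        Status          = if ($findings.Count -eq 0) { 'Compliant' } else { 'FINDING' }
        Detail          = ($findings -join '; ')
    }
}

$results | Format-Table -AutoSize
```

The script is read-only; apply the fix through Configuration Manager as described in the Fix Text, and note that a change to Force Encryption or the bound certificate only takes effect after the SQL Server service is restarted. It also reports Force Encryption set to NO as a finding, which the Check Text does not spell out but the Fix Text requires. Without a certificate from a CA the clients trust, a client has no way to distinguish the real server from an interposed one, which is why the rule insists on the certificate and not only on the flag.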