
SQL Server, when providing remote access capabilities, must utilize approved cryptography to protect the integrity of remote access sessions.


Overview

Finding ID: V-41308
Version: SQL2-00-001400
Rule ID: SV-53790r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). The session data traversing the remote connection could be intercepted and compromised.

Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. If cryptography is not used, then the session data traversing the remote connection could be intercepted and potentially modified. Cryptography provides a means to secure the remote connection to prevent unauthorized changes to the data traversing the remote access connection, thereby providing a degree of integrity. The encryption strength of the mechanism is selected based on the security categorization of the information that is traversing the remote connection.

Databases that accept remote connections must use approved cryptography to protect data being passed via an unsecure network. If approved cryptography is not used, data can be intercepted and potentially modified.
STIG: Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide
Date: 2014-06-23

Details

Check Text (C-47877r3_chk)
From a Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER].

Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties.

On the Flags tab, if Force Encryption is set to YES, examine the certificate used on the Certificate tab.
If it is a DoD certificate, this is not a finding.

If Force Encryption is set to NO and a DoD certificate is not utilized, this is a finding.
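
The same check can be scripted for use across many hosts. The following is an added example, not part of the STIG: a read-only PowerShell audit, run on the SQL Server host, that reads the values behind the Flags and Certificate tabs from the registry and looks up the bound certificate in the LocalMachine\My store. The default instance name and the issuer substring used to recognize a DoD certificate ('OU=DoD') are assumptions; adjust both for the environment.

```powershell
# Added example (not from the STIG): audits Force Encryption and the bound certificate.
param(
    [string]$InstanceName  = 'MSSQLSERVER',  # assumption: default instance; pass a named instance here
    [string]$IssuerPattern = 'OU=DoD'        # assumption: substring that identifies a DoD PKI issuer
)

$root = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

# Map the instance name to its instance ID (for example MSSQL11.<name>).
$names = Get-ItemProperty -Path "$root\Instance Names\SQL" -ErrorAction Stop
$instanceId = $names.$InstanceName
if (-not $instanceId) { throw "Instance '$InstanceName' was not found on this host." }

# The Flags and Certificate tab settings are stored under SuperSocketNetLib.
$net = Get-ItemProperty -Path "$root\$instanceId\MSSQLServer\SuperSocketNetLib" -ErrorAction Stop
$forceEncryption = ($net.ForceEncryption -eq 1)
$thumbprint = "$($net.Certificate)".Trim()

# An empty thumbprint means no certificate was selected; SQL Server then
# falls back to a self-generated certificate, which is not a DoD certificate.
$cert = $null
if ($thumbprint) {
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumbprint } |
        Select-Object -First 1
}
$dodCert = [bool]($cert -and $cert.Issuer -like "*$IssuerPattern*")

# Mirror the two outcomes the check text states; anything else needs a reviewer.
$status = if ($forceEncryption -and $dodCert) { 'Not a finding' }
          elseif (-not $forceEncryption -and -not $dodCert) { 'Finding' }
          else { 'Review manually' }

[pscustomobject]@{
    Instance        = $InstanceName
    ForceEncryption = $forceEncryption
    Thumbprint      = if ($thumbprint) { $thumbprint } else { '(none configured)' }
    Issuer          = if ($cert) { $cert.Issuer } else { '(no matching certificate in LocalMachine\My)' }
    NotAfter        = if ($cert) { $cert.NotAfter } else { $null }
    Status          = $status
}
```

The NotAfter value is reported so an expired certificate is visible to the reviewer; it does not affect the Status field.
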
Fix Text (F-46699r2_fix)
Configure SQL Server to encrypt data passing over remote connections.
From a Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER].

Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties.

On the Flags tab, set Force Encryption to YES, and provide a DoD certificate on the Certificate tab.