SQL Server must utilize approved cryptography when passing authentication data for remote access sessions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-41310	SQL2-00-001200	SV-53792r1_rule		Medium

Description
Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will typically occur over either the Internet or the Public Switched Telephone Network (PSTN). Since neither of these internetworking mechanisms is private or secure, if cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised. Cryptography provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information traversing the remote connection. Login/account information can be compromised if authentication data being passed over a public network is not secured via approved cryptography. This can result in unauthorized access to the database.

Description

Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will typically occur over either the Internet or the Public Switched Telephone Network (PSTN). Since neither of these internetworking mechanisms is private or secure, if cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised. Cryptography provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information traversing the remote connection. Login/account information can be compromised if authentication data being passed over a public network is not secured via approved cryptography. This can result in unauthorized access to the database.

STIG	Date
Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide	2014-06-23

Details

Check Text ( C-47879r2_chk )
From a Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER]. Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties. On the Flags tab, if Force Encryption is set to YES, examine the certificate used on the Certificate tab. If it is a DoD Certificate, this is not a finding. If Force Encryption is set to NO, determine via system documentation what type of database connections are used by applications that connect to the database. If applications only connect with OLE DB connections (tools such as SQL Server Management Studio and SQLCMD utilize OLE DB), this is not a finding. If any other types of connections are utilized, and visible proof of encryption of authentication data cannot be witnessed, this is a finding.

Check Text ( C-47879r2_chk )

From a Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER].

Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties.

On the Flags tab, if Force Encryption is set to YES, examine the certificate used on the Certificate tab.
If it is a DoD Certificate, this is not a finding.

If Force Encryption is set to NO, determine via system documentation what type of database connections are used by applications that connect to the database. If applications only connect with OLE DB connections (tools such as SQL Server Management Studio and SQLCMD utilize OLE DB), this is not a finding.

If any other types of connections are utilized, and visible proof of encryption of authentication data cannot be witnessed, this is a finding.

Fix Text (F-46701r2_fix)
Configure SQL Server to encrypt authentication data for remote connections using organization-defined encryption. Deploy organization-approved encryption to the SQL Server Network Connections. From a Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER]. Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties. On the Flags tab, set Force Encryption to YES, and provide a DOD certificate on the Certificate tab.

Fix Text (F-46701r2_fix)

Configure SQL Server to encrypt authentication data for remote connections using organization-defined encryption. Deploy organization-approved encryption to the SQL Server Network Connections.

From a Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER].

Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties.

On the Flags tab, set Force Encryption to YES, and provide a DOD certificate on the Certificate tab.