SQL Server must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission, unless the transmitted data is otherwise protected by alternative physical measures.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-40907	SQL2-00-022600	SV-53261r3_rule		High

Description
Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSEC tunnel. Alternative physical protection measures include Protected Distribution Systems (PDS). PDS are used to transmit unencrypted classified NSI through an area of lesser classification or control. In as much as the classified NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation. Refer to NSTSSI No. 7003 for additional details on a PDS. Information in transmission is particularly vulnerable to attack. If the DBMS does not employ cryptographic mechanisms preventing unauthorized disclosure of information during transit, the information may be compromised.

Description

Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSEC tunnel. Alternative physical protection measures include Protected Distribution Systems (PDS). PDS are used to transmit unencrypted classified NSI through an area of lesser classification or control. In as much as the classified NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation. Refer to NSTSSI No. 7003 for additional details on a PDS. Information in transmission is particularly vulnerable to attack. If the DBMS does not employ cryptographic mechanisms preventing unauthorized disclosure of information during transit, the information may be compromised.

STIG	Date
Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide	2015-03-26

Details

Check Text ( C-47562r5_chk )
If the DBMS exists in the unclassified environment, and data transmission does not cross the boundary between the NIPRNet and the wider Internet, and the application owner and authorizing official have determined that encryption is not required, this is not a finding. Check SQL Server settings to determine whether cryptographic mechanisms are used to prevent the unauthorized disclosure of information during transmission. Determine whether physical measures are being used instead of cryptographic mechanisms. If neither cryptographic nor physical measures are being utilized, this is a finding. Review system documentation to determine whether the system handles classified information. If the system does not handle classified information, the severity of this check should be downgraded to Category Code 2. From Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER]. Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties. On the Flags tab, if Force Encryption is set to YES, examine the certificate used on the Certificate tab. If Force Encryption is set, a DoD Certificate is not utilized, and some type of physical encryption measure is utilized, examine the physical encryption devices to determine the following: 1. The plaintext connection to the database server is afforded the highest protections, allowing no access to unauthorized or non-cleared personnel. 2. The encryption device is configured to pass traffic to only the specific IP addresses as identified by the database documentation. 3. The encryption keys utilized are current and valid keys. 4. The keys utilized meet approved organizationally defined compliant algorithms. If any of the preceding requirements is not met, this is a finding. If Force Encryption is set to No, a DoD Certificate is not utilized, and some type of physical encryption measure is not utilized, this is a finding.

Check Text ( C-47562r5_chk )

If the DBMS exists in the unclassified environment, and data transmission does not cross the boundary between the NIPRNet and the wider Internet, and the application owner and authorizing official have determined that encryption is not required, this is not a finding.

Check SQL Server settings to determine whether cryptographic mechanisms are used to prevent the unauthorized disclosure of information during transmission. Determine whether physical measures are being used instead of cryptographic mechanisms. If neither cryptographic nor physical measures are being utilized, this is a finding.

Review system documentation to determine whether the system handles classified information. If the system does not handle classified information, the severity of this check should be downgraded to Category Code 2.

From Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER].

Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties.

On the Flags tab, if Force Encryption is set to YES, examine the certificate used on the Certificate tab.

If Force Encryption is set, a DoD Certificate is not utilized, and some type of physical encryption measure is utilized, examine the physical encryption devices to determine the following:

1. The plaintext connection to the database server is afforded the highest protections, allowing no access to unauthorized or non-cleared personnel.
2. The encryption device is configured to pass traffic to only the specific IP addresses as identified by the database documentation.
3. The encryption keys utilized are current and valid keys.
4. The keys utilized meet approved organizationally defined compliant algorithms.

If any of the preceding requirements is not met, this is a finding.

If Force Encryption is set to No, a DoD Certificate is not utilized, and some type of physical encryption measure is not utilized, this is a finding.

Fix Text (F-46189r2_fix)
Deploy organization approved encryption to the SQL Server Network Connections. From Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER]. Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties. On the Flags tab, set Force Encryption to YES, provide a DoD certificate on the Certificate tab.

Fix Text (F-46189r2_fix)

Deploy organization approved encryption to the SQL Server Network Connections.

From Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER].

Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties.

On the Flags tab, set Force Encryption to YES, provide a DoD certificate on the Certificate tab.