SQL Server must be configured to use Windows Integrated Security.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-41036	SQL2-00-023600	SV-53411r3_rule		Medium

Description
SQL Server Authentication does not provide for many of the authentication requirements required in the DoD. In some cases workarounds are present, but the authentication is not as robust and does not provide needed functionality. Without that functionality SQL Server is vulnerable to authentication attacks. Consideration must be given to the placement of SQL server inside a forest to ensure evaluation of risk within the environment is considered. Risk includes introduction of risk to SQL Server from other applications or workstations as well as risk from introduction of SQL server itself into an established environment.

Description

SQL Server Authentication does not provide for many of the authentication requirements required in the DoD. In some cases workarounds are present, but the authentication is not as robust and does not provide needed functionality. Without that functionality SQL Server is vulnerable to authentication attacks. Consideration must be given to the placement of SQL server inside a forest to ensure evaluation of risk within the environment is considered. Risk includes introduction of risk to SQL Server from other applications or workstations as well as risk from introduction of SQL server itself into an established environment.

STIG	Date
Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide	2015-03-26

Details

Check Text ( C-47653r2_chk )
To determine the Server Authentication Mode, execute the following: EXEC XP_LOGINCONFIG 'login mode' If the config_value is set to 'Mixed', this is a finding.

Fix Text (F-46335r2_fix)
From the SQL Server Management Studio, right click the server, and then click Properties. Select the Security page, under Server authentication, select Windows Authentication Mode, and then click OK.