UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

SQL Server must enforce password encryption for transmission.


Overview

Finding ID Version Rule ID IA Controls Severity
V-40921 SQL2-00-018700 SV-53275r2_rule Medium
Description
Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission. DBMS passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database.
STIG Date
Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide 2015-06-23

Details

Check Text ( C-47576r2_chk )
From a command prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER].

Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties.

On the Flags tab, if Force Encryption is set to YES, examine the certificate used on the Certificate tab. If it is not a DoD certificate, this is a finding.
Fix Text (F-46203r2_fix)
Configure SQL Server to encrypt authentication data for remote connections using organization-defined encryption.

Deploy encryption to the SQL Server Network Connections.

From a command prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER].

Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties.

On the Flags tab, set Force Encryption to YES, and provide DoD certificate on the Certificate tab.