Database Master Key passwords must not be stored in credentials within the database.


Overview

Finding ID: V-41416
Version: SQL2-00-024200
Rule ID: SV-53945r2_rule
IA Controls: (none listed)
Severity: Medium
Description
Storage of the Database Master Key password in a database credential allows decryption of sensitive data by privileged users who may not have a need-to-know requirement to access the data.
STIG: Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide
Date: 2019-01-08

Details

Check Text (C-47952r1_chk)
From the query prompt:
SELECT COUNT(credential_id)
FROM [master].sys.master_key_passwords

If count is not 0, this is a finding.
Fix Text (F-46845r2_fix)
Use the stored procedure sp_control_dbmasterkey_password to remove any credentials that store Database Master Key passwords.
From the query prompt:
EXEC SP_CONTROL_DBMASTERKEY_PASSWORD @db_name = '[database name]', @action = N'drop'
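The check and fix above are per-instance, and the fix must be run once per affected database. The following T-SQL is an added example, not part of the STIG text: it lists each stored DMK-password credential together with the database it belongs to (sys.master_key_passwords only exposes credential_id and family_guid, so the names come from joining sys.credentials and sys.database_recovery_status), drops the credential for every database it can resolve, and then re-runs the STIG check so the result can be recorded as evidence. The cursor name, column aliases and messages are the example's own choices; the catalog views and stored procedure are SQL Server's.

```sql
-- Added example (not from the STIG): audit, remediate and verify V-41416
-- in one script. Run from a query window as a login holding CONTROL SERVER,
-- which sys.master_key_passwords requires.
USE master;
GO

-- 1. Audit: which credentials hold a Database Master Key password, and for
--    which database? family_guid in sys.master_key_passwords matches
--    family_guid in sys.database_recovery_status for the owning database.
SELECT  mkp.credential_id,
        c.name          AS credential_name,
        mkp.family_guid,
        d.name          AS database_name      -- NULL: owning database not attached
FROM    sys.master_key_passwords        AS mkp
JOIN    sys.credentials                 AS c   ON c.credential_id = mkp.credential_id
LEFT JOIN sys.database_recovery_status  AS drs ON drs.family_guid = mkp.family_guid
LEFT JOIN sys.databases                 AS d   ON d.database_id   = drs.database_id;
GO

-- 2. Remediate: apply the STIG fix (sp_control_dbmasterkey_password ... 'drop')
--    to every database that still has a stored DMK password.
DECLARE @db   sysname,
        @cred sysname;

DECLARE dmk_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT d.name, c.name
    FROM   sys.master_key_passwords        AS mkp
    JOIN   sys.credentials                 AS c   ON c.credential_id = mkp.credential_id
    LEFT JOIN sys.database_recovery_status AS drs ON drs.family_guid = mkp.family_guid
    LEFT JOIN sys.databases                AS d   ON d.database_id   = drs.database_id;

OPEN dmk_cur;
FETCH NEXT FROM dmk_cur INTO @db, @cred;
WHILE @@FETCH_STATUS = 0
BEGIN
    IF @db IS NOT NULL
    BEGIN
        -- The documented fix: the procedure finds the credential whose
        -- family_guid matches this database and drops it.
        EXEC sp_control_dbmasterkey_password @db_name = @db, @action = N'drop';
        PRINT N'Dropped stored DMK password for database ' + QUOTENAME(@db);
    END
    ELSE
    BEGIN
        -- Orphaned credential: the owning database is detached or dropped, so
        -- the procedure has no @db_name to work with. It still counts toward
        -- the finding; review it and remove it manually with DROP CREDENTIAL.
        PRINT N'Manual review needed: orphaned DMK credential ' + QUOTENAME(@cred);
    END
    FETCH NEXT FROM dmk_cur INTO @db, @cred;
END
CLOSE dmk_cur;
DEALLOCATE dmk_cur;
GO

-- 3. Verify: the STIG check text must now return 0.
SELECT COUNT(credential_id) AS stored_dmk_passwords
FROM   [master].sys.master_key_passwords;
GO
```

Before running step 2 in production, confirm how each affected database's master key is otherwise protected. The stored credential is what lets SQL Server open a DMK automatically when it is not encrypted by the service master key; once the credential is gone, sessions that relied on that path will need an explicit OPEN MASTER KEY DECRYPTION BY PASSWORD, so application owners should be told which databases are affected.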