UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Applications must support organizational requirements to employ cryptographic mechanisms to protect information in storage.


Overview

Finding ID Version Rule ID IA Controls Severity
V-28066 SHPT-00-000640 SV-37792r2_rule High
Description
When data is written to digital media there is risk of data loss and data compromise. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations need to document in policy and procedures, the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. Encryption of data at rest in SQL is required if the data owner deems it necessary.
STIG Date
MS SharePoint 2010 Security Technical Implementation Guide 2018-04-02

Details

Check Text ( C-37427r1_chk )
Each of the following scripts must be run as TSQL queries, replacing string text with suitable replacements. Navigate to the SQL Server Management Console and open a new query window to run the following script.

1. Run this TSQL query below.

USE SharePointContentDB
GO
SELECT {NAME},is_encrypted
FROM sys.databases
WHERE name='TDE_Testing'
GO

2. Mark as a finding if return value is not 1.
3. Mark as not a finding if a third-party solution is used and documented with the IAO.
Fix Text (F-32667r1_fix)
Data-at-rest encryption is provided by encryption of the SQL 2008 SharePoint database using TDE or a third party solution. Each of the following scripts must be run as TSQL queries and replace string text with suitable replacements.

Navigate to the SQL Server Management Console and open a new query window to run the following script.

1. Create the DMK.

USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC';
GO

2. Create the TDE Certificate.

USE master;
GO
CREATE CERTIFICATE CompanyABCtdeCert WITH SUBJECT = 'CompanyABC TDE Certificate';
GO

3. Back up the TDE Certificate.

USE master;
GO
BACKUP CERTIFICATE CompanyABCtdeCert TO FILE = 'C:\Backup\CompanyABCtdeCERT.cer'
WITH PRIVATE KEY (
FILE = 'C:\Backup\CompanyABCtdeCert.pvk',
ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!');
GO

4. Create the DEK.

USE SharePointContentDB;
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE CompanyABCtdeCert
GO

5. Encrypt the database.

USE SharePointContentDB
GO
ALTER DATABASE SharePointContentDB
SET ENCRYPTION ON
GO

6. Monitor the progress; once encryption_state is ‘3’, the database is encrypted.
USE SharePointContentDB
GO
SELECT *
FROM sys.dm_database_encryption_keys
WHERE encryption_state = 3;
GO