
Applications must support organizational requirements to employ cryptographic mechanisms to protect information in storage.

Overview

Finding ID: V-28066
Version: SHPT-00-000640
Rule ID: SV-37792r2_rule
IA Controls:
Severity: High
Description
When data is written to digital media there is a risk of data loss and data compromise. An organizational assessment of risk guides the selection of media, and of the information contained on the media, that requires restricted access. Organizations need to document in policy and procedures the media requiring restricted access, the individuals authorized to access the media, and the specific measures taken to restrict access. Encryption of data at rest in SQL is required if the data owner deems it necessary.

STIG: MS SharePoint 2010 Security Technical Implementation Guide
Date: 2019-01-02

Details

Check Text ( C-37427r1_chk )
Each of the following scripts must be run as TSQL queries, replacing the placeholder string values with suitable replacements for the site. Navigate to the SQL Server Management Console and open a new query window to run the following script.

1. Run the TSQL query below.

USE SharePointContentDB
GO
-- is_encrypted = 1 means TDE is enabled on the database
SELECT name, is_encrypted
FROM sys.databases
WHERE name = 'TDE_Testing'   -- replace with the name of the SharePoint content database
GO

2. Mark as a finding if the returned is_encrypted value is not 1.
3. Mark as not a finding if a third-party data-at-rest encryption solution is used and documented with the IAO.
Fix Text (F-32667r1_fix)
Data-at-rest encryption is provided by encrypting the SQL 2008 SharePoint database using TDE or a third-party solution. Each of the following scripts must be run as TSQL queries, replacing the placeholder string values with suitable replacements for the site.

Navigate to the SQL Server Management Console and open a new query window to run the following script.

1. Create the DMK.

USE master;
GO
-- Replace the sample password with a strong one and store it outside the server;
-- it is needed to regenerate or restore the database master key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC';
GO

2. Create the TDE Certificate.

USE master;
GO
CREATE CERTIFICATE CompanyABCtdeCert WITH SUBJECT = 'CompanyABC TDE Certificate';
GO

3. Back up the TDE Certificate.

USE master;
GO
-- Keep the certificate, private key file and password off the server they protect;
-- without them an encrypted database cannot be restored on another instance.
BACKUP CERTIFICATE CompanyABCtdeCert TO FILE = 'C:\Backup\CompanyABCtdeCERT.cer'
WITH PRIVATE KEY (
FILE = 'C:\Backup\CompanyABCtdeCert.pvk',
ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!');
GO

4. Create the DEK.

USE SharePointContentDB;
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE CompanyABCtdeCert
GO

5. Encrypt the database.

USE SharePointContentDB
GO
ALTER DATABASE SharePointContentDB
SET ENCRYPTION ON
GO

6. Monitor the progress; once encryption_state is '3', the database is encrypted.

USE SharePointContentDB
GO
-- encryption_state: 1 = unencrypted, 2 = encryption in progress, 3 = encrypted
SELECT *
FROM sys.dm_database_encryption_keys
WHERE encryption_state = 3;
GO
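Step 6 as written returns no rows until the background encryption scan has finished, so it gives no feedback while a large content database is still being encrypted, and it cannot distinguish "in progress" from "encryption was never turned on". The script below is an added example, not part of the STIG fix text: it polls sys.dm_database_encryption_keys for one database, prints percent_complete while the scan runs, and stops with a message when the database is encrypted (state 3), when no database encryption key exists (steps 4 and 5 not run), or when a key exists but encryption is off (state 1, step 5 not run). The database name SharePointContentDB and the 10-second polling interval are assumptions to adjust for the site.

```sql
-- Added example (not from the STIG): poll TDE progress for one database.
-- Assumes SQL Server 2008+ and VIEW SERVER STATE; replace the database name.
USE master;
GO
DECLARE @db    sysname = N'SharePointContentDB';  -- assumed name, replace as needed
DECLARE @state int;
DECLARE @pct   real;

WHILE 1 = 1
BEGIN
    SET @state = NULL;
    SET @pct   = NULL;

    SELECT @state = encryption_state,
           @pct   = percent_complete
    FROM   sys.dm_database_encryption_keys
    WHERE  database_id = DB_ID(@db);

    IF @state IS NULL
    BEGIN
        -- No DEK: steps 4 and 5 have not been run for this database.
        RAISERROR('No database encryption key found for %s; run steps 4 and 5 first.', 16, 1, @db);
        BREAK;
    END

    IF @state = 1
    BEGIN
        -- DEK exists but ALTER DATABASE ... SET ENCRYPTION ON was never issued.
        RAISERROR('Database %s has a DEK but encryption is not enabled; run step 5.', 16, 1, @db);
        BREAK;
    END

    IF @state = 3
    BEGIN
        PRINT 'Database ' + @db + ' is encrypted.';
        BREAK;
    END

    -- States 2, 4, 5 and 6 are transitional; report progress and wait.
    PRINT 'Database ' + @db
        + ' encryption_state=' + CAST(@state AS varchar(2))
        + ', percent_complete=' + CAST(@pct AS varchar(10));
    WAITFOR DELAY '00:00:10';   -- assumed polling interval
END
GO
```

Run it in the same query window after step 5; the PRINT output appears in the Messages tab as the scan progresses. Because the scan encrypts tempdb as well, the first poll on a busy instance may show a small percent_complete for some time before it starts to climb.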