UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

If passwords are used for authentication, SQL Server must transmit only encrypted representations of passwords.


Overview

Finding ID Version Rule ID IA Controls Severity
V-67865 SQL4-00-018700 SV-82355r1_rule High
Description
Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission. DBMS passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database.
STIG Date
MS SQL Server 2014 Instance Security Technical Implementation Guide 2016-06-27

Details

Check Text ( C-68433r1_chk )
From a command prompt, open SQL Server Configuration Manager by typing sqlservermanager12.msc, and pressing [ENTER].

Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right-click on Protocols for , where is a placeholder for the SQL Server instance name, and click on Properties.

On the Flags tab, if Force Encryption is set to NO, this is a finding.

On the Flags tab, if Force Encryption is set to YES, examine the certificate used on the Certificate tab.

If it is not a DoD certificate, or if no certificate is listed, this is a finding.
Fix Text (F-73981r1_fix)
Configure SQL Server to encrypt authentication data for remote connections using DoD-approved cryptography.

Deploy encryption to the SQL Server Network Connections.

From a command prompt, open SQL Server Configuration Manager by typing sqlservermanager12.msc, and pressing [ENTER].

Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right-click on Protocols for , where is a placeholder for the SQL Server instance name, and click on Properties.

On the Flags tab, set Force Encryption to YES, and provide DoD certificate on the Certificate tab.