Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-67865 | SQL4-00-018700 | SV-82355r1_rule |  | High |
Description |
---|
Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission. DBMS passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database. |
STIG | Date |
---|---|
MS SQL Server 2014 Instance Security Technical Implementation Guide | 2016-06-27 |
Check Text ( C-68433r1_chk ) |
---|
From a command prompt, open SQL Server Configuration Manager by typing sqlservermanager12.msc and pressing [ENTER]. Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right-click on Protocols for [instance name], where [instance name] is the SQL Server instance being reviewed, and select Properties. On the Flags tab, if Force Encryption is set to NO, this is a finding. If Force Encryption is set to YES, examine the certificate listed on the Certificate tab. If no certificate is listed, or the certificate listed is not a DoD certificate, this is a finding. |
Fix Text (F-73981r1_fix) |
---|
Configure SQL Server to encrypt authentication data for remote connections using DoD-approved cryptography by deploying encryption on the SQL Server network protocols. From a command prompt, open SQL Server Configuration Manager by typing sqlservermanager12.msc and pressing [ENTER]. Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right-click on Protocols for [instance name], where [instance name] is the SQL Server instance being configured, and select Properties. On the Certificate tab, select the DoD-issued certificate; on the Flags tab, set Force Encryption to YES. Restart the SQL Server service for the setting to take effect. The SQL Server service account must have read access to the certificate's private key, or the service will not start after the change. |
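The Check Text and Fix Text above describe a GUI procedure. The following PowerShell script is an added example, not part of the STIG, that performs the same check and fix from the command line by reading and writing the registry values that SQL Server Configuration Manager itself stores (`ForceEncryption` and `Certificate` under the instance's `SuperSocketNetLib` key) and resolving the bound certificate in the local machine store. It assumes it is run elevated on the SQL Server host; the "DoD certificate" test is an assumption approximated by an issuer match on `O=U.S. Government` and `OU=DoD` in `$DodIssuerPattern`, which should be adjusted to the organisation's PKI. The function names `Get-SqlForceEncryptionStatus` and `Set-SqlForceEncryption` are this example's own.

```powershell
# Added example; not part of the STIG. Audits each installed SQL Server instance
# on the local host for SQL4-00-018700 by reading the registry values that SQL
# Server Configuration Manager writes, then resolves the bound certificate.
# Assumptions: run elevated on the SQL Server host; "DoD certificate" is
# approximated by the issuer pattern below (adjust for your PKI).
# Finding = $true means the instance fails the check.

$SqlRoot          = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$DodIssuerPattern = 'O=U\.S\. Government.*OU=DoD|OU=DoD.*O=U\.S\. Government'   # assumption

function Get-SqlForceEncryptionStatus {
    # "Instance Names\SQL" maps each instance name to its registry id (e.g. MSSQL12.MSSQLSERVER)
    $names = Get-ItemProperty -Path "$SqlRoot\Instance Names\SQL"
    foreach ($prop in ($names.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $instance = $prop.Name
        $id       = $prop.Value
        $cfg      = Get-ItemProperty -Path "$SqlRoot\$id\MSSQLServer\SuperSocketNetLib"

        $force = [int]$cfg.ForceEncryption      # 1 = Force Encryption "Yes", 0 (or absent) = "No"
        $thumb = [string]$cfg.Certificate       # lowercase thumbprint of the bound certificate, '' if none

        $cert = $null
        if ($thumb) {
            $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
                    Where-Object { $_.Thumbprint -ieq $thumb } |
                    Select-Object -First 1
        }
        $isDod    = [bool]($cert -and ($cert.Issuer -match $DodIssuerPattern))
        $issuer   = if ($cert) { $cert.Issuer }   else { '(no certificate bound)' }
        $notAfter = if ($cert) { $cert.NotAfter } else { $null }

        [pscustomobject]@{
            Instance        = $instance
            InstanceId      = $id
            ForceEncryption = $force
            Thumbprint      = $thumb
            Issuer          = $issuer
            NotAfter        = $notAfter
            Finding         = ($force -ne 1) -or (-not $cert) -or (-not $isDod)
        }
    }
}

# Remediation matching the Fix Text: bind the certificate and set Force Encryption
# to Yes. SQL Server reads these values at startup, so the instance must be
# restarted, and the service account needs read access to the certificate's
# private key or the service will fail to start.
function Set-SqlForceEncryption {
    param(
        [Parameter(Mandatory)][string]$InstanceId,   # e.g. MSSQL12.MSSQLSERVER
        [Parameter(Mandatory)][string]$Thumbprint,   # thumbprint of the DoD-issued certificate
        [switch]$RestartService
    )
    $key = "$SqlRoot\$InstanceId\MSSQLServer\SuperSocketNetLib"
    $present = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -ieq $Thumbprint }
    if (-not $present) {
        throw "Certificate $Thumbprint is not in Cert:\LocalMachine\My; import it before binding."
    }
    Set-ItemProperty -Path $key -Name Certificate     -Value $Thumbprint.ToLower() -Type String
    Set-ItemProperty -Path $key -Name ForceEncryption -Value 1                     -Type DWord
    if ($RestartService) {
        # Default instance service is MSSQLSERVER; named instances are MSSQL$<name>
        $name = $InstanceId.Split('.')[1]
        $svc  = if ($name -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$name" }
        Restart-Service -Name $svc -Force
    }
}

Get-SqlForceEncryptionStatus | Format-Table -AutoSize
```

After remediation, confirm from inside the instance that sessions are actually encrypted with `SELECT session_id, encrypt_option, auth_scheme FROM sys.dm_exec_connections;` and expect `encrypt_option = TRUE` for remote sessions. Note the caveat behind this rule: with Force Encryption set to NO, SQL Server still encrypts only the login packet, and does so with a self-signed certificate that a client cannot validate, so the rest of the session is in clear text and an active attacker on the path can still interpose; both Force Encryption and a certificate from a trusted CA are needed to close that gap.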