STIGQter: STIG Summary: EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The EDB Postgres Advanced Server must protect the confidentiality and integrity of all information at rest.

DISA Rule

SV-224178r508023_rule

Vulnerability Number

V-224178

Group Title

SRG-APP-000231-DB-000154

Rule Version

EP11-00-005700

Severity

CAT II

CCI(s)

• CCI-001199 - The information system protects the confidentiality and/or integrity of organization-defined information at rest.

Weight

10

Fix Recommendation

Complete these steps as the Windows user that serves as the user who is configure to run the EDB Postgres database service. If done as a different user, the Windows database service user will be unable to view this folder and therefore unable to start the database. By default, the service is configured to be run by the NetworkService account, which is a special Windows account that may not have the ability to encrypt the data directory. As a result, it may be necessary to change the service to run under a different account that can access the directory and encrypt it.

Use the following steps, to update the service, encrypt the data directory, and restart the service:
1. Change the edb-as-11 service to run as a local user account that is the same domain user that will be used to encrypt the data directory (ex. "administrator").
Open Computer Management >> Services.
Highlight the "edb-as-11 service".
Stop the service.
Select the service properties.
Select the "Log On" tab, and update the "Log on as" setting to an account such as "Administrator".

2. Encrypt the data directory by following these instructions (logged in as the user who runs the service):
Right-click on <postgresql data directory>, select properties, select the Advanced button in the General tab, and then select the "Encrypt contents to secure data" checkbox in the "Advanced Attributes" window. Select the option to apply to subfolders and files when prompted.

3. Restart the EDB service after encrypting the drive.

Check Contents

If the application owner and Authorizing Official have determined that encryption of data at rest is NOT required, this is not a finding.

Right-click on <postgresql data directory>, select properties, then select the General tab and the Advanced button.

If the "Encrypt contents to secure data" check box is not checked, this is a finding.

Vulnerability Number

V-224178

Documentable

False

Rule Version

EP11-00-005700

Severity Override Guidance

If the application owner and Authorizing Official have determined that encryption of data at rest is NOT required, this is not a finding.

Right-click on <postgresql data directory>, select properties, then select the General tab and the Advanced button.

If the "Encrypt contents to secure data" check box is not checked, this is a finding.

Check Content Reference

M

Target Key

4107

Comments