STIGQter STIGQter: STIG Summary: Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide Version: 1 Release: 18 Benchmark Date: 25 Jan 2019: SQL Server must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

DISA Rule

SV-53940r5_rule

Vulnerability Number

V-41412

Group Title

SRG-APP-000196-DB-000140

Rule Version

SQL2-00-019500

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

Ensure the database is backed up.

Run the following SQL to undo encryption and drop the existing database encryption key:
USE master;
GO
ALTER DATABASE <database name> SET ENCRYPTION OFF;
GO
USE <database name> ;
GO
DROP DATABASE ENCRYPTION KEY;
GO

Run the following SQL to drop a server certificate from the SQL Server instance:
USE master;
GO
DROP CERTIFICATE <certificate name>;
GO

If applicable, run the following SQL to drop a symmetric key:
USE <database name>;
GO
DROP SYMMETRIC KEY <key name>;
GO

Configure encryption to use approved encryption algorithms. Existing keys are not reconfigurable to use different algorithms.

Run SQL along the lines of the following to import an externally-created server certificate (see Microsoft documentation for options and syntax details):
USE master;
GO
CREATE CERTIFICATE <certificate name>
FROM FILE = '<path\file_name>'
...
;
GO

Run the following SQL to create a database encryption key and encrypt the database:
USE <database name>;
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE <certificate name>;
GO
USE master;
GO
ALTER DATABASE <database name> SET ENCRYPTION ON;
GO

Note: The acceptable algorithms are: "AES 128", "AES 192", "AES 256" and "Triple DES".

If required, run the following SQL to create a symmetric key and assign an existing certificate:
USE <database name>;
GO
CREATE SYMMETRIC KEY <key name>
WITH ALGORITHM = AES_256
ENCRYPTION BY CERTIFICATE <certificate name>;

Check Contents

If encryption is not required for this database, this is not a finding.

Run the following SQL queries to review SQL Server's cryptographic settings for the database:

USE <database name> ;
IF NOT EXISTS
(
SELECT 1
FROM sys.dm_database_encryption_keys
WHERE DB_NAME(database_id) = DB_NAME()
)
SELECT
DB_NAME() AS [Database Name],
'No database encryption key present, no encryption' AS [Encryption State],
NULL AS [Algorithm],
NULL AS [Key Length]
ELSE
SELECT
DB_NAME(database_id) AS [Database Name],
CASE encryption_state
WHEN 0 THEN 'No database encryption key present, no encryption'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryption in progress'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'Key change in progress'
WHEN 5 THEN 'Decryption in progress'
WHEN 6 THEN 'Protection change in progress'
END AS [Encryption State],
key_algorithm AS [Algorithm],
key_length AS [Key Length]
FROM sys.dm_database_encryption_keys
WHERE DB_NAME(database_id) = DB_NAME()

SELECT DB_NAME() AS [Database], name, algorithm_desc
FROM sys.symmetric_keys
ORDER BY name, algorithm_desc;

Note: The acceptable algorithms are: "AES 128", "AES 192", "AES 256" and "Triple DES".

If SQL Server cryptographic algorithms are not listed or are found not to be compliant with applicable federal laws, Executive Orders, directives, policies, regulations, standards and guidance, this is a finding.

If the encryption state indicates that the database is unencrypted, this is a finding.

Vulnerability Number

V-41412

Documentable

False

Rule Version

SQL2-00-019500

Severity Override Guidance

If encryption is not required for this database, this is not a finding.

Run the following SQL queries to review SQL Server's cryptographic settings for the database:

USE <database name> ;
IF NOT EXISTS
(
SELECT 1
FROM sys.dm_database_encryption_keys
WHERE DB_NAME(database_id) = DB_NAME()
)
SELECT
DB_NAME() AS [Database Name],
'No database encryption key present, no encryption' AS [Encryption State],
NULL AS [Algorithm],
NULL AS [Key Length]
ELSE
SELECT
DB_NAME(database_id) AS [Database Name],
CASE encryption_state
WHEN 0 THEN 'No database encryption key present, no encryption'
WHEN 1 THEN 'Unencrypted'
WHEN 2 THEN 'Encryption in progress'
WHEN 3 THEN 'Encrypted'
WHEN 4 THEN 'Key change in progress'
WHEN 5 THEN 'Decryption in progress'
WHEN 6 THEN 'Protection change in progress'
END AS [Encryption State],
key_algorithm AS [Algorithm],
key_length AS [Key Length]
FROM sys.dm_database_encryption_keys
WHERE DB_NAME(database_id) = DB_NAME()

SELECT DB_NAME() AS [Database], name, algorithm_desc
FROM sys.symmetric_keys
ORDER BY name, algorithm_desc;

Note: The acceptable algorithms are: "AES 128", "AES 192", "AES 256" and "Triple DES".

If SQL Server cryptographic algorithms are not listed or are found not to be compliant with applicable federal laws, Executive Orders, directives, policies, regulations, standards and guidance, this is a finding.

If the encryption state indicates that the database is unencrypted, this is a finding.

Check Content Reference

M

Target Key

2560

Comments