Title: The DBMS must utilize approved cryptography when passing authentication data for remote access sessions.
Vulnerability ID: V-32182
IA Controls: None
Description: Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless.
Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will typically occur over either the internet or the Public Switched Telephone Network (PSTN). Since neither of these internetworking mechanisms are private nor secure, if cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised. Cryptography provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information traversing the remote connection.
Login/Account information can be compromised if authentication data being passed over a public network is not secured via approved cryptography. This can result in unauthorized access to the database.
Check Text: Review settings to determine if DBMS is configured to accept remote connections. If the DBMS is not configured to accept remote connections, this is NA.
Check DBMS settings to determine whether the authentication data for remote connections is being encrypted with approved cryptography. If authentication data for remote connections is not being encrypted with approved cryptography, this is a finding.
Fix Text: Configure the DBMS to encrypt authentication data for remote connections using organization defined encryption.
Starting with SQL 2008 the credentials to connect to SQL Server are sent encrypted automatically, even if no additional steps are taken to protect them. In systems running SQL 2005 and earlier the UID and password are transmitted in plain text. To ensure all data being transferred is protected SSL\TLS certificates should be configured on each instance of SQL that is being used.