Title: A DBMS providing remote access capabilities must utilize organization defined cryptography to protect the confidentiality of data passing over remote access sessions.
Vulnerability ID: V-32183
IA Controls: None
Description: Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless.
Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will typically occur over either the public Internet or the Public Switched Telephone Network (PSTN). Since neither of these internetworking mechanisms is private or secure, if cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised. Cryptography provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information traversing the remote connection.
Databases that accept remote connections must use approved cryptography to prevent disclosure of data being passed via an unsecure network. If approved cryptography is not used, data can be intercepted or compromised.
Check Text: Review system documentation to determine whether the system handles classified information. If the system handles classified information, the severity of this check should be upgraded to a Category I.
Review database settings to determine if database is configured to accept remote connections. If the database is not configured to accept remote connections, this is NA.
Check database settings to determine whether the data for remote connections is being encrypted with organization defined cryptography. If data for remote connections is not being encrypted with organization defined cryptography, this is a finding.
Fix Text: Configure database to encrypt data passing over remote connections.
Of course SQL Server permits remote connections. If it didn't, it would be quite awkward to work with.
The issue here is that not all networks are secured in the sense of encrypting the information sent across the wire. There are a few ways to deal with this (IPsec between the hosts, for example), but the primary method within SQL Server itself is to ensure the connections are encrypted with TLS. This is managed through SQL Server Configuration Manager under SQL Server Network Configuration: right-click Protocols for <instancename>, choose Properties, and the Flags tab holds the relevant option.
Setting Force Encryption to Yes tells SQL Server to refuse unencrypted connections from the native drivers. If no certificate has been provisioned, the instance falls back to a self-signed certificate it generates itself at startup, so no further action is needed to get this basic level of protection: the data is encrypted on the wire, which is what the STIG check asks for. The caveat is that clients cannot validate a self-signed certificate, so this only defeats passive eavesdropping. A client that validates the server certificate (TrustServerCertificate set to no) will fail to connect, and a client that does not validate will just as happily accept a certificate presented by an attacker sitting in the middle. To properly secure the connection, obtain a TLS certificate for the server whose subject or SAN matches the FQDN clients connect to, with the Server Authentication EKU; grant the SQL Server service account read permission on its private key; select it on the Certificate tab of the Protocols for <instancename> Properties window; and restart the service for the change to take effect.
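The STIG check text above asks whether the instance accepts remote connections and whether those connections are actually encrypted. The following T-SQL is an added example of how to verify both after the Force Encryption and certificate steps; it is not part of the STIG text or the original post. It assumes SQL Server 2012 or later for sys.dm_tcp_listener_states (the other DMVs exist from 2008 R2), and the last query uses the undocumented xp_instance_regread procedure and requires sysadmin.

```sql
-- Added verification for V-32183 (example code, not the STIG's own check script).

-- 1. Is the instance listening on the network at all? If nothing is listening
--    on TCP, remote connections are not accepted and the rule is NA.
--    (Checking the 'remote access' sp_configure option is a common mistake:
--    it governs remote stored-procedure execution, not network listeners.)
SELECT ip_address, port, type_desc, state_desc, start_time
FROM sys.dm_tcp_listener_states
WHERE type_desc = N'TSQL';

-- 2. Are the current network sessions encrypted? encrypt_option is 'TRUE'
--    when TLS was negotiated for that connection. Shared-memory sessions are
--    local to the box and never traverse the network, so they are excluded.
SELECT c.session_id,
       c.net_transport,
       c.client_net_address,
       c.encrypt_option,
       c.auth_scheme,
       s.login_name,
       s.program_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.net_transport <> N'Shared memory'
ORDER BY c.encrypt_option, c.session_id;

-- 3. Finding summary: any network session without encryption is a finding.
--    This only sees sessions connected right now, so run it while the
--    application load is present or pair it with the flag check below.
SELECT COUNT(*) AS unencrypted_network_sessions
FROM sys.dm_exec_connections
WHERE net_transport IN (N'TCP', N'Named pipe')
  AND encrypt_option = N'FALSE';

-- 4. The Force Encryption flag and the selected certificate are not exposed
--    by any DMV; they live in the instance's SuperSocketNetLib registry key.
--    xp_instance_regread rewrites the generic MSSQLServer path to the
--    MSSQLnn.<instance> path of the instance it runs on.
DECLARE @force_encryption INT,
        @cert_thumbprint  NVARCHAR(128);

EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib',
     N'ForceEncryption',
     @force_encryption OUTPUT;

EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib',
     N'Certificate',
     @cert_thumbprint OUTPUT;

-- force_encryption: 1 = on, 0 or NULL = off (finding if the instance listens).
-- certificate_thumbprint: empty = the self-signed fallback is in use, which
-- encrypts the wire but gives clients nothing they can validate.
SELECT @force_encryption AS force_encryption,
       @cert_thumbprint  AS certificate_thumbprint;
```

Query 2 is the one to keep in a runbook: seeing encrypt_option = TRUE on a session from a real client address is direct evidence for the STIG check, whereas the registry values only show intent. If query 3 returns a non-zero count while Force Encryption is on, look for sessions that predate the service restart, since the flag only applies to connections made after it.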
Keep an eye out for a video coming in mid-2016 about how to setup the certificate to ensure data from SQL Server is protected across the network.