DoD STIGs – V-32184


Overview:

Title: A DBMS providing remote access capabilities must utilize approved cryptography to protect the integrity of remote access sessions.

Vulnerability ID: V-32184

STIG ID:

IA Controls: None

Severity: medium

Description: Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless.

Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will typically occur over the public Internet, the Public Switched Telephone Network (PSTN), or sometimes both. Since neither of these internetworking mechanisms is private or secure, if cryptography is not used, the session data traversing the remote connection could be intercepted and potentially modified. Cryptography provides a means to secure the remote connection and prevent unauthorized changes to the data traversing it, thereby providing a degree of integrity. The encryption strength of the mechanism is selected based on the security categorization of the information that traverses the remote connection.

Databases that accept remote connections must use approved cryptography to protect data being passed via an unsecure network. If approved cryptography is not used, data can be intercepted and potentially modified.

Check Text: Review system documentation to determine whether the system handles classified information. If the system handles classified information, the severity of this check should be upgraded to a Category I.

Review database settings to determine if database is configured to accept remote connections. If the database is not configured to accept remote connections, this is NA.

Check database settings to determine whether the data for remote connections is being encrypted with organization defined cryptography. If data for remote connections is not being encrypted with approved cryptography, this is a finding.

Fix Text: Configure database to use organization defined cryptography to encrypt data passing over remote connections.

Interpreting V-32184:

By default, SQL Server does not encrypt its communication with applications. This STIG's requirement is that the communication coming into SQL Server carry encrypted data, especially when data that should be protected is being transferred over an unsecured network such as the Internet. SSL / TLS are options that can be configured on the SQL Server to ensure that all communication to and from the SQL Server is protected at a base level, even on an unprotected network.

Encrypting the raw data stored in tables may be enough, as long as the encryption and decryption of the data occur on the client system before any data is transferred. If the data is encrypted and decrypted on the server, it will be transferred in plain text.
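One way to perform the Check Text against a SQL Server instance, as an added example that is not part of the STIG or this page's original content: the query below lists current sessions and flags any that arrive over the network without TLS. It assumes the standard SQL Server DMVs sys.dm_exec_connections and sys.dm_exec_sessions and the VIEW SERVER STATE permission; the v32184_status label is a constructed name for this example.

```sql
-- Added example (not from the STIG or the page author): audit the
-- connections currently open on a SQL Server instance and flag any
-- that reach it over the network without TLS protection.
-- encrypt_option is 'TRUE' when the session's TDS stream is encrypted.
-- Requires VIEW SERVER STATE.
SELECT  c.session_id,
        s.login_name,
        s.host_name,
        c.net_transport,          -- 'TCP', 'Named pipe', 'Shared memory', ...
        c.client_net_address,
        c.encrypt_option,         -- 'TRUE' = encrypted, 'FALSE' = plain text
        c.auth_scheme,
        CASE
            WHEN c.net_transport = N'Shared memory' THEN N'Local (NA)'
            WHEN c.encrypt_option = N'TRUE'        THEN N'Compliant'
            ELSE N'Finding: unencrypted remote session'
        END AS v32184_status      -- constructed label for this example
FROM    sys.dm_exec_connections AS c
JOIN    sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE   s.is_user_process = 1
ORDER BY v32184_status DESC, c.session_id;

-- Spot check of the session running this script: a 'FALSE' over TCP
-- means the instance is accepting plain-text remote traffic.
SELECT encrypt_option, net_transport
FROM   sys.dm_exec_connections
WHERE  session_id = @@SPID;
```

This is a point-in-time view of open sessions only; to satisfy the Fix Text the instance itself must be configured to require encryption (for example, the Force Encryption flag on the instance's network protocols in SQL Server Configuration Manager), so that clients cannot simply omit encryption.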
