Title: The DBMS must allow all remote access to be routed through managed access control points.
Vulnerability ID: V-32186
IA Controls: None
Description: This requirement relates to the use of applications providing remote access services. Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless.
Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will typically occur over either the public Internet or the Public Switched Telephone Network (PSTN).
Please note, utilization of a virtual private network when adequately provisioned with appropriate security controls, is considered an internal network and is not considered remote access.
Without centralized control of inbound connections, management of these access points is difficult at best. It is critical that applications providing or offering remote access capabilities also have the capability to route the access through managed access control points.
One example is the use of software applications, such as PCAnywhere or Terminal Services. Rather than having PCAnywhere installed on multiple systems, remote access software must have the capability to be centrally managed and controlled, so there are not multiple disparate access points into the environment.
Check Text: Review database settings to determine if the database is configured to accept remote connections. If the database is not configured to accept remote connections, this is NA.
Review DBMS vendor documentation and verify the DBMS does not preclude remote access from coming from a managed access control point. If the DBMS does not allow remote connections to come from a centrally managed access point, this is a finding.
Fix Text: Utilize a DBMS product that will accept remote connections passed through a centrally managed access point.

Of course SQL Server permits remote connections. If it didn't, it would be quite awkward to work with.
Remote connections by default come in through endpoints, usually the default TCP/IP endpoint. It is possible in SQL Server to configure custom endpoints so that connections do not have to come through the defaults. When an endpoint is configured, CONNECT permission on it can be granted not only to users but also to applications.
With respect to this STIG, SQL Server requires connections to come through these endpoints, which serve a role similar to a centrally managed access point.
The other options to connect include telnet and remote desktop applications used to connect and log in to the server itself. If you are using any method other than connecting via the SQL Server endpoints, then you need to review your setup for managing those external or third-party components.
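As an added example (not from the original post), the T-SQL below carries out the review the check text calls for against SQL Server's endpoints and endpoint permissions, then sets up a dedicated endpoint for the managed access point; the endpoint name, port 1533 and the login name are hypothetical placeholders.

```sql
-- 1. Review: which endpoints exist, what protocol/port they listen on, and whether they are started.
SELECT  e.name, e.protocol_desc, e.type_desc, e.state_desc,
        t.port, t.is_dynamic_port, t.ip_address
FROM    sys.endpoints AS e
LEFT JOIN sys.tcp_endpoints AS t ON t.endpoint_id = e.endpoint_id;

-- 2. Review: who may CONNECT on each endpoint, and whether that is a GRANT or a DENY.
--    Run this before and after the changes below so nothing is locked out by accident.
SELECT  e.name AS endpoint_name, sp.name AS grantee, p.permission_name, p.state_desc
FROM    sys.server_permissions AS p
JOIN    sys.endpoints AS e ON e.endpoint_id = p.major_id AND p.class_desc = 'ENDPOINT'
JOIN    sys.server_principals AS sp ON sp.principal_id = p.grantee_principal_id
ORDER BY e.name, sp.name;

-- 3. Create a dedicated TSQL endpoint for traffic arriving from the managed access point.
--    Hypothetical: the endpoint name and port 1533 are placeholders for this example.
CREATE ENDPOINT [MgmtGatewayEndpoint]
    STATE = STARTED
    AS TCP (LISTENER_PORT = 1533, LISTENER_IP = ALL)
    FOR TSQL ();

-- 4. Grant CONNECT only to the login the access point uses (hypothetical login name).
GRANT CONNECT ON ENDPOINT::[MgmtGatewayEndpoint] TO [CORP\GatewayServiceLogin];

-- 5. Enforcement: stop the default TCP endpoint from being a second, unmanaged way in.
--    The Dedicated Admin Connection is a separate endpoint and is not affected by this.
REVOKE CONNECT ON ENDPOINT::[TSQL Default TCP] FROM public;

-- An endpoint decides who may connect and on which port, not where the packets come from.
-- Limiting port 1533 to the access point's address is done on the host or network firewall,
-- which is part of the external setup the post says still has to be reviewed.
```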