Title: The DBMS must ensure remote sessions that access an organization defined list of security functions and security-relevant information are audited.
Vulnerability ID: V-32188
IA Controls: None
Description: Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless.
Remote network and system access is accomplished by leveraging common communication protocols to establish a remote connection. These connections will typically originate over either the public Internet or the Public Switched Telephone Network (PSTN). Neither of these internetworking mechanisms is private or secure and they do not by default restrict access to networked resources once connectivity is established.
Numerous best practices are employed to protect remote connections, such as utilizing encryption to protect data sessions and firewalls to restrict and control network connectivity. In addition to these protections, auditing must also be utilized in order to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations post security incident.
When organizations define security related application functions or security-related application information, it is incumbent upon the application providing access to that data to ensure auditing of remote connectivity to those resources occurs in support of organizational requirements.
Remote access to security functions (e.g., user management, audit log management, etc.) and security relevant information requires the activity be audited by the organization. Any application providing remote access must support organizational requirements to audit access or organization defined security functions and security-relevant information.
Databases security features accessed through remote methods must be audited to ensure the access is authorized and appropriate.
Check Text: Review database settings to determine if database is configured to accept remote connections. If the database is not configured to accept remote connections, this is NA.
Review DBMS settings and verify the auditing of security features accessed via remote database access is enabled. If auditing of security feature access is not enabled, this is a finding.
Fix Text: Enable auditing of security feature access via remote connections.[divider]
In general SQL Server is configured to allow remote connections. Very rarely is it configured to not allow remote connections as working on the server itself steals valuable resources that SQL Server could use to process the data more efficiently.
To determine if SQL Server is configured to allow remote connections you can check the properties of the server. In SSMS, right click on the server name, select properties and the click on the connections page. 3/4 of the way down the dialog, there is a Remote server connections section. If this check mark is marked, the SQL Server is allowing remote connections.
If the checkbox is marked, you can confirm that base level auditing is configured by selecting the Security page and checking the Login auditing level and swell as the options for additional Audit tracing for C2 compliance.
A final check would be to ensure SQL Audit is enabled and monitoring for security feature access.