DoD STIGs – V-32189



Title: The DBMS must support the disabling of network protocols deemed by the organization to be non-secure.

Vulnerability ID: V-32189


IA Controls: None

Severity: medium

Description: This requirement is related to remote access, but more specifically to the networking protocols allowing systems to communicate. Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless.

Some networking protocols allowing remote access may not meet security requirements to protect data and components. Bluetooth and peer-to-peer networking are examples of less than secure networking protocols.

The DoD Ports, Protocols, and Services Management (PPSM) program provides implementation guidance on the use of IP protocols and application and data services traversing the DoD Networks in a manner supporting net-centric operations.

Applications implementing or utilizing remote access network protocols need to ensure the application is developed and implemented in accordance with the PPSM requirements. In situations where it has been determined that specific operational requirements outweigh the risks of enabling an insecure network protocol, the organization may pursue a risk acceptance.

Using protocols deemed unsecure would compromise the ability of the DBMS to operate in a secure fashion. The database must be able to disable network protocols deemed unsecure.

Check Text: Review PPSM Technical Assurance List to acquire an up-to-date list of network protocols deemed unsecure.

Review DBMS settings to determine if the database is utilizing any network protocols deemed unsecure. If the DBMS is not using any network protocols deemed unsecure, this is NA.

If the database is utilizing protocols specified as unsecure in the PPSM, verify the protocols are explicitly identified in the System Security Plan and that they are in support of specific operational requirements. If they are identified in the SSP or are not supporting specific operational requirements, this is a finding.

If unsecure network protocols are not being used but are not disabled in the DBMS’s configuration, this is a finding.

Fix Text: Disable any network protocol listed as unsecure in the PPSM documentation.

Interpreting V-32189:

You really should only enable the protocols you actively use to connect to SQL Server. Installation will typically enable Shared Memory, which SQL Server uses for local connections from the same machine. Most companies use TCP/IP, and it should be enabled as well. Named Pipes is rarely used, but it may be required. Be sure to review these protocols and disable the ones you are not using.

You can use SQL Server Configuration Manager to check which of these are enabled on each server. Look in the SQL Server Network Configuration section for the instance in question. Remember that there could be more than one instance installed on any given server.


Allen White (B|T) has a nice tutorial on using PowerShell to check the protocols on your SQL Server instances here.
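As an added example (not from the original post or from Allen White's tutorial), the following PowerShell uses the SMO WMI provider to audit every instance on a host against an approved-protocol list, reports each enabled-but-unapproved protocol as a finding, and disables those protocols unless run with -WhatIf. The computer name and the approved list are assumptions; replace the list with whatever the SSP actually authorizes.

```powershell
function Set-SqlNetworkProtocolBaseline {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        # Protocols the SSP authorizes (assumed list); everything else gets disabled.
        # SMO short names: Sm = Shared Memory, Tcp = TCP/IP, Np = Named Pipes.
        [string[]] $ApprovedProtocols = @('Sm', 'Tcp')
    )

    # Load the SMO WMI provider, installed with the SQL Server management tools.
    Add-Type -AssemblyName 'Microsoft.SqlServer.SqlWmiManagement'
    $wmi = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer $ComputerName

    # The STIG check applies per instance, so walk every instance on the host.
    foreach ($instance in $wmi.ServerInstances) {
        foreach ($protocol in $instance.ServerProtocols) {
            $approved = $ApprovedProtocols -contains $protocol.Name
            $finding  = $protocol.IsEnabled -and -not $approved

            # Emit one audit row per instance/protocol for the evidence trail.
            [pscustomobject]@{
                Instance = $instance.Name
                Protocol = $protocol.DisplayName
                Enabled  = $protocol.IsEnabled
                Approved = $approved
                Finding  = $finding   # enabled but not authorized in the SSP
            }

            if ($finding) {
                $target = "$($instance.Name)/$($protocol.DisplayName)"
                if ($PSCmdlet.ShouldProcess($target, 'Disable network protocol')) {
                    $protocol.IsEnabled = $false
                    $protocol.Alter()   # persists the change; takes effect after an instance restart
                }
            }
        }
    }
}

# Audit first without changing anything, then run again without -WhatIf to apply.
Set-SqlNetworkProtocolBaseline -WhatIf | Format-Table -AutoSize
```

Run it as a local administrator on the SQL Server host; the audit rows are the same ones you would otherwise read by hand from SQL Server Configuration Manager for each instance.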
