Title: The application must validate the binding of the reviewers identity to the information at the transfer/release point prior to release/transfer from one security domain to another security domain.
Vulnerability ID: V-32353
IA Controls: None
Description: This non-repudiation control enhancement is intended to mitigate the risk that information could be modified between review and transfer/release particularly when transfer is occurring between security domains.
In those instances where the application is transferring data intended for release across security domains, the application must validate the binding of the reviewer’s identity to the information at the transfer/release point prior to release/transfer from one security domain to another security domain.
This requirement is specific to applications responsible for managing data crossing security domains. This is NA for databases.
Check Text: This check is NA for databases.
Fix Text: This fix is NA for databases.[divider]
There is an option with SQL Server to use SSL / TLS to encrypt connections and we highly advise it to be implemented. By default SQl Server does not protect connections and relays data in both directions in plain text. As of SQL Server 2008, internal algorithms encrypt the UserID and password being passed through if using SQL Server security, but prior to that (SQL 2005 and earlier) the userid and passwords may have been transferred in plain text.
To enable connection encryption you need to have a valid SSL or TLS certificate with permission granted to the SQL Engine service account to use the certificate. You can then select the certificate and force encryption from the server for all connections. Enabling SSL/TLS will require a restart of the service.
By ensuring a copy of the certificate is also on client machines you also reduce the chance of man-in-the-middle attacks.
Keep an eye out for an upcoming post regarding how to configure SSL or TLS on your SQL Server!