Title: The DBMS must use organization defined replay-resistant authentication mechanisms for network access to privileged accounts.
Vulnerability ID: V-32450
IA Controls: None
Description: An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.
Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS-Security), and time-synchronous or challenge-response one-time authenticators.
Replay attacks, if successfully used against a database account, could result in unfettered access to the database settings and data. A successful replay attack against a privileged database account could result in a complete compromise of the database.
Check Text: Review DBMS settings to determine whether organization defined replay-resistant authentication mechanisms for network access to privileged accounts exist. If these mechanisms do not exist, this is a finding.
Fix Text: Configure the DBMS to utilize replay-resistant authentication mechanisms such as nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS-Security), and time-synchronous or challenge-response one-time authenticators.
SQL Server offers the option to use SSL/TLS to encrypt connections, and we strongly recommend enabling it. By default, SQL Server does not protect connections and transmits data in both directions in plain text. As of SQL Server 2008, internal algorithms encrypt the user ID and password passed during login when SQL Server authentication is used, but prior to that (SQL Server 2005 and earlier) the user ID and password may have been transferred in plain text.
To enable connection encryption you need a valid SSL or TLS certificate, with permission granted to the SQL Engine service account to use that certificate. You can then select the certificate and force encryption from the server for all connections. Enabling SSL/TLS requires a restart of the service. Keep an eye out for an upcoming post on how to configure SSL or TLS on your SQL Server!
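As an added example (not part of the STIG text or the post above), the following PowerShell script audits a SQL Server host for the "Check Text" above: it reads the ForceEncryption flag and bound certificate thumbprint for each installed instance from the registry, then queries sys.dm_exec_connections to list any live network sessions that are not actually encrypted. It assumes it is run locally on the host with administrative rights and Windows authentication to the instance; the default instance name `localhost` is an assumption.

```powershell
# Added audit example; registry path and DMV are SQL Server's own, the script is not.
# Assumes: run on the SQL Server host as an administrator; Windows auth to the instance.
param(
    [string]$ServerInstance = 'localhost'   # assumption: default instance on this host
)

# 1. Server-side policy: ForceEncryption flag and bound certificate per installed instance.
#    Instance Names\SQL maps instance name -> instance ID directory (e.g. MSSQL15.MSSQLSERVER).
$base = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$names = Get-ItemProperty "$base\Instance Names\SQL"
$policy = foreach ($p in $names.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
    $net = Get-ItemProperty "$base\$($p.Value)\MSSQLServer\SuperSocketNetLib"
    [pscustomobject]@{
        Instance        = $p.Name
        ForceEncryption = [bool]$net.ForceEncryption   # 0/absent = clients may connect in clear
        CertThumbprint  = $net.Certificate             # empty = self-signed fallback, not org-issued
    }
}
$policy | Format-Table -AutoSize

# 2. Live check: encrypt_option on every current network connection.
#    Encrypt=True with TrustServerCertificate=False: if this connection itself fails,
#    the server certificate is not trusted by the client, which is a finding in itself.
$query = @"
SELECT session_id, net_transport, encrypt_option, auth_scheme, client_net_address
FROM sys.dm_exec_connections
WHERE net_transport <> 'Shared memory';
"@
$cs   = "Server=$ServerInstance;Integrated Security=True;Encrypt=True;TrustServerCertificate=False"
$conn = New-Object System.Data.SqlClient.SqlConnection($cs)
$conn.Open()
$cmd  = $conn.CreateCommand()
$cmd.CommandText = $query
$table = New-Object System.Data.DataTable
$table.Load($cmd.ExecuteReader())
$conn.Close()

$clear = @($table | Where-Object { $_.encrypt_option -ne 'TRUE' })
if ($clear.Count -gt 0) {
    Write-Warning "FINDING: $($clear.Count) network session(s) without encryption:"
    $clear | Format-Table session_id, net_transport, auth_scheme, client_net_address -AutoSize
} else {
    Write-Host "All $($table.Rows.Count) network session(s) report encrypt_option = TRUE."
}
```

An instance showing ForceEncryption = False, or any row with encrypt_option = FALSE and auth_scheme = SQL, is the condition the Check Text flags as a finding.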