DoD STIGs – V-32452

Overview:

Title: Applications required to identify devices must uniquely identify and authenticate an organization defined list of specific and/or types of devices before establishing a connection.

Vulnerability ID: V-32452

STIG ID:

IA Controls: None

Severity: medium

Description: Device authentication is a solution enabling an organization to manage both users and devices. It is an additional layer of authentication ensuring only specific pre-authorized devices operated by specific pre-authorized users can access the network.

Device authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device, as deemed appropriate by the organization.

The application typically uses either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for identification or an organizational authentication solution (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and/or wide area networks.

The required strength of the device authentication mechanism is determined by the security categorization of the information system.

This requirement is for applications managing remote devices and performing device authentication for network access. This requirement is NA for databases.

Check Text: This check is NA for databases.

Fix Text: This fix is NA for databases.


Interpreting V-32452:

SQL Server has an option to use SSL / TLS to encrypt connections, and we highly advise that it be implemented. By default SQL Server does not protect connections and transmits data in both directions in plain text. As of SQL Server 2008, internal algorithms encrypt the UserID and password being passed through when using SQL Server security, but prior to that (SQL 2005 and earlier) the UserID and password may have been transferred in plain text.

To enable connection encryption you need a valid SSL or TLS certificate, with the SQL Engine service account granted permission to use that certificate. You can then select the certificate and force encryption from the server for all connections. Enabling SSL/TLS requires a restart of the service. Keep an eye out for an upcoming post regarding how to configure SSL or TLS on your SQL Server!
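Once the certificate is selected and Force Encryption is turned on, a practitioner wants to confirm two things: that the server is actually configured that way, and that a client session really ends up encrypted. The following PowerShell script is an added example, not code from the original post. It assumes the standard registry locations that SQL Server Configuration Manager writes (the per-instance SuperSocketNetLib key), that it runs on the SQL Server host with rights to read those keys, and that `$SqlInstance` is a placeholder for your own instance name with Windows authentication available.

```powershell
# Added example (not from the original post): verify that SQL Server connection
# encryption is both configured server-side and honoured for a live session.
# Assumptions: run on the SQL Server host with rights to read the instance
# registry keys; $SqlInstance is a placeholder for your own instance name.
param(
    [string]$SqlInstance = 'localhost'   # placeholder, e.g. 'SQL01\PROD'
)

# 1. Server-side check: SQL Server Configuration Manager stores the
#    Force Encryption flag and the selected certificate thumbprint under
#    each instance's SuperSocketNetLib key.
$instRoot  = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$instances = (Get-ItemProperty "$instRoot\Instance Names\SQL" -ErrorAction Stop).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' }     # drop PSPath/PSProvider noise

foreach ($inst in $instances) {
    $netLib = "$instRoot\$($inst.Value)\MSSQLServer\SuperSocketNetLib"
    $props  = Get-ItemProperty $netLib -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Instance        = $inst.Name
        ForceEncryption = [bool]$props.ForceEncryption   # 1 = every connection must use TLS
        Certificate     = $props.Certificate             # thumbprint of the chosen cert; empty = none selected
    }
}

# 2. Client-side check: demand TLS and refuse an unvalidated certificate, then
#    ask the engine whether it really encrypted this session and list any
#    other sessions that are still in the clear.
$cs   = "Server=$SqlInstance;Database=master;Integrated Security=True;Encrypt=True;TrustServerCertificate=False"
$conn = New-Object System.Data.SqlClient.SqlConnection $cs
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = @"
SELECT session_id, encrypt_option, auth_scheme, net_transport
FROM sys.dm_exec_connections
WHERE session_id = @@SPID
   OR encrypt_option = 'FALSE';   -- any row other than our own is an unencrypted session
"@
    $r = $cmd.ExecuteReader()
    while ($r.Read()) {
        "Session {0}: encrypted={1} auth={2} transport={3}" -f `
            $r['session_id'], $r['encrypt_option'], $r['auth_scheme'], $r['net_transport']
    }
}
finally {
    $conn.Dispose()
}
```

With `TrustServerCertificate=False` the connection fails if the certificate does not chain to a CA the client trusts or its subject does not match the server name, which is the behaviour you want: a self-signed certificate that clients silently accept gives you encryption without authentication of the server. A row for your own session showing `encrypt_option = TRUE` confirms the setting took effect after the service restart; any other rows returned are existing sessions that are still unencrypted and worth tracking down.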
