DoD STIGs – V-32468

Overview:

Title: If passwords are used for authentication, the DBMS must store only hashed, salted representations of passwords

Vulnerability ID: V-32468

STIG ID:

IA Controls: None

Severity: medium

Description: Review the list of DBMS database objects, database configuration files, associated scripts, and applications defined within and external to the DBMS that access the database. The list should also include files or settings used to configure the operational environment for the DBMS and for interactive DBMS user accounts.

Determine whether any DBMS database objects, database configuration files, associated scripts, applications defined within or external to the DBMS that access the database, and DBMS/user environment files/settings contain database passwords. If any do, confirm that DBMS passwords stored internally or externally to the DBMS are hashed using FIPS-approved cryptographic algorithms and include a salt. If any passwords are stored in clear text, this is a finding. If any passwords are stored with reversible encryption, this is a finding. If any passwords are stored using unsalted hashes, this is a finding

Check Text: Ask the DBA to review the list of DBMS database objects, database configuration files, associated scripts, and applications defined within and external to the DBMS that access the database. The list should also include files or settings used to configure the operational environment for the DBMS and for interactive DBMS user accounts.

Ask the DBA and/or IAO to determine if any DBMS database objects, database configuration files, associated scripts, and applications defined within or external to the DBMS that access the database, and DBMS/user environment files/settings contain database passwords. If any do, confirm that DBMS passwords stored internally or externally to the DBMS are encoded or encrypted. If any passwords are stored in clear text, this is a finding.

Fix Text: Develop, document, and maintain a list of DBMS database objects, database configuration files, associated scripts, applications defined within or external to the DBMS that access the database, and DBMS/user environment files/settings in the System Security Plan.

Record whether they do or do not contain DBMS passwords. If passwords are present, ensure that they are correctly hashed using one-way, salted hashing functions, and that the hashes are protected by host system security.

[divider]

Interpreting V-32468:

Depending on the version of SQL Server you are running, user passwords for SQL Server logins are stored using the Triple DES or, if after 2012, the stronger AES encryption algorithms.

If your application creates and stores it own UIDs in the database, ensure it is using appropriate encyrption/hashing methods for storing the passwords.

If passwords are being stored as hashed values ( a common practice) then ensure that appropriate salting occurs and plain text value of salts and passwords are not elsewhere in the database. If plain text values are stored this could aide in cracking the hashing performed to protect the data.

Return to the DoD STIGs – Database Security Requirements Guide

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.