DoD STIGs – V-32476


Title: The DBMS, when using PKI-based authentication, must enforce authorized access to the corresponding private key.

Vulnerability ID: V-32476

STIG ID: SRG-APP-000176-DB-000068

IA Controls: None

Severity: High

Description: The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and can pretend to be the authorized user. Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys. All access to the private key of the DBMS must be restricted to authorized and authenticated users. If unauthorized users have access to the DBMS’s private key, an attacker could gain access to the primary key and use it to impersonate the database on the network.

Check Text: Review DBMS configuration to determine whether appropriate access controls exist to protect the DBMS’s private key. If strong access controls do not exist to enforce authorized access to the private key, this is a finding.

Fix Text: Implement strong access and authentication controls to protect the database’s private key.


Interpreting V-32476:

In SQL Server, encryption keys include a combination of public, private, and symmetric keys that are used to protect sensitive data. The symmetric key is created during SQL Server initialization when you first start the SQL Server instance. The key is used by SQL Server to encrypt sensitive data that is stored in SQL Server. Public and private keys are created by the operating system and they are used to protect the symmetric key. A public and private key pair is created for each SQL Server instance that stores sensitive data in a database.

With respect to SQL Server, the private keys being referenced are those that reside not in SQL Server, but on the Windows Server itself. One of the ways you can check if a key has strong protection is to use the certutil.exe -store command. This will perfomr a key operation on each certificate it enumerates. If protection is set, the UI will be displayed.

There are more details on the concept of the OS private keys available here

Return to the DoD STIGs – Database Security Requirements Guide





Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.