V-40948 – SQL Server 2012 Database Instance DISA STIGs

If you have any additional questions that aren’t addressed in the blog, feel free to contact me. I’d be more than happy to help you out!

V-40948

Title: “Software, applications, and configuration files that are part of, or related to, the SQL Server 2012 installation must be monitored to discover unauthorized changes.”

Severity = High

Details = Verify that files and folders that are part of, or related to, the SQL Server 2012 installation have only the appropriate privileges.

V-40945 – SQL Server 2012 Database Instance DISA STIGs


V-40945

Title: “Vendor-supported software and patches must be evaluated and patched against newly found vulnerabilities.”

Severity = High

Details = Check Microsoft’s list of supported SQL Server versions http://www.microsoft.com/sqlserver/en/us/support/support-updates.aspx

V-40941 – SQL Server 2012 Database Instance DISA STIGs


V-40941

Title: “SQL Server must have the SQL Server Data Tools (SSDT) software component removed from SQL Server if SSDT is unused.”

Severity = High

Details = Review the list of components and features installed with the database. Using an account with System Administrator privileges, from Command Prompt, open control.exe.

Pros & Cons of Following MCM & MVPs on Twitter

I follow over 80 people on Twitter. Over 30 of them are MVPs and/or MCMs.

That means when I wake up in the morning and scroll through my Twitter timeline…all I see are tweets to intellectual blog posts, discussions, #sqlhelp replies to tough questions, etc.

This is why following so many MCMs and MVPs on Twitter (social media) is like a double-edged sword. Let’s start with the cons:

V-40932 – SQL Server 2012 Database Instance DISA STIGs


V-40932

Title: “SQL Server must recover to a known state that is verifiable.”

Severity = High

Details = Obtain the SQL Server recovery procedures and technical system features to determine if mechanisms exist and are in place to specify use of trusted files during SQL Server recovery.

V-40907 – SQL Server 2012 Database Instance DISA STIGs


V-40907

Title: “SQL Server must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission, unless the transmitted data is otherwise protected by alternative physical measures.”

Severity = High

Details = From Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER].

My Very First SQL Saturday Event – SQLSatDC

I attended my very FIRST SQLSaturday event in DC and absolutely loved it. I attended workshops by MCM and MVP Brent Ozar (b | t), MS Senior PFE Ayman El-Ghazali (b | t), MS PFE Patrick Keisler (b | t) and MCM Wayne Sheffield (b | t). If you want to see the session schedule with all PowerPoint presentations, go here.

For anyone who has not been to a SQL Saturday event, it goes something like this…

How to Create SSL Certificate for SQL Server

Here is a quick way that I use to create a server-level certificate which allows me to use SSL encryption option in SQL Server Configuration Manager. If you have any questions throughout this process, feel free to contact me here. I will be more than happy to help you out.

Copy the below (in between the ==) into a blank textfile. To find your Fully Qualified Domain Name (or FQDN), open the Command Prompt (Run –> Type cmd then press ENTER), at the prompt type:

ipconfig /all

Your FQDN will be in the following format:

“Host Name.Primary Dns Suffix”

Take that FQDN and replace MY.FQDN.COM with your FQDN below (keep the surrounding double quotes).

========COPY=============
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=MY.FQDN.COM"                 ; must be the server's FQDN, in straight double quotes
Exportable = TRUE
KeyLength = 2048
KeySpec = 1                         ; AT_KEYEXCHANGE
KeyUsage = 0xA0                     ; Digital Signature, Key Encipherment
MachineKeySet = True                ; The key belongs to the local computer account
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = PKCS10
========END COPY==========

Then save it as a .inf file. For example, MyServer.inf

*** Make sure you change the “Save as type” option to “All Files.” The default is “.txt”, and if you don’t change it to “All Files” you will end up with a file like “MyServer.inf.txt”, which will not work. Also make sure your editor saves straight (ASCII) double quotes, not the curly quotes a word processor inserts; certreq will reject the latter.

Next, open the Command Prompt and type the following:

certreq -new C:\certificate\MyServer.inf (see screenshot below)

[Screenshot: Command Prompt running certreq -new C:\certificate\MyServer.inf]
Once you hit [Enter], a pop-up will open and prompt you to pick a location to save the hash file. Just choose the same folder that your MyServer.inf file is in to lessen confusion.

Next, if you have a person who acts as the CA (Certificate Authority) or is the single point of contact for all certificate requests then all you have to do is rename the .inf file to a .csr file and send it to them as an attachment in an encrypted/secured email.

They will take that hash output, fill out a form, and submit it to the CA. After a few days (or weeks) they will receive an email with the complete certificate hash and they forward that to you.
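The steps above, scripted in PowerShell as an added example (this is not the blog's own code): it resolves the FQDN the same way the post describes, writes the .inf with the CN filled in, runs certreq -new to produce the request text to paste into the CA form, and, once the issued certificate has been accepted into the local machine store, checks that it meets what SQL Server needs before you turn on Force Encryption (subject CN equal to the FQDN, a private key present, the Server Authentication EKU, and current validity). The paths under C:\certificate and the function names are assumptions; certreq -new and certreq -accept are the real utility's switches.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the SQL Server host.
# Assumed paths: C:\certificate\MyServer.inf / .req / .cer (adjust to your environment).

# Resolve "Host Name.Primary Dns Suffix", the FQDN the post tells you to read from ipconfig /all.
function Get-ServerFqdn {
    [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
}

# Write the request template from the post with the CN filled in. Saved as ASCII so no
# curly quotes or BOM sneak in (certreq rejects both).
function New-SqlCertRequestInf {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [Parameter(Mandatory)][string]$InfPath
    )
    $template = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN={0}"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = PKCS10
'@
    Set-Content -Path $InfPath -Value ($template -f $Fqdn) -Encoding ASCII
    $InfPath
}

# Generate the PKCS#10 request. Giving certreq an output file name skips the save dialog
# the post mentions; -f overwrites an earlier attempt. Returns the base64 block to submit.
function New-SqlCertRequest {
    param(
        [Parameter(Mandatory)][string]$InfPath,
        [Parameter(Mandatory)][string]$ReqPath
    )
    & certreq.exe -new -f $InfPath $ReqPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    Get-Content -Path $ReqPath -Raw
}

# Check an installed certificate against SQL Server's requirements for Force Encryption.
function Test-SqlServerCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$Fqdn
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $ekuOids = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }
    $problems = @()
    if ($cn -ne $Fqdn)                    { $problems += "Subject CN '$cn' does not match FQDN '$Fqdn'" }
    if (-not $Cert.HasPrivateKey)         { $problems += 'No private key in the LocalMachine store (was certreq -accept run here?)' }
    if ($ekuOids -notcontains $serverAuthOid) { $problems += 'Missing Server Authentication EKU' }
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $problems += "Outside validity period ($($Cert.NotBefore) to $($Cert.NotAfter))"
    }
    if ($Cert.SignatureAlgorithm.FriendlyName -match 'md5|sha1') {
        $problems += "Weak signature algorithm $($Cert.SignatureAlgorithm.FriendlyName)"
    }
    [pscustomobject]@{ Thumbprint = $Cert.Thumbprint; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# --- Usage ---
$fqdn = Get-ServerFqdn
$inf  = New-SqlCertRequestInf -Fqdn $fqdn -InfPath 'C:\certificate\MyServer.inf'
$csr  = New-SqlCertRequest -InfPath $inf -ReqPath 'C:\certificate\MyServer.req'
# $csr is the text the CA form wants in its "Certificate Request" box (the post calls it the hash).
# When the issued certificate comes back (assumed saved as MyServer.cer), bind it to the pending key:
#   certreq -accept C:\certificate\MyServer.cer
# then confirm it is usable before enabling Force Encryption:
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fqdn*" } |
    ForEach-Object { Test-SqlServerCertificate -Cert $_ -Fqdn $fqdn }
```

Test-SqlServerCertificate is the part worth keeping around: a certificate that passes every check except the private key is the usual symptom of accepting the issued certificate on a different machine than the one that generated the request, and a CN mismatch is what makes SQL Server refuse to show the certificate in Configuration Manager. The SQL Server service account also needs read permission on that private key, which this script does not grant.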

I have worked in environments where I had to email the single point of contact as well as fill out the form myself. If you are required to go to https://ca-27.csd.disa.mil/ca/ and submit the request for a certificate yourself, and need help…check out instructions on how to do that below:


How to Request a DoD Server Certificate

I have worked in many government facilities throughout my career, and most recently I was in charge of securing a couple of SQL Server database servers. One of the items on the “checklist” to secure was installing a server-level DoD SSL certificate. Installing this certificate would allow me to enable “Force Encryption” in SQL Server Configuration Manager.

Work environments differ. Some require you to do everything. Some require you to get to a certain point before passing it to a point of contact within the organization. If you are in charge of installing a DoD SSL certificate and have a CAC card, then hopefully this blog will help you save time and headache! (Feel free to contact me if you have any issues.)

You will first have to submit your hash at the following link to get a “request ID”, which you will need to fill out the form.

Visit: https://ca-27.csd.disa.mil/ca/

**UPDATE: New DoD PKI SHA-256 CAs have been released. Enrollment pages for these CAs are available at: https://ee-id-sw-ca-37.csd.disa.mil

1. You click on the link above, and then choose “New 2048-bit SSL Enrollment form” option (see screenshot below)

[Screenshot: DoD Certificate Manager homepage]

2. Then, choose PKCS#10 for Certificate Request Type.

3. Cut and paste your hash in the “Certificate Request” textbox.

4. Type out the FQDN of your server in the “General Name Value” textbox.

5. Enter in your Name, Email, Phone in the “Requestor Information”

6. Click Submit.

[Screenshot: DoD Certificate Manager profile page]

The following screen will display a “Request ID.” Copy that Request ID and paste it in the Certificate Request form. For more details on how to install the certificate, check out my blog post here:

How to Create SSL Certificate for SQL Server

We Couldn’t Verify the Product Key, Hyper-V

If you want a step-by-step walkthrough on setting up a complete Hyper-V networked lab environment consisting of a Domain Controller and five domain member machines, then check out this great in-depth article here.

The lab that you set up using the link above will be used for the “Exam 70-462: Administering Microsoft SQL Server 2012 Databases” book by Orin Thomas, Bob Taylor and Peter Ward. Now, of course, not all guides/books are 100% error free. You can find the “errata” of the book here.

How to Test Connection to SQL Server Using UDL File

This past week at work we had an application go down. The owner of that application rushed over to me and said the database server was down. I logged into the database server and verified that the SQL Server service was up and running. To further allay his concern that the database server was blocking his application from making connections, I logged into the application server and quickly created a UDL file to verify the connection. Below is a step-by-step on how I did that so you can use it in case you run into a similar situation where you have to verify whether a server can make a successful connection to a SQL Server database server.