V-40907 – SQL Server 2012 Database Instance DISA STIGs

If you have any additional questions that aren’t addressed in the blog, feel free to contact me. I’d be more than happy to help you out!

V-40907

Title: “SQL Server must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission, unless the transmitted data is otherwise protected by alternative physical measures.”

Severity = High

Details = From Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER].

Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties.

On the Flags tab, if Force Encryption is set to YES, examine the certificate used on the Certificate tab.

If Force Encryption is set, a DoD Certificate is not utilized, and some type of physical encryption measure is utilized, examine the physical encryption devices to determine the following:

1. The plain text connection to the database server is afforded the highest protections, allowing no access to unauthorized or non-cleared personnel.
2. The encryption device is configured to pass traffic to only the specific IP addresses as identified by the database documentation.
3. The encryption keys utilized are current and valid keys.
4. The keys utilized meet approved organizationally defined compliant algorithms.

If any of the preceding requirements is not met, this is a finding.

If Force Encryption is set to No, a DoD Certificate is not utilized, and some type of physical encryption measure is not utilized, this is a finding.

FIX: Deploy organization approved encryption to the SQL Server Network Connections.

From Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER].

Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties.

V-40907 SQL Config Manager
Provide a DoD certificate on the Certificate tab via the drop down.

V-40907 SQL Config Manager Certificate

Now you can go back to the Flags tab and set it to True.

 V-40907 SQL Config Manager Setting

If you need help with obtaining and installing a DoD SSL Certificate, check out the following blogs:

How to Request a DoD Server Certificate

How to Create SSL Certificate for SQL Server

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.