V-40907

If you have any additional questions that aren’t addressed in the blog, feel free to contact me. I’d be more than happy to help you out!

Title: “SQL Server must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission, unless the transmitted data is otherwise protected by alternative physical measures.”

Severity = High

Details = From Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER].

Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties.

On the Flags tab, if Force Encryption is set to YES, examine the certificate used on the Certificate tab.

If Force Encryption is set, a DoD Certificate is not utilized, and some type of physical encryption measure is utilized, examine the physical encryption devices to determine the following:

1. The plain text connection to the database server is afforded the highest protections, allowing no access to unauthorized or non-cleared personnel.
2. The encryption device is configured to pass traffic to only the specific IP addresses as identified by the database documentation.
3. The encryption keys utilized are current and valid keys.
4. The keys utilized meet approved organizationally defined compliant algorithms.

If any of the preceding requirements is not met, this is a finding.

If Force Encryption is set to No, a DoD Certificate is not utilized, and some type of physical encryption measure is not utilized, this is a finding.

FIX: Deploy organization approved encryption to the SQL Server Network Connections.

From Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER].

Provide a DoD certificate on the Certificate tab via the drop down.