
Database Master Key passwords should not be stored in credentials within the database.


Overview

Finding ID: V-15162
Version: DM6180-SQLServer9
Rule ID: SV-25497r1_rule
IA Controls: IAKM-1, IAKM-2, IAKM-3
Severity: Medium
Description
Storage of the database master key password in a database credential allows decryption of sensitive data by privileged users who may not have a need-to-know requirement to access the data.
STIG: Microsoft SQL Server 2005 Database Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-22863r1_chk)
From the query prompt:

SELECT COUNT(credential_id)
FROM [master].sys.master_key_passwords

If count is not 0, this is a Finding.
Fix Text (F-14844r1_fix)
Use the stored procedure sp_control_dbmasterkey_password to remove any credentials that store database master key passwords.

From the query prompt:

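-- Replace [database name] with the name of the database whose stored master key password is to be removed.
EXEC sp_control_dbmasterkey_password @db_name = '[database name]', @action = N'drop'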
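
The check above returns only a count. The following query is an added example, not part of the STIG text: it lists each stored master key password credential with the database it belongs to and builds the matching drop statement for review. It assumes the standard catalog views sys.credentials, sys.database_recovery_status and sys.databases, and that the login running it can see credential and database metadata.

```sql
-- Added example (not STIG text): show which databases have a master key
-- password stored as a credential and generate the drop statement for each.
SELECT
    mkp.credential_id,
    c.name        AS credential_name,
    c.create_date AS credential_created,
    d.name        AS database_name,
    -- 1 = the database master key is also encrypted by the service master
    --     key, so it still opens automatically once the credential is gone.
    -- 0 = the master key is protected by password only; after the drop it
    --     must be opened explicitly by a user who knows the password.
    d.is_master_key_encrypted_by_server,
    CASE
        WHEN d.name IS NULL THEN NULL  -- database offline or no longer attached
        ELSE N'EXEC sp_control_dbmasterkey_password @db_name = N'''
             + REPLACE(d.name, N'''', N'''''')
             + N''', @action = N''drop'';'
    END           AS drop_statement
FROM [master].sys.master_key_passwords AS mkp
JOIN [master].sys.credentials AS c
    ON c.credential_id = mkp.credential_id
-- family_guid ties the stored password to the database it was added for.
-- Restored copies of one database share a family_guid, so a credential can
-- match more than one row here.
LEFT JOIN [master].sys.database_recovery_status AS drs
    ON drs.family_guid = mkp.family_guid
LEFT JOIN [master].sys.databases AS d
    ON d.database_id = drs.database_id
ORDER BY d.name, mkp.credential_id;

-- After running the reviewed drop statements, repeat the check.
-- A result of 0 means no master key passwords remain stored as credentials.
SELECT COUNT(credential_id) AS remaining_master_key_passwords
FROM [master].sys.master_key_passwords;
```

Rows with a NULL database_name have no online database matching the stored family_guid, so no drop statement is generated for them and they need to be resolved manually.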