
DBMS symmetric keys should be protected in accordance with NSA or NIST-approved key management technology or processes.


Overview

Finding ID: V-15654
Version: DG0165-SQLServer9
Rule ID: SV-21488r2_rule
IA Controls: IAKM-1, IAKM-2, IAKM-3
Severity: Medium
Description
Symmetric keys used for encryption protect data from unauthorized access. However, if not protected in accordance with acceptable standards, the keys themselves may be compromised and used for unauthorized data access.
STIG: Microsoft SQL Server 2005 Database Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-23695r2_chk)
From the query prompt:

SELECT name
FROM [master].sys.databases
WHERE state = 0   -- state 0 = ONLINE; offline/restoring databases are skipped

Repeat for each database:

From the query prompt:

USE [database name]
SELECT USER_NAME(grantee_principal_id)
FROM sys.database_permissions
WHERE class = 0               -- class 0 = permission scoped to the database itself
AND state IN ('G', 'W')       -- G = GRANT, W = GRANT WITH GRANT OPTION
AND type = 'CL'               -- CL = CONTROL
ORDER BY USER_NAME(grantee_principal_id)

If no records are returned, this is Not a Finding.

If any records are returned, verify they are authorized to have access to manage the Database Master Key. If any do not, this is a Finding.
Fix Text (F-20181r1_fix)
Document all users authorized to access the database master key in the System Security Plan.

Restrict authorized users to the application, database owner and SYSADMINs.

For each unauthorized user:

From the query prompt:

REVOKE CONTROL FROM [user name]
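The check and fix above, combined into one script as an added example (not part of the STIG text): it runs the check query in every online database, compares each CONTROL grantee against an allow-list populated from the System Security Plan, and emits the matching REVOKE for anyone not on it. The allow-list entries (dbo, app_svc) are constructed placeholders; run it from a sysadmin login.

```sql
-- Added example, not STIG-provided. Allow-list names are placeholders to be
-- replaced with the users documented in the System Security Plan.
DECLARE @Authorized TABLE (principal_name sysname PRIMARY KEY);
INSERT INTO @Authorized (principal_name) VALUES ('dbo');      -- database owner / SYSADMINs map here
INSERT INTO @Authorized (principal_name) VALUES ('app_svc');  -- hypothetical application user

DECLARE @Results TABLE (database_name sysname, principal_name sysname, perm_state char(1));
DECLARE @db sysname, @sql nvarchar(max);

-- Same first step as the check: only ONLINE databases (state = 0).
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM [master].sys.databases WHERE state = 0;
OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Same predicate as the check: database-scoped (class = 0) CONTROL (type = 'CL')
    -- granted outright (G) or with GRANT option (W). USE inside the dynamic batch
    -- makes USER_NAME() resolve against that database's principals.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
                 SELECT DB_NAME(), USER_NAME(grantee_principal_id), state
                 FROM sys.database_permissions
                 WHERE class = 0 AND state IN (''G'', ''W'') AND type = ''CL''';
    INSERT INTO @Results (database_name, principal_name, perm_state) EXEC (@sql);
    FETCH NEXT FROM db_cur INTO @db;
END;
CLOSE db_cur;
DEALLOCATE db_cur;

-- Report every CONTROL grantee; anyone missing from the allow-list is a Finding,
-- and the remediation column carries the REVOKE from the Fix Text for that user.
SELECT r.database_name,
       r.principal_name,
       r.perm_state,
       CASE WHEN a.principal_name IS NULL THEN 'FINDING' ELSE 'authorized' END AS status,
       CASE WHEN a.principal_name IS NULL
            THEN 'USE ' + QUOTENAME(r.database_name) + '; REVOKE CONTROL FROM '
                 + QUOTENAME(r.principal_name) + ';'
       END AS remediation
FROM @Results AS r
LEFT JOIN @Authorized AS a ON a.principal_name = r.principal_name
ORDER BY r.database_name, r.principal_name;
```

Review the generated REVOKE statements before running them, since revoking CONTROL from a user that an application depends on will break that application rather than just tighten key access.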