June 9, 2011 at 8:33 am
We have got the below security risk for our production server during the DB scan. Please let me know whether this fix will affect the application? Thank you.
Encryption of DBMS sensitive data in transit
Summary: Data served by the DBMS and transmitted across the network in clear text is vulnerable to unauthorized capture and review.
Overview: Data served by the DBMS and transmitted across the network in clear text is vulnerable to unauthorized capture and review. This can be prevented by enforcing the encryption of communication using SQL Server settings.
When the ForceEncryption option for the Database Engine is set to Yes, all client/server communication is encrypted. In cases when clients cannot support encryption, they will be denied access.
When the ForceEncryption option for the Database Engine is set to No, encryption can be requested by the client application but is not required.
NOTE: Review the system security plan to determine if any encryption is needed for network transmission of DBMS data. If found that encryption is needed then DISA-STIG rates this as High Risk Level.
Fix / Recommendations: To configure encryption, use SQL Server Configuration Manager:
1) Expand SQL Server Network Configuration,
2) Right-click on Protocols for needed MSSQL Instance ("Protocols for <instance name>")
3) Select the Flags tab
4) Select Yes for ForceEncryption from the pull-down options.
SQL Server must be restarted after you change the ForceEncryption
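The question in the post above is whether forcing encryption will break the application. Under ForceEncryption=Yes any client that cannot negotiate an encrypted connection is refused, so the practical check before flipping the flag is to see which of the connections currently hitting the instance are already encrypted and which are not. The T-SQL below is an added example (not part of the original post or the STIG text); it assumes SQL Server 2005 or later, where the sys.dm_exec_sessions and sys.dm_exec_connections DMVs exist, and a login with VIEW SERVER STATE permission.

```sql
-- Added example, not from the original post.
-- Assumes SQL Server 2005+ and VIEW SERVER STATE permission.

-- 1) Per-connection view: every user session and whether its connection
--    already negotiated encryption. Any row with encrypt_option = 'FALSE'
--    belongs to a client that would be denied once ForceEncryption = Yes
--    (unless that client is changed to request encryption itself).
SELECT
    s.session_id,
    s.login_name,
    s.host_name,
    s.program_name,
    s.client_interface_name,   -- ODBC, .Net SqlClient Data Provider, OLEDB, ...
    c.net_transport,           -- TCP, Named pipe, Shared memory
    c.client_net_address,
    c.auth_scheme,             -- SQL, NTLM, KERBEROS
    c.encrypt_option           -- 'TRUE' = encrypted, 'FALSE' = clear text
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
    ON c.session_id = s.session_id
WHERE s.is_user_process = 1
ORDER BY c.encrypt_option, s.program_name, s.host_name;

-- 2) Summary view: how many connections per client library and transport
--    are still in clear text. This is the list of things to fix or test
--    before the restart that enables ForceEncryption.
SELECT
    s.client_interface_name,
    c.net_transport,
    c.encrypt_option,
    COUNT(*) AS connection_count
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
    ON c.session_id = s.session_id
WHERE s.is_user_process = 1
GROUP BY s.client_interface_name, c.net_transport, c.encrypt_option
ORDER BY s.client_interface_name, c.net_transport, c.encrypt_option;
```

Two caveats when reading the result. The DMVs only show connections that exist at the moment the query runs, so run it several times across the day (and during batch or backup windows) to catch jobs that connect only occasionally. And the server side of the check matters too: if no certificate has been provisioned for the instance, SQL Server falls back to a self-generated certificate, so clients that validate the server certificate will fail to connect under ForceEncryption=Yes unless they are configured to trust it (for example TrustServerCertificate=true in a .NET connection string) or a certificate from a CA the clients trust is installed first.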
June 9, 2011 at 9:54 am
If the way the application connects doesn't support encryption then you'll have problems.
June 9, 2011 at 10:18 am
Since you reference the DISA-STIG, I assume you are referencing DG0167. This is a Category I item, and really only applies if you have sensitive/classified information or you are transmitting the data over the internet directly.
If you are not sending that kind of information then it is "Not Applicable" with the comment that such data is not contained in the databases.
While there are some good reasons to enable encryption for in-transit data, I would not blindly do it because a scan says so. You have to read the item and get a handle on what it means.
CEWII