2.5.1 Enable password encryption

Information

When a local Sybase ASE server connects to a remote server (for example, for an RPC or
a CIS proxy table), the password of the account used for the connection is sent across
the network either encrypted or in plain text, depending on the net password encryption
setting for that remote server entry.

. On Sybase ASE 15.0, net password encryption is set to false by default.
. On Sybase ASE 15.0.1, net password encryption is set to false by default.
. On Sybase ASE 15.0.2, net password encryption is set to false by default (for any
new server added using sp_addserver and for sysservers entries with an
ASEnterprise class value during upgrade to this release).

The net password encryption option should be set to true for each remote server
defined in sysservers.

Rationale:

An attacker that is able to sniff the traffic between two servers would be able to capture
passwords that are sent in plain text.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

1. Connect to the database as a user with the sso_role and execute the following SQL
statement once for each remote server (where <ServerName> represents the name of the
remote server for which password encryption will be enabled):

exec sp_serveroption <ServerName>, 'net password encryption', true
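The following Transact-SQL is an added example, not part of the benchmark text above. It audits
the current setting with sp_helpserver and then applies sp_serveroption to every remote server
entry in sysservers in one pass, rather than one server at a time. It assumes that the local
server's own sysservers row is the one whose srvname equals @@servername (that row is skipped,
since the option only matters for outbound connections) and that the session holds sso_role.
The "net password encryption" wording in the sp_helpserver status column is what the benchmark
check looks for.

```sql
-- Added example: audit and enforce 'net password encryption' for all remote servers.
-- Requires sso_role. Assumes the local server's row is the one where
-- srvname = @@servername (that row is skipped).

-- 1. Audit: sp_helpserver lists each server with its options in the status column.
--    A compliant remote server shows 'net password encryption' in that column.
exec sp_helpserver
go

-- 2. Enforce: loop over every remote server entry and enable the option.
--    sp_serveroption is idempotent, so re-running this on a compliant server is harmless.
declare @srv varchar(30)

declare remote_servers cursor for
    select srvname
      from master.dbo.sysservers
     where srvname <> @@servername      -- assumption: local server row is identified by name
for read only

open remote_servers
fetch remote_servers into @srv

while @@sqlstatus = 0
begin
    print 'Enabling net password encryption for remote server %1!', @srv
    exec sp_serveroption @srv, 'net password encryption', true
    fetch remote_servers into @srv
end

close remote_servers
deallocate cursor remote_servers
go

-- 3. Verify: re-run sp_helpserver and confirm every remote server now lists
--    'net password encryption' in its status column.
exec sp_helpserver
go
```

Run the script from isql as a login holding sso_role. If a remote server entry has a server class
for which the option does not apply, sp_serveroption reports that and the loop continues with the
next entry; review the sp_helpserver output afterward rather than relying on the print messages alone.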

See Also

https://workbench.cisecurity.org/files/1612

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(c)

Plugin: SybaseDB

Control ID: d83693a197f1ea00566d8d85bb0194114128ecf6662d010be344fcef483e5350