SQL6-D0-001700 - The Database Master Key must be encrypted by the Service Master Key, where a Database Master Key is required and another encryption method has not been specified.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

When not encrypted by the Service Master Key, system administrators or application administrators may access and use the Database Master Key to view sensitive data that they are not authorized to view. Where alternate encryption means are not feasible, encryption by the Service Master Key may be necessary. To help protect sensitive data from unauthorized access by DBAs, mitigations may be in order. Mitigations may include automatic alerts or other audit events when the Database Master Key is accessed outside of the application or by a DBA account.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Where possible, encrypt the Database Master Key with a password known only to the application administrator.

Where not possible, configure additional audit events or alerts to detect unauthorized access to the Database Master Key by users not authorized to view sensitive data.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2016_Y23M07_STIG.zip

Item Details

References: CAT|II, CCI|CCI-001199, Rule-ID|SV-213912r879642_rule, STIG-ID|SQL6-D0-001700, STIG-Legacy|SV-93793, STIG-Legacy|V-79087, Vuln-ID|V-213912

Plugin: MS_SQLDB

Control ID: c345ac252d710970c0730f6a94f84fcf03c6951ca60e78ea993c1f0f6c46c2d8