SQL6-D0-009600 - The Service Master Key must be backed up and stored in a secure location that is not on the SQL Server.

Information

Backup and recovery of the Service Master Key may be critical to the complete recovery of the database. Creating this backup should be one of the first administrative actions performed on the server. Not having this key can lead to loss of data during recovery.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Document and implement procedures to safely back up and store the Service Master Key in a secure location that is not on the SQL Server. Include in the procedures methods to establish evidence of backup and storage, and careful, restricted access and restoration of the Service Master Key.

BACKUP SERVICE MASTER KEY TO FILE = 'path_to_file'
ENCRYPTION BY PASSWORD = 'password';

As this requires a password, take care to ensure it is not exposed to unauthorized persons or stored as plain text.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2016_Y24M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-28, CAT|II, CCI|CCI-001199, Rule-ID|SV-213973r961128_rule, STIG-ID|SQL6-D0-009600, STIG-Legacy|SV-93913, STIG-Legacy|V-79207, Vuln-ID|V-213973

Plugin: MS_SQLDB

Control ID: f2eb9d45febafc6c4b06f0f366f0a339a43a17a1747b95ace2b71a1a0a131829