STIGQter: STIG Summary: MS SQL Server 2016 Instance Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The Service Master Key must be backed up, stored offline and off-site.

DISA Rule

SV-213973r617437_rule

Vulnerability Number

V-213973

Group Title

SRG-APP-000231-DB-000154

Rule Version

SQL6-D0-009600

Severity

CAT II

CCI(s)

• CCI-001199 - The information system protects the confidentiality and/or integrity of organization-defined information at rest.

Weight

10

Fix Recommendation

Document and implement procedures to safely back up and store the Service Master Key. Include in the procedures methods to establish evidence of backup and storage, and careful, restricted access and restoration of the Service Master Key. Also, include provisions to store the key off-site.

BACKUP SERVICE MASTER KEY TO FILE = 'path_to_file'
ENCRYPTION BY PASSWORD = 'password';

As this requires a password, take care to ensure it is not exposed to unauthorized persons or stored as plain text.

Check Contents

Review procedures for, and evidence of backup of, the Server Service Master Key in the System Security Plan.

If the procedures or evidence does not exist, this is a finding.

If the procedures do not indicate offline and off-site storage of the Service Master Key, this is a finding.

If procedures do not indicate access restrictions to the Service Master Key backup, this is a finding.

Vulnerability Number

V-213973

Documentable

False

Rule Version

SQL6-D0-009600

Severity Override Guidance

Review procedures for, and evidence of backup of, the Server Service Master Key in the System Security Plan.

If the procedures or evidence does not exist, this is a finding.

If the procedures do not indicate offline and off-site storage of the Service Master Key, this is a finding.

If procedures do not indicate access restrictions to the Service Master Key backup, this is a finding.

Check Content Reference

M

Target Key

3993

Comments