STIGQter STIGQter: STIG Summary: MS SQL Server 2016 Instance Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

When using command-line tools such as SQLCMD in a mixed-mode authentication environment, users must use a logon method that does not expose the password.

DISA Rule

SV-214045r617437_rule

Vulnerability Number

V-214045

Group Title

SRG-APP-000178-DB-000083

Rule Version

SQL6-D0-018100

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Where possible, change the login mode to Windows-only:
USE [master]
GO
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode', REG_DWORD, 1;
GO

If mixed-mode authentication is necessary, then for SQLCMD, which cannot be configured not to accept a plain-text password when mixed-mode authentication is enabled, and any other essential tool with the same limitation:
1) Document the need for it, who uses it, and any relevant mitigations, and obtain AO approval.
2) Train all users of the tool in the importance of not using the plain-text password option and in how to keep the password hidden.

Check Contents

Run this query to determine whether SQL Server authentication is enabled:
EXEC master.sys.xp_loginconfig 'login mode';

If the config_value returned is "Windows NT Authentication", this is not a finding.

For SQLCMD, which cannot be configured not to accept a plain-text password, and any other essential tool with the same limitation, verify that the system documentation explains the need for the tool, who uses it, and any relevant mitigations; and that AO approval has been obtained; if not, this is a finding.

Request evidence that all users of the tool are trained in the importance of not using the plain-text password option and in how to keep the password hidden; and that they adhere to this practice; if not, this is a finding.

Vulnerability Number

V-214045

Documentable

False

Rule Version

SQL6-D0-018100

Severity Override Guidance

Run this query to determine whether SQL Server authentication is enabled:
EXEC master.sys.xp_loginconfig 'login mode';

If the config_value returned is "Windows NT Authentication", this is not a finding.

For SQLCMD, which cannot be configured not to accept a plain-text password, and any other essential tool with the same limitation, verify that the system documentation explains the need for the tool, who uses it, and any relevant mitigations; and that AO approval has been obtained; if not, this is a finding.

Request evidence that all users of the tool are trained in the importance of not using the plain-text password option and in how to keep the password hidden; and that they adhere to this practice; if not, this is a finding.

Check Content Reference

M

Target Key

3993

Comments