STIGQter: STIG Summary: MS SQL Server 2014 Instance Security Technical Implementation Guide Version: 1 Release: 10 Benchmark Date: 24 Apr 2020:

When using command-line tools such as SQLCMD in a mixed-mode authentication environment, users must use a logon method that does not expose the password.

DISA Rule

SV-82359r1_rule

Vulnerability Number

V-67869

Group Title

SRG-APP-000178-DB-000083

Rule Version

SQL4-00-039020

Severity

CAT I

CCI(s)

• CCI-000206 - The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

Weight

10

Fix Recommendation

Where possible, change the login mode to Windows-only:
USE [master]
GO
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode', REG_DWORD, 1;
GO

If mixed-mode authentication is necessary, then for SQLCMD, which cannot be configured not to accept a plain-text password when mixed-mode authentication is enabled, and any other essential tool with the same limitation:
1) Document the need for it, who uses it, and any relevant mitigations, and obtain AO approval.
2) Train all users of the tool in the importance of not using the plain-text password option and in how to keep the password hidden.

Check Contents

Run this query to determine whether SQL Server authentication is enabled:
EXEC master.sys.xp_loginconfig 'login mode';

If the config_value returned is "Windows NT Authentication", this is not a finding.

For SQLCMD, which cannot be configured not to accept a plain-text password, and any other essential tool with the same limitation, verify that the system documentation explains the need for the tool, who uses it, and any relevant mitigations; and that AO approval has been obtained; if not, this is a finding.

Request evidence that all users of the tool are trained in the importance of not using the plain-text password option and in how to keep the password hidden; and that they adhere to this practice; if not, this is a finding.

Vulnerability Number

V-67869

Documentable

False

Rule Version

SQL4-00-039020

Severity Override Guidance

Run this query to determine whether SQL Server authentication is enabled:
EXEC master.sys.xp_loginconfig 'login mode';

If the config_value returned is "Windows NT Authentication", this is not a finding.

For SQLCMD, which cannot be configured not to accept a plain-text password, and any other essential tool with the same limitation, verify that the system documentation explains the need for the tool, who uses it, and any relevant mitigations; and that AO approval has been obtained; if not, this is a finding.

Request evidence that all users of the tool are trained in the importance of not using the plain-text password option and in how to keep the password hidden; and that they adhere to this practice; if not, this is a finding.

Check Content Reference

M

Target Key

2639

Comments