Check: DG0165-SQLServer9
Database SQL Server 9:
DG0165-SQLServer9
(in version v8 r1.9)
Title
DBMS symmetric keys should be protected in accordance with NSA or NIST-approved key management technology or processes. (Cat II impact)
Discussion
Symmetric keys used for encryption protect data from unauthorized access. However, if not protected in accordance with acceptable standards, the keys themselves may be compromised and used for unauthorized data access.
Check Content
From the query prompt:

    SELECT name FROM [master].sys.databases WHERE state = 0

Repeat for each database:

From the query prompt:

    USE [database name]
    SELECT USER_NAME(grantee_principal_id)
    FROM sys.database_permissions
    WHERE class = 0 AND state IN ('G', 'W') AND type = 'CL'
    ORDER BY USER_NAME(grantee_principal_id)

If no records are returned, this is Not a Finding.

If any records are returned, verify they are authorized to have access to manage the Database Master Key. If any do not, this is a Finding.
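
The per-database check above can be collected for every online database in one batch. The T-SQL below is an added example, not part of the STIG text; the temporary table #control_grantees, its column names and the cursor name are assumptions made for illustration.

```sql
-- Added example: run the page's CONTROL-permission query in every online database
-- and gather the grantees in one result set for review.
SET NOCOUNT ON;

CREATE TABLE #control_grantees (   -- hypothetical working table
    database_name sysname NOT NULL,
    grantee_name  sysname NULL,
    grant_state   char(1) NOT NULL -- 'G' = GRANT, 'W' = GRANT WITH GRANT OPTION
);

DECLARE @db sysname, @sql nvarchar(max);

DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM [master].sys.databases WHERE state = 0;  -- 0 = ONLINE

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME keeps unusual database names from breaking the dynamic batch.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #control_grantees (database_name, grantee_name, grant_state)
        SELECT DB_NAME(), USER_NAME(grantee_principal_id), state
        FROM sys.database_permissions
        WHERE class = 0 AND state IN (''G'', ''W'') AND type = ''CL'';';
    BEGIN TRY
        EXEC sys.sp_executesql @sql;
    END TRY
    BEGIN CATCH
        -- A database the reviewer cannot open is reported, not silently skipped.
        PRINT 'Not checked: ' + @db + ' (' + ERROR_MESSAGE() + ')';
    END CATCH;
    FETCH NEXT FROM db_cursor INTO @db;
END

CLOSE db_cursor;
DEALLOCATE db_cursor;

-- No rows: Not a Finding. Any row: compare the grantee with the documented authorizations.
SELECT database_name, grantee_name, grant_state
FROM #control_grantees
ORDER BY database_name, grantee_name;

DROP TABLE #control_grantees;
```

Any database listed in a "Not checked" message still has to be reviewed manually with the query above.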
Fix Text
Document all users authorized to access the database master key in the System Security Plan. Restrict authorized users to the application, database owner and SYSADMINs.

For each unauthorized user:

From the query prompt:

    REVOKE CONTROL FROM [user name]
Additional Identifiers
Rule ID: SV-21488r2_rule
Vulnerability ID: V-15654
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |