Check: SHPT-00-000640
MS SharePoint 2010 STIG:
SHPT-00-000640
(in version v1 r9)
Title
Applications must support organizational requirements to employ cryptographic mechanisms to protect information in storage. (Cat I impact)
Discussion
When data is written to digital media there is risk of data loss and data compromise. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations need to document in policy and procedures, the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. Encryption of data at rest in SQL is required if the data owner deems it necessary.
Check Content
Each of the following scripts must be run as T-SQL queries, replacing the string text with suitable values for the site (the database name 'TDE_Testing' below must be replaced with the name of the SharePoint content database being checked). Navigate to the SQL Server Management Console and open a new query window to run the following script.

1. Run this T-SQL query:

    USE SharePointContentDB
    GO
    SELECT [name], is_encrypted FROM sys.databases WHERE name = 'TDE_Testing'
    GO

2. Mark as a finding if the is_encrypted value returned is not 1.

3. Mark as not a finding if a third-party solution is used and documented with the IAO.
Fix Text
Data-at-rest encryption is provided by encryption of the SQL 2008 SharePoint database using TDE or a third-party solution. Each of the following scripts must be run as T-SQL queries, replacing the string text (passwords, certificate name, file paths and database name) with suitable values for the site. Navigate to the SQL Server Management Console and open a new query window to run the following script.

1. Create the DMK (database master key):

    USE master;
    GO
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC';
    GO

2. Create the TDE certificate:

    USE master;
    GO
    CREATE CERTIFICATE CompanyABCtdeCert WITH SUBJECT = 'CompanyABC TDE Certificate';
    GO

3. Back up the TDE certificate and its private key (the backup password is separate from the DMK password):

    USE master;
    GO
    BACKUP CERTIFICATE CompanyABCtdeCert TO FILE = 'C:\Backup\CompanyABCtdeCERT.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\Backup\CompanyABCtdeCert.pvk',
        ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!');
    GO

4. Create the DEK (database encryption key):

    USE SharePointContentDB;
    GO
    CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE CompanyABCtdeCert;
    GO

5. Encrypt the database:

    USE SharePointContentDB;
    GO
    ALTER DATABASE SharePointContentDB SET ENCRYPTION ON;
    GO

6. Monitor the progress; once encryption_state is '3', the database is encrypted:

    USE SharePointContentDB;
    GO
    SELECT * FROM sys.dm_database_encryption_keys WHERE encryption_state = 3;
    GO
Additional Identifiers
Rule ID: SV-37792r2_rule
Vulnerability ID: V-28066
Group Title:
Expert Comments
CCIs
Number | Definition
---|---
CCI-002475 | The information system implements cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components.
Controls
Number | Title
---|---
SC-28 (1) | Cryptographic Protection