Does the DoD STIG require Transparent Database Encryption (TDE)?

Does the DoD STIG require Transparent Database Encryption (TDE)? The short answer is: It depends on whether or not the Data Owner says the data must be encrypted. The current version of the DoD Database STIG is v8r1. Here are two relevant sections from that document: 3.1.4.3 Unique security requirements (encryption of sensitive data). Access to sensitive…


SQL Server, the DoD, and Common Criteria

Common Criteria is an international standard for a set of security characteristics, and the U.S. Department of Defense (DoD) Database Security Technical Implementation Guide (STIG) (via the Security Readiness Review for SQL Server) requires it to be enabled. (See DG0084.) You can turn it on by using sp_configure (“common criteria compliance enabled”) or by using SQL Server…

How To STIG a Database System

This post is to provide a little enlightenment to folks who have never STIG’d a database system before and assume that the process is a one-time configuration. It’s not. It’s not even close. STIG compliance requires: One or more named Database Administrators (DBA) A named Information Assurance Officer (IAO) An initial system evaluation A Plan…


Summary of Audit-Specific STIG IDs

The DoD Database Security Technical Implementation Guide (STIG) has quite a few requirements in the area of auditing, but they’re scattered throughout the document. Here’s a list of all the audit-related STIG IDs that I found. From the Security Readiness Review: “The majority of Microsoft SQL Server security auditing is provided by the trace facility….


DG0155: Trusted file check

The DoD Database STIG includes DG0155 (CAT II): The DBA will ensure all applicable DBMS settings are configured to use trusted files, functions, features, or other components during startup, shutdown, aborts, or other unplanned interruptions. In the SQL Server 2005 Security Readiness Review (SRR): If the DBMS does not provide a means to ensure the…

Remove Public and Guest Permissions

You can’t get rid of the “public” role and by default in SQL Server 2005 and 2008 many objects have permissions granted to public. For those reasons, you might expect that those permissions are required for SQL Server to function correctly, but you’d be wrong. In fact, you have to wipe them out to comply…

Permissions for SQL Server Agent Proxy for SSIS Maintenance Plans

The DM6140 requirement in the SRR Checklist SQL Server v8R1 for the Database STIG can be a little troublesome if you haven’t dealt with it before. Typically, by the time you get around to this requirement, you’ve already removed all unnecessary permissions. A common problem in this scenario is that you create a Credential, then…

What’s a STIG?

STIG stands for Security Technical Implementation Guide, and there are many STIGs created by the Field Security Office (FSO) of the Information Assurance Support Environment (IASE) of the Defense Information Systems Agency (DISA) for the Department of Defense (DoD). Got that? Good, ’cause there will be a quiz later. Each STIG covers one general…