SQLD-22-001600 - The Database Master Key encryption password must meet DOD password complexity requirements.

Information

Weak passwords may be easily guessed. When passwords are used to encrypt keys used for encryption of sensitive data, the confidentiality of all data encrypted using that key is at risk.

Current DOD passwords require the following:
- minimum of 15 characters;
- at least one uppercase character;
- one lowercase character;
- one special character;
- one numeric character, and
- at least eight characters changed from the previous password.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Assign an encryption password to the Database Master Key that is a minimum of 15 characters with at least one uppercase character, one lowercase character, one special character, one numeric character, and at least eight characters changed from the previous password. To change the Database Master Key encryption password:

USE [database name];
ALTER MASTER KEY REGENERATE WITH ENCRYPTION BY PASSWORD = 'new password';

Note: Do not change the Database Master Key encryption method until the effects are thoroughly reviewed. Changing the master key encryption causes all encryption using the Database Master Key to be decrypted and reencrypted. This action should not be taken during a high-demand time.

Refer to the SQL Server documentation found here prior to reencrypting the Database Master Key:
https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/create-a-database-master-key?

See Also

https://dl.dod.cyber.mil/wp-content/uploads/U_MS_SQL_Server_2022_Y25M06_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-28, CAT|II, CCI|CCI-001199, Rule-ID|SV-271169r1109188_rule, STIG-ID|SQLD-22-001600, Vuln-ID|V-271169

Plugin: MS_SQLDB

Control ID: 27eeb5f32d466fa3546acaf15afc2a1ae54b00c8c016d82eb7e22908ec4d78ac