SHPT-00-000640 - Applications must support organizational requirements to employ cryptographic mechanisms to protect information in storage.

Information

When data is written to digital media there is risk of data loss and data compromise. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations need to document in policy and procedures, the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. Encryption of data at rest in SQL is required if the data owner deems it necessary.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Data-at-rest encryption is provided by encrypting the SQL Server 2008 SharePoint database with Transparent Data Encryption (TDE) or a third-party solution. Each of the following scripts must be run as T-SQL queries; replace the sample names, passwords and file paths with values suitable for your environment.

Navigate to the SQL Server Management Console and open a new query window to run the following script.

1. Create the DMK.

USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC';
GO

2. Create the TDE Certificate.

USE master;
GO
CREATE CERTIFICATE CompanyABCtdeCert WITH SUBJECT = 'CompanyABC TDE Certificate';
GO

3. Back up the TDE Certificate.

USE master;
GO
BACKUP CERTIFICATE CompanyABCtdeCert TO FILE = 'C:\Backup\CompanyABCtdeCERT.cer'
WITH PRIVATE KEY (
FILE = 'C:\Backup\CompanyABCtdeCert.pvk',
ENCRYPTION BY PASSWORD = 'CrypticTDEpw4CompanyABC!');
GO

4. Create the DEK.

USE SharePointContentDB;
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE CompanyABCtdeCert
GO

5. Encrypt the database.

USE SharePointContentDB
GO
ALTER DATABASE SharePointContentDB
SET ENCRYPTION ON
GO

6. Monitor the progress; once encryption_state is '3', the database is encrypted.

USE SharePointContentDB
GO
SELECT *
FROM sys.dm_database_encryption_keys
WHERE encryption_state = 3;
GO
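The six steps above leave an auditor with two questions: is every database that holds SharePoint data actually in encryption_state 3, and has the certificate protecting the DEK been backed up (without that backup the database cannot be restored to another instance). The following T-SQL is an added verification query written for this page; it is not part of the STIG or of Nessus. It assumes the TDE certificate lives in master as created in step 2, and that sys.certificates exposes pvt_key_last_backup_date (present on recent SQL Server versions; on builds that lack the column, drop it and the corresponding WARN branch).

```sql
-- Added verification query (not part of the STIG text).
-- Reports the TDE state of every user database plus tempdb, and whether the
-- certificate protecting each database encryption key has ever been backed up.
-- Assumption: sys.certificates.pvt_key_last_backup_date exists on this version.
USE master;
GO
SELECT d.name                              AS database_name,
       dek.encryption_state,
       CASE dek.encryption_state
            WHEN 0 THEN 'No database encryption key present'
            WHEN 1 THEN 'Unencrypted'
            WHEN 2 THEN 'Encryption in progress'
            WHEN 3 THEN 'Encrypted'
            WHEN 4 THEN 'Key change in progress'
            WHEN 5 THEN 'Decryption in progress'
            WHEN 6 THEN 'Protection change in progress'
            ELSE 'Unknown'
       END                                 AS encryption_state_desc,
       dek.percent_complete,                -- non-zero while state 2/5 is in progress
       dek.key_algorithm,                   -- expect AES for the DEK created in step 4
       dek.key_length,                      -- expect 256
       c.name                              AS certificate_name,
       c.pvt_key_last_backup_date,
       CASE WHEN dek.database_id IS NULL          THEN 'FAIL: TDE not configured'
            WHEN dek.encryption_state <> 3        THEN 'FAIL: not fully encrypted'
            WHEN c.pvt_key_last_backup_date IS NULL THEN 'WARN: certificate never backed up'
            ELSE 'PASS'
       END                                 AS finding
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS dek
       ON dek.database_id = d.database_id
LEFT JOIN sys.certificates AS c            -- resolved in master, where the TDE cert was created
       ON c.thumbprint = dek.encryptor_thumbprint
-- master, model and msdb cannot be TDE-encrypted; tempdb is encrypted automatically
-- as soon as any user database on the instance is, so it is kept in the report.
WHERE d.name NOT IN ('master', 'model', 'msdb')
ORDER BY d.name;
GO
```

Run it from the same query window after step 6. Each SharePoint database should show encryption_state 3 and finding PASS; a row with 'FAIL: TDE not configured' identifies a database that was never given a DEK (step 4 was skipped for it), and a WARN row means step 3 was never completed for the certificate in use.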

See Also

https://iasecontent.disa.mil/stigs/zip/U_MS_SharePoint_2010_V1R9_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-28(1), CAT|I, CCI|CCI-002475, Rule-ID|SV-37792r2_rule, STIG-ID|SHPT-00-000640, Vuln-ID|V-28066

Plugin: Windows

Control ID: 710076b00342df16ef319a3934a2096609330b16fe4f4dc97803735ffbcbba52