V-213912
CAT IIThe Database Master Key must be encrypted by the Service Master Key, where a Database Master Key is required and another encryption method has not been specified.
- Ships Affected
- 1
- Total Findings
- 5
- Open
- 0
- Closed
- 5
Check Text
If no databases require encryption, this is not a finding.
From the query prompt:
SELECT name
FROM [master].sys.databases
WHERE is_master_key_encrypted_by_server = 1
AND owner_sid <> 1
AND state = 0;
(Note that this query assumes that the [sa] account is not used as the owner of application databases, in keeping with other STIG guidance. If this is not the case, modify the query accordingly.)
If no databases are returned by the query, this is not a finding.
For any databases returned, verify in the System Security Plan that encryption of the Database Master Key using the Service Master Key is acceptable and approved by the Information Owner, and the encrypted data does not require additional protections to deter or detect DBA access. If not approved, this is a finding.
If approved and additional protections are required, then verify the additional requirements are in place in accordance with the System Security Plan. These may include additional auditing on access of the Database Master Key with alerts or other automated monitoring.
If the additional requirements are not in place, this is a finding.
Fix Text
Where possible, encrypt the Database Master Key with a password known only to the application administrator.
Where not possible, configure additional audit events or alerts to detect unauthorized access to the Database Master Key by users not authorized to view sensitive data.
STIG Reference
- STIG
- MS SQL Server 2016 Database Security Technical Implementation Guide
- Version
- 3
- Release
- 5
- Rule ID
- SV-213912r961128_rule
All Occurrences
This vulnerability appears on 1 ship(s)
| Ship | Hull # | Source File | Status | Assigned To | Scan Date | Actions |
|---|---|---|---|---|---|---|
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_tempdb_V3R3_20251023-144154.ckl | Unassigned | 2026-01-14T12:57:40.769694 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_msdb_V3R3_20251023-144148.ckl | Unassigned | 2026-01-14T12:57:40.663257 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_model_V3R3_20251023-144128.ckl | Unassigned | 2026-01-14T12:57:40.569961 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_master_V3R3_20251023-144120.ckl | Unassigned | 2026-01-14T12:57:40.470811 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_SQL2016DB_MONT-BE-002-BKUPEXEC64_BEDB_V3R3_20251023-143959.ckl | Unassigned | 2026-01-14T12:57:40.371699 | View in Context |