SQL Server must be configured to use Windows Integrated Security.

From Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide

Associated with: CCI-000366

SV-53411r5_rule SQL Server must be configured to use Windows Integrated Security.

Vulnerability discussion

SQL Server Authentication does not provide for many of the authentication requirements of the DoD. In some cases workarounds are present, but the authentication is not as robust and does not provide needed functionality. Without that functionality, SQL Server is vulnerable to authentication attacks. Consideration must be given to the placement of SQL server inside a forest to ensure evaluation of risk within the environment is considered. Risk includes introduction of risk to SQL Server from other applications or workstations as well as risk from introduction of SQL server itself into an established environment.There may be situations where SQL Server Authentication must remain enabled, because of constraints imposed by a third-party application. In such a case, document the constraint in the system security plan, and obtain signed approval.

Check content

To determine the Server Authentication Mode, execute the following: EXEC XP_LOGINCONFIG 'login mode' If the config_value does not equal "Windows NT Authentication", this is a finding.

Fix text

From SQL Server Management Studio, right-click the server, and then click Properties. Select the Security page. Under Server authentication, select Windows Authentication Mode, and then click OK.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.