STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 5 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to MS SQL Server 2016 Instance Security Technical Implementation Guide

V-213973

CAT II (Medium)

The Service Master Key must be backed up and stored in a secure location that is not on the SQL Server.

Rule ID

SV-213973r961128_rule

STIG

MS SQL Server 2016 Instance Security Technical Implementation Guide

Version

V3R6

CCIs

CCI-001199

Discussion

Backup and recovery of the Service Master Key may be critical to the complete recovery of the database. Creating this backup should be one of the first administrative actions performed on the server. Not having this key can lead to loss of data during recovery.

Check Content

Review procedures for and evidence of backup of the Server Service Master Key in the System Security Plan.  
 
If the procedures or evidence does not exist, this is a finding.
 
If the procedures do not indicate that a backup of the Service Master Key is stored in a secure location that is not on the SQL Server, this is a finding. 

If procedures do not indicate access restrictions to the Service Master Key backup, this is a finding.

Fix Text

Document and implement procedures to safely back up and store the Service Master Key in a secure location that is not on the SQL Server. Include in the procedures methods to establish evidence of backup and storage, and careful, restricted access and restoration of the Service Master Key.
 
BACKUP SERVICE MASTER KEY TO FILE = 'path_to_file'  
ENCRYPTION BY PASSWORD = 'password';  
 
As this requires a password, take care to ensure it is not exposed to unauthorized persons or stored as plain text.