If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password lifetime.

From MS SQL Server 2014 Instance Security Technical Implementation Guide

Part of SRG-APP-000164-DB-000401

Associated with: CCI-000198 CCI-000199 CCI-000200

SV-82435r2_rule If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password lifetime.

Vulnerability discussion

Windows domain/enterprise authentication and identification must be used (SQL4-00-030300). Native SQL Server authentication may be used only when circumstances make it unavoidable; and must be documented and AO-approved.The DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval.In such cases, the DoD standards for password lifetime must be implemented. The requirements for password lifetime are:a. Password lifetime limits for interactive accounts: Minimum 24 hours, Maximum 60 daysb. Password lifetime limits for non-interactive accounts: Minimum 24 hours, Maximum 365 daysc. Number of password changes before an old one may be reused: Minimum of 5.To enforce this in SQL Server, configure each DBMS-managed login to inherit the rules from Windows.

Check content

Run the statement: SELECT name FROM sys.sql_logins WHERE type_desc = 'SQL_LOGIN' AND is_disabled = 0 AND is_expiration_checked = 0; If no account names are listed, this is not a finding. For each account name listed, determine whether it is documented as requiring exemption from the standard password lifetime rules, if it is not, this is a finding.

Fix text

For each SQL Server Login identified in the Check as out of compliance: In SQL Server Management Studio Object Explorer, navigate to >> Security >> Logins >> . Right-click, select Properties. Select the check box Enforce Password Expiration. Click OK. Alternatively, for each identified Login, run the statement: ALTER LOGIN CHECK_EXPIRATION = ON;

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer