If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password complexity.

From Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide

Part of SRG-APP-000164-DB-000401

Associated with: CCI-000192 CCI-000193 CCI-000194 CCI-000195 CCI-000205 CCI-001619

SV-87037r1_rule If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password complexity.

Vulnerability discussion

Windows domain/enterprise authentication and identification must be used (SQL2-00-023600). Native SQL Server authentication may be used only when circumstances make it unavoidable; and must be documented and AO-approved.The DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval.In such cases, the DoD standards for password complexity must be implemented.The requirements for password complexity are:a. minimum of 15 Characters, 1 of each of the following character sets:- Upper-case- Lower-case- Numeric- Special characters (e.g. ~ ! @ # $ % ^ & * ( ) _ + = - ' [ ] / ? > <)];b. Minimum number of characters changed from previous password: 50% of the minimum password length (that is, 8).To enforce this in SQL Server, configure each DBMS-managed login to inherit the rules from Windows.

Check content

Run the statement: SELECT name FROM sys.sql_logins WHERE type_desc = 'SQL_LOGIN' AND is_disabled = 0 AND is_policy_checked = 0 ; If no account names are listed, this is not a finding. For each account name listed, determine whether it is documented as requiring exemption from the standard password complexity rules. If it is not, this is a finding.

Fix text

For each SQL Server Login identified in the Check as out of compliance: In SQL Server Management Studio Object Explorer, navigate to >> Security >> Logins >> . Right-click, select Properties. Select the check box Enforce Password Policy. Click OK. Alternatively, for each identified Login, run the statement: ALTER LOGIN CHECK_POLICY = ON;

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer