Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15152 | DG0079-SQLServer9 | SV-24092r2_rule | IAIA-1 IAIA-2 | Medium |
Description |
---|
Weak passwords are a primary target for attack to gain unauthorized access to databases and other systems. Where username/password is used for identification and authentication to the database, requiring the use of strong passwords can help prevent simple and more sophisticated methods for guessing at passwords. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Check Text ( C-23535r2_chk ) |
---|
If SQL Server is configured for Windows Authentication only, this check is Not a Finding. If the server is configured to allow SQL Server Authentication, verify that passwords are checked for complexity requirements where the DBMS version permits. From the query prompt: `SELECT name FROM [master].sys.sql_logins WHERE type = 'S' AND is_policy_checked <> '1' ORDER BY name` If any rows are returned, this is a Finding. |
Fix Text (F-20068r1_fix) |
---|
For all DBMS accounts using SQL Server logins, set the accounts for password complexity checking. From the query prompt: `ALTER LOGIN [login name] WITH CHECK_POLICY = ON` Note: This setting depends upon host system password complexity settings. The host system must be configured to comply with Windows STIG requirements. |
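
The check and fix above combined into one read-only T-SQL script, as an added example that is not part of the STIG text: it reports the authentication mode, lists the SQL logins that fail the check, and generates the fix statement for each one. The `SERVERPROPERTY('IsIntegratedSecurityOnly')` lookup, the extra context columns and the `fix_statement` column are additions for the reviewer's convenience.

```sql
-- Added example (not STIG text). Read-only: it reports and generates
-- statements as text; it does not alter any login.

-- Step 1: authentication mode.
--   1 = Windows Authentication only -> Not a Finding, stop here.
--   0 = SQL Server Authentication is allowed -> continue with step 2.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- Step 2: same filter as the check text (SQL logins without policy checking),
-- with context columns and a ready-to-review fix statement per login.
-- Any row returned is a Finding.
SELECT
    name,
    is_disabled,             -- context: disabled logins still count as a Finding
    is_expiration_checked,   -- context: expiration checking requires CHECK_POLICY = ON
    modify_date,
    -- QUOTENAME brackets the login name so unusual characters cannot
    -- break the generated statement.
    N'ALTER LOGIN ' + QUOTENAME(name) + N' WITH CHECK_POLICY = ON;' AS fix_statement
FROM [master].sys.sql_logins
WHERE type = 'S'
  AND is_policy_checked = 0
ORDER BY name;
```

Turning `CHECK_POLICY` on does not re-evaluate the password a login already has; the host policy is applied the next time the password is set.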