DBMS Password Complexity

Severity: CAT 2

Description: Weak passwords are a primary target for attack to gain unauthorized access to databases and other systems. Where username/password is used for identification and authentication to the database, requiring the use of strong passwords can help prevent simple and more sophisticated methods for guessing at passwords.

Check:

If SQL Server is configured for Windows authentication only, then this check is NA.

If the host system is earlier than Windows Server 2003, then this check is NA (SQL Server can only enforce the Windows password policy on Windows Server 2003 or later).

If the server is configured to allow SQL Server authentication (mixed mode), then verify that every SQL Server login is subject to the Windows password policy (CHECK_POLICY):

SELECT name FROM sys.sql_logins WHERE type = 'S' AND is_policy_checked = 0

If any rows are returned, then this is a Finding.

Fix:

For all DBMS accounts using SQL Server logins, set the accounts for password complexity checking.

ALTER LOGIN <login name> WITH CHECK_POLICY = ON

NOTE: This setting depends upon host system password policy settings. When CHECK_POLICY is ON, SQL Server enforces the Windows local (or domain) password policy in effect on the host, so the host system must be configured to comply with Windows STIG requirements. Enabling CHECK_POLICY does not re-validate passwords that were set while it was OFF; those passwords are only checked the next time they are changed.

The DBA will ensure database password complexity standards meet current minimum requirements for length (9 characters or more for database application user accounts and 15 characters or more for privileged database accounts) and composition (at least two uppercase characters, two lowercase characters, two special characters, and two digits) where supported by the DBMS. The Windows complexity policy enforced through CHECK_POLICY only requires a password to contain characters from at least three character categories; the two-of-each composition rule above cannot be enforced by SQL Server itself and must be covered by procedure.
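The following T-SQL script is an added example that combines the check and the fix above; it is not part of the STIG text. It assumes a principal holding VIEW ANY DEFINITION (for the audit) and ALTER ANY LOGIN (for the remediation), and it uses SERVERPROPERTY('IsIntegratedSecurityOnly') to decide whether the check is applicable before listing non-compliant logins and generating one ALTER LOGIN statement per finding.

```sql
-- Added example (not part of the STIG text): audit SQL Server logins for
-- CHECK_POLICY and generate the remediation statements.
-- Assumes the caller has VIEW ANY DEFINITION and ALTER ANY LOGIN.

-- Step 1: the check only applies when SQL Server authentication is enabled.
-- IsIntegratedSecurityOnly = 1 means Windows authentication only -> NA.
IF SERVERPROPERTY('IsIntegratedSecurityOnly') = 1
BEGIN
    PRINT 'Windows authentication only: check is not applicable.';
    RETURN;
END;

-- Step 2: list SQL logins that are not subject to the Windows password policy.
-- type = 'S' selects SQL logins (not Windows logins/groups or
-- certificate/asymmetric-key mapped logins). Disabled logins are listed too,
-- so they are fixed before anyone re-enables them.
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked
FROM sys.sql_logins
WHERE type = 'S'
  AND is_policy_checked = 0
ORDER BY name;

-- Step 3: build one ALTER LOGIN statement per finding. QUOTENAME brackets the
-- login name so names containing spaces or brackets cannot break the statement.
-- The generated script is printed for review; the EXEC line is commented out
-- on purpose so nothing changes until a DBA has read it.
DECLARE @fix nvarchar(max) = N'';

SELECT @fix = @fix
    + N'ALTER LOGIN ' + QUOTENAME(name) + N' WITH CHECK_POLICY = ON;'
    + CHAR(13) + CHAR(10)
FROM sys.sql_logins
WHERE type = 'S'
  AND is_policy_checked = 0;

PRINT @fix;
-- EXEC sp_executesql @fix;
```

Because enabling CHECK_POLICY does not re-check a password that was set while the policy was off, a login whose current password is known to be weak should also be forced to change it (ALTER LOGIN ... WITH PASSWORD = '...' MUST_CHANGE, CHECK_EXPIRATION = ON, CHECK_POLICY = ON) rather than left to the next voluntary password change.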
