Database accounts should not specify account lock times less than the site-approved minimum.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-3817 | DG0073-SQLServer9 | SV-25285r1_rule | ECLO-1 ECLO-2 | Medium |
| Description |
|---|
| Unauthorized access to database accounts may be thwarted by instituting a lock on the target account after the specified number of unsuccessful logins. If allowed to continue an attack unimpeded, the attempt could eventually become successful and compromise the database and data integrity. |
| STIG | Date |
|---|---|
| Microsoft SQL Server 2005 Database Security Technical Implementation Guide | 2015-06-16 |
Details
| Check Text ( C-13830r1_chk ) |
|---|
| If no DBMS accounts authenticate using passwords, this check is Not a Finding. If DBMS uses Host Authentication only, this check is Not a Finding. If the DBMS does not natively support this functionality, this check is Not a Finding. If the DBMS is not configured to lock database accounts after three or an IAO-specified number of consecutive unsuccessful connection attempts within a 60 minute period, this is a Finding. Note: The counter may be reset to 0 if a third failed logon attempt does not occur before reset. Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079. |
| Fix Text (F-20069r1_fix) |
|---|
| Set the failed login attempt count to 3 to trigger an account lockout or to the number specified in the System Security Plan where supported by the DBMS. Where this requirement is not compatible with the operation of a front-end application, the unsuccessful logon count and time will be specified and the operational need documented in the System Security Plan. |