
Unapproved inactive or expired database accounts should not be found on the database.


Overview

Finding ID: V-15130
Version: DG0074-SQLServer9
Rule ID: SV-24224r1_rule
IA Controls: IAAC-1
Severity: Medium
Description
Unused or expired DBMS accounts provide a means for undetected, unauthorized access to the database.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-04-03

Details

Check Text ( None )
None
Fix Text (F-20162r1_fix)
Develop, document and implement procedures to monitor database accounts for inactivity and expiration.

Investigate, document and authorize if appropriate any accounts that are expired or locked or have been inactive for more than 30 days.

Where appropriate, protect authorized expired or inactive accounts by disabling them or applying some other similar protection:

ALTER LOGIN [NAME] DISABLE

Note: DBMS accounts that use Windows Authentication or are linked to certificates can be monitored or managed by the host, or through Active Directory for domain accounts. Ensure that the DBA and SA coordinate host/domain account management and that host/domain account management meets host/domain-level STIG requirements.
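
One way to build the review list the fix text calls for, as an added example that is not part of the STIG. SQL Server 2005 catalog views carry no last-logon column, so `@LoginActivity` is a hypothetical stand-in for last-logon data gathered from login auditing, and its rows are constructed sample values.

```sql
-- Added example (not part of the STIG): review query for a SQL Server 2005 instance.
-- @LoginActivity is a hypothetical stand-in for last-logon data collected from
-- login auditing; the login names and dates below are constructed sample values.
DECLARE @LoginActivity TABLE (login_name sysname PRIMARY KEY, last_login datetime);
INSERT INTO @LoginActivity VALUES (N'app_reporting', DATEADD(day, -45, GETDATE()));
INSERT INTO @LoginActivity VALUES (N'app_orders',    DATEADD(day, -2,  GETDATE()));

SELECT
    sp.name,
    sp.type_desc,
    -- LOGINPROPERTY returns NULL when the login is not a SQL Server-authenticated login.
    CAST(LOGINPROPERTY(sp.name, 'IsExpired') AS int) AS is_expired,
    CAST(LOGINPROPERTY(sp.name, 'IsLocked')  AS int) AS is_locked,
    la.last_login,
    CASE
        WHEN LOGINPROPERTY(sp.name, 'IsExpired') = 1 THEN 'expired'
        WHEN LOGINPROPERTY(sp.name, 'IsLocked')  = 1 THEN 'locked'
        WHEN la.last_login IS NULL               THEN 'no logon recorded'
        ELSE 'inactive more than 30 days'
    END AS finding,
    -- Generated for review only; run it after the account has been
    -- investigated and documented, as the fix text requires.
    'ALTER LOGIN ' + QUOTENAME(sp.name) + ' DISABLE' AS disable_statement
FROM sys.server_principals AS sp
LEFT JOIN @LoginActivity AS la
       ON la.login_name = sp.name COLLATE DATABASE_DEFAULT
WHERE sp.type IN ('S', 'U')      -- SQL Server logins and Windows logins
  AND sp.is_disabled = 0         -- disabled logins are already protected
  AND (   LOGINPROPERTY(sp.name, 'IsExpired') = 1
       OR LOGINPROPERTY(sp.name, 'IsLocked')  = 1
       OR la.last_login IS NULL
       OR la.last_login < DATEADD(day, -30, GETDATE()))
ORDER BY finding, sp.name;
```

Windows logins appear in the output so the DBA has a complete list to reconcile with the SA, but their expiration and lockout state lives in the host or Active Directory, as the note above says.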