
DBMS login accounts require passwords to meet complexity requirements.


Overview

Finding ID: V-15152
Version: DG0079-SQLServer9
Rule ID: SV-24092r2_rule
IA Controls: IAIA-1, IAIA-2
Severity: Medium
Description
Weak passwords are a primary target for attack to gain unauthorized access to databases and other systems. Where username/password is used for identification and authentication to the database, requiring the use of strong passwords can help prevent simple and more sophisticated methods for guessing at passwords.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-23535r2_chk)
If SQL Server is configured for Windows Authentication only, this check is Not a Finding.

If the server is configured to allow SQL Server Authentication, verify passwords are checked for complexity requirements where DBMS version permits:

From the query prompt:

SELECT name
FROM [master].sys.sql_logins
WHERE type = 'S'
AND is_policy_checked <> '1'
ORDER BY name

If any rows are returned, this is a Finding.
Fix Text (F-20068r1_fix)
For all DBMS accounts using SQL Server logins, set the accounts for password complexity checking:

From the query prompt:

ALTER LOGIN [login name] WITH CHECK_POLICY = ON

Note: This setting depends upon host system password complexity settings. The host system must be configured to comply with Windows STIG requirements.
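
The following T-SQL is an added example, not part of the STIG text. It combines the authentication-mode test and the check query above, and generates one fix statement per non-compliant login for review. It assumes the session belongs to a sysadmin so that every row in sys.sql_logins is visible; the fix_statement column alias is illustrative.

```sql
-- Added example: audit helper for this check (not STIG text).
-- Assumption: run by a sysadmin so all SQL logins are visible.

-- IsIntegratedSecurityOnly: 1 = Windows Authentication only, 0 = mixed mode.
IF CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) = 1
BEGIN
    PRINT 'Windows Authentication only: Not a Finding.';
END
ELSE
BEGIN
    -- Same predicate as the Check Text, plus the columns an assessor
    -- usually wants alongside the login name.
    SELECT
        name,
        is_disabled,
        is_policy_checked,
        is_expiration_checked,
        -- QUOTENAME brackets the login name safely, including names
        -- that contain spaces or a closing bracket.
        N'ALTER LOGIN ' + QUOTENAME(name)
            + N' WITH CHECK_POLICY = ON;' AS fix_statement
    FROM [master].sys.sql_logins
    WHERE type = 'S'
      AND is_policy_checked <> 1
    ORDER BY name;
END
```

The script only generates the ALTER LOGIN statements; review them, run them, then rerun the check query to confirm it returns no rows. Because the server stores only password hashes, enabling CHECK_POLICY does not re-validate an existing password, so complexity is evaluated the next time each password is set.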