
DBMS account passwords should be set to expire every 60 days or more frequently.


Overview

Finding ID: V-15153
Version: DG0125-SQLServer9
Rule ID: SV-19452r2_rule
IA Controls: IAIA-1, IAIA-2
Severity: Medium

Description
Unchanged passwords provide a means for compromised passwords to be used for unauthorized access to DBMS accounts over a long time.

STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-20472r2_chk)
If no DBMS accounts authenticate using passwords, this check is Not a Finding.

If the DBMS uses Windows Authentication only, this check is Not a Finding.

From the query prompt:

SELECT name
FROM [master].sys.sql_logins
WHERE type = 'S'
AND is_expiration_checked <> '1'
ORDER BY name

If any names are returned, this is a Finding.

NOTE: Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079.

Fix Text (F-18422r1_fix)
Set SQL Server logins to check password expiration.

ALTER LOGIN [user name] WITH CHECK_EXPIRATION = ON
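
The query below is an added example, not part of the STIG text. It extends the check query to show each failing login's policy state and to generate a reviewable fix statement per login. It assumes the standard sys.sql_logins columns; the fix_statement and password_last_set column aliases are names chosen for this example.

```sql
-- Added example: list SQL-authenticated logins that fail this check and
-- build the corresponding fix statement for each one.
--
-- SQL Server rejects CHECK_EXPIRATION = ON while CHECK_POLICY is OFF,
-- so the generated statement enables CHECK_POLICY first where it is
-- still disabled (see the NOTE about Check DG0079).
SELECT
    name,
    is_disabled,
    is_policy_checked,
    is_expiration_checked,
    -- When the current password was set; useful for judging which
    -- logins are likely to need a password change after the fix.
    LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set,
    -- QUOTENAME brackets the login name so names containing spaces or
    -- special characters produce a valid statement.
    'ALTER LOGIN ' + QUOTENAME(name) + ' WITH '
        + CASE WHEN is_policy_checked = 0
               THEN 'CHECK_POLICY = ON, '
               ELSE ''
          END
        + 'CHECK_EXPIRATION = ON;' AS fix_statement
FROM [master].sys.sql_logins
WHERE type = 'S'
  AND is_expiration_checked <> 1
ORDER BY name;
```

The query only reads catalog metadata; nothing changes until the generated statements are run. Review logins used by applications or services before applying them, since an expired password on such an account interrupts its connections.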