
Database password changes by users should be limited to one change within 24 hours where supported by the DBMS.


Overview

Finding ID: V-15612
Version: DG0072-SQLServer9
Rule ID: SV-24222r1_rule
IA Controls: IAIA-1, IAIA-2
Severity: Medium
Description
Frequent password changes may indicate suspicious activity or attempts to bypass password controls based on password histories. Limiting the frequency of password changes helps to enforce password change rules and can lead to the discovery of compromised accounts.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-13758r1_chk)
If no DBMS accounts authenticate using passwords, this check is Not a Finding.

If DBMS uses Windows Authentication only, this check is Not a Finding.

If the DBMS supports this functionality, review the settings and function logic or have the DBA demonstrate a password change to ensure that the function does not allow user changes to database passwords to occur more than once within a 24-hour period.

If the review or demonstration reveals that database passwords can be changed by users more than once within a 24-hour period, this is a Finding.

NOTE: Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079.
Fix Text (F-18386r1_fix)
Develop, configure and test a password verify feature or function that authenticates passwords on change to ensure that changes to database passwords do not occur more than once within a 24-hour period where supported by the DBMS.
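One way to implement such a function on SQL Server is a server-scoped DDL trigger that refuses a second password change for the same SQL login within 24 hours. This is an added example, not part of the STIG text; the tracking table name, the exemption for sysadmin members (so administrative resets are not counted as user changes) and the use of a separate DECLARE/SET for SQL Server 2005 compatibility are my assumptions.

```sql
-- Added example (not STIG text): rate-limit user password changes to one per 24 hours.
-- Assumes a tracking table master.dbo.LoginPasswordChange (hypothetical name).
USE master;
GO
CREATE TABLE dbo.LoginPasswordChange (
    LoginName      nvarchar(128) NOT NULL PRIMARY KEY,
    LastChangeTime datetime      NOT NULL
);
GO
CREATE TRIGGER trg_LimitPasswordChangeFrequency
ON ALL SERVER
FOR ALTER_LOGIN
AS
BEGIN
    DECLARE @data xml, @login nvarchar(128), @cmd nvarchar(max), @last datetime;
    SET @data  = EVENTDATA();
    SET @login = @data.value('(/EVENT_INSTANCE/ObjectName)[1]', 'nvarchar(128)');
    SET @cmd   = @data.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)');

    -- Only password changes are limited; other ALTER LOGIN options pass through.
    IF @cmd NOT LIKE '%WITH%PASSWORD%' RETURN;

    -- Windows-authenticated logins are governed by Windows policy, not this trigger.
    IF NOT EXISTS (SELECT 1 FROM sys.sql_logins WHERE name = @login) RETURN;

    -- Assumption: resets performed by administrators are not "user changes".
    IF IS_SRVROLEMEMBER('sysadmin') = 1 RETURN;

    SELECT @last = LastChangeTime
    FROM master.dbo.LoginPasswordChange WHERE LoginName = @login;

    -- Refuse the change if the previous one is less than 24 hours old.
    IF @last IS NOT NULL AND @last > DATEADD(hour, -24, GETDATE())
    BEGIN
        RAISERROR('Password for login %s was already changed within the last 24 hours.', 16, 1, @login);
        ROLLBACK;   -- undoes the ALTER LOGIN that fired this trigger
        RETURN;
    END

    -- Record this change so the next attempt inside 24 hours is refused.
    IF @last IS NULL
        INSERT master.dbo.LoginPasswordChange (LoginName, LastChangeTime) VALUES (@login, GETDATE());
    ELSE
        UPDATE master.dbo.LoginPasswordChange SET LastChangeTime = GETDATE() WHERE LoginName = @login;
END;
GO
```

For the check, a DBA can demonstrate compliance by running `ALTER LOGIN ... WITH PASSWORD = ... OLD_PASSWORD = ...` twice as the login: the second attempt must fail with the trigger's error.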