
DBMS account passwords should not be set to easily guessed words or values.


Overview

Finding ID: V-15634
Version: DG0127-SQLServer9
Rule ID: SV-24314r1_rule
IA Controls: IAIA-1, IAIA-2
Severity: Medium
Description
DBMS account passwords set to common dictionary words or values render accounts vulnerable to password guessing attacks and unauthorized access.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-23839r1_chk)
If no DBMS accounts authenticate using passwords, this check is Not a Finding.

If DBMS uses Windows Authentication only, this check is Not a Finding.

Review methods for protecting accounts from assignment of easily guessed passwords. If methods do not include at least one of the following or a viable alternate means to prevent use of easily guessed passwords, this is a Finding.

1. Password cracker run frequently to report easily guessed passwords
2. Automated routine to check passwords against password dictionaries at password assignment time
3. User training and understanding of the risk of easily guessed passwords
4. Using Windows Authentication for database accounts

NOTE: Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079.
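The following T-SQL is an added audit query, not part of the STIG text. It covers the NOTE (SQL logins exempted from Windows password policy) and method 2 above (an automated dictionary check), using the documented PWDCOMPARE() function against the stored hash. It assumes SQL Server 2005 or later and a caller with CONTROL SERVER; the @weak table is a constructed placeholder to be loaded from the site's own password dictionary.

```sql
-- Part 1 (relates to DG0079): enabled SQL logins whose password is NOT
-- subject to the Windows password policy. Each row is a candidate finding.
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_disabled = 0
  AND is_policy_checked = 0;

-- Part 2 (check method 2): automated dictionary check at audit time.
-- @weak is a constructed placeholder list; populate it from the
-- organisation's approved dictionary of prohibited values.
DECLARE @weak TABLE (candidate nvarchar(128) NOT NULL);
INSERT INTO @weak (candidate) VALUES (N'');          -- blank password

-- PWDCOMPARE() returns 1 when the clear-text candidate matches the
-- stored hash, so any row returned here is a Finding.
SELECT l.name AS login_name, N'dictionary entry' AS reason
FROM sys.sql_logins AS l
CROSS JOIN @weak AS w
WHERE l.is_disabled = 0
  AND PWDCOMPARE(w.candidate, l.password_hash) = 1
UNION ALL
-- Password equal to the login name is a separate, common weak case.
SELECT l.name, N'same as login name'
FROM sys.sql_logins AS l
WHERE l.is_disabled = 0
  AND PWDCOMPARE(l.name, l.password_hash) = 1;
```

Run both parts from the instance under review; an empty result set from each, together with a documented dictionary source for @weak, supports a "Not a Finding" determination for this check.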
Fix Text (F-20171r1_fix)
Employ preventative means, user training and/or password cracking routines to discover and prevent easily guessed passwords in the database.