UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

DBMS account passwords should not be set to easily guessed words or values.


Overview

Finding ID Version Rule ID IA Controls Severity
V-15634 DG0127-SQLServer9 SV-24314r1_rule IAIA-1 IAIA-2 Medium
Description
DBMS account passwords set to common dictionary words or values render accounts vulnerable to password guessing attacks and unauthorized access.
STIG Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide 2015-06-16

Details

Check Text ( C-23839r1_chk )
If no DBMS accounts authenticate using passwords, this check is Not a Finding.

If DBMS uses Windows Authentication only, this check is Not a Finding.

Review methods for protecting accounts from assignment of easily guessed passwords. If methods do not include at least one of the following or a viable alternate means to prevent use of easily guessed passwords, this is a Finding.

1. Password cracker run frequently to report easily guessed passwords
2. Automated routine to check passwords against password dictionaries at password assignment time
3. User training and understanding of the risk of easily guessed passwords
4. Using Windows Authentication for database accounts

NOTE: Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079.
Fix Text (F-20171r1_fix)
Employ preventative means, user training and/or password cracking routines to discover and prevent easily guessed passwords in the database.