DBMS default accounts should be assigned custom passwords.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-15635 | DG0128-SQLServer9 | SV-24108r2_rule | IAIA-1 IAIA-2 | High |
| Description |
|---|
| DBMS default passwords provide a commonly known and exploited means for unauthorized access to database installations. |
| STIG | Date |
|---|---|
| Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Details
| Check Text ( C-23613r2_chk ) |
|---|
| From the query prompt: SELECT name AS [User], type_desc AS [Type], create_date AS [Create Date] FROM [master].sys.sql_logins WHERE PWDCOMPARE ('', password_hash) = 1 If any user accounts are listed, this is a Finding. NOTE: Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079. |
| Fix Text (F-14773r1_fix) |
|---|
| Assign a password to accounts that meet DoD complexity requirements. From the query prompt: USE master ALTER LOGIN [name] WITH PASSWORD = '[new password]' Replace [new password] with a password and [name] with the account name. Use the SQL Server Enterprise Manager GUI to change the assigned password of any SQL Server–related service. Each service must be changed individually. |