Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15639 | DG0133-SQLServer9 | SV-24322r1_rule | ECLO-1 ECLO-2 | Medium |
**Description**

When no limit is imposed on failed logon attempts and accounts are not disabled after a set number of failed access attempts, the DBMS account is vulnerable to sustained attack. When access attempts may continue unrestricted, the likelihood of success is increased. A successful attempt results in unauthorized access to the database.
STIG | Date |
---|---|
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
**Check Text (C-16980r1_chk)**

If the DBMS does not provide a method or means for configuration of account lock times, this check is Not a Finding.

Review the account lock time configuration setting. If the lock time is not set to unlimited, or is set to allow the DBMS to unlock the account after a pre-determined amount of time, this is a Finding.

For DBMS accounts using Windows Authentication:

1. Launch the Group Policy Editor on the DBMS Server.
2. Under Computer Configuration:
   - a. Expand Windows Settings
   - b. Expand Security Settings
   - c. Expand Account Policies
   - d. Select Account Lockout Policy
3. Review the Account Lockout Duration, Account Lockout Threshold and Reset Account Lockout Counter After policies.

If Account Lockout Duration is not set or is set to a value greater than 0, this is a Finding.

If Account Lockout Threshold is not set or is set to a value greater than 3, this is a Finding.

If Reset Account Lockout Counter After is not set to its maximum value (for Windows 2003, this is 99999), this is a Finding.

NOTE: Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079.
**Fix Text (F-24484r1_fix)**

Configure the database to maintain an account lock time until the account is manually unlocked by an authorized account administrator.

For DBMS accounts using Windows Authentication:

1. Launch the Group Policy Editor on the DBMS Server.
2. Under Computer Configuration:
   - a. Expand Windows Settings
   - b. Expand Security Settings
   - c. Expand Account Policies
   - d. Select Account Lockout Policy
3. Set "Account Lockout Threshold" = 3
4. Set or reset "Account Lockout Duration" = 0
5. Set or reset "Reset Account Lockout Counter After" = 99999 (about 69 days, the maximum for this policy setting)
6. Close Group Policy Editor

Document these settings in the System Security Plan.
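One way to audit the three lockout values for local accounts without clicking through the Group Policy Editor, as an added example that is not part of the STIG and not a DISA tool: export the local security policy with `secedit` and compare the `[System Access]` keys against the DG0133 thresholds. It assumes an elevated PowerShell session on the DBMS server, that the export writes `-1` for a lockout duration of 0 ("until an administrator unlocks"), and that local policy is what applies; on a domain member, domain accounts are governed by the domain account policy, so audit that instead.

```powershell
function Get-LocalSystemAccessPolicy {
    # Export the local security policy and return the [System Access] section as a hashtable.
    $inf = Join-Path $env:TEMP 'secpol-dg0133.inf'
    secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $policy = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $policy
}

function Test-Dg0133LockoutPolicy {
    # Evaluate the exported policy against the DG0133 check; a missing key is a finding.
    param([hashtable]$Policy = (Get-LocalSystemAccessPolicy))
    $findings = @()

    # Account Lockout Threshold: must be set (non-zero) and no greater than 3 attempts.
    $threshold = if ($Policy.ContainsKey('LockoutBadCount')) { [int]$Policy['LockoutBadCount'] } else { 0 }
    if ($threshold -lt 1 -or $threshold -gt 3) {
        $findings += "Account Lockout Threshold is $threshold; must be between 1 and 3"
    }

    # Account Lockout Duration: must be 0 in the GUI (until an administrator unlocks).
    # Assumption: secedit writes -1 for that GUI value, so accept 0 or -1.
    $duration = if ($Policy.ContainsKey('LockoutDuration')) { [int]$Policy['LockoutDuration'] } else { 1 }
    if ($duration -ne 0 -and $duration -ne -1) {
        $findings += "Account Lockout Duration is $duration minutes; must be 0 (manual unlock only)"
    }

    # Reset Account Lockout Counter After: must be the maximum, 99999 minutes.
    $reset = if ($Policy.ContainsKey('ResetLockoutCount')) { [int]$Policy['ResetLockoutCount'] } else { 0 }
    if ($reset -ne 99999) {
        $findings += "Reset Account Lockout Counter After is $reset minutes; must be 99999"
    }

    [pscustomobject]@{
        LockoutThreshold = $threshold
        LockoutDuration  = $duration
        ResetCounterMin  = $reset
        Findings         = $findings
        Compliant        = ($findings.Count -eq 0)
    }
}

Test-Dg0133LockoutPolicy | Format-List
```

Any non-empty `Findings` entry maps directly to one of the three "this is a Finding" conditions in the check text above.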