
Unlimited account lock times should be specified for locked accounts.


Overview

Finding ID: V-15639
Version: DG0133-SQLServer9
Rule ID: SV-24322r1_rule
IA Controls: ECLO-1, ECLO-2
Severity: Medium
Description
When no limit is imposed on failed logon attempts and accounts are not disabled after a set number of failed access attempts, then the DBMS account is vulnerable to sustained attack. When access attempts may continue unrestricted, the likelihood of success is increased. A successful attempt results in unauthorized access to the database.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-16980r1_chk)
If the DBMS does not provide a method or means for configuration of account lock times, this check is Not a Finding.

Review the account lock time configuration setting. If the lock time is not set to unlimited or is set to allow the DBMS to unlock the account after a pre-determined amount of time, this is a Finding.

For DBMS accounts using Windows Authentication:

1. Launch the Group Policy Editor on the DBMS Server
2. Under Computer Configuration:
   a. Expand Windows Settings
   b. Expand Security Settings
   c. Expand Account Policies
   d. Select Account Lockout Policy
3. Review Account Lockout Duration, Account Lockout Threshold and Reset Account Lockout Counter After policies

If Account Lockout Duration is not set or set to a value greater than 0, this is a Finding.

If Account Lockout Threshold is not set or set to a value greater than 3, this is a Finding.

If Reset Account Lockout Counter After is not set to its maximum value (For Windows 2003, this is 99999), this is a Finding.

NOTE: Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079.

Fix Text (F-24484r1_fix)
Configure the database to maintain an account lock time until the account is manually unlocked by an authorized account administrator.

For DBMS accounts using Windows Authentication:

1. Launch the Group Policy Editor on the DBMS Server
2. Under Computer Configuration:
   a. Expand Windows Settings
   b. Expand Security Settings
   c. Expand Account Policies
   d. Select Account Lockout Policy
3. Set "Account Lockout Threshold" = 3
4. Set or Reset "Account Lockout Duration" = 0
5. Set or Reset "Reset Account Lockout Counter After" = 99999 (about 69 days, which is max for this policy setting)
6. Close Group Policy Editor

Document these settings in the System Security Plan.
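The following PowerShell script is an added example, not part of the STIG or of any Microsoft tooling; it evaluates the three Account Lockout Policy values named in the check text above (and set by the fix text) by parsing the security template that secedit exports. It assumes it runs elevated on the DBMS server, that the exported [System Access] section carries the keys LockoutBadCount, LockoutDuration and ResetLockoutCount, and that a duration of "until an administrator unlocks" (0 in the policy editor) is exported as -1.

```powershell
# Added example (not from the STIG): audit the Account Lockout Policy values
# for DG0133 from the security template that secedit exports.
# Assumptions: elevated session; [System Access] keys LockoutBadCount,
# LockoutDuration, ResetLockoutCount; duration "until admin unlocks" = -1.
function Get-AccountLockoutPolicy {
    $inf = Join-Path $env:TEMP ("lockout-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
        if (-not (Test-Path $inf)) { throw "secedit export failed" }
        $policy = @{}
        foreach ($line in Get-Content $inf) {
            if ($line -match '^\s*(LockoutBadCount|LockoutDuration|ResetLockoutCount)\s*=\s*(-?\d+)') {
                $policy[$matches[1]] = [int]$matches[2]
            }
        }
        return $policy
    }
    finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

# Apply the three conditions from the check text; returns one string per
# finding (an empty array means the lockout settings comply).
function Test-DG0133LockoutPolicy {
    param([hashtable]$Policy)
    $findings = @()
    $threshold = $Policy['LockoutBadCount']
    if (-not $threshold -or $threshold -gt 3) {    # missing/0 = accounts never lock
        $findings += "Account Lockout Threshold is '$threshold'; must be 1-3"
    }
    $duration = $Policy['LockoutDuration']
    if ($null -eq $duration -or $duration -gt 0) { # 0 or -1 = until admin unlocks
        $findings += "Account Lockout Duration is '$duration'; must be 0 (manual unlock)"
    }
    $reset = $Policy['ResetLockoutCount']
    if ($reset -ne 99999) {                        # 99999 minutes is the policy maximum
        $findings += "Reset Account Lockout Counter After is '$reset'; must be 99999"
    }
    return $findings
}

$result = Test-DG0133LockoutPolicy -Policy (Get-AccountLockoutPolicy)
if ($result.Count -eq 0) { "DG0133: Not a Finding" }
else { $result | ForEach-Object { "DG0133 Finding: $_" } }
```

The export reflects the lockout policy applied to the server itself; for domain accounts the domain's Account Lockout Policy governs, so review that policy as well when the DBMS uses domain logins.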