UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

SQL Server authentication mode should be set to Windows authentication mode or Mixed mode.


Overview

Finding ID Version Rule ID IA Controls Severity
V-2487 DM3566-SQLServer9 SV-25448r1_rule IAIA-1 IAIA-2 Medium
Description
SQL Server authentication does not provide a sufficiently robust password complexity and management capability to meet stringent security requirements. SQL Server allows use of Windows authentication, a more robust and security authentication service, to control access to the database.
STIG Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide 2015-06-16

Details

Check Text ( C-1447r1_chk )
From the query prompt:

EXEC XP_LOGINCONFIG 'login mode'

If a value of 'Windows Authentication' is returned for config_value, this is Not a Finding.

If a value of 'Mixed' is returned for config_value, confirm in the System Security Plan that SQL Server authentication is required and authorized. If it is not, this is a Finding.

Note: SQL Server authentication and the use of passwords are dependent on password management configured on the host platform. Sufficient password management is available only in SQL Server 2005 on Windows 2003 or later. Password authentication is discouraged and only authorized where Windows authentication is not possible. Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079.
Fix Text (F-20268r1_fix)
Configure the instance to accept Windows authentication.

From the query prompt:

EXEC XP_LOGINCONFIG 'login mode', 1

If SQL Server authentication is required and authorized, document the requirement with a justification in the System Security Plan. Configure the instance to accept SQL Server authentication.

From the query prompt:

EXEC XP_LOGINCONFIG 'login mode', 2