
SQL Server authentication mode should be set to Windows authentication mode or Mixed mode.


Overview

Finding ID: V-2487
Version: DM3566-SQLServer9
Rule ID: SV-25448r1_rule
IA Controls: IAIA-1, IAIA-2
Severity: Medium

Description
SQL Server authentication does not provide a sufficiently robust password complexity and management capability to meet stringent security requirements. SQL Server allows use of Windows authentication, a more robust and secure authentication service, to control access to the database.

STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-1447r1_chk)
From the query prompt:

EXEC XP_LOGINCONFIG 'login mode'

If a value of 'Windows Authentication' is returned for config_value, this is Not a Finding.

If a value of 'Mixed' is returned for config_value, confirm in the System Security Plan that SQL Server authentication is required and authorized. If it is not, this is a Finding.

Note: SQL Server authentication and the use of passwords are dependent on password management configured on the host platform. Sufficient password management is available only in SQL Server 2005 on Windows 2003 or later. Password authentication is discouraged and only authorized where Windows authentication is not possible. Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079.
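
The check above can be scripted so that the reported login mode and the password-policy state of SQL Server logins are reviewed together. The following T-SQL is an added example, not part of the STIG text. It assumes the temporary table name #login_config (hypothetical), matches the Windows-only value by prefix because the exact wording of config_value may differ between versions, and uses SERVERPROPERTY('IsIntegratedSecurityOnly') and sys.sql_logins as a cross-check.

```sql
-- Added example: audit script for this check (not part of the STIG text).
SET NOCOUNT ON;

-- Capture the 'login mode' row reported by xp_loginconfig.
-- #login_config is a hypothetical name chosen for this example.
CREATE TABLE #login_config (
    name         sysname,
    config_value nvarchar(128)
);

INSERT INTO #login_config (name, config_value)
EXEC master.dbo.xp_loginconfig 'login mode';

DECLARE @mode nvarchar(128);
SELECT @mode = config_value
FROM #login_config
WHERE name = 'login mode';

-- Report the mode with a cross-check value:
-- IsIntegratedSecurityOnly = 1 means Windows authentication only, 0 means Mixed.
SELECT @mode AS config_value,
       SERVERPROPERTY('IsIntegratedSecurityOnly') AS is_windows_auth_only,
       CASE
           WHEN @mode LIKE 'Windows%' THEN 'Not a Finding'
           WHEN @mode = 'Mixed'
               THEN 'Review: confirm authorization in the System Security Plan'
           ELSE 'Unexpected value: review manually'
       END AS assessment;

-- In Mixed mode, list enabled SQL Server logins and whether Windows password
-- policy and expiration are enforced for each (see Check DG0079).
-- Rows with is_policy_checked = 0 sort first and need attention.
IF @mode = 'Mixed'
    SELECT name,
           is_policy_checked,
           is_expiration_checked,
           create_date,
           modify_date
    FROM sys.sql_logins
    WHERE is_disabled = 0
    ORDER BY is_policy_checked, is_expiration_checked, name;

DROP TABLE #login_config;
```
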
Fix Text (F-20268r1_fix)
Configure the instance to accept Windows authentication.

From the query prompt:

EXEC XP_LOGINCONFIG 'login mode', 1

If SQL Server authentication is required and authorized, document the requirement with a justification in the System Security Plan. Configure the instance to accept SQL Server authentication.

From the query prompt:

EXEC XP_LOGINCONFIG 'login mode', 2