Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-3811 | DG0066-SQLServer9 | SV-24193r1_rule | IAIA-1 IAIA-2 | Medium |
| Description |
|---|
| New accounts authenticated by passwords that are created without a password or with an easily guessed password are vulnerable to unauthorized access. Procedures for creating new accounts with passwords should include the required assignment of a temporary password to be modified by the user upon first use. |
| STIG | Date |
|---|---|
| Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Details
| Check Text ( C-28588r1_chk ) |
|---|
| If all DBMS accounts are configured to authenticate using certificates or other credential besides passwords, this check is Not a Finding. Where accounts are authenticated using passwords, review procedures and implementation evidence for creation of temporary passwords. If the procedures or evidence do not exist or do not enforce passwords to meet DoD password requirements, this is a Finding. |
| Fix Text (F-26574r1_fix) |
|---|
| Develop, document and implement procedures for assigning temporary passwords to user accounts. Procedures should include instruction to meet current DoD password length and complexity requirements and provide a secure method to relay the temporary password to the user. Temporary passwords should also be short-lived and require immediate update by the user upon first login. |