UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password lifetime.


Overview

Finding ID Version Rule ID IA Controls Severity
V-72415 SQL2-00-038910 SV-87039r1_rule Medium
Description
Windows domain/enterprise authentication and identification must be used (SQL2-00-023600). Native SQL Server authentication may be used only when circumstances make it unavoidable; and must be documented and AO-approved. The DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval. In such cases, the DoD standards for password lifetime must be implemented. The requirements for password lifetime are: a. Password lifetime limits: Minimum 24 hours, Maximum 60 days b. Number of password changes before an old one may be reused: Minimum of 5. To enforce this in SQL Server, configure each DBMS-managed login to inherit the rules from Windows.
STIG Date
Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide 2017-04-03

Details

Check Text ( C-72669r2_chk )
Run the statement:
SELECT
name
FROM
sys.sql_logins
WHERE
type_desc = 'SQL_LOGIN'
AND is_disabled = 0
AND is_expiration_checked = 0;

If no account names are listed, this is not a finding.

For each account name listed, determine whether it is documented as requiring exemption from the standard password lifetime rules, if it is not, this is a finding.
Fix Text (F-78817r1_fix)
For each SQL Server Login identified in the Check as out of compliance:
In SQL Server Management Studio Object Explorer, navigate to >> Security >> Logins >> . Right-click, select Properties. Select the check box Enforce Password Expiration. Click OK.

Alternatively, for each identified Login, run the statement:
ALTER LOGIN CHECK_EXPIRATION = ON;