UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password complexity.


Overview

Finding ID Version Rule ID IA Controls Severity
V-72413 SQL2-00-038900 SV-87037r1_rule Medium
Description
Windows domain/enterprise authentication and identification must be used (SQL2-00-023600). Native SQL Server authentication may be used only when circumstances make it unavoidable; and must be documented and AO-approved. The DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval. In such cases, the DoD standards for password complexity must be implemented. The requirements for password complexity are: a. minimum of 15 Characters, 1 of each of the following character sets: - Upper-case - Lower-case - Numeric - Special characters (e.g. ~ ! @ # $ % ^ & * ( ) _ + = - ' [ ] / ? > <)]; b. Minimum number of characters changed from previous password: 50% of the minimum password length (that is, 8). To enforce this in SQL Server, configure each DBMS-managed login to inherit the rules from Windows.
STIG Date
Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide 2017-12-01

Details

Check Text ( C-72667r2_chk )
Run the statement:
SELECT
name
FROM
sys.sql_logins
WHERE
type_desc = 'SQL_LOGIN'
AND is_disabled = 0
AND is_policy_checked = 0 ;

If no account names are listed, this is not a finding.

For each account name listed, determine whether it is documented as requiring exemption from the standard password complexity rules. If it is not, this is a finding.
Fix Text (F-78881r1_fix)
For each SQL Server Login identified in the Check as out of compliance:
In SQL Server Management Studio Object Explorer, navigate to >> Security >> Logins >> . Right-click, select Properties. Select the check box Enforce Password Policy. Click OK.

Alternatively, for each identified Login, run the statement:
ALTER LOGIN CHECK_POLICY = ON;