If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password lifetime.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-72415	SQL2-00-038910	SV-87039r2_rule		Medium

Description
Windows domain/enterprise authentication and identification must be used (SQL2-00-023600). Native SQL Server authentication may be used only when circumstances make it unavoidable; and must be documented and AO-approved. The DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval. In such cases, the DoD standards for password lifetime must be implemented. The requirements for password lifetime are: a. Password lifetime limits for interactive accounts: Minimum 24 hours, Maximum 60 days b. Password lifetime limits for non-interactive accounts: Minimum 24 hours, Maximum 365 days c. Number of password changes before an old one may be reused: Minimum of 5. To enforce this in SQL Server, configure each DBMS-managed login to inherit the rules from Windows.

Description

Windows domain/enterprise authentication and identification must be used (SQL2-00-023600). Native SQL Server authentication may be used only when circumstances make it unavoidable; and must be documented and AO-approved. The DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval. In such cases, the DoD standards for password lifetime must be implemented. The requirements for password lifetime are: a. Password lifetime limits for interactive accounts: Minimum 24 hours, Maximum 60 days b. Password lifetime limits for non-interactive accounts: Minimum 24 hours, Maximum 365 days c. Number of password changes before an old one may be reused: Minimum of 5. To enforce this in SQL Server, configure each DBMS-managed login to inherit the rules from Windows.

STIG	Date
Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide	2017-12-01

Details

Check Text ( C-72669r2_chk )
Run the statement: SELECT name FROM sys.sql_logins WHERE type_desc = 'SQL_LOGIN' AND is_disabled = 0 AND is_expiration_checked = 0; If no account names are listed, this is not a finding. For each account name listed, determine whether it is documented as requiring exemption from the standard password lifetime rules, if it is not, this is a finding.

Fix Text (F-78817r1_fix)
For each SQL Server Login identified in the Check as out of compliance: In SQL Server Management Studio Object Explorer, navigate to >> Security >> Logins >> . Right-click, select Properties. Select the check box Enforce Password Expiration. Click OK. Alternatively, for each identified Login, run the statement: ALTER LOGIN CHECK_EXPIRATION = ON;