If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password complexity.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-213894 | SQL4-00-038900 | SV-213894r397501_rule | Medium |
| Description |
|---|
| Windows domain/enterprise authentication and identification must be used (SQL4-00-030300). Native SQL Server authentication may be used only when circumstances make it unavoidable; and must be documented and AO-approved. The DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval. In such cases, the DoD standards for password complexity must be implemented. The requirements for password complexity are: a. minimum of 15 Characters, 1 of each of the following character sets: - Upper-case - Lower-case - Numeric - Special characters (e.g. ~ ! @ # $ % ^ & * ( ) _ + = - ' [ ] / ? > <)]; b. Minimum number of characters changed from previous password: 50% of the minimum password length (that is, 8). To enforce this in SQL Server, configure each DBMS-managed login to inherit the rules from Windows. |
| STIG | Date |
|---|---|
| MS SQL Server 2014 Instance Security Technical Implementation Guide | 2021-12-10 |
Details
| Check Text ( C-15113r313033_chk ) |
|---|
| Run the statement: SELECT name FROM sys.sql_logins WHERE type_desc = 'SQL_LOGIN' AND is_disabled = 0 AND is_policy_checked = 0 ; If no account names are listed, this is not a finding. For each account name listed, determine whether it is documented as requiring exemption from the standard password complexity rules, if it is not, this is a finding. |
| Fix Text (F-15111r313034_fix) |
|---|
| For each SQL Server Login identified in the Check as out of compliance: In SQL Server Management Studio Object Explorer, navigate to Alternatively, for each identified Login, run the statement: ALTER LOGIN |