UCF STIG Viewer Logo

If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password lifetime.


Overview

Finding ID Version Rule ID IA Controls Severity
V-213895 SQL4-00-038910 SV-213895r397501_rule Medium
Description
Windows domain/enterprise authentication and identification must be used (SQL4-00-030300). Native SQL Server authentication may be used only when circumstances make it unavoidable; and must be documented and AO-approved. The DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval. In such cases, the DoD standards for password lifetime must be implemented. The requirements for password lifetime are: a. Password lifetime limits for interactive accounts: Minimum 24 hours, Maximum 60 days b. Password lifetime limits for non-interactive accounts: Minimum 24 hours, Maximum 365 days c. Number of password changes before an old one may be reused: Minimum of 5. To enforce this in SQL Server, configure each DBMS-managed login to inherit the rules from Windows.
STIG Date
MS SQL Server 2014 Instance Security Technical Implementation Guide 2022-09-12

Details

Check Text ( C-15114r313036_chk )
Run the statement:
SELECT
name
FROM
sys.sql_logins
WHERE
type_desc = 'SQL_LOGIN'
AND is_disabled = 0
AND is_expiration_checked = 0;

If no account names are listed, this is not a finding.

For each account name listed, determine whether it is documented as requiring exemption from the standard password lifetime rules, if it is not, this is a finding.
Fix Text (F-15112r313037_fix)
For each SQL Server Login identified in the Check as out of compliance:
In SQL Server Management Studio Object Explorer, navigate to >> Security >> Logins >> . Right-click, select Properties. Select the check box Enforce Password Expiration. Click OK.

Alternatively, for each identified Login, run the statement:
ALTER LOGIN CHECK_EXPIRATION = ON;