Threat Finder

Threat ID
2792
Threat Date
08/05/2013
Threat Name
CHECK_POLICY option
CVE Reference
CVE-NO-MATCH
CCE Reference
CCE-NO-MATCH
Risk
Medium
Database Type
Microsoft SQL Server
Category
Misconfigurations
Versions
Microsoft SQL Server 2005, 2008, 2008R2 and 2012
Summary
SQL Server 2005 and later can enforce the same password complexity policy that Windows uses on the passwords of SQL logins. All SQL logins should have this property enabled.
Overview
SQL Server can apply the same complexity and expiration policies used in Windows Server 2003 (and later) to passwords used inside SQL Server. This ensures that:
- The password does not contain all or part of the account name of the user.
- The password is at least eight characters long.
- The password contains characters from three of the following four categories:
  - Latin uppercase letters (A through Z)
  - Latin lowercase letters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphanumeric characters such as: exclamation point (!), dollar sign ($), number sign (#), or percent (%).

All SQL logins should have CHECK_POLICY enabled to increase security.
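As an added example (not the Threat Finder fix script, which is only available in the licensed products), the T-SQL a DBA would run to find the logins that trigger this finding and to generate the remediation statements. It assumes SQL Server 2005 or later and uses a constructed login name, app_user, in the final comment:

```sql
-- Added example, not part of the Threat Finder record.
-- Step 1: list SQL-authenticated logins whose passwords are not checked
-- against the Windows password policy. sys.sql_logins covers SQL logins
-- only; Windows logins are always governed by Windows policy.
SELECT name,
       is_policy_checked,      -- 0 = CHECK_POLICY is OFF (this finding)
       is_expiration_checked,  -- 0 = CHECK_EXPIRATION is OFF
       is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0
ORDER BY name;

-- Step 2: generate the ALTER LOGIN statements instead of running them
-- blindly, so each login can be reviewed first. Running them requires
-- ALTER ANY LOGIN permission. The ##% filter is a precaution that skips
-- SQL Server's internal certificate-based logins (assumption: you do not
-- want to touch those from a remediation script).
SELECT 'ALTER LOGIN ' + QUOTENAME(name) + ' WITH CHECK_POLICY = ON;' AS remediation
FROM sys.sql_logins
WHERE is_policy_checked = 0
  AND name NOT LIKE '##%'
ORDER BY name;

-- Example output of Step 2 for a constructed login named app_user
-- (not an account from the page):
-- ALTER LOGIN [app_user] WITH CHECK_POLICY = ON;
--
-- Note: turning CHECK_POLICY on does not re-validate the login's current
-- password; the policy applies from the next password change. Use
-- ALTER LOGIN ... WITH PASSWORD = '...' MUST_CHANGE (which requires both
-- CHECK_POLICY and CHECK_EXPIRATION to be ON) if an immediate reset is wanted.
```

Re-run Step 1 after remediation; it should return no rows for any login you expect to be policy-checked.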
References
http://msdn.microsoft.com/en-us/library/ms161959(v=sql.105).aspx
http://msdn.microsoft.com/en-us/library/ms189828(v=sql.105).aspx
VMSKey
STIGID

Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.
