Threat Finder

Threat ID
2793
Threat Date
08/06/2013
Threat Name
MUST_CHANGE option
CVE Reference
CVE-NO-MATCH
CCE Reference
CCE-NO-MATCH
Risk
Medium
Database Type
Microsoft SQL Server
Category
Misconfigurations
Versions
Microsoft SQL Server 2005, 2008, 2008R2 and 2012
Summary
When creating a new SQL login, the MUST_CHANGE option specifies that the password must be changed the first time the login is used.
Enforcing a password change prevents account administrators, or anyone else with access to the initial password, from misusing the newly created SQL login without being noticed.
Overview
Besides enforcing the operating system's password policy and expiration, a new SQL login should be forced to change its password on first use. This prevents anyone with access to the server from misusing the login without being noticed.
To apply this setting, password policy and password expiration enforcement must also be applied.
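The following T-SQL is an added illustration, not part of the original Threat Finder entry or of the referenced vendor tooling. It shows a login created without MUST_CHANGE beside the compliant form, the remediation for an existing login, and an audit query over sys.sql_logins. The login names and passwords are constructed placeholders; the option names and LOGINPROPERTY values are standard SQL Server 2005+ syntax.

```sql
-- Added example (not from the original entry). Login names and passwords
-- below are constructed placeholders.

-- Non-compliant: no MUST_CHANGE, so whoever knows the initial password can
-- keep using the login indefinitely without the intended owner noticing.
CREATE LOGIN app_reporting
    WITH PASSWORD = 'Initial-Pa55word!';

-- Compliant: MUST_CHANGE is only accepted together with CHECK_EXPIRATION = ON
-- and CHECK_POLICY = ON, which is why password policy and expiration
-- enforcement have to be applied as well.
CREATE LOGIN app_reporting2
    WITH PASSWORD = 'Initial-Pa55word!' MUST_CHANGE,
         CHECK_EXPIRATION = ON,
         CHECK_POLICY = ON;

-- Remediation for an existing login: ALTER LOGIN takes the same combination,
-- resetting the password and forcing a change at the next successful logon.
ALTER LOGIN app_reporting
    WITH PASSWORD = 'New-Initial-Pa55word!' MUST_CHANGE,
         CHECK_EXPIRATION = ON,
         CHECK_POLICY = ON;

-- Audit: SQL logins that cannot carry MUST_CHANGE because policy or
-- expiration checking is off. IsMustChange = 1 means a forced change is
-- still pending; PasswordLastSetTime shows whether the password has ever
-- been rotated since creation.
SELECT name,
       is_policy_checked,
       is_expiration_checked,
       LOGINPROPERTY(name, 'IsMustChange')        AS is_must_change,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set
FROM sys.sql_logins
WHERE name NOT LIKE '##%'   -- skip the certificate-based system logins
  AND (is_policy_checked = 0 OR is_expiration_checked = 0);
```

Run the audit query as a login with VIEW ANY DEFINITION (or sysadmin) so that every row of sys.sql_logins is visible; any login it returns is a candidate for the ALTER LOGIN remediation shown above.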
References
http://msdn.microsoft.com/en-us/library/ms161959(v=sql.105).aspx
http://msdn.microsoft.com/en-us/library/ms189828(v=sql.105).aspx
VMSKey
STIGID

Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.
