- Threat ID
- Threat Date
- Threat Name: MUST_CHANGE option
- CVE Reference
- CCE Reference
- Database Type: Microsoft SQL Server
- Microsoft SQL Server 2005, 2008, 2008R2 and 2012
- When a new SQL login is created, the MUST_CHANGE option can be used to require that the password be changed the first time the login is used.
Enforcing a password change prevents account administrators, or anyone else with access to the initial password, from misusing the newly created SQL login without being noticed.
- In addition to enforcing the operating system's password policy and expiration, a new SQL login should be forced to change its password on first use. This prevents anyone with access to the server from misusing the login without being noticed.
To apply this setting, password policy and password expiration must also be applied.
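
The T-SQL below is an added example, not the vendor's fix script: it creates a login with MUST_CHANGE together with the policy and expiration checks it depends on, brings an existing login into line, and audits all enabled SQL logins. The login names and the password are placeholders assumed for illustration.

```sql
-- Added example. [app_reader] and [demo_legacy] are hypothetical logins;
-- replace the placeholder password with a generated one-time value.

-- New login: MUST_CHANGE is only accepted when CHECK_POLICY and
-- CHECK_EXPIRATION are both ON.
CREATE LOGIN [app_reader]
    WITH PASSWORD = N'<Initial-Passw0rd-Placeholder>' MUST_CHANGE,
         CHECK_EXPIRATION = ON,
         CHECK_POLICY = ON;

-- Weak form, for contrast: no policy, no expiration, no forced change.
CREATE LOGIN [demo_legacy]
    WITH PASSWORD = N'<Initial-Passw0rd-Placeholder>',
         CHECK_POLICY = OFF;

-- Bringing the existing login into line: enable the checks first,
-- then reset the password with MUST_CHANGE.
ALTER LOGIN [demo_legacy] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
ALTER LOGIN [demo_legacy]
    WITH PASSWORD = N'<Initial-Passw0rd-Placeholder>' MUST_CHANGE;

-- Audit: which enabled SQL logins cannot carry MUST_CHANGE, and which
-- are still waiting for their first-use password change.
SELECT  sl.name,
        sl.create_date,
        sl.is_policy_checked,
        sl.is_expiration_checked,
        CAST(LOGINPROPERTY(sl.name, 'IsMustChange') AS int) AS is_must_change,
        CASE
            WHEN sl.is_policy_checked = 0 OR sl.is_expiration_checked = 0
                THEN 'Enable CHECK_POLICY and CHECK_EXPIRATION'
            WHEN CAST(LOGINPROPERTY(sl.name, 'IsMustChange') AS int) = 1
                THEN 'Initial password not yet changed'
            ELSE 'Policy and expiration enforced'
        END AS finding
FROM    sys.sql_logins AS sl
WHERE   sl.is_disabled = 0
ORDER BY sl.is_policy_checked, sl.is_expiration_checked, sl.name;

-- Cleanup of the demonstration logins.
DROP LOGIN [app_reader];
DROP LOGIN [demo_legacy];
```

IsMustChange returns to 0 once the user has set a new password, so the audit shows pending first-use changes rather than whether a login was originally created with MUST_CHANGE.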
Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.