STIGQter: STIG Summary: MS SQL Server 2014 Instance Security Technical Implementation Guide, Version: 1, Release: 10, Benchmark Date: 24 Apr 2020

If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password complexity.

DISA Rule

SV-82433r1_rule

Vulnerability Number

V-67943

Group Title

SRG-APP-000164-DB-000401

Rule Version

SQL4-00-038900

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

For each SQL Server Login identified in the Check as out of compliance:
In SQL Server Management Studio Object Explorer, navigate to <SQL Server instance name> >> Security >> Logins >> <login name>. Right-click, select Properties. Select the check box Enforce Password Policy. Click OK.

Alternatively, for each identified Login, run the statement:
ALTER LOGIN <login name> WITH CHECK_POLICY = ON;

Check Contents

Run the statement:
SELECT
name
FROM
sys.sql_logins
WHERE
type_desc = 'SQL_LOGIN'
AND is_disabled = 0
AND is_policy_checked = 0 ;

If no account names are listed, this is not a finding.

For each account name listed, determine whether it is documented as requiring exemption from the standard password complexity rules. If it is not, this is a finding.
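
The check query and the fix statement can be combined into a single review pass. The T-SQL below is an added example, not part of the STIG text; the @Exempt table variable and the login name placed in it are assumptions standing in for the site's documented exemptions.

```sql
-- Added example (not from the STIG).
-- @Exempt and its sample row are assumptions: populate it from your own
-- documentation of logins approved for exemption from password complexity.
SET NOCOUNT ON;

DECLARE @Exempt TABLE (name sysname PRIMARY KEY);
INSERT INTO @Exempt (name) VALUES (N'legacy_app_svc');  -- constructed placeholder

-- 1. Findings: enabled SQL logins without policy enforcement and with no
--    documented exemption. fix_statement is generated for review, not executed.
SELECT
    l.name,
    l.is_expiration_checked,
    l.modify_date,
    N'ALTER LOGIN ' + QUOTENAME(l.name)
        + N' WITH CHECK_POLICY = ON;' AS fix_statement
FROM sys.sql_logins AS l
WHERE l.type_desc = 'SQL_LOGIN'
  AND l.is_disabled = 0
  AND l.is_policy_checked = 0
  AND NOT EXISTS (SELECT 1
                  FROM @Exempt AS e
                  WHERE e.name = l.name COLLATE DATABASE_DEFAULT)
ORDER BY l.name;

-- 2. Logins the check lists that are covered by an exemption:
--    not a finding, but confirm the documentation is still current.
SELECT l.name AS exempt_login_without_policy
FROM sys.sql_logins AS l
JOIN @Exempt AS e
  ON e.name = l.name COLLATE DATABASE_DEFAULT
WHERE l.type_desc = 'SQL_LOGIN'
  AND l.is_disabled = 0
  AND l.is_policy_checked = 0;

-- 3. Stale exemptions: documented names that no longer match a login the
--    check would list (dropped, disabled, or already enforcing policy).
SELECT e.name AS stale_exemption
FROM @Exempt AS e
WHERE NOT EXISTS (SELECT 1
                  FROM sys.sql_logins AS l
                  WHERE l.name COLLATE DATABASE_DEFAULT = e.name
                    AND l.is_disabled = 0
                    AND l.is_policy_checked = 0);
```

The script only generates the ALTER LOGIN statements; nothing changes on the instance until a reviewer runs them.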

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2639

Comments