3.4 Ensure SQL Authentication is not used in contained databases

Information

Contained databases do not enforce password complexity rules for SQL Authenticated users.

Rationale:

The absence of an enforced password policy may increase the likelihood of a weak credential being established in a contained database.

Impact:

While contained databases provide flexibility in relocating databases to different instances and different environments, this must be balanced with the consideration that no password policy mechanism exists for SQL Authenticated users in contained databases.

Solution

Leverage Windows Authenticated users in contained databases.

Default Value:

SQL Authenticated users (USER WITH PASSWORD authentication) are allowed in contained databases.

See Also

https://workbench.cisecurity.org/files/4544