Information
Whenever this option is set to ON, SQL Server will prompt for an updated password the first time the new or altered login is used.
Rationale:
Enforcing a password change after a reset or initial login creation prevents account administrators, or anyone else who learns the initial password, from misusing the new SQL login without being noticed.
Impact:
CHECK_EXPIRATION and CHECK_POLICY options must both be ON. End users must have the means (application) to change the password when forced.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Set the MUST_CHANGE option for SQL Authenticated logins when creating a login initially:
CREATE LOGIN <login_name> WITH PASSWORD = '<password_value>' MUST_CHANGE, CHECK_EXPIRATION = ON, CHECK_POLICY = ON;
Set the MUST_CHANGE option for SQL Authenticated logins when resetting a password:
ALTER LOGIN <login_name> WITH PASSWORD = '<new_password_value>' MUST_CHANGE;
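As an added example (not part of the Tenable plugin text or the CIS benchmark), the T-SQL below first audits the SQL-authenticated logins on an instance for the prerequisites this recommendation depends on (CHECK_POLICY and CHECK_EXPIRATION both ON) and shows which logins currently have a forced password change pending, then applies the remediation to one login. sys.sql_logins and LOGINPROPERTY are standard SQL Server catalog objects; the login name app_user and the password values are placeholders, not values from the page.

```sql
-- Added example: audit and remediation for the MUST_CHANGE recommendation.
-- Part 1: list SQL-authenticated logins and the settings MUST_CHANGE relies on.
-- LOGINPROPERTY(name, 'IsMustChange') returns 1 while a forced change is pending,
-- so it only confirms the state of logins created/reset recently with MUST_CHANGE.
SELECT
    l.name,
    l.is_policy_checked                            AS check_policy_on,
    l.is_expiration_checked                        AS check_expiration_on,
    LOGINPROPERTY(l.name, 'IsMustChange')          AS must_change_pending,
    LOGINPROPERTY(l.name, 'PasswordLastSetTime')   AS password_last_set,
    l.create_date
FROM sys.sql_logins AS l
WHERE l.is_disabled = 0
  AND l.name NOT LIKE '##%'        -- skip internal certificate-mapped logins
ORDER BY l.create_date DESC;

-- Logins that cannot be forced to change their password until fixed:
-- MUST_CHANGE requires both CHECK_POLICY and CHECK_EXPIRATION to be ON.
SELECT l.name
FROM sys.sql_logins AS l
WHERE l.is_disabled = 0
  AND l.name NOT LIKE '##%'
  AND (l.is_policy_checked = 0 OR l.is_expiration_checked = 0)
ORDER BY l.name;

-- Part 2: remediation for a single login (placeholder name and password).
-- CHECK_EXPIRATION and CHECK_POLICY are set explicitly in the same statement,
-- because ALTER LOGIN ... MUST_CHANGE is rejected when expiration checking is OFF.
ALTER LOGIN app_user
    WITH PASSWORD = 'Temp-Placeholder-Pa55w0rd!' MUST_CHANGE,
         CHECK_EXPIRATION = ON,
         CHECK_POLICY = ON;

-- Verify: must_change_pending should now be 1 for the remediated login.
SELECT LOGINPROPERTY('app_user', 'IsMustChange') AS must_change_pending;
```

Run the audit queries as a login with VIEW ANY DEFINITION (or sysadmin); the remediation requires ALTER ANY LOGIN. Because IsMustChange is cleared as soon as the user sets a new password, the durable evidence for this control is the pair of policy flags plus a review of how new logins are provisioned, not the pending flag alone.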
Default Value:
ON when creating a new login via the SSMS GUI. OFF when creating a new login using T-SQL CREATE LOGIN unless the MUST_CHANGE option is explicitly included along with CHECK_EXPIRATION = ON.