SQL4-00-038910 - If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password lifetime.

Information

Windows domain/enterprise authentication and identification must be used (SQL4-00-030300). Native SQL Server authentication may be used only when circumstances make it unavoidable; and must be documented and AO-approved.

The DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval.

In such cases, the DoD standards for password lifetime must be implemented.

The requirements for password lifetime are:
a. Password lifetime limits for interactive accounts: Minimum 24 hours, Maximum 60 days
b. Password lifetime limits for non-interactive accounts: Minimum 24 hours, Maximum 365 days
c. Number of password changes before an old one may be reused: Minimum of 5.

To enforce this in SQL Server, configure each DBMS-managed login to inherit the rules from Windows.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

For each SQL Server Login identified in the Check as out of compliance:
In SQL Server Management Studio Object Explorer, navigate to <SQL Server instance name> >> Security >> Logins >> <login name>. Right-click, select Properties. Select the check box Enforce Password Expiration. Click OK.

Alternatively, for each identified Login, run the statement:
ALTER LOGIN <login name> CHECK_EXPIRATION = ON;

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2014_Y24M07_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(d), 800-53|IA-5(1)(e), CAT|II, CCI|CCI-000198, CCI|CCI-000199, CCI|CCI-000200, Rule-ID|SV-213895r981946_rule, STIG-ID|SQL4-00-038910, STIG-Legacy|SV-82435, STIG-Legacy|V-67945, Vuln-ID|V-213895

Plugin: MS_SQLDB

Control ID: e6033b4e77415e19839551df8a418fc692c4f3725879e999d80d83f48c68aba1