4.3 Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins

Information

Applies the same password complexity policy used in Windows to passwords used inside SQL Server.

Rationale:

Ensure SQL authenticated login passwords comply with the secure password policy applied by the Windows Server Benchmark so that they cannot be easily compromised via brute force attack.

Solution

For each <login_name> found by the Audit Procedure, execute the following T-SQL statement:

ALTER LOGIN [<login_name>] WITH CHECK_POLICY = ON;

Note: In the case of AWS RDS do not perform this remediation for the Master account.


Impact:

This is a mitigating recommendation for systems which cannot follow the recommendation to use only Windows Authenticated logins.

Weak passwords can lead to compromised systems. SQL Server authenticated logins will utilize the password policy set in the computer's local policy, which is typically set by the Default Domain Policy setting.

The setting is only enforced when the password is changed. This setting does not force existing weak passwords to be changed.

Default Value:

CHECK_POLICY is ON

References:

http://msdn.microsoft.com/en-us/library/ms161959(v=sql.110).aspx

See Also

https://workbench.cisecurity.org/files/2837

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv6|16, CSCv7|4.4

Plugin: MS_SQLDB

Control ID: da91f4e99aaadf9f32cf09287752d5be9ecfcfeb61f086d41e008ad8fa2d3812