4.1 Ensure 'MUST_CHANGE' Option is set to 'ON' for All SQL Authenticated Logins

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Whenever this option is set to ON, SQL Server will prompt for an updated password the first time the new or altered login is used.

Rationale:

Enforcing a password change after a reset or new login creation will prevent the account administrators or anyone accessing the initial password from misuse of the SQL login created without being noticed.

Impact:

CHECK_EXPIRATION and CHECK_POLICY options must both be ON. End users must have the means (application) to change the password when forced.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Set the MUST_CHANGE option for SQL Authenticated logins when creating a login initially:

CREATE LOGIN <login_name> WITH PASSWORD = '<password_value>' MUST_CHANGE, CHECK_EXPIRATION = ON, CHECK_POLICY = ON;

Set the MUST_CHANGE option for SQL Authenticated logins when resetting a password:

ALTER LOGIN <login_name> WITH PASSWORD = '<new_password_value>' MUST_CHANGE;

Default Value:

ON when creating a new login via the SSMS GUI. OFF when creating a new login using T-SQL CREATE LOGIN unless the MUST_CHANGE option is explicitly included along with CHECK_EXPIRATION = ON.

See Also

https://workbench.cisecurity.org/files/3312