1.6 Enforce password complexity - exec sp_passwordpolicy 'list'

Information

Sybase ASE 15.0 and 15.0.1 support enforcing password complexity via:

- Setting the login mode to Integrated Mode so that password policy is enforced by
the Windows domain.

- A configuration parameter to enforce a server-wide, per user account and per role
minimum password length (set to 0 by default).
- A configuration parameter to enforce at least one digit in a password (disabled by
default).

Sybase ASE 15.0.2 supports the above settings as well as more granular password
complexity via:

- A setting to enforce that a login name cannot be a substring of the password.
- A setting to enforce the minimum number of special characters for the password.
- A setting to enforce the minimum number of alphabetic characters for the password.
- A setting to enforce the minimum number of upper-case letters for the password.
- A setting to enforce the minimum number of lower-case letters for the password.
- A setting to enforce that the password must be reset the first time a login is used.
- A setting to enforce the minimum number of digits for the password.


In addition, Sybase ASE 15.0.2 supports the creation of a stored procedure to enforce
custom password complexity requirements.


It is recommended that strong password complexity is enforced in accordance with your
organization's policy. It may not be possible to enforce a sufficient policy on ASE 15.0 and
ASE 15.0.1; if this is the case, the System Security Officer should consider one of the
following solutions:

- Upgrade systems to ASE 15.0.2 in order to make use of the more extensive password
complexity options.
- Enable Integrated Mode to rely on the Windows domain password policy.
- Accept the risk associated with the policy conflict and regularly audit password
strength using a password cracking tool.

Rationale:

Arguably the most common cause of database compromise is weak passwords. Setting
password complexity is an essential step to ensuring the security and integrity of the data
within the database.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

1. Connect to the ASE server as a user with the sso_role and execute the following
SQL statement in order to set a system-wide minimum password length according
to your organization's password policy (substitute 8 for an acceptable value):

exec sp_configure 'minimum password length', 8

2. Set a custom minimum password length for specific users and roles as required.
This should not be less than the system-wide length. This can be accomplished via
the sp_modifylogin stored procedure.

3. Execute the following statement to enforce at least one digit in passwords:

exec sp_configure 'check password for digit', 1
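The steps above, gathered into one isql script that first audits the current settings, then applies the server-wide, per-login, per-role and (on 15.0.2) granular settings, and finally lists the resulting policy. This is an added example, not text from the benchmark or Sybase documentation; the login name, role name and numeric values are constructed placeholders, the sp_modifyrole syntax is assumed to parallel sp_modifylogin, and the sp_passwordpolicy option names are the ASE 15.0.2 names as I know them, so confirm them against the output of sp_passwordpolicy 'list' on your server.

```sql
-- Run as a login holding sso_role. Values are constructed placeholders.

-- 1. Audit the server-wide settings (ASE 15.0 and later).
--    A minimum length of 0 or digit check of 0 means the control is not enforced.
exec sp_configure 'minimum password length'
go
exec sp_configure 'check password for digit'
go

-- 2. Harden the server-wide settings (ASE 15.0 and later).
exec sp_configure 'minimum password length', 8
go
exec sp_configure 'check password for digit', 1
go

-- 3. Per-login and per-role minimums, never below the server-wide value.
--    'app_admin' and 'dba_role' are placeholders for an existing login and role.
exec sp_modifylogin 'app_admin', 'min passwd length', '12'
go
-- Assumed: sp_modifyrole accepts the same option as sp_modifylogin.
exec sp_modifyrole 'dba_role', 'min passwd length', '12'
go

-- 4. ASE 15.0.2 only: granular complexity through sp_passwordpolicy.
exec sp_passwordpolicy 'set', 'disallow simple passwords', '1'  -- login name may not appear in password
go
exec sp_passwordpolicy 'set', 'min digits in password', '1'
go
exec sp_passwordpolicy 'set', 'min alpha in password', '2'
go
exec sp_passwordpolicy 'set', 'min special char in password', '1'
go
exec sp_passwordpolicy 'set', 'min upper char in password', '1'
go
exec sp_passwordpolicy 'set', 'min lower char in password', '1'
go
exec sp_passwordpolicy 'set', 'expire login', '1'  -- force a reset at first login
go

-- 5. Verify: this is the same listing the benchmark title refers to.
exec sp_passwordpolicy 'list'
go
```

Re-run step 5 after any change and compare the listed values with your organization's policy; on 15.0 and 15.0.1 only the two sp_configure values in step 1 are available to check.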

See Also

https://workbench.cisecurity.org/files/1612

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(a)

Plugin: SybaseDB

Control ID: 0e21bb1e5ddacd94a0aa06bc32950b680e0bb32bc49c89245be042418e37b5d6