V-79191 - Check if a member server inherits the password policy #38

Open
potatoqualitee opened this issue Jan 22, 2020 · 5 comments

@potatoqualitee
Member

I don't know how to do this

Ensure SQL Server is configured to inherit password complexity rules from the operating system for SQL logins.

@tboggiano
Collaborator

I believe this is just the CHECK_POLICY = ON.

@potatoqualitee
Member Author

That is indeed true for the SQL Server part. The thing I'm looking at is the Windows server portion.

@tboggiano
Collaborator

Trying to read between the lines in MSDocs, which is fun. They have three properties in bold under CHECK_POLICY, then below tell us where we can go in Windows to check those properties to see what they are set to. I'm still thinking it might be as simple as setting the checkbox. I'll keep looking around for more verification: https://docs.microsoft.com/en-us/sql/relational-databases/security/password-policy?view=sql-server-ver15

@tboggiano
Collaborator

From https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-login-transact-sql?view=sql-server-ver15:

CHECK_POLICY = { ON | OFF } Applies only to SQL Server logins. Specifies that the Windows password policies of the computer on which SQL Server is running should be enforced on this login. The default value is ON.

@potatoqualitee
Member Author

Ohh, looks like they give us the info!

Check the server operating system for password complexity:

Navigate to Start >> All Programs >> Administrative Tools >> Local Security Policy and review the local policies on the machine. Account Policy >> Password Policy:

Ensure the DISA Windows Password Policy is set on the SQL Server member server.

Fix Text: Configure the SQL Server operating system and SQL Server logins for compliance. 

1. Ensure the DISA Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide password complexity guidelines are met. 

2. Ensure SQL Server is configured to inherit password complexity rules from the operating system for SQL logins. Ensure check of policy and expiration are enforced when SQL logins are created. 

CREATE LOGIN [] WITH PASSWORD=N'', CHECK_EXPIRATION=ON, CHECK_POLICY=ON
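
An added example, not part of the thread or the project's code: one way to script the Windows half of the check discussed above, by parsing a `secedit` export and comparing its password-policy settings with a baseline. The function names, the sample export and the threshold values are assumptions for illustration; take the real thresholds from the applicable DISA Windows STIG.

```powershell
# Added example. Thresholds are ASSUMED for illustration; replace them with
# the values required by the DISA Windows STIG that applies to the server.
$Baseline = @{
    PasswordComplexity    = @{ Op = 'eq'; Value = 1 }
    MinimumPasswordLength = @{ Op = 'ge'; Value = 14 }
    PasswordHistorySize   = @{ Op = 'ge'; Value = 24 }
    MaximumPasswordAge    = @{ Op = 'le'; Value = 60 }
}
# Parse the numeric settings in the [System Access] section of a secedit export.
function ConvertFrom-SeceditExport {
    param([string[]]$Line)
    $policy = @{}; $inSection = $false
    foreach ($l in $Line) {
        if ($l -match '^\s*\[(.+)\]\s*$') {
            $inSection = $Matches[1] -eq 'System Access'
        } elseif ($inSection -and $l -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    $policy
}
# Compare parsed settings with the baseline; a missing setting is a finding.
function Test-PasswordPolicy {
    param([hashtable]$Policy, [hashtable]$Baseline)
    foreach ($name in $Baseline.Keys) {
        $rule = $Baseline[$name]; $actual = $Policy[$name]
        $ok = switch ($rule.Op) {
            'eq' { $actual -eq $rule.Value }
            'ge' { $actual -ge $rule.Value }
            # MaximumPasswordAge = -1 means "never expires", so require > 0.
            'le' { $actual -gt 0 -and $actual -le $rule.Value }
        }
        [pscustomobject]@{
            Setting   = $name; Actual = $actual
            Required  = "$($rule.Op) $($rule.Value)"
            Compliant = [bool]($null -ne $actual -and $ok)
        }
    }
}
# Constructed sample. On a real server, from an elevated prompt, use instead:
#   secedit /export /cfg "$env:TEMP\secpol.inf" /areas SECURITYPOLICY; $lines = Get-Content "$env:TEMP\secpol.inf"
$lines = @'
[System Access]
MaximumPasswordAge = -1
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
'@ -split '\r?\n'
Test-PasswordPolicy -Policy (ConvertFrom-SeceditExport $lines) -Baseline $Baseline | Format-Table
```

With the constructed sample, `MaximumPasswordAge` is reported as non-compliant because `-1` disables expiration. The SQL Server half can be audited separately through the `is_policy_checked` and `is_expiration_checked` columns of `sys.sql_logins`.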
