How to check SQL Server password policy

21 March, 2016 by Jack Vamvas

Question: I noticed in the SQL Server Error Logs a regular Nessus scan. The Nessus scan was attempting to log in using various SQL Login accounts – such as SA. The scan is completing a penetration test on SQL Servers and is part of a suite of measures to fulfill SQL Server - Security Risk Analysis and database security.

A number of login failures were occurring, triggering an account lockout. I was able to check the lockout status and the time the lockout occurred via:

 

SELECT name, is_disabled,
       LOGINPROPERTY(name, N'isLocked') AS is_locked,
       LOGINPROPERTY(name, N'LockoutTime') AS LockoutTime
FROM sys.sql_logins
WHERE LOGINPROPERTY(name, N'isLocked') = 1;

 

The interesting aspect was that after 30 minutes the account was unlocked. I’m curious to find out more about how these settings are managed and where to find the information.

Where can I check the password policy details?

Answer: To check the password policy, you’ll need to use secpol.msc on your Windows system. Once secpol.msc is opened, check Account Policies and Account Lockout Policy.

[Screenshot: Local Security Policy]

How you manage the Account lockout duration, Account lockout threshold and Reset account lockout counter values will depend on how the Windows servers are managed. Changing a value may involve speaking to the domain administrator and discussing changing the policy to a different setting.
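The query below is an added example, not part of the original post. It extends the lockout check from the question to show which SQL logins have CHECK_POLICY enabled, since only those logins are subject to the Windows account lockout policy, along with their failed-attempt counters. The column aliases and the LockoutExposure labels are chosen here for illustration.

```sql
-- Added example: lockout-related state for every SQL login.
-- is_policy_checked = 1 means the login was created with CHECK_POLICY = ON,
-- so the Windows Account Lockout Policy applies to it.
SELECT  sl.name,
        sl.is_disabled,
        sl.is_policy_checked,
        sl.is_expiration_checked,
        CONVERT(int, LOGINPROPERTY(sl.name, N'BadPasswordCount'))         AS BadPasswordCount,
        CONVERT(datetime, LOGINPROPERTY(sl.name, N'BadPasswordTime'))     AS BadPasswordTime,
        CONVERT(int, LOGINPROPERTY(sl.name, N'IsLocked'))                 AS IsLocked,
        CONVERT(datetime, LOGINPROPERTY(sl.name, N'LockoutTime'))         AS LockoutTime,
        CONVERT(datetime, LOGINPROPERTY(sl.name, N'PasswordLastSetTime')) AS PasswordLastSetTime,
        -- Illustrative classification (labels are assumptions of this example)
        CASE
            WHEN sl.is_policy_checked = 0
                THEN 'CHECK_POLICY OFF: Windows lockout policy not applied'
            WHEN CONVERT(int, LOGINPROPERTY(sl.name, N'IsLocked')) = 1
                THEN 'Locked out'
            WHEN CONVERT(int, LOGINPROPERTY(sl.name, N'BadPasswordCount')) > 0
                THEN 'Failed attempts recorded'
            ELSE 'No failed attempts recorded'
        END AS LockoutExposure
FROM    sys.sql_logins AS sl
ORDER BY IsLocked DESC, BadPasswordCount DESC, sl.name;
```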


 


Author: Jack Vamvas (http://www.sqlserver-dba.com)

