Check: DG0073-SQLServer9
Database SQL Server 9:
DG0073-SQLServer9
(in version v8 r1.9)
Title
Database accounts should not specify account lock times less than the site-approved minimum. (Cat II impact)
Discussion
Unauthorized access to database accounts may be thwarted by instituting a lock on the target account after the specified number of unsuccessful logins. If allowed to continue an attack unimpeded, the attempt could eventually become successful and compromise the database and data integrity.
Check Content
If no DBMS accounts authenticate using passwords, this check is Not a Finding. If DBMS uses Host Authentication only, this check is Not a Finding. If the DBMS does not natively support this functionality, this check is Not a Finding. If the DBMS is not configured to lock database accounts after three or an IAO-specified number of consecutive unsuccessful connection attempts within a 60 minute period, this is a Finding. Note: The counter may be reset to 0 if a third failed logon attempt does not occur before reset. Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079.
Fix Text
Set the failed login attempt count to 3 to trigger an account lockout or to the number specified in the System Security Plan where supported by the DBMS. Where this requirement is not compatible with the operation of a front-end application, the unsuccessful logon count and time will be specified and the operational need documented in the System Security Plan.
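As an added example (not part of the STIG text), the following T-SQL shows how the check and fix above can be performed on SQL Server 2005 (the "SQL Server 9" this check targets). It assumes the instance runs on Windows Server 2003 or later, where SQL Server logins with CHECK_POLICY = ON inherit the host's account lockout policy; the login name [app_user] is a hypothetical placeholder.

```sql
-- Added example, not from the STIG. Assumes SQL Server 2005 on Windows Server 2003+.
-- SQL Server has no lockout counter of its own; a SQL login is only locked out when
-- CHECK_POLICY = ON and the Windows account lockout policy applies.

-- 1. Check: list enabled password-authenticated logins that do NOT enforce the
--    host lockout policy. Every row returned is a candidate finding for DG0073.
SELECT name,
       is_policy_checked,      -- 0 = lockout policy not enforced for this login
       is_expiration_checked,  -- related expiration enforcement (see DG0079)
       is_disabled,
       LOGINPROPERTY(name, 'IsLocked') AS is_locked  -- 1 if currently locked out
FROM sys.sql_logins
WHERE is_policy_checked = 0
  AND is_disabled = 0
ORDER BY name;

-- 2. Fix: enable policy checking on a login so the lockout threshold and
--    observation window are taken from the host policy.
ALTER LOGIN [app_user] WITH CHECK_POLICY = ON;

-- 3. Re-run the query in step 1; [app_user] should no longer be listed.
```

The threshold itself (three attempts within a 60 minute window, or the IAO-specified values) is not stored in SQL Server: it is the Windows "Lockout threshold" and "Lockout observation window (minutes)" policy, which can be read on the host with `net accounts` and must be compared with the site-approved values to close the check.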
Additional Identifiers
Rule ID: SV-25285r1_rule
Vulnerability ID: V-3817
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |