Question

Hello, I would like to know there is a known vulnerabilities for an SQL server on Windows operating systems and should databases have the ability to set a policy and enforce the rules that the password should abide by?

Answer 1

Microsoft SQL Server is a relational database management system developed by Microsoft. It is a software product with the primary function of storing and retrieving data. Vulnerability management is the cyclical practice that varies in theory but contains common processes which include: discover all assets, prioritize assets, assess or perform a complete vulnerability scan, report on results, remediate vulnerabilities, verify remediation - repeat. This practice generally refers to software vulnerabilities in computing systems.

  SQL Vulnerability Assessment is an easy to use tool that can help you discover, track, and remediate potential database vulnerabilities. Vulnerability Assessment is supported for SQL Server 2012 and later, and can also be run on Azure SQL Database. SQL Vulnerability Assessment is a service that provides visibility into your security state, and includes actionable steps to resolve security issues and enhance your database security. It can help you by:

• Meet compliance requirements that require database scan reports.
• Meet data privacy standards.
• Monitor a dynamic database environment where changes are difficult to track.

Password Complexity

Password complexity policies are designed to deter brute force attacks by increasing the number of possible passwords. When password complexity policy is enforced, new passwords must meet the following guidelines:

• The password does not contain the account name of the user.

• The password is at least eight characters long.

• The password contains the following four categories

• Latin uppercase letters (A through Z)

• Latin lowercase letters (a through z)
• Base 10 digits (0 through 9)
• Non-alphanumeric characters such as: exclamation point (!), dollar sign ($), number sign (#), or percent (%).

Passwords can be up to 128 characters long. Use passwords that are as long and complex as possible.

SQL Server can use Windows password policy mechanisms. The password policy applies to a login that uses SQL Server authentication, and to a contained database user with password. SQL Server can apply the same complexity and expiration policies used in Windows to passwords used inside SQL Server. This functionality depends on the NetValidatePasswordPolicy AP.