SA0090 : SQL Server password policy is vulnerable for login

Enforce strong password policies for SQL Server logins to avoid security vulnerabilities.

Description

This rule flags the risk of security breaches when SQL Server logins lack proper password policies, specifically when password policy checks and password expiration are not enabled for them. This matters because improperly managed SQL logins can lead to unauthorized access or account compromise.

For example:

SQL
-- Example of a SQL login creation without enforcing password policies
CREATE LOGIN exampleUser WITH PASSWORD = 'password123';

In this example, the login is created without specifying the password policy or expiration options, leaving it potentially vulnerable to attacks. To enhance security, always ensure that these options are enabled. Leaving them off carries the following risks:

  • Increased chance of unauthorized access due to weak or frequently reused passwords.

  • Lack of mandatory password updates leading to long-term use of potentially compromised passwords.

How to fix

Enable ‘Enforce password policy’ and ‘Password expiration’ for all SQL Server logins to enhance security and reduce the risk of unauthorized access.

Follow these steps to address the issue:

  1. Open SQL Server Management Studio (SSMS) and connect to your server instance.

  2. Locate the Security folder in the Object Explorer and expand the Logins node.

  3. Right-click on each login to modify and select Properties.

  4. Navigate to the Password section and check the options for Enforce password policy and Enforce password expiration.

  5. Click OK to apply the changes.

You can also use T-SQL to alter the logins:

SQL
-- Example of enabling password policy and expiration for a SQL login
ALTER LOGIN exampleUser WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
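The following T-SQL is an added example and is not part of the SA0090 rule page or the analysis tool itself. It covers both the weak `CREATE LOGIN` form shown under Description and the `ALTER LOGIN` fix above: it creates a login with both options stated explicitly, lists every SQL-authenticated login where either check is off (the same condition the rule reports) using the `is_policy_checked` and `is_expiration_checked` columns of `sys.sql_logins`, and generates the corresponding `ALTER LOGIN` statements so they can be reviewed before being run. The login name and password are constructed placeholders; running it assumes `ALTER ANY LOGIN` (or sysadmin) on the instance.

```sql
-- Added example (not from the SA0090 rule page): audit and remediate the two
-- login settings this rule checks. Assumes ALTER ANY LOGIN / sysadmin.

-- 1. Hardened form of the CREATE LOGIN example above. CHECK_EXPIRATION can only
--    be ON when CHECK_POLICY is ON, so both are stated explicitly rather than
--    relying on defaults. The password is a constructed placeholder.
CREATE LOGIN exampleUser
    WITH PASSWORD = 'S@mpleStr0ngPassw0rd!2024',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;
GO

-- 2. Detect: SQL-authenticated logins with policy or expiration checks off.
--    sys.sql_logins only contains SQL logins (Windows principals never have
--    these settings). The ##...## names are SQL Server's internal logins.
--    Add any logins covered by the rule's IgnoreLogins parameter to the NOT IN list.
SELECT  name,
        is_policy_checked,                                   -- 1 = CHECK_POLICY ON
        is_expiration_checked,                               -- 1 = CHECK_EXPIRATION ON
        is_disabled,
        LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set
FROM    sys.sql_logins
WHERE   (is_policy_checked = 0 OR is_expiration_checked = 0)
  AND   name NOT LIKE '##%##'
  AND   name NOT IN ('placeholder_ignored_login')           -- constructed placeholder
ORDER BY name;
GO

-- 3. Remediate: emit one ALTER LOGIN per non-compliant login for review.
--    Enabling CHECK_EXPIRATION applies the OS maximum password age to the
--    login, so service/application logins whose passwords are never rotated
--    will start failing when the password expires; review the output before
--    executing it rather than running it blindly.
SELECT  'ALTER LOGIN ' + QUOTENAME(name)
      + ' WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;' AS fix_statement
FROM    sys.sql_logins
WHERE   (is_policy_checked = 0 OR is_expiration_checked = 0)
  AND   name NOT LIKE '##%##'
  AND   name NOT IN ('placeholder_ignored_login');          -- constructed placeholder
GO
```

The detection query is the SQL-side equivalent of what the rule reports, and the `NOT IN` list plays the role of the `IgnoreLogins` parameter: a login that must be excluded from expiration (for example an application account with its own rotation process) should be listed there in both queries so the audit and the generated fixes stay consistent.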

Scope

The rule has a ContextOnly scope and is applied only to the current server and database schema.

Parameters

Name           Description                                           Default Value
IgnoreLogins   Comma-separated list of SQL logins to be ignored.

Remarks

The rule requires Analysis Context. If context is missing, the rule will be skipped during analysis.

Effort To Fix
1 hour per issue.
Categories

Maintenance Rules, Security Rules
