Password policies checked by CHECK_POLICY
Posted Monday, November 24, 2008 8:24 AM
SSCarpal Tunnel

Mohit (11/24/2008)
Old Password is required if a user was changing the password. If you were changing the password with SysAdmin account it doesn't care.


Yes I was using a sysadmin account to change the password. Thanks for the additional info Mohit. This wasn't clear from BOL.



Post #607578
Posted Monday, November 24, 2008 9:04 AM
SSCrazy

Could someone elaborate on what "Store password using reversible encryption" is and why it does not apply? I couldn't locate any info to prove it is/is not applicable.


Post #607635
Posted Monday, November 24, 2008 9:19 AM


SSC Eights!

I am not sure if it applies to SQL Server directly ... I found the following article:

Store passwords using reversible encryption
http://technet.microsoft.com/en-us/library/cc784581.aspx

EDIT: But since it is a policy setting maybe it can affect it indirectly. Although I am not sure if we are using that on our domain so I cannot confirm if this policy setting has an effect on SQL Server or not.

Thanks ...


---

Mohit K. Gupta, MCITP: Database Administrator (2005), My Blog, Twitter: @SQLCAN.
Microsoft FTE - SQL Server PFE

Post #607656
Posted Monday, November 24, 2008 9:26 AM
Hall of Fame

If I recall correctly, "store password with reversible encryption" is used when the domain has NT 4.0 RAS servers. Use of that policy is considered dangerous.

Off the top of my head, I think that policy would affect Windows logins only, because SQL Server uses a one-way hash to store passwords for SQL Server logins.

Post #607662
Posted Monday, November 24, 2008 10:48 AM


SSCrazy

Dr. Diana Dee (11/23/2008)
However, in my experiments, with a SQL Server login having only CHECK_POLICY in effect (but not CHECK_EXPIRATION), when minimum age was set, I could not change the password until then, and with History set I could not change the password to the same one for as many as specified by the History.

That implies that the quote from the article below is incorrect, which is what I used to answer the QOD. shucks.

http://searchsqlserver.techtarget.com/news/article/0,289142,sid87_gci1102101,00.html
CHECK_EXPIRATION encompasses minimum and maximum password age, and CHECK_POLICY encompasses all the other policies. When you run afoul of either policy, the SQL Server login must be unlocked by the DBA, as shown shortly in an example.

Interestingly, they included Store Passwords using reversible encryption in the list, but I don't know exactly how that would be (or if it is) implemented with 2K5.
Post #607728
Posted Monday, November 24, 2008 1:41 PM
Hall of Fame

Thank you for the reference. I had not been able to find any articles that were so definitive about which password policies went with which login option.

Post #607850
Posted Monday, November 24, 2008 2:05 PM
Old Hand

Hi,

I also disagree like others here, this is what I found on the net:

There are two password options for SQL Server logins: CHECK_EXPIRATION and CHECK_POLICY. CHECK_EXPIRATION encompasses minimum and maximum password age, and CHECK_POLICY encompasses all the other policies. When you run afoul of either policy, the SQL Server login must be unlocked by the DBA, as shown shortly in an example.

//SUN
Post #607867
Posted Monday, November 24, 2008 2:18 PM
Hall of Fame

Is your URL source different from and later than that posted by Chad Crawford? His dates from February 2005.

Post #607878
Posted Monday, November 24, 2008 2:39 PM


Mr or Mrs. 500

Per Books Online under the section headed Password Policy

Policy Enforcement
The enforcement of password policy can be configured separately for each SQL Server login. Use ALTER LOGIN (Transact-SQL) to configure the password policy options of a SQL Server login. The following rules apply to the configuration of password policy enforcement:

When CHECK_POLICY is changed to ON, the following behaviors occur:

CHECK_EXPIRATION is also set to ON unless it is explicitly set to OFF.

The password history is initialized with the value of the current password hash.

What it doesn't mention is whether complexity is also checked, but I have the suspicion that may be default behaviour.

-d
Post #607894
Posted Monday, November 24, 2008 3:17 PM
Hall of Fame

Books Online never said which policies were associated with which login option. That's why I performed the experiment.

Post #607914
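
The experiment discussed in this thread can be repeated on a test instance with the T-SQL below. It is an added example, not code posted by any participant; the login name `policy_probe` and both passwords are constructed placeholders, and it assumes a sysadmin session on a Windows host where the password policy APIs are available.

```sql
-- Added example: constructed login and passwords, for a test instance only.
CREATE LOGIN policy_probe
    WITH PASSWORD = 'Constructed-Passw0rd-1!',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = OFF;

-- Enforcement flags plus what the engine reports for this login.
SELECT name,
       is_policy_checked,
       is_expiration_checked,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set,
       LOGINPROPERTY(name, 'DaysUntilExpiration') AS days_until_expiration,
       LOGINPROPERTY(name, 'HistoryLength')       AS history_length,
       LOGINPROPERTY(name, 'IsLocked')            AS is_locked,
       LOGINPROPERTY(name, 'IsExpired')           AS is_expired
FROM sys.sql_logins
WHERE name = 'policy_probe';

-- Change the password as the login itself (OLD_PASSWORD supplied), reusing
-- the current password. Any error raised names the policy that refused it.
EXECUTE AS LOGIN = 'policy_probe';
BEGIN TRY
    ALTER LOGIN policy_probe
        WITH PASSWORD = 'Constructed-Passw0rd-1!'
             OLD_PASSWORD = 'Constructed-Passw0rd-1!';
    PRINT 'Password change accepted.';
END TRY
BEGIN CATCH
    PRINT CAST(ERROR_NUMBER() AS varchar(10)) + ': ' + ERROR_MESSAGE();
END CATCH;
REVERT;

-- Toggle CHECK_POLICY without mentioning CHECK_EXPIRATION, then re-read
-- the flags to compare against the Books Online rule quoted above.
ALTER LOGIN policy_probe WITH CHECK_POLICY = OFF;
ALTER LOGIN policy_probe WITH CHECK_POLICY = ON;

SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE name = 'policy_probe';

-- Audit: SQL Server logins that skip policy or expiration enforcement.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

DROP LOGIN policy_probe;
```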