Password policies checked by CHECK_POLICY


craigpessano
Mohit (11/24/2008)
Old Password is required if a user was changing the password. If you were changing the password with SysAdmin account it doesn't care.


Yes I was using a sysadmin account to change the password. Thanks for the additional info Mohit. This wasn't clear from BOL.



dgabele
Could someone elaborate on what "Store password using reversible encryption" is and why it does not apply? I couldn't locate any info to prove it is/is not applicable.



Mohit K. Gupta
I am not sure if it applies to SQL Server directly ... I found the following article:

Store passwords using reversible encryption
http://technet.microsoft.com/en-us/library/cc784581.aspx

EDIT: But since it is a policy setting maybe it can affect it indirectly. Although I am not sure if we are using that on our domain so I cannot confirm if this policy setting has an effect on SQL Server or not.

Thanks ...

---

Mohit K. Gupta, MCITP: Database Administrator (2005), My Blog, Twitter: @SQLCAN.
Microsoft FTE - SQL Server PFE

* Some time it's the search that counts, not the finding...
* I didn't think so, but if I was wrong, I was wrong. I'd rather do something, and make a mistake than be frightened and be doing nothing. Smooooth


Dr. Diana Dee
If I recall correctly, "store password with reversible encryption" is used when the domain has NT 4.0 RAS servers. Use of that policy is considered dangerous.

Off the top of my head, I think that policy would affect Windows logins only, because SQL Server uses a one-way hash to store passwords for SQL Server logins.

):-D
Chad Crawford
Dr. Diana Dee (11/23/2008)
However, in my experiments, with a SQL Server login having only CHECK_POLICY in effect (but not CHECK_EXPIRATION), when minimum age was set, I could not change the password until then, and with History set I could not change the password to the same one for as many as specified by the History.

That implies that the quote from the article below is incorrect, which is what I used to answer the QOD. Sad shucks.

http://searchsqlserver.techtarget.com/news/article/0,289142,sid87_gci1102101,00.html
CHECK_EXPIRATION encompasses minimum and maximum password age, and CHECK_POLICY encompasses all the other policies. When you run afoul of either policy, the SQL Server login must be unlocked by the DBA, as shown shortly in an example.

Interestingly, they included Store Passwords using reversible encryption in the list, but I don't know exactly how that would be (or if it is) implemented with 2K5.
Dr. Diana Dee
Thank you for the reference. I had not been able to find any articles that were so definitive about which password policies went with which login option.

):-D
Soren Nielsen
Hi,

I also disagree like others here, this is what I found on the net:

There are two password options for SQL Server logins: CHECK_EXPIRATION and CHECK_POLICY. CHECK_EXPIRATION encompasses minimum and maximum password age, and CHECK_POLICY encompasses all the other policies. When you run afoul of either policy, the SQL Server login must be unlocked by the DBA, as shown shortly in an example.

//SUN
Dr. Diana Dee
Is your URL source different from and later than that posted by Chad Crawford? His dates from February 2005.

):-D
David in .AU
Per Books Online under the section headed Password Policy

Policy Enforcement
The enforcement of password policy can be configured separately for each SQL Server login. Use ALTER LOGIN (Transact-SQL) to configure the password policy options of a SQL Server login. The following rules apply to the configuration of password policy enforcement:

When CHECK_POLICY is changed to ON, the following behaviors occur:

CHECK_EXPIRATION is also set to ON unless it is explicitly set to OFF.

The password history is initialized with the value of the current password hash.

What it doesn't mention is whether complexity is also checked, but I have the suspicion that may be default behaviour.

-d
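
The kind of experiment discussed in this thread can be set up and inspected with the T-SQL below. It is an added example, not part of any poster's message; the login name and the password placeholders are assumptions to be replaced with your own values.

```sql
-- Constructed test login: name and passwords are placeholders, not from the thread.
CREATE LOGIN policy_test_login
    WITH PASSWORD = N'<replace-with-a-compliant-password>',
         CHECK_POLICY = ON,       -- enforce the Windows password policy on this login
         CHECK_EXPIRATION = OFF;  -- stated explicitly rather than left to a default
GO

-- Per-login enforcement flags plus the state the policy mechanism tracks.
-- Logins with is_policy_checked = 0 sort first so they stand out in an audit.
SELECT  sl.name,
        sl.is_policy_checked,
        sl.is_expiration_checked,
        sl.is_disabled,
        LOGINPROPERTY(sl.name, 'HistoryLength')       AS history_length,
        LOGINPROPERTY(sl.name, 'PasswordLastSetTime') AS password_last_set,
        LOGINPROPERTY(sl.name, 'BadPasswordCount')    AS bad_password_count,
        LOGINPROPERTY(sl.name, 'IsLocked')            AS is_locked,
        LOGINPROPERTY(sl.name, 'IsExpired')           AS is_expired,
        LOGINPROPERTY(sl.name, 'IsMustChange')        AS must_change
FROM    sys.sql_logins AS sl
ORDER BY sl.is_policy_checked, sl.name;
GO

-- Password change the way a non-sysadmin user has to do it (OLD_PASSWORD supplied).
-- Run it while connected as the test login, then re-run the SELECT above and
-- compare history_length and password_last_set with the minimum age and
-- history values configured in the Windows policy.
ALTER LOGIN policy_test_login
    WITH PASSWORD = N'<replace-with-new-password>'
         OLD_PASSWORD = N'<replace-with-a-compliant-password>';
GO

-- If the login ends up locked out, a DBA can unlock it while resetting the password.
ALTER LOGIN policy_test_login
    WITH PASSWORD = N'<replace-with-reset-password>' UNLOCK;
GO

-- Clean up the test login.
DROP LOGIN policy_test_login;
GO
```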
Dr. Diana Dee
Books Online never said which policies were associated with which login option. That's why I performed the experiment.

):-D