Password policies checked by CHECK_POLICY

  • Dr. Diana Dee

    SSCarpal Tunnel

    Points: 4232

    Comments posted to this topic are about the item Password policies checked by CHECK_POLICY

  • Mohit K. Gupta

    SSChampion

    Points: 12130

    That is interesting .. I didn't expect that answer.

    I expected that if SQL Server was told not to force password expiry, then the following would not be checked:

    Enforce password history

    Minimum password age

    Leaving simply the following:

    Minimum password length

    Password must meet complexity requirements

    But as I said, I assumed. So even though the password does not expire, the user can still change their password multiple times. So in your experiment you tried to change the password, and it didn't let you change the password too soon? And it kept the history for previous passwords? Thanks for the good question :). I'll have to remember that.

    ---

    Mohit K. Gupta, MCITP: Database Administrator (2005), My Blog, Twitter: @SQLCAN.
    Microsoft FTE - SQL Server PFE

    * Sometimes it's the search that counts, not the finding...
    * I didn't think so, but if I was wrong, I was wrong. I'd rather do something, and make a mistake than be frightened and be doing nothing. :smooooth:

    How to ask for help .. Read Best Practices here.

  • Dr. Diana Dee

    SSCarpal Tunnel

    Points: 4232

    Yes, I expected only

    Complexity, and

    Minimum Length

    policies to be checked by CHECK_POLICY.

    However, in my experiments, with a SQL Server login having only CHECK_POLICY in effect (but not CHECK_EXPIRATION), when minimum age was set, I could not change the password until then, and with History set I could not change the password to the same one for as many as specified by the History.

    Try it and let me know if you get different behavior.

    ):-D

  • majorbloodnock

    SSCrazy Eights

    Points: 9389

    At the risk of being obvious, your scenario mentions SQL 2005 running on Windows Server 2003, whilst your tests were SQL 2005 running on Vista. Have you subsequently carried out the same tests on Windows Server 2003 to verify you get the same results?

    Semper in excretia, sumus solum profundum variat

  • Dr. Diana Dee

    SSCarpal Tunnel

    Points: 4232

    If you have Server 2003, perhaps you could run the experiment and report back to us. NT version 5.2 and version 6.0 should behave the same with respect to policies, but you never know.

    I have not had Latin since high school. Please translate.

    ):-D

  • majorbloodnock

    SSCrazy Eights

    Points: 9389

    Dr. Diana Dee (11/24/2008)


    If you have Server 2003, perhaps you could run the experiment and report back to us. NT version 5.2 and version 6.0 should behave the same with respect to policies, but you never know.

    I'll see if I can, but not too sure how quickly I'll be able to come up with an answer - time constraints just like most of us....

    I have not had Latin since high school. Please translate.

    He, he. You're not the first to ask. Literally, it translates to "Always in the manure; it's only the depth that varies" 😀

    Semper in excretia, sumus solum profundum variat

  • Dr. Diana Dee

    SSCarpal Tunnel

    Points: 4232

    That reminds me of what motivational speaker Doug Wead said:

    "If you don't have any horses, your barn will be clean."

    ):-D

  • craigpessano

    SSCertifiable

    Points: 5358

    I tried this out on Windows 2003 to see how it reacts (Windows 2003 SP2; SQL Server 2005 Standard SP2 64-bit).

    Using the SSMS GUI, the following commands are issued.

    -- Create the login

    CREATE LOGIN [xxx] WITH PASSWORD=N'qwerty12!', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=ON

    --Command(s) completed successfully.

    -- Change the password

    ALTER LOGIN [xxx] WITH PASSWORD=N'zxcvbn12!'

    --Command(s) completed successfully.

    -- Change the password back to the original password

    ALTER LOGIN [xxx] WITH PASSWORD=N'qwerty12!'

    --Command(s) completed successfully.

    -- Change to a password that is too short

    ALTER LOGIN [xxx] WITH PASSWORD=N'abc'

    --Msg 15116, Level 16, State 1, Line 1

    --Password validation failed. The password does not meet Windows policy requirements because it is too short.

    -- Change to a password that is not complex enough

    ALTER LOGIN [xxx] WITH PASSWORD=N'abcdefgh'

    --Msg 15118, Level 16, State 1, Line 1

    --Password validation failed. The password does not meet Windows policy requirements because it is not complex enough.

    From the above, the only two things that are enforced are

    (1) Minimum password length

    (2) Password must meet complexity requirements

    NOTE that the GUI does not specify OLD_PASSWORD.

    Now let's try changing the password this time including the OLD_PASSWORD.

    -- Change the password to a previously used password, specifying the old password

    ALTER LOGIN xxx WITH PASSWORD = 'zxcvbn12!' OLD_PASSWORD = 'qwerty12!'

    --Msg 15115, Level 16, State 1, Line 1

    --Password validation failed. The password cannot be used at this time.

    -- Change the password to a completely new password, specifying the old password

    ALTER LOGIN xxx WITH PASSWORD = 'asdfgh12!' OLD_PASSWORD = 'qwerty12!'

    --Command(s) completed successfully.

    Interestingly, the old password does not seem to be required, but if specified SQL Server appears to check password history.

    -- Clean up

    DROP LOGIN xxx

  • Mohit K. Gupta

    SSChampion

    Points: 12130

    OLD_PASSWORD is required if a user is changing their own password. If you are changing the password with a sysadmin account it doesn't care; it allows a forced overwrite, just in case a user locks out their account and you need to reset the password :).

    I tried in SQL Server 2005, SP2.

    When I set the password using sa, no issues. I logged on as the user and did a password set, and I got this message:

    Msg 15151, Level 16, State 1, Line 1

    Cannot alter the login 'test', because it does not exist or you do not have permission.

    :).


  • Steve Jones - SSC Editor

    SSC Guru

    Points: 719037

    Vista should exceed W2K3 in what is supported, if I remember correctly. I don't have a W2K3 server to check on at the moment, but I'll try to later.

  • craigpessano

    SSCertifiable

    Points: 5358

    Mohit (11/24/2008)


    Old Password is required if a user was changing the password. If you were changing the password with SysAdmin account it doesn't care.

    Yes I was using a sysadmin account to change the password. Thanks for the additional info Mohit. This wasn't clear from BOL.
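
The two posts above (craigpessano's sysadmin-only test and Mohit's note about OLD_PASSWORD) can be replayed in a single batch. The script below is an added example written for this page; it is not craigpessano's posted commands and not anything from Microsoft's documentation. It assumes a scratch instance, a sysadmin connection, an invented login name (policy_test) and invented passwords, and it tests the self-service path by impersonating the login with EXECUTE AS LOGIN instead of opening a second connection. Each attempt is wrapped in TRY/CATCH so a refused change is printed with its error number (15116, 15118, 15115 and 15151 are the numbers the thread reports) instead of aborting the batch.

```sql
-- Added example: replay the CHECK_POLICY=ON / CHECK_EXPIRATION=OFF experiment end to end.
-- Login name and passwords are invented. Run as sysadmin on a scratch instance.
USE master;
GO
IF EXISTS (SELECT 1 FROM sys.sql_logins WHERE name = N'policy_test')
    DROP LOGIN [policy_test];
CREATE LOGIN [policy_test]
    WITH PASSWORD = N'Start-1234!', DEFAULT_DATABASE = [master],
         CHECK_EXPIRATION = OFF, CHECK_POLICY = ON;
GO
-- Which policy flags the server actually recorded for this login.
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins WHERE name = N'policy_test';

-- 1. sysadmin, no OLD_PASSWORD: rotate, then reuse the first password (thread: both accepted).
BEGIN TRY
    ALTER LOGIN [policy_test] WITH PASSWORD = N'Second-1234!';
    ALTER LOGIN [policy_test] WITH PASSWORD = N'Start-1234!';
    PRINT 'admin reset, reuse of old password: accepted';
END TRY
BEGIN CATCH
    PRINT 'admin reset, reuse of old password: ' + CAST(ERROR_NUMBER() AS varchar(10)) + ' ' + ERROR_MESSAGE();
END CATCH;

-- 2. sysadmin: too short (thread: 15116), then not complex enough (thread: 15118).
BEGIN TRY
    ALTER LOGIN [policy_test] WITH PASSWORD = N'abc';
    PRINT 'too short: accepted';
END TRY
BEGIN CATCH
    PRINT 'too short: ' + CAST(ERROR_NUMBER() AS varchar(10)) + ' ' + ERROR_MESSAGE();
END CATCH;
BEGIN TRY
    ALTER LOGIN [policy_test] WITH PASSWORD = N'abcdefgh';
    PRINT 'not complex: accepted';
END TRY
BEGIN CATCH
    PRINT 'not complex: ' + CAST(ERROR_NUMBER() AS varchar(10)) + ' ' + ERROR_MESSAGE();
END CATCH;

-- 3. sysadmin, but specifying OLD_PASSWORD: reuse of a recent password (thread: 15115).
BEGIN TRY
    ALTER LOGIN [policy_test] WITH PASSWORD = N'Second-1234!' OLD_PASSWORD = N'Start-1234!';
    PRINT 'reuse with OLD_PASSWORD: accepted';
END TRY
BEGIN CATCH
    PRINT 'reuse with OLD_PASSWORD: ' + CAST(ERROR_NUMBER() AS varchar(10)) + ' ' + ERROR_MESSAGE();
END CATCH;
-- Re-establish a known current password whatever step 3 did (admin reset, not history-checked above).
ALTER LOGIN [policy_test] WITH PASSWORD = N'Start-1234!';

-- 4. As the login itself. Without OLD_PASSWORD the statement needs ALTER ANY LOGIN, which
--    policy_test lacks (thread: 15151); with OLD_PASSWORD a principal may change its own password.
EXECUTE AS LOGIN = N'policy_test';
BEGIN TRY
    ALTER LOGIN [policy_test] WITH PASSWORD = N'Third-1234!';
    PRINT 'self change without OLD_PASSWORD: accepted';
END TRY
BEGIN CATCH
    PRINT 'self change without OLD_PASSWORD: ' + CAST(ERROR_NUMBER() AS varchar(10)) + ' ' + ERROR_MESSAGE();
END CATCH;
BEGIN TRY
    ALTER LOGIN [policy_test] WITH PASSWORD = N'Third-1234!' OLD_PASSWORD = N'Start-1234!';
    PRINT 'self change with OLD_PASSWORD: accepted';
END TRY
BEGIN CATCH
    PRINT 'self change with OLD_PASSWORD: ' + CAST(ERROR_NUMBER() AS varchar(10)) + ' ' + ERROR_MESSAGE();
END CATCH;
REVERT;

-- 5. Policy state as the server sees it, readable even though CHECK_EXPIRATION is OFF.
SELECT LOGINPROPERTY(N'policy_test', 'IsLocked')            AS is_locked,
       LOGINPROPERTY(N'policy_test', 'IsMustChange')        AS is_must_change,
       LOGINPROPERTY(N'policy_test', 'BadPasswordCount')    AS bad_password_count,
       LOGINPROPERTY(N'policy_test', 'PasswordLastSetTime') AS password_last_set;

DROP LOGIN [policy_test];
```

Two caveats when reading the output. Windows password policy is only applied to SQL Server logins when the instance runs on Windows Server 2003 or later, so on an older host every step is accepted and the script proves nothing about the policy. And on a host whose local policy sets a nonzero minimum password age, the OLD_PASSWORD changes in steps 3 and 4 may be refused with 15115 until that age has elapsed, which is the behaviour Dr. Dee reports earlier in the thread; run the script on a machine with the default (zero) minimum age to isolate the history check.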

  • dgabele

    SSCarpal Tunnel

    Points: 4896

    Could someone elaborate on what "Store password using reversible encryption" is and why it does not apply? I couldn't locate any info to prove it is/is not applicable.

  • Mohit K. Gupta

    SSChampion

    Points: 12130

    I am not sure if it applies to SQL Server directly ... I found the following article:

    Store passwords using reversible encryption

    http://technet.microsoft.com/en-us/library/cc784581.aspx

    EDIT: But since it is a policy setting maybe it can affect it indirectly. Although I am not sure if we are using that on our domain, so I cannot confirm whether this policy setting has an effect on SQL Server or not.

    Thanks ...


  • Dr. Diana Dee

    SSCarpal Tunnel

    Points: 4232

    If I recall correctly, "store password with reversible encryption" is used when the domain has NT 4.0 RAS servers. Use of that policy is considered dangerous.

    Off the top of my head, I think that policy would affect Windows logins only, because SQL Server uses a one-way hash to store passwords for SQL Server logins.

    ):-D

  • Chad Crawford

    SSChampion

    Points: 11605

    Dr. Diana Dee (11/23/2008)

    However, in my experiments, with a SQL Server login having only CHECK_POLICY in effect (but not CHECK_EXPIRATION), when minimum age was set, I could not change the password until then, and with History set I could not change the password to the same one for as many as specified by the History.

    That implies that the quote from the article below is incorrect, which is what I used to answer the QOD. 🙁 shucks.

    http://searchsqlserver.techtarget.com/news/article/0,289142,sid87_gci1102101,00.html

    CHECK_EXPIRATION encompasses minimum and maximum password age, and CHECK_POLICY encompasses all the other policies. When you run afoul of either policy, the SQL Server login must be unlocked by the DBA, as shown shortly in an example.

    Interestingly, they included Store Passwords using reversible encryption in the list, but I don't know exactly how that would be (or if it is) implemented with 2K5.
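
Dr. Dee's point that SQL Server keeps only a one-way hash for SQL Server logins (and Chad's question about how the reversible-encryption policy could apply to 2K5) can be checked directly against sys.sql_logins. The script below is an added example for this page, not code from the thread or from Microsoft. It assumes a sysadmin connection (password_hash is only visible with CONTROL SERVER), an invented login hash_demo with a known password, and the documented layout of the stored value: a 2-byte version marker, a 4-byte random salt, then the digest. 0x0100 is the SHA-1 layout used by SQL Server 2005 through 2008 R2 (a 20-byte digest); 0x0200 is the SHA-512 layout used from 2012 on (a 64-byte digest). The hash input is the UTF-16LE bytes of the password followed by the salt.

```sql
-- Added example: recompute a login's stored password hash from a known password to show
-- that the stored value is a salted one-way hash, not reversible encryption.
-- Login name and password are invented. Run as sysadmin on a scratch instance.
USE master;
GO
IF EXISTS (SELECT 1 FROM sys.sql_logins WHERE name = N'hash_demo')
    DROP LOGIN [hash_demo];
-- CHECK_POLICY OFF so the demo password is accepted regardless of the host's policy.
CREATE LOGIN [hash_demo] WITH PASSWORD = N'Kn0wn-Passw0rd!', CHECK_POLICY = OFF;
GO
DECLARE @password   nvarchar(128),
        @stored     varbinary(256),   -- sys.sql_logins.password_hash
        @version    binary(2),        -- 0x0100 = SHA-1 (2005 to 2008 R2), 0x0200 = SHA-512 (2012 and later)
        @salt       binary(4),        -- random per login, chosen by the server at CREATE/ALTER
        @digest     varbinary(64),
        @recomputed varbinary(64);

SET @password = N'Kn0wn-Passw0rd!';
SELECT @stored = password_hash FROM sys.sql_logins WHERE name = N'hash_demo';

SET @version = SUBSTRING(@stored, 1, 2);
SET @salt    = SUBSTRING(@stored, 3, 4);
SET @digest  = SUBSTRING(@stored, 7, DATALENGTH(@stored) - 6);

-- CAST(nvarchar AS varbinary) yields the UTF-16LE bytes; the salt is appended before hashing.
-- On versions without SHA2_512, HASHBYTES returns NULL for that branch, which simply does not match.
SET @recomputed = CASE @version
                      WHEN 0x0100 THEN HASHBYTES('SHA1',     CAST(@password AS varbinary(256)) + @salt)
                      WHEN 0x0200 THEN HASHBYTES('SHA2_512', CAST(@password AS varbinary(256)) + @salt)
                  END;

SELECT @version            AS hash_version,
       @salt               AS salt,
       DATALENGTH(@digest) AS digest_bytes,
       CASE WHEN @recomputed = @digest THEN 'recomputed digest matches stored hash'
            ELSE 'no match' END AS result;

-- PWDCOMPARE (documented from SQL Server 2008) is the supported way to test a candidate
-- password against a stored hash; it returns 1 for a match and 0 otherwise.
SELECT PWDCOMPARE(N'Kn0wn-Passw0rd!', @stored)  AS correct_password,
       PWDCOMPARE(N'not-the-password', @stored) AS wrong_password;

DROP LOGIN [hash_demo];
```

Because the salt is generated per login, two logins with the same password get different stored values, and nothing in the row allows the password to be recovered; the only operations available are recomputing the hash from a candidate password (which is what the Windows "reversible encryption" policy is meant to avoid needing for Windows accounts, and what SQL Server does anyway for its own logins) and comparing. That is why the policy has no counterpart for SQL Server logins: there is no reversibly encrypted copy for it to govern.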

Viewing 15 posts - 1 through 15 (of 26 total)
