Creating a secure SQL server login - CHECK_EXPIRATION & CHECK_POLICY

Posted by cabhilash on ASP.net Weblogs See other posts from ASP.net Weblogs or by cabhilash
Published on Wed, 07 Apr 2010 09:28:00 GMT Indexed on 2010/04/07 10:13 UTC
Read the original article Hit count: 454

Filed under:

SQL Server

In SQL Server you can create users using T-SQL or using the options provided by SQL Server Management Studio.

Create user sql server

CREATE LOGIN sql_user WITH PASSWORD ='sql_user_password' MUST_CHANGE,

DEFAULT_DATABASE = defDB,

CHECK_EXPIRATION = ON,

CHECK_POLICY = ON

As mentioned in the previous article (http://weblogs.asp.net/cabhilash/archive/2010/04/07/login-failed-for-user-sa-because-the-account-is-currently-locked-out-the-system-administrator-can-unlock-it.aspx) when CHECK_POLICY = ON user account follows the password rules provided in the system on which the SQL server is installed.

When MUST_CHANGE keyword is used user is forced to change the password when he/she tries to login for the first time.

CHECK_EXPIRATION and CHECK_POLICY are only enforced on Windows Server 2003 and later.

If you want to turn off the password expiration enforcement or security policy enforcement, you can do by using the following statements. (But these wont work if you have created your login with MUST_CHANGE and user didn't change the default password)

ALTER LOGIN sql_login WITH CHECK_EXPIRATION = OFF

go

ALTER LOGIN sql_login WITH CHECK_POLICY = OFF

Related posts about SQL Server

SQL SERVER – Concat Strings in SQL Server using T-SQL – SQL in Sixty Seconds #035 – Video

as seen on SQL Authority - Search for 'SQL Authority'
Concatenating string is one of the most common tasks in SQL Server and every developer has to come across it. We have to concat the string when we have to see the display full name of the person by first name and last name. In this video we will see various methods to concatenate the strings. SQL… >>> More
SQL SERVER – Concat Function in SQL Server – SQL Concatenation

as seen on SQL Authority - Search for 'SQL Authority'
Earlier this week, I was delivering Advanced BI training on the subject of “SQL Server 2008 R2″. I had great time delivering the session. During the session, we talked about SQL Server 2010 Denali. Suddenly one of the attendees suggested his displeasure for the product. He said, even though… >>> More
Nested SQL Select statement fails on SQL Server 2000, ok on SQL Server 2005

as seen on Stack Overflow - Search for 'Stack Overflow'
Here is the query: INSERT INTO @TempTable SELECT UserID, Name, Address1 = (SELECT TOP 1 [Address] FROM (SELECT TOP 1 [Address] FROM [UserAddress] ua INNER JOIN UserAddressOrder uo ON ua.UserID = uo.UserID WHERE ua.UserID = u.UserID ORDER BY uo.AddressOrder ASC) q ORDER BY AddressOrder… >>> More
How can I detect which version of SQL (eg SQL 2008 or SQL Azure)

as seen on Stack Overflow - Search for 'Stack Overflow'
I need to detect which version of SQL I am dealing with to perorm various tasks, I need specifically detect if I am on SQL 2008 or SQL Azure. How can I do this with detection code written in SQL? >>> More
Putting data from local SQL database to remote SQL database without remote SQL access enabled (PHP)

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, I have a local database, and all the tables are defined. Eventually I need to publish my data remotely, which I can do easily with PHPmyadmin. Problem however is that my remote host doesn't allow remote SQL connections at all, so writing a script that does a mysqldump and run it through a client… >>> More

Developer IT