Title: The DBMS must provide automated mechanisms for supporting user account management.
Vulnerability ID: V-32192
IA Controls: None
Description: A comprehensive application account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated, or by disabling accounts located in non-centralized account stores, such as multiple servers.
Enterprise environments make application user account management challenging and complex. A user management process requiring administrators to manually address account management functions adds risk of potential oversight.
Automated mechanisms may be comprised of differing technologies that when placed together contain an overall automated mechanism supporting an organization’s automated account management requirements.
Databases can have large numbers of users in disparate locations and job functions. Automatic account management can help mitigate the risk of human error found in manually managing database access.
Check Text: Check DBMS settings to determine if account management is automated. If account management foeing autoamtir the database is handled by the OS, check the OS for account management automabtion. If all account management is manual, this is a finding.
Fix Text: Utilize a DBMS, OS, or third party product that can automate some or all account maintenance functionality.[divider]
SQL Server doesn’t really have account management to the extent of being automated. A process can be created to perform checks and take actions if required. The easier way to approach this is to use integrated security, another STIG (V-41036) requirement, to take full advantage of Windows Authentication and user management. This way the database system and team can focus on making all the other aspects of SQL Server, such as security audits & performance their primary focus rather than maintaining accounts.
If you are using SQL Server generated logins they can be configured to follow the host server’s password and expiration policies for each Login as shown here: