Please start any new threads on our new site at https://forums.sqlteam.com. We've got lots of great SQL Server experts to answer whatever question you can come up with.

 All Forums
 SQL Server 2008 Forums
 SQL Server Administration (2008)
 Should we Enforce Policy Password?

Author  Topic 

denis_the_thief
Aged Yak Warrior

596 Posts

Posted - 2014-09-24 : 09:36:07
We have a vendor who has several servers connecting to ours. Since we changed the password for their login, they have been unable to update all there logins and several are regularly failing the login, while some are not. So I temporarily unchecked "Enforce Policy Password". So they are happy, I guess the processes they needed, they were able to correctly update the password, the ones that are constantly failing, they don't need.

I'm debating whether or not to turn "Enforce Policy Password" back on. Any ideas?

What are the benefits of turning this on? The obvious one is that if someone if trying to hack, they'll get only 3 tries. Another one is that this is the best way that when the password changes they are forced to either update all processes and servers using the passwords or turn off what they don't need. On the other hand, we are a development team and we don't have production servers so security, although important, is less critical.

Is there any way to enforce other aspects of the policy but turn off the 3 incorrect attempts and you're locked out? Or to change the attempts before lock-out from 3 to 10?

tkizer
Almighty SQL Goddess

38200 Posts

Posted - 2014-09-24 : 12:03:58
SQL Server uses the policy in Active Directory. So if you want to change the lockout value from 3 to 10, you would do that in AD.

Personally I would force the vendor to fix their shit so that you could adhere to best practices.

We use "Enforce password policy" but not "Enforce password expiration".

Tara Kizer
SQL Server MVP since 2007
http://weblogs.sqlteam.com/tarad/
Go to Top of Page

denis_the_thief
Aged Yak Warrior

596 Posts

Posted - 2014-09-24 : 13:57:22
Thanks, that's awesome.

Plus, their servers are doing this every minute, filling our error log with junk.
Go to Top of Page
   

- Advertisement -