Thursday, April 22, 2010

SQL Server 2000 - Implement Password Policy

Password composition & Minimum password length
No SQL Server 2000 policy/settings can be set to enable this minimum password length for sql server login,
Workaround :- Set a new sp_password_neww to implement the feature or replace the existing sp_password procedure. (If Upgrading the SQL Server 2000, the original sp_password have to be put back) .

For creating a new sp_password_new and sp_addlogin_new
To make sure that the old procedures are not used, revoke execute permissions for both the SP_ADDLOGIN stored procedure and for the SP_PASSWORD stored procedure.Important :- The sa must not use Enterprise Manager, or use any other application that uses menu-driven methods for adding logins.

e.g.
add the below for the sp_addlogin
if @passwd is NULL
begin
Raiserror 20010 'The new password can not be blank/NULL.'
return (1)
end

if len(@passwd) < 6
begin
Raiserror 20020 'The new password can not be less than 6 characters.'
return (1)
end

if not (@passwd like '%[0-9]%' and @passwd like '%[a-z]%')
begin
Raiserror 20020 'The new password must be alphanumeric.'
return (1)
end



Number of unsuccessful logons before lockout & Lockout duration
Unable to implement this on SQL 2000, since we're using sql server login and this feature are not availaible in Microsoft SQL 2000 it is only if we used Windows integrated login that it can be implemented. SQL 2000 don't have the "Alter Login ...." command
Info :http://www.sqlservercentral.com/Forums/Topic767023-146-1.aspx



How to implement password expiration dates for SQL Server 2000 or SQL Server 7.0 login IDs.
http://support.microsoft.com/kb/80397

No comments: