Search

Contained User syntax does not support bypassing password policy by aaronbertrand

Active

8
0
Sign in
 to vote
Type: Bug
ID: 717069
Opened: 1/6/2012 6:22:01 AM
Access Restriction: Public
0
Workaround(s)
1
User(s) can reproduce this bug
It seems that while CREATE LOGIN allows you to create simple passwords that do not get validated by the Windows password policy (using CHECK_POLICY = OFF), the CREATE USER syntax has not been updated to allow the same.

Not that I am condoning simple passwords, but it seems silly if I can make my server-level logins much easier to hack, but I can't do this for contained users that are far less of an exposure risk. The inconsistency is glaring, and I would hope that this behavior is at least documented so that folks understand that they can't bypass the policy check when creating contained users (the lack of CHECK_POLICY in the syntax diagram is not exactly documentation IMHO).

Of course it will be much better if CREATE USER was extended to support the same functionality afforded to CREATE LOGIN.

In the meantime, the workarounds are easy:

(1) use a password that meets the policy.
(2) disable the policy.
(3) create a normal login with CHECK_POLICY = OFF, then use the system procedure sp_migrate_user_to_contained to convert them to a database user with password. This procedure does not validate the password.

Please see the Details section for the T-SQL script to demonstrate this issue.
Details (expand)

Product Language

English

Version

SQL Server 2012 RC0

Category

Tools (SSMS, Agent, Profiler, Migration, etc.)

Operating System

Windows 7 (all editions) (SP1)

Operating System Language

US English

Steps to Reproduce

On a machine with a password policy in place:

USE [master];
GO

-- works:

CREATE LOGIN blat_login WITH PASSWORD = 'splunge', CHECK_POLICY = OFF;
GO
EXEC sp_configure 'contained database authentication', 1;
GO
RECONFIGURE WITH OVERRIDE;
GO
CREATE DATABASE Contained;
GO
ALTER DATABASE Contained SET CONTAINMENT = PARTIAL;
GO
USE Contained;
GO

-- fails:

CREATE USER blat_user WITH PASSWORD = 'splunge';
GO

Actual Results

Msg 15116, Level 16, State 1, Line 1
Password validation failed. The password does not meet Windows policy requirements because it is too short.

Expected Results

When the CREATE USER syntax is used to create a contained user (e.g. in conjunction with WITH PASSWORD), it should allow for the same CHECK_POLICY, CHECK_EXPIRATION, MUST_CHANGE settings etc. that are allowed for server-level logins.

Platform

X64
File Attachments
0 attachments
Sign in to post a comment.
Posted by aaronbertrand on 1/20/2012 at 11:32 AM
Don, these details are listed further down in the Connect item. Did you expand the "Details" node? I'll repeat for you here. First, set up a machine that has a password policy in place and active. I can't write a T-SQL script for that. Then, on an instance that resides on the machine with the password policy in place:

USE [master];
GO

-- works:
CREATE LOGIN blat_login WITH PASSWORD = 'splunge', CHECK_POLICY = OFF;
GO

-- fails:
CREATE LOGIN splung_login WITH PASSWORD = 'splunge';
GO

/*
Msg 15116, Level 16, State 1, Line 1
Password validation failed. The password does not meet Windows policy requirements because it is too short.
*/

-- now set up a contained database:

EXEC sp_configure 'contained database authentication', 1;
GO
RECONFIGURE WITH OVERRIDE;
GO
CREATE DATABASE Contained;
GO
ALTER DATABASE Contained SET CONTAINMENT = PARTIAL;
GO
USE Contained;
GO

-- fails:

CREATE USER blat_user WITH PASSWORD = 'splunge';
GO

/*
Msg 15116, Level 16, State 1, Line 1
Password validation failed. The password does not meet Windows policy requirements because it is too short.
*/

There is no way to make this succeed, as there is no way to use CREATE USER syntax that does NOT go through the windows password policy checks. These checks are not the basic password validation policy you're talking about, they're coming from Windows. If you still can't see the problem here (I can make a server-level login with a weak password, but I need a strong password for a much more restricted contained user), can you please have Isaac Kunen take a look at this issue?
Posted by Microsoft on 1/20/2012 at 11:24 AM
Hi Aaron,

Thank you for your feedback!

We have some really basic password validation policy in place if we don't go through windows password policy checks -

Rules:
------
1.    Cannot be null
2.    Cannot be same as the login name
3.    Cannot be same as the machine name
4.    Cannot be any of the fixed names such as -{"password", "admin", "administrator", "sa", "sysadmin"};

If you can provide me with the T-SQL script, I'll be more than happy to investigate this issue further for you.

Thank you and regards,
Don Pinto
SQL Server Engine Security
Posted by aaronbertrand on 1/17/2012 at 12:09 PM
Don, I can only guess you didn't try the repro, because your explanation does not match my experience. Can you please explain how I can set CHECK_POLICY off for a contained database user? This user is not associated with a login, and CHECK_POLICY is not an option for CREATE USER.
Posted by Microsoft on 1/17/2012 at 11:53 AM
Hi Aaron,

Thanks for your feedback on the product!

After taking a deeper look into the design, we only do simple password validation checks and don't enforce the policy if CHECK_POLICY is set to OFF.

Thank you and regards,
Don Pinto
SQL Server Engine Security
Posted by Greg Low - Australia on 1/6/2012 at 5:45 PM
Quite agree Aaron. I'd also suggest that contained users will be the most likely ones that will need the ability to turn off policy checking as they'll often be used for application databases where apps connect with fixed credentials.

Regards,

Greg
Sign in to post a workaround.
© 2012 Microsoft Corporation. All rights reserved. Microsoft Connect Terms of Use | Trademarks | Privacy Statement