RE: MS-SQL Blank Password Enumeration

From: Aaron C. Newman (Application Security, Inc.) (anewman@appsecinc.com)
Date: 05/27/02


From: "Aaron C. Newman (Application Security, Inc.)" <anewman@appsecinc.com>
To: "'Don Wolf'" <don.wolf@securedsite.org>, "'Focus-MS - Security Focus'" <focus-ms@securityfocus.com>
Date: Mon, 27 May 2002 17:25:06 -0400

It's a bit confusing if you're not intimately familiar with how SQL
Server works, but here goes.

Login ids have passwords. Login ids are in the master database, but they
are global to SQL Server. Each database has a list of users that map to
the login ids, but user ids do not have passwords. You always connect to
the database using a login id.

The sa login has admin privileges to every database, so it's an issue
with every department; however, the owner of each database does not "own"
the sa login, so it's a little tricky to say which department should
change it. My recommendation is that the security administrator should
change it, and then create a separate account for each department to
manage each separate database.

Regards,
Aaron
_____________________________
Aaron C. Newman
CTO/Founder
Application Security, Inc.
www.appsecinc.com
212-490-6022
- Protection Where It Counts -

Ps. Check out a free evaluation of AppDetective at www.appsecinc.com for
more information on securing your databases.

-----Original Message-----
From: Don Wolf [mailto:securedsite@hotmail.com]
Sent: Monday, May 27, 2002 3:30 PM
To: Focus-MS - Security Focus
Subject: MS-SQL Blank Password Enumeration

Greetings All, a quick question for any MS-SQL folks:

How can I determine which databases have blank passwords on SQL servers
with multiple databases? I've already determined the servers which contain
blank passwords, but the tool I am using (sqlbf.c) doesn't display the
individual database, e.g. Northwind, etc. On one particular server we have
5 databases and I need to determine which is running blank and what dept.
will need to fix it. I am asking this question assuming the SA account is
not global and is configured on each individual database?

Any assistance would be greatly appreciated.

Brian.
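Aaron's distinction above (passwords belong to server-wide logins, database users carry no password of their own, and sa reaches every database) can be turned into the check Don was asking for. The T-SQL below is an added example and is not from either message in the thread; it assumes SQL Server 2005 or later for the catalog views (sys.sql_logins, sys.database_principals) and a sysadmin login to run it, and closes with the SQL Server 2000 system tables that were current when the thread was written.

```sql
-- Added example, not from the original thread. Assumes SQL Server 2005 or
-- later and a sysadmin (or at least VIEW ANY DEFINITION) login.

-- 1. Logins are server-wide, so the blank-password question is answered
--    once per instance, not per database. PWDCOMPARE returns 1 when the
--    stored hash matches the supplied clear-text password, here ''.
SELECT name, is_disabled
FROM   sys.sql_logins
WHERE  PWDCOMPARE('', password_hash) = 1;

-- 2. Users are per database and map to a login by SID. Walk every online
--    database and report which of its users are mapped to a blank-password
--    login, so each department can be told which databases are exposed.
--    Note that sa never appears here: it is sysadmin and reaches every
--    database without a user row, which is why one administrator should
--    own the fix rather than any single department.
DECLARE @sql nvarchar(max);
SET @sql = N'';

SELECT @sql = @sql + N' UNION ALL SELECT N'''
    + REPLACE(d.name, N'''', N'''''') + N''' AS database_name,
       u.name AS user_name, l.name AS login_name
FROM   ' + QUOTENAME(d.name) + N'.sys.database_principals AS u
JOIN   sys.sql_logins AS l ON l.sid = u.sid
WHERE  PWDCOMPARE('''', l.password_hash) = 1'
FROM   sys.databases AS d
WHERE  d.state_desc = 'ONLINE';

-- Drop the leading ' UNION ALL ' (11 characters) before executing.
SET @sql = STUFF(@sql, 1, 11, N'');
EXEC sys.sp_executesql @sql;

-- SQL Server 2000 equivalent (the version in use when this was posted):
-- logins live in master..sysxlogins, users in each database's sysusers,
-- and a SQL login with a blank password has NULL in sysxlogins.password.
-- Assumption: the syslogins view's isntname column is used to exclude
-- Windows logins, which have no SQL Server password at all.
SELECT l.name
FROM   master..sysxlogins AS x
JOIN   master..syslogins  AS l ON l.sid = x.sid
WHERE  x.password IS NULL
AND    l.isntname = 0;
```

The second query is what a per-database report looks like, but the first query is the one that actually matters: because the login and its password are global, a blank sa password is exploitable against every database on the instance whether or not that database has a user row for it, and the fix is one password change on the login, not five changes in five databases.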


