Re: Application password
From: Mary Chipman (mchip@nomail.please)
Date: 09/11/02
- Next message: simonzupan: "INSERT Permission"
- Previous message: Sue Hoegemeier: "Re: Firehose mode?"
- In reply to: Thomas: "Re: Application password"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Mary Chipman <mchip@nomail.please> Date: Wed, 11 Sep 2002 09:03:19 -0400
That is correct -- and with SQL logins, there is no way to enforce
lockout after a certain number of invalid attempts. Windows
authentication only is considered much more secure (as long as you
lock down Windows).
-- Mary
MCW Technologies
http://www.mcwtech.com
On Wed, 11 Sep 2002 08:15:36 +0200, "Thomas" <ohjustme@hotmail.com>
wrote:
>They definitely do not. Their biggest effort so far is replacing the sa login
>with another one. Still, I think there's a huge problem since if someone gets
>hold of that single password their entire security scheme is broken. There
>is no way to tell who accessed the data.
>
>//Thomas
>
>"Mary Chipman" <mchip@nomail.please> skrev i meddelandet
>news:a0ehnu0n1lob9iqdj6up1d2dutmjhithg6@4ax.com...
>> I guess nobody in your development environment follows any of the
>> breaking news items on security vulnerabilities. You don't need a
>> sniffer to hack into SQLS that has the sa login enabled with a blank
>> or weak password. The problem is much worse than you think--not only
>> is your data vulnerable, but so is the entire system. So basically
>> your developer's ignorance of how security works is jeopardizing your
>> entire network.
>>
>> Microsoft's central location for SQLS security papers and information
>> is
>> http://www.microsoft.com/SQL/techinfo/administration/2000/security.asp.
>> You might try printing out and distributing some of the information
>> you find. You can also subscribe to bulletins from the SANS institute
>> at www.sans.org to obtain timely updates on security vulnerabilities.
>>
>> -- Mary
>> MCW Technologies
>> http://www.mcwtech.com
>>
>> On Fri, 6 Sep 2002 12:36:52 +0200, "Thomas" <ohjustme@hotmail.com>
>> wrote:
>>
>> >We have a lot of in-house developed applications which all share the same
>> >method of accessing the SQL Server: an application password.
>> >Some are worse than others by using the sa account. The passwords are
>> >stored encrypted in the applications or encrypted in an ini-file.
>> >To me this seems extremely insecure since all you have to do is find out
>> >the user and password, which frankly sometimes are the same as the user or
>> >blank. When you have accomplished that you have access to all the data in
>> >the database no matter what the application's own security system says.
>> >I try to convince the developers that this is bad but they won't really
>> >listen.
>> >
>> >Is there an easy way to show them how insecure this is by hijacking the
>> >session or at least sniffing the session for user and password?
>> >
>> >Regards, Thomas
>> >
>> >
>>
>
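An added, read-only audit script for the conditions discussed in this thread (mixed-mode authentication, the sa login still enabled, and SQL logins with blank passwords or passwords equal to the login name); it is not from the thread, and it assumes SQL Server 2005 or later, where sys.sql_logins, PWDCOMPARE and the IsIntegratedSecurityOnly server property exist.

```sql
-- Added audit script (not from the thread). Assumes SQL Server 2005 or later.
-- Run as a member of sysadmin; it only reads catalog views and changes nothing.

-- 1. Authentication mode: 1 = Windows authentication only,
--    0 = mixed mode, so SQL logins such as sa are accepted.
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
           WHEN 1 THEN 'Windows authentication only'
           ELSE 'Mixed mode: SQL logins accepted'
       END AS authentication_mode;

-- 2. The sa login: is it still enabled, and is its password blank?
--    sa always has SID 0x01, so this finds it even if it was renamed.
SELECT name,
       is_disabled,
       PWDCOMPARE('', password_hash) AS has_blank_password
FROM sys.sql_logins
WHERE sid = 0x01;

-- 3. Every SQL login, flagging blank passwords, passwords equal to the
--    login name, and whether the Windows password policy (which includes
--    account lockout) is enforced for the login.
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       PWDCOMPARE('',   password_hash) AS has_blank_password,
       PWDCOMPARE(name, password_hash) AS password_equals_name
FROM sys.sql_logins
ORDER BY name;
```

Any row with has_blank_password = 1 or password_equals_name = 1, or an enabled sa, is the shared-credential exposure described above; switching the server to Windows authentication only removes the SQL-login path entirely.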