Re: The SA Mess
From: Russell Stevens (rustyprogrammer_at_online.nospam)
Date: 03/17/05
- Next message: Arif Çimen: "Re: I can not login SQL Server"
- Previous message: William Wang[MSFT]: "Re: The SA Mess"
- In reply to: William Wang[MSFT]: "Re: The SA Mess"
- Next in thread: Don Grover: "Re: The SA Mess"
- Reply: Don Grover: "Re: The SA Mess"
Date: Wed, 16 Mar 2005 22:56:06 -0500
William,
I agree - no one needs to use the sa account. The only people that use the
sa account are the hackers. So why can't the account be disabled or renamed
if it is not needed for backward compatibility?
I also understand that SQL 2005 has a fix for this problem. If Microsoft
thought it was a problem that needed fixing for SQL 2005, why can't they
also fix it for SQL 2000?
How does a firewall know that there was an unsuccessful login to SQL
Server? That info has to come from SQL Server. If there is a product that
does that, I would be sure be interested. The firewall must allow the login
attempt - perhaps I am missing the obvious here, but I don't see where a
firewall is solving this problem. And just how many IP numbers can a
firewall block - suppose you are adding 100 IP numbers per day
automatically - how does it perform when it has to check an incoming login
against a list of millions of IP numbers. The computers that are trying to
log in are typically innocent robots that got infected. They get banned, then
their owner cleans them up. How do they then get off the banned list? i.e. -
this doesn't look like a job for the firewall - SQL server should be doing
this - if there are a dozen unsuccessful logins in succession, stop
additional logins from that source for x period of time. That solves the
bandwidth issue and eventually would reduce the number of attempts as the
nerds will find something more productive to do. If you can only try 100
different passwords in a day or whatever, about the only password you will
be able to crack is 'pw'. And if they had to guess both the login name and
password, there basically wouldn't be any hacks except for those still using
blank sa passwords.
As the hacking programs proliferate, this problem continues to worsen. It
is only a matter of time before SQL server will be totally unusable as an
Internet accessible database - not because people are successful in breaking
in, just because of all the break in attempts using up all the bandwidth and
computer resources.
This problem is not restricted to access via the Internet - the problem is
the same for someone trying to hack in via the LAN where the SQL server
isn't connected to the Internet at all. There are more security options
available to work around the problem in this situation, but the problem is
still there. Actually, since LAN speed is typically 100 Mbps and Internet
speed for remote connections is typically 256Kbs/3Mbs, this type of attack
via the LAN can be much more forceful. I suspect someone automating sa
logins via the LAN can totally bring SQL server down. How many SACAPS can
SQL Server handle (sa connection attempts per second) <g>?
I just don't understand why Microsoft thinks allowing constant sa login
attempts is acceptable.
Thanks
Russ Stevens
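A defender-side sketch of the per-source lockout Russ argues for, added here as an example and not part of the thread or of any Microsoft product: it parses constructed SQL Server 2005-style ERRORLOG lines, flags a client address after a dozen failed logins inside a sliding window, and lets the block expire so a cleaned-up machine is admitted again. The log format, the thresholds and the addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\. \[CLIENT: (?P<ip>[\d.]+)\]$"
)

# Constructed sample lines (assumed 2005-style format with a CLIENT address):
# 12 rapid 'sa' failures from one source, two from a real user, one unrelated line.
_T0 = datetime(2005, 3, 16, 22, 10, 0)
def _fail(t, user, ip):
    return f"{t:%Y-%m-%d %H:%M:%S}.00 Logon  Login failed for user '{user}'. [CLIENT: {ip}]"
SAMPLE_LOG = "\n".join(
    [_fail(_T0 + timedelta(seconds=10 * i), "sa", "203.0.113.7") for i in range(12)]
    + [_fail(_T0 + timedelta(minutes=1), "appuser", "192.0.2.10"),
       _fail(_T0 + timedelta(minutes=2), "appuser", "192.0.2.10"),
       f"{_T0:%Y-%m-%d %H:%M:%S}.00 spid51 Starting up database 'master'."]
)

def parse_failures(text):
    """Extract (timestamp, user, client_ip) from failed-login lines; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]))
    return events

def sources_to_block(events, threshold=12, window=timedelta(minutes=5),
                     lockout=timedelta(minutes=15)):
    """Map client_ip -> block-until time for any source reaching `threshold`
    failures inside a sliding `window`, whichever login names it tried."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    blocks = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                blocks[ip] = ts + lockout       # temporary, not a permanent ban
                break
    return blocks

def is_blocked(blocks, ip, now):
    until = blocks.get(ip)                     # expired entries no longer block
    return until is not None and now < until
```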