Re: Internet password attacks
From: Hal Berenson (haroldb_at_truemountainconsulting.com)
Date: 08/28/05
- Next message: Hal Berenson: "Re: How secure is MS SQL Server 2000?"
- Previous message: ErwinB: "Server Registration fails - figure this out !"
- In reply to: Russell Stevens: "Re: Internet password attacks"
- Next in thread: Russell Stevens: "Re: Internet password attacks"
- Reply: Russell Stevens: "Re: Internet password attacks"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 28 Aug 2005 08:28:40 -0600
Unfortunately it isn't a bug (where bug = coding error) in SQL Server 2000.
It isn't even a design flaw in the classic sense. It is a missing feature
set dating back to the original Sybase decisions made 20 years ago.
Microsoft's fix was to add integrated (aka Windows) security and push people
not to use the legacy SQL Server security stuff at all. That fixes the
problem. But despite Microsoft's desire to do away with the legacy security
stuff it is still heavily used. Partially for bad reasons (like, it just
being easier to embed a password in the application) and partially for good
reasons (like, we have to access it from a Unix system). So for SQL Server
2005 they are finally acknowledging that and re-working the Sybase-derived
stuff to use the full set of Windows password protections. But I doubt it
is something of a scope that it could be easily (mostly meaning safely and
reliably) backported into a SQL Server 2000 service pack. Not impossible of
course, but just well beyond the scope of a service pack.
Personally, I would NOT put a SQL Server 2000 directly on the Internet.
There are reasons beyond the password security issues that make me queasy
(not that I know of any specific vulnerability). The better way to enable
your users to access SQL Server remotely is to have them VPN in. That is
yet another reason Microsoft wasn't incented to enhance the legacy password
stuff earlier.
At a minimum you should use a non-standard port for your SQL Server if it is
going to be on the net. That should minimize the attacks (since I imagine
most of them are built on the premise that SQL Server uses 1433).
--
Hal Berenson, President
PredictableIT
Phone: 805-212-1025 ext 101
hberenson@predictableit.com
Helpdesk: 805-212-1024 ext 1

"Russell Stevens" <rustyprogrammer@online.nospam> wrote in message
news:um$43caqFHA.3524@tk2msftngp13.phx.gbl...
> Microsoft refuses to fix this glaring problem in SQL 2000. You can use a
> port monitor to get the IP numbers then block them with a firewall or use
> IPsec to block the IP numbers. It is a never ending job as new drones will
> be attacking every day.
>
> Microsoft's reply is that you shouldn't be doing this. Of course, they
> will be glad to sell you a copy of SQL Server 2005 that does fix this
> (non) problem.
>
> With a strong password, the attackers will never be successful, but they
> can eat up a lot of bandwidth trying.
>
> Russ Stevens
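The quoted advice above (collect the attacking IP numbers from a port monitor, then block them at the firewall or with IPsec) is the kind of chore that is easy to script. The following is an added example, not code from either poster: it parses constructed connection-log lines for TCP 1433, flags any source address with five or more failed logins inside a sliding ten-minute window, and renders a block rule per offender. The log line format, the threshold, the window and the sample addresses are all assumptions made for the example; the rendered rule uses the `netsh advfirewall` syntax of later Windows versions only to show the shape of the rule, and an administrator would substitute whatever firewall or IPsec tooling they actually use.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The one-attempt-per-line format (as a port monitor or
# login auditor might record it) is an assumption for this example, not SQL
# Server 2000's own error-log format. Addresses are documentation ranges.
SAMPLE_LOG = """\
2005-08-28 08:01:02 src=203.0.113.5 dst_port=1433 result=login_failed user=sa
2005-08-28 08:01:05 src=203.0.113.5 dst_port=1433 result=login_failed user=sa
2005-08-28 08:01:09 src=203.0.113.5 dst_port=1433 result=login_failed user=sa
2005-08-28 08:02:30 src=203.0.113.5 dst_port=1433 result=login_failed user=sa
2005-08-28 08:02:31 src=203.0.113.5 dst_port=1433 result=login_failed user=sa
2005-08-28 08:03:00 src=203.0.113.5 dst_port=1433 result=login_failed user=sa
2005-08-28 08:05:00 src=198.51.100.7 dst_port=1433 result=login_failed user=sa
2005-08-28 08:06:00 src=192.0.2.10 dst_port=1433 result=login_ok user=app_user
this line is not a connection record and is skipped by the parser
2005-08-28 08:40:00 src=198.51.100.7 dst_port=1433 result=login_failed user=sa
2005-08-28 09:00:00 src=203.0.113.9 dst_port=1433 result=login_failed user=sa
2005-08-28 09:15:00 src=203.0.113.9 dst_port=1433 result=login_failed user=sa
2005-08-28 09:30:00 src=203.0.113.9 dst_port=1433 result=login_failed user=sa
2005-08-28 09:45:00 src=203.0.113.9 dst_port=1433 result=login_failed user=sa
2005-08-28 10:00:00 src=203.0.113.9 dst_port=1433 result=login_failed user=sa
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) dst_port=(?P<port>\d+) "
    r"result=(?P<result>\w+) user=(?P<user>\S+)$"
)


def parse_events(text):
    """Yield (timestamp, ip, result, user) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group("ip"), m.group("result"), m.group("user")


def find_offenders(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak_failures} for every source IP whose failed logins
    reach `threshold` inside some time span of length `window`.

    Only failures count, so a busy legitimate client that logs in
    successfully is never flagged. A slow scanner spreading its attempts
    further apart than `window` is not flagged either; lower the threshold
    or widen the window to catch that pattern at the cost of more noise."""
    failures = defaultdict(list)
    for ts, ip, result, _user in events:
        if result == "login_failed":
            failures[ip].append(ts)

    offenders = {}
    for ip, stamps in failures.items():
        stamps.sort()
        peak = 0
        j = 0
        for i in range(len(stamps)):
            # Two-pointer sweep: advance j so stamps[i:j] all lie within
            # `window` of stamps[i]; j only ever moves forward.
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def netsh_block_rules(offenders):
    """Render one inbound block rule per offender (netsh advfirewall syntax,
    shown as the shape of the rule; substitute your own firewall/IPsec tool)."""
    return [
        f'netsh advfirewall firewall add rule name="Block SQL brute force {ip}" '
        f"dir=in action=block remoteip={ip}"
        for ip in sorted(offenders)
    ]


if __name__ == "__main__":
    hits = find_offenders(parse_events(SAMPLE_LOG))
    for ip, n in hits.items():
        print(f"{ip}: {n} failed logins inside a 10-minute window")
    for cmd in netsh_block_rules(hits):
        print(cmd)
```

Run against the constructed log, only 203.0.113.5 crosses the default threshold (six failures in under two minutes); 203.0.113.9 makes five attempts too, but fifteen minutes apart, so it never exceeds one per window. That distinction is the reason for the sliding window rather than a plain per-day count: a hard-coded IP block list grows without bound, as the quoted poster notes, so the threshold and window are the knobs that decide how much of the daily noise ends up in it.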