Re: Internet password attacks

From: Russell Stevens (rustyprogrammer_at_online.nospam)
Date: 08/28/05


Date: Sun, 28 Aug 2005 11:19:21 -0400

Hal,

<<It is a missing feature
set dating back to the original Sybase decisions made 20 years ago.
Microsoft's fix was to add integrated (aka Windows) security and push people
not to use the legacy SQL Server security stuff at all>>

It's refreshing to hear someone NOT say "SQL server was not designed to allow
open Internet access". As you mention, it was designed exactly for that
originally. Of course, this is further compounded by the fact that you can't
change the sa account. Microsoft recommends you rename the Administrator
account on its servers so that a hacker needs to guess both the user name
and a password. Given that the sa account is fixed, the hacker only needs to
guess a password. Then, on top of that, for years, the default password for
the sa account was an empty string. So hackers knew the login name and knew
the password for lots of SQL servers without having to do anything. It is
now a little harder as they try to crack the password using a dictionary
attack. Put a new SQL server online, and the hacks will start within an
hour.

I think Microsoft could easily fix this in a service pack if they wanted to.
They already have the necessary code for tracking unsuccessful logins (in
Profiler). They don't need to tie it in to group policy, etc. to fix this in
SQL 2000 - after x unsuccessful tries, block out y for z time and allow the
sa account to be renamed. Using another port doesn't help much - the hackers
can easily determine the SQL port.

Sure, the SQL 2005 way is the best way to do it (tied in to the OS), but
any way you do it is better than the SQL 2000 way. Just imagine the amount of
Internet bandwidth that would then become available for something useful
<g>.

Russ Stevens
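The "after x unsuccessful tries, block out y for z time" rule in the post above can be made concrete in a few lines. The following is an added illustration, not code from Russ, from Microsoft or from any SQL Server release: it parses constructed log lines shaped like the SQL Server error log's "Login failed for user" entries (the timestamps, the client addresses and the user names are made up here), keeps a sliding window of failures per (login, client) pair, and starts a fixed-length lockout once the threshold is hit. The threshold, window and lockout duration are assumed values chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not taken from the post) in the shape of SQL Server
# error-log "Login failed" entries. 203.0.113.5 hammers 'sa'; 198.51.100.9 is a
# single mistyped password from an ordinary login.
SAMPLE_LOG = """\
2005-08-28 11:00:01.12 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2005-08-28 11:00:02.40 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2005-08-28 11:00:03.07 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2005-08-28 11:00:03.55 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2005-08-28 11:00:04.10 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2005-08-28 11:00:05.00 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2005-08-28 11:00:09.31 Logon       Login failed for user 'reports'. [CLIENT: 198.51.100.9]
2005-08-28 11:16:00.00 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\. \[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failures(text):
    """Yield (timestamp, user, client) for every failed-login line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["client"]


class LockoutPolicy:
    """x = max_failures inside `window`; y = the (login, client) pair; z = `lockout`.
    All three values are assumptions for the example, not defaults of any product."""

    def __init__(self, max_failures=5, window=timedelta(minutes=1),
                 lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.recent = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}             # key -> moment the lockout expires

    def is_locked(self, key, now):
        return key in self.locked_until and now < self.locked_until[key]

    def record_failure(self, key, now):
        """Count one failure; return True if it trips the threshold and starts a lockout."""
        q = self.recent[key]
        q.append(now)
        while q and now - q[0] > self.window:     # drop failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            q.clear()                              # a fresh count starts after expiry
            return True
        return False


def analyze(text, policy=None):
    """Replay the log through the policy; report lockouts and attempts rejected while locked."""
    policy = policy or LockoutPolicy()
    lockouts, rejected = [], 0
    for ts, user, client in parse_failures(text):
        key = (user, client)
        if policy.is_locked(key, ts):
            rejected += 1          # attempt refused outright; it does not extend the lockout
            continue
        if policy.record_failure(key, ts):
            lockouts.append((user, client, ts, ts + policy.lockout))
    return {"lockouts": lockouts, "rejected_while_locked": rejected}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for user, client, start, until in result["lockouts"]:
        print(f"locked {user!r} from {client} at {start} until {until}")
    print("attempts rejected while locked:", result["rejected_while_locked"])
```

Keying on the (login, client) pair rather than on the login alone is deliberate: a fixed account name such as sa means a lockout keyed only on the login would let any remote address deny service to the administrator. The post's point that the guessing continues unabated still stands; the policy only stops each source from getting unlimited free tries.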


