Re: Internet password attacks
From: Hal Berenson (haroldb_at_truemountainconsulting.com)
Date: 08/29/05
- Next message: Sue Hoegemeier: "Re: SQL Agent Account log on"
- Previous message: Russell Stevens: "Re: Internet password attacks"
- In reply to: Russell Stevens: "Re: Internet password attacks"
- Next in thread: Russell Stevens: "Re: Internet password attacks"
- Reply: Russell Stevens: "Re: Internet password attacks"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 28 Aug 2005 18:06:41 -0600
Allow the SA account to be renamed in a service pack? You are mad. That
would break the entire product and require many thousands of lines of code
to be changed (not to mention all the customer apps that would be broken).
Put in a hard coded delay (z) after x failed login attempts for a particular
account (y), with no user interface for controlling x or z? That might be
reasonable. An even easier change would be to just insert a timeout-1
second delay before responding to a TDS Login packet that contained an
invalid password. That would effectively kill the automated attacks without
breaking anything (important). Unfortunately, it is likely to be a long
time until the next SQL Server 2000 Service Pack and that will (I'm
guessing) be little more than a hotfix rollup. So we've probably missed the
boat on doing anything for SQL Server 2000.
--
Hal Berenson, President
PredictableIT
Phone: 805-212-1025 ext 101
hberenson@predictableit.com
Helpdesk: 805-212-1024 ext 1

"Russell Stevens" <rustyprogrammer@online.nospam> wrote in message
news:u7sJiP%23qFHA.3600@TK2MSFTNGP10.phx.gbl...
> Hal,
>
> <<It is a missing feature set dating back to the original Sybase decisions
> made 20 years ago. Microsoft's fix was to add integrated (aka Windows)
> security and push people not to use the legacy SQL Server security stuff
> at all>>
>
> It's refreshing to hear someone NOT say "SQL server was not designed to
> allow open Internet access". As you mention, it was designed exactly for
> that originally. Of course, this is further compounded by the fact that
> you can't change the sa account. Microsoft recommends you rename the
> Administrator account on its servers so that a hacker needs to guess both
> the user name and a password. Given that the sa account is fixed, the
> hacker only needs to guess a password. Then, on top of that, for years,
> the default password for the sa account was an empty string. So hackers
> knew the login name and knew the password for lots of SQL servers without
> having to do anything. It is now a little harder as they try to crack the
> password using a dictionary attack. Put a new SQL server online, and the
> hacks will start within an hour.
>
> I think Microsoft could easily fix this in a service pack if they wanted
> to. They already have the necessary code for tracking unsuccessful logins
> (in Profiler). They don't need to tie it in to group policy, etc. to fix
> this in SQL 2000 - after x unsuccessful tries, block out y for z time and
> allow the sa account to be renamed. Using another port doesn't help much -
> the hackers can easily determine the SQL port.
>
> Sure, the SQL 2005 way is the best way to do it (tied in to the OS), but
> any way you do it is better than the SQL 2000 way. Just imagine the amount
> of Internet bandwidth that would then become available for something
> useful <g>.
>
> Russ Stevens
>
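The "after x failed attempts on account y, block for z time" logic the thread discusses, written out as an added example that is not from the thread or from SQL Server; the `LoginThrottle` class, its default thresholds and the injectable clock are my assumptions. It tracks failures per account inside a sliding window, holds the account for the lockout period once the threshold is hit, and refuses to evaluate the password at all while locked, so an automated guesser gets no signal from a locked account.

```python
"""Per-account failed-login throttle (added illustration, not SQL Server code).

x = max_failures within `window` seconds, y = the account, z = lockout seconds.
"""
import time
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, max_failures=5, window=60.0, lockout=300.0,
                 clock=time.monotonic):
        self.max_failures = max_failures      # x: failures that trigger lockout
        self.window = window                  # only failures this recent count
        self.lockout = lockout                # z: seconds the account stays held
        self.clock = clock                    # injectable for deterministic tests
        self._failures = defaultdict(deque)   # account -> recent failure times
        self._locked_until = {}               # account -> time lockout expires

    def seconds_locked(self, account):
        """Remaining lockout for `account`; 0.0 when not locked."""
        until = self._locked_until.get(account)
        if until is None:
            return 0.0
        remaining = until - self.clock()
        if remaining <= 0:
            del self._locked_until[account]   # lockout has expired, forget it
            return 0.0
        return remaining

    def record_failure(self, account):
        """Note one bad password; return True if this failure locked the account."""
        now = self.clock()
        recent = self._failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                  # drop failures outside the window
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            recent.clear()
            return True
        return False

    def attempt(self, account, password_ok):
        """Gate one login; returns 'locked', 'ok' or 'denied'."""
        if self.seconds_locked(account) > 0:
            return "locked"                   # password is not even checked
        if password_ok:
            self._failures.pop(account, None) # success resets the failure count
            return "ok"
        self.record_failure(account)
        return "denied"
```

A locked account answers "locked" to correct and incorrect passwords alike, which is what makes the guessing loop unproductive; the constant-delay variant Hal mentions would instead sleep before every "denied" response.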