Re: Is there any way to prevent hacker trying to guess sa password?
From: Russell Stevens (rustyprogrammer_at_online.nospam)
Date: 10/13/05
- Next message: Mike Epprecht \(SQL MVP\): "Re: Proxy Account"
- Previous message: Rob R. Ainscough: "Re: Is there any way to prevent hacker trying to guess sa password?"
- In reply to: Rob R. Ainscough: "Re: Is there any way to prevent hacker trying to guess sa password?"
- Next in thread: Rob R. Ainscough: "Re: Is there any way to prevent hacker trying to guess sa password?"
- Reply: Rob R. Ainscough: "Re: Is there any way to prevent hacker trying to guess sa password?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 13 Oct 2005 15:37:11 -0400
Rob,
<<What is the migration path like to SQL Server 2005? I've got the betas but have not installed or tested with it.>>
From what I have read (I have also gone to a couple of SQL Server 2005
Intros) you can upgrade directly or install side by side with SQL 2000. Or,
you detach all of your databases, uninstall 2000, do a fresh 2005 install,
then attach all of your databases - of course, you would then need to set up
all of your logins again. The last approach is what I did with the Beta just
to play with some existing apps.
<<How is installation and setup?>>
I just tried one beta - went just fine - there are a lot of issues for users
that have used more than one beta - it is important to uninstall stuff in
the correct order and get matched sets of VS2005. These issues should be na
for the shipping product.
<<Any connection issues with ADO.NET? Do I need to change my connection string?>>
My apps were totally unaffected - same connection string. I tried VB6 apps
and .NET 1.1 Apps - both were fine. Of course if you upgrade a .NET app from
1.1 to 2.0 there are lots of new features in ADO but that is more a VS2005
issue than a SQL server issue.
<<I don't like to use NT authentication because I don't want a hacker gaining access to both SQL server and the OS just in case they were able to guess the password>>
Yes - but you use NT Authentication to do your maintenance, run Enterprise
Manager, etc. That way, you do not need the sa account - give it an
impossible password. If 1433 is open, deleting or renaming the sa account
doesn't do much good (same as an impossible password). The hackers will
still use the bandwidth trying to log in to a non-existent account. i.e. - we
don't mind them trying a couple of times - but 24 hours at 50 times per
second is ridiculous. The number of attempts per second depends on how many
drones are attacking you at once and whether they are coming from a dialup
or another server that has a high speed Internet connection. If you go to
task manager (Win2003) and look at the networking tab and see a straight
baseline of bandwidth that never goes down, then you are probably being
attacked.
I have done some research and called a few vendors - programming firewalls,
etc. The bottom line is that buying SQL 2005 is a whole lot cheaper and more
effective than some of the other alternatives that are being suggested.
SQL server was designed to be open to the Internet (regardless of what
others may tell you). However, some company created an sa account that had
full access. That same company tells you to rename the admin account on your
server for security reasons (hackers then need to guess an account and a
password instead of just a password) but doesn't allow you to rename or
delete the sa account. Then to compound confusion with commotion, that same
company made the default sa password a BLANK. This started an entire hacking
industry of going around and checking port 1433 and trying to log in as sa
with a blank password. That company finally issued a service pack so that an
sa password was required for an install, but by that time, all the hackers
were then also using dictionary attacks to guess the sa password. And other
than forcing you to buy the product all over again, that same company
refuses to fix the problem.
Russ Stevens
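The post relies on eyeballing the Task Manager networking tab to spot a drone hammering port 1433. An added example (not from this thread or from Microsoft) that does the same job from the SQL Server ERRORLOG instead: it parses "Login failed for user" lines, groups them by the [CLIENT: ...] address, and flags any client whose failed-login rate inside a sliding window looks like guessing rather than a mistyped password. The log excerpt is constructed; the window and threshold values are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the ERRORLOG layout SQL Server 2000/2005 use for failed logins:
#   2005-10-13 15:37:11.12 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.9]
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_failed_logins(lines):
    """Return (timestamp, user, client) for every failed-login line; ignore the rest."""
    events = []
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("client")))
    return events

def find_guessing_clients(events, window=timedelta(seconds=10), threshold=20):
    """Map client -> peak failures seen inside any `window`, for clients at or
    above `threshold`. Two typos from an admin never trip this; a drone does.
    (window and threshold are assumed starting points, not recommended values.)"""
    by_client = defaultdict(list)
    for ts, _user, client in events:
        by_client[client].append(ts)
    flagged = {}
    for client, times in by_client.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client] = peak
    return flagged

# Constructed sample: one admin typo, then a drone trying 'sa' at ~50 attempts/second,
# the rate the post describes, from an RFC 5737 documentation address.
SAMPLE_LOG = ["2005-10-13 15:37:11.12 Logon       Login failed for user 'rstevens'. [CLIENT: 10.0.0.7]"]
SAMPLE_LOG += [
    f"2005-10-13 15:40:{s:02d}.{i:02d} Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.9]"
    for s in range(3) for i in range(50)
]

def report(lines=SAMPLE_LOG):
    """Run the detector over a log; returns {client: peak_failures_in_window}."""
    return find_guessing_clients(parse_failed_logins(lines))
```

On a real server, feed it the ERRORLOG file line by line (failed logins are only written when login auditing is enabled in the server properties), and act on flagged clients at the firewall rather than on the sa account itself.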