Re: sa loginname being hacked

From: Rob R. Ainscough (robains_at_pacbell.net)
Date: 10/19/05


Date: Tue, 18 Oct 2005 16:07:59 -0700

Not sure I understand, DoS attack could happen to any door open to the
public port 80 or port 1433 or whatever port is being used. IP Spoofing is
the real issue and you should know that as long as IP spoofing is a reality,
the sheer volume of hackers will persist from now til we finally get off
TCP/IP and onto something truly secure and accountable.

What you're suggesting as a better approach is based purely on Security -- I
don't see how adding a layer in the data chain is going to help performance?
If the layer is added purely for the sake of security, then the flaws in the
design lie elsewhere (and I think we all know where). I don't buy into the
"build another layer" philosophy on any scale.

I have clients with MS Access databases (they come and go and their IPs
change regularly and VPN is not a possibility for my clients). I install a
service on their PC that gathers the MS Access data and communicates with a
SQL Server. I have anonymous web users that communicate with my web app via
a web server which in turn updates the same SQL Server which in turn is
queried by my client's remote PCs to update their MS Access database. Why
should I add another layer (web service) running on a web server? If your
ONLY reason is security, then ask yourself why? My business logic is
removed in my remote PC Windows Service and in the logic used by my web
application -- I have real Windows applications (remote PC) running an
interface to the MS Access data and I have Web Server applications running
an interface to the data. My Windows Service running on remote PCs bridges
the MS Access and SQL Data (two way).

I for one do want additional layers to manage and I don't want the
performance hit either and certainly not in the name of security.

"Joseph Bittman MVP MCSD" <RyanBittman@msn.com> wrote in message
news:ujzVRQC1FHA.2312@TK2MSFTNGP14.phx.gbl...
> October 18, 2005
>
> Sorry, Rob.... I have read over 1600+ pages of MSPress security and I
> have never read anything to back up your claims. A SQL server should not
> be exposed for requests from outside the network. Applications should be
> designed to go through a web server (or web service) and then have the web
> server/service make a request to the SQL DB. Then it should return the
> data to the client. I can't think of one well designed enterprise
> application which would need to have SQL exposed to the outside. Also,
> with requests continually hitting your server, there is a great
> possibility for a DoS attack. Also it takes up a lot of network bandwidth
> which would never be acceptable on an enterprise level. I just can't agree
> with your opinion without further evidence from you to back up your claim.
> Have a great day!
>
> --
> Joseph Bittman
> Microsoft Certified Solution Developer
> Microsoft Most Valuable Professional -- DPM
>
> Web Site: http://71.39.42.23/
> Static IP
> "Rob R. Ainscough" <robains@pacbell.net> wrote in message
> news:uWEy8LC1FHA.2924@TK2MSFTNGP15.phx.gbl...
>> Do you realize how insane it sounds to say "SQL Servers should not be
>> directly accessible from the outside world" -- 'cause when Microsoft first
>> developed SQL Server they said EXACTLY the opposite of what you just
>> said.
>>
>> Come on guys/gals, we need real solutions not "you can't do this and you
>> have to jump thru this hoop".
>>
>> It is getting real frustrating seeing these standard responses -- so why
>> does SQL Server even respond to a port and public IP address? Why build
>> the functionality if one is NEVER supposed to use it to the big scary
>> outside world -- hell may as well just do IPX/SPX.
>>
>> And please no more "and that's just the way it is"
>>
>>
>> "Joseph Bittman MVP MCSD" <RyanBittman@msn.com> wrote in message
>> news:u$AoTIA1FHA.3560@TK2MSFTNGP15.phx.gbl...
>>> October 18, 2005
>>>
>>> lol I didn't set this thread to 'watch' so I lost it....
>>>
>>> How are they being allowed to hit the SQL server with requests? SQL
>>> Servers should not be directly accessible from the outside world, and
>>> should have a web server or some other server in place to receive the
>>> requests first. I would block all traffic going to XXXXXX IP (your SQL
>>> Server's IP) from the outside network, and then implement another router
>>> or somewhere which allows only traffic from XXX IP (your web servers).
>>>
>>> I don't believe you can change the sa account name, as toooooo many
>>> programs rely on it as the 'default' name. Hope this helps!
>>>
>>> --
>>> Joseph Bittman
>>> Microsoft Certified Solution Developer
>>> Microsoft Most Valuable Professional -- DPM
>>>
>>> Web Site: http://71.39.42.23/
>>> Static IP
>>> "Pipo" <Pipo@home.com> wrote in message
>>> news:u7nI%23Bn0FHA.1132@TK2MSFTNGP10.phx.gbl...
>>>> Yes, we did. We know one of their IPs and blocked it...
>>>> But they are using now another IP (IPnumber 9 and 3 different domains
>>>> also!!...:-<)
>>>> It takes a lot of work every time blocking another IP of theirs....
>>>> So the easy thing for us is to just simply(??) change the sa loginname
>>>> into something else.
>>>> But I guess that's not possible??
>>>> We can't change our Domain name or SQL server name also...!!
>>>> Why can't I change the sa loginname???
>>>>
>>>> thanks for the help Joseph
>>>>
>>>> "Joseph Bittman MVP MCSD" <RyanBittman@msn.com> wrote in message
>>>> news:ukgdT5m0FHA.2884@TK2MSFTNGP09.phx.gbl...
>>>>> October 16, 2005
>>>>>
>>>>> Don't you have a router in place between the SQL Server and the
>>>>> outside world? Can't you trace where the packets are coming from and
>>>>> block that IP/Domain name?
>>>>>
>>>>> --
>>>>> Joseph Bittman
>>>>> Microsoft Certified Solution Developer
>>>>> Microsoft Most Valuable Professional -- DPM
>>>>>
>>>>> Web Site: http://71.39.42.23/
>>>>> Static IP
>>>>> "Pipo" <Pipo@home.com> wrote in message
>>>>> news:OAK3n%23l0FHA.560@TK2MSFTNGP12.phx.gbl...
>>>>>> Hi,
>>>>>>
>>>>>> Is there a way to change the sa as loginname?
>>>>>> At work we are getting hacked by 'brute-force', every second we are
>>>>>> being attacked with sa and a password.
>>>>>> It's a matter of time when the password will be hacked, so changing
>>>>>> the password isn't a solution.
>>>>>> If we also can change the sa loginname we will be better off.
>>>>>> Or is there something else we can do to prevent the hackers to get
>>>>>> our sa password?
>>>>>>
>>>>>> Many thanks
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
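
An added example, not part of any post in this thread: a Python sketch of the detection side of the problem Pipo describes, counting failed logins per targeted login name instead of per source IP, so password guessing against sa that rotates addresses still crosses the threshold. The log line layout, the threshold, the window and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layout of a failed-login line in a SQL Server error log.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*?\[CLIENT: (?P<ip>[^\]]+)\]"
)

# Constructed sample: six sa failures spread over three source addresses.
SAMPLE_LOG = """\
2005-10-18 16:07:01.10 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2005-10-18 16:07:02.11 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2005-10-18 16:07:03.12 Logon       Login failed for user 'sa'. [CLIENT: 198.51.100.20]
2005-10-18 16:07:04.13 Logon       Login failed for user 'sa'. [CLIENT: 198.51.100.20]
2005-10-18 16:07:05.14 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.77]
2005-10-18 16:07:06.15 Logon       Login failed for user 'SA'. [CLIENT: 192.0.2.77]
2005-10-18 16:09:00.00 Logon       Login failed for user 'webapp'. [CLIENT: 198.51.100.7]
2005-10-18 16:09:30.00 spid51      Starting up database 'tempdb'.
"""

def parse_failures(text):
    """Yield (timestamp, login, client_ip) for each failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["user"].lower(), m["ip"]

def flag(events, key, threshold, window=timedelta(seconds=60)):
    """Map each key that reaches `threshold` failures inside `window` to its peak count."""
    recent, peaks = defaultdict(deque), {}
    for ev in sorted(events):
        q = recent[key(ev)]
        q.append(ev[0])
        while ev[0] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[key(ev)] = max(peaks.get(key(ev), 0), len(q))
    return peaks

def analyze(text, threshold=5):
    """Compare per-IP and per-login thresholds and list sources for flagged logins."""
    events = list(parse_failures(text))
    by_ip = flag(events, lambda e: e[2], threshold)
    by_login = flag(events, lambda e: e[1], threshold)
    sources = defaultdict(set)
    for _, user, ip in events:
        sources[user].add(ip)
    return by_ip, by_login, {u: sorted(sources[u]) for u in by_login}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample, no single address reaches the threshold, while the sa login does, which is why blocking one address at a time keeps falling behind.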


