Can't See The Forest For the Logins

  • Comments posted to this topic are about the item Can't See The Forest For the Logins

  • Bit tricky question. Overlooked word "hardened".

    Now if the correct answer is "Login is not created" then the second correct answer "If the login is created the password policy will be ignored" will be exactly contradictory. If the login is not created why do we worry about the password policy? And the question is "Does the login get created successfully?" Confusing.

    Looks like something is missing. Out of 22 only 1 got it correct that too I guess Andy 🙂

    Anyway thanks Andy for the question.

    ---------------------------------------------------
    "There are only 10 types of people in the world:
    Those who understand binary, and those who don't."

  • A tricky one ... But still most of the people got at least one right ...

  • Why would you point users to the master database = only administrators should be able to access that database.

  • I don't agree on the "correct answer". According to me the only correct combination of options can be option 1 and 2.

    Nowhere has it been said that the AdventureWorks2012 database doesn't exist (or that it exists either). But the option "master will be used...if...doesn't exist" even hints at the fact that the database exists, but if it would not...

    This is in line with

    Now if the correct answer is "Login is not created" then the second correct answer "If the login is created the password policy will be ignored" will be exactly contradictory.


  • I read the word "hardened" and still got it wrong, probably because "hardened" is such a nebulous term--I had no idea what it meant with relation to SQL server. (Is there actually any reason why you COULDN'T include a sample database like AdventureWorks on a "hardened" server? I don't see that it increases the attack surface notably).

  • Very good one, Andy, thank you for the post.

    (glad to be part of that 5%...)

    ww; Raghu
    --
    The first and the hardest SQL statement I have written - "select * from customers" - and I was happy and felt smart.

  • Paul, I'd argue it does increase the attack surface. Not a lot, but why do it at all? Most auditors flag it right away as 'extra'. Not just for code surface, but having sample code/sandbox in a secure environment.

  • Paul, I do agree hardened is nebulous at the detail level, I was just hoping to get you thinking about a production/secure environment and general steps you would take.

  • Free, agree the answers are contradictory...yet correct! I probably pushed the boundaries of fairness there.

  • Lyn, I've always pointed them there because I want to force the devs to put the catalog in the connection string. The minor gotcha with setting the default is when you restore/reattach it could end up with a different dbid and that leads to five minutes of chaos since the default db is now wrong. If we ever get to full containment maybe the issue goes away? I'd like to see connections rejected that don't specify the catalog and just kill the idea of a default (just my take!).

  • Andy Warren (3/28/2014):

    Free, agree the answers are contradictory...yet correct! I probably pushed the boundaries of fairness there.

    Yeah probably just a bit. But based on the question criteria it could be acceptable.:-D

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • It looks that it was not simple after all. Thanks for the challenge, Andy!

  • Only 7% have the right answer. For me, it was the "hardened" word. I didn't know what was meant by that.

    On the server I tried this on, the login was created and it doesn't follow the password policy.

    I've got the AdventureWorks2012 database on this server so it was set as the default database.

    Confusing question.

    I guess this is another one of the QOTD where you have to very carefully read and reread the question.
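    As an added illustration (not part of the thread, Andy's question, or any poster's code), here is a T-SQL script that creates a login the way the last post describes it ending up, with AdventureWorks2012 as the default database and the password policy not enforced, and then runs the two audit checks a DBA would want on a hardened instance: logins whose password policy is switched off, and logins whose default database is missing or points at master (the practice debated in Andy's reply to Lyn). The login name and password are constructed placeholders.

```sql
-- Constructed example: login name and password are placeholders, not from the thread.
-- 1. A login created the way the question's scenario describes: default database
--    AdventureWorks2012 and password policy checks disabled. CREATE LOGIN fails
--    when the named default database does not exist on the instance, which is the
--    "login is not created" outcome discussed above.
CREATE LOGIN qotd_demo
    WITH PASSWORD = 'Pl@ceholderPassw0rd!',
         DEFAULT_DATABASE = AdventureWorks2012,
         CHECK_POLICY = OFF,
         CHECK_EXPIRATION = OFF;
GO

-- 2. Audit: SQL logins whose password policy is not enforced.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0
  AND name NOT LIKE '##%';   -- skip the instance's internal ## logins
GO

-- 3. Audit: logins whose default database is no longer present on the instance
--    (for example after a restore or reattach under a different name), plus
--    logins defaulting to master so they can be reviewed against site policy.
SELECT p.name, p.type_desc, p.default_database_name,
       CASE WHEN d.name IS NULL THEN 'missing' ELSE 'present' END AS default_db_status
FROM sys.server_principals AS p
LEFT JOIN sys.databases AS d ON d.name = p.default_database_name
WHERE p.type IN ('S', 'U', 'G')          -- SQL logins, Windows users, Windows groups
  AND (d.name IS NULL OR p.default_database_name = 'master')
  AND p.name NOT LIKE '##%';
GO

-- 4. Remediation for a login flagged in step 2. Turning the policy back on does
--    not re-validate the password already stored, so rotate it as well.
ALTER LOGIN qotd_demo WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
GO
```

Run the two SELECTs on their own to audit an instance without creating the demo login; a login that appears in both result sets is exactly the combination the question was probing.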
