Finding Passwords
Posted Tuesday, September 08, 2009 9:54 PM
SSChampion
Group: Administrators
Last Login: Yesterday @ 10:25 PM
Points: 23,148, Visits: 6,914
Comments posted to this topic are about the item Finding Passwords
Post #784701
Posted Wednesday, September 09, 2009 5:52 AM
Old Hand
Group: General Forum Members
Last Login: Tuesday, March 02, 2010 12:29 AM
Points: 378, Visits: 43
From the FAQ at http://www.sentrigo.com/passwordizer-faq

Are all user logins affected?
The vulnerability exists only when using mixed authentication in the SQL Server, which is typically used by DBAs, system administrators, developers, and application programmers. If you cannot install the utility, we strongly recommend you use Windows Authentication only, in which case you will not be exposed to the vulnerability.

So TURN OFF MIXED MODE today, and make your server more secure!
Post #784833
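A check a DBA could run before acting on that advice, added here as an example that is not from the thread or from Sentrigo: it reports the instance's current authentication mode, lists the SQL-authenticated logins that mixed mode exposes, and shows the registry flip to Windows-only (all object names are standard SQL Server catalog views and procedures; nothing here is taken from the page).

```sql
-- Added example (not from the thread): inventory what mixed mode exposes
-- before switching the instance to Windows Authentication only.
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
           WHEN 1 THEN 'Windows Authentication only'
           ELSE 'Mixed mode (SQL Server and Windows Authentication)'
       END AS authentication_mode;

-- Every SQL-authenticated login: these are the accounts whose passwords
-- pass through SQL Server's own credential handling rather than Windows'.
-- Each one needs a Windows replacement (or retirement) before the switch.
SELECT name,
       is_disabled,
       is_policy_checked,        -- 0: Windows password policy not enforced
       is_expiration_checked,    -- 0: password never expires
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set
FROM sys.sql_logins
WHERE name NOT LIKE '##%'       -- skip internal certificate-based logins
ORDER BY name;

-- Once no SQL login is still needed, set LoginMode to 1 (Windows-only;
-- 2 is mixed mode). The change takes effect only after the SQL Server
-- service is restarted, so schedule it like any other outage.
EXEC master.dbo.xp_instance_regwrite
     N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer',
     N'LoginMode', REG_DWORD, 1;
```

Run the first two queries on every instance first; an application that still connects with a SQL login will simply stop working after the restart.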
Posted Wednesday, September 09, 2009 6:06 AM
SSC-Enthusiastic
Group: General Forum Members
Last Login: 2 days ago @ 10:38 PM
Points: 106, Visits: 208
As Steve pointed out in his podcast, having plain text passwords for SQL Logins in memory is not a major threat and that too when only sysadmins can see them.

Sysadmins have all the rights on their server already to do any activity and can reset passwords. There are better ways to secure a server than using this utility to mess with a production server's memory contents.


-------------------------------------------------
-Amit
Give a man a fish and he'll ask for a lemon. Teach a man to fish and he won't get paged on weekends !! - desperately trying to fish
Post #784844
Posted Wednesday, September 09, 2009 7:03 AM
SSC Journeyman
Group: General Forum Members
Last Login: Thursday, November 19, 2009 8:54 AM
Points: 76, Visits: 147
Of course an admin is receiving considerable trust anyway. But giving them possession of all other users' passwords is something else again. As you say, they can impersonate the finance officer and get the server upgrade that was rejected last month... it's for the company's good really, isn't it?

I mean, have I got this wrong: I can change your password to what I want it to be. But I can't change it back, or can I? Someone will know I've been fiddling.

My organisation has mixed clients, not all running Windows. We develop in Java. Two ways for Microsoft to be very unhappy with us, so I'm not sure why we even picked their SQL Server. They'd love to say "Sorry - you can only use SQL Server with Windows clients now!" (But our desktop application doesn't get a connection to SQL Server, we're 3-tier. I think we still pay Microsoft for each user, Windows or not...)

If Microsoft starts making umbrellas then it'll be compulsory for new PCs to have an open wire mesh topside. Yeah, laptops too. Sure, they'll dress it up with talk about low-CO2 fanless cooling...
Post #784884
Posted Wednesday, September 09, 2009 7:19 AM
SSC-Enthusiastic
Group: General Forum Members
Last Login: Monday, March 01, 2010 11:50 AM
Points: 176, Visits: 439
Good editorial!!

I fully agree with your comments on this and am wondering if this is not just another way for Sentrigo to get some press and possible clients. Have you downloaded the tool? It asks for a lot of information for a "free" tool.

We seem to be in a better position than most others, as we use a product called SecureSphere from Imperva that acts like a SQL firewall. Works very well and protects from this issue too. (No, this is not a plug for yet another vendor.)

Let's face it, has anyone heard of passwords being stolen via server memory? SQL Injection, yes; server memory, none with my eyes or ears.

Here's a thought for everyone. Maybe Microsoft released this information on purpose to Sentrigo, knowing that it would get out and thus help to push companies off of SQL 2000 / 2005 and move ahead with 2008 / 2008 R2?

Post #784906
Posted Wednesday, September 09, 2009 8:05 AM
SSC-Enthusiastic
Group: General Forum Members
Last Login: Thursday, March 11, 2010 6:14 AM
Points: 115, Visits: 456
If SQL Server cannot do the job, then of course I'd use other programs to do it if needed.

I find these weaknesses and lack of professionalism annoying with the SQL Server team.

Like Steve argues, it might not be the issue to some people, but I believe it's more work to go through the hash than to quickly and easily take a password from memory. Considering some like to call MS SQL the MS SQL OS, things like these are not acceptable.
Post #784983
Posted Wednesday, September 09, 2009 8:27 AM
SSChampion
Group: Administrators
Last Login: Yesterday @ 10:25 PM
Points: 23,148, Visits: 6,914
The bigger worry, for me, is that someone's SQL auth pwd is likely their password elsewhere. Lots of people use the same password at work, for their Windows login, at their bank site, etc.

Post #785012
Posted Wednesday, September 09, 2009 8:30 AM
SSC-Enthusiastic
Group: General Forum Members
Last Login: Monday, March 01, 2010 11:50 AM
Points: 176, Visits: 439
If people are using 1 password for many things then part of the issue is end user training. No patch or free app will fix that.


Post #785016
Posted Wednesday, September 09, 2009 9:15 AM
SSC Journeyman
Group: General Forum Members
Last Login: Yesterday @ 3:35 PM
Points: 95, Visits: 688
rja.carnegie (9/9/2009)
I mean, have I got this wrong: I can change your password to what I want it to be. But I can't change it back, or can I? Someone will know I've been fiddling.

I'm pretty sure it is possible. If the server is configured to prevent direct updates to the system tables (hopefully it is) it is a bit trickier, but I believe it IS possible.

Andrew
Post #785081
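A detection-side complement to this exchange, added here as an example that is not from the thread: a SQL Server Audit that records every login password reset or change together with who made it, plus the query to review the log, so that "someone will know" is a rule rather than a hope. It assumes SQL Server 2008 or later (server audit support); the audit object names and the file path are placeholders of mine.

```sql
-- Added example (not from the thread): record password changes and resets
-- on logins, including those performed by sysadmins.
USE master;
GO
CREATE SERVER AUDIT LoginChangeAudit
    TO FILE (FILEPATH = N'C:\SqlAudit\')    -- placeholder path
    WITH (ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION LoginChangeAuditSpec
    FOR SERVER AUDIT LoginChangeAudit
    ADD (LOGIN_CHANGE_PASSWORD_GROUP),      -- ALTER LOGIN ... WITH PASSWORD, sp_password
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),    -- create / alter / drop of logins
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)   -- changes to sysadmin and other server roles
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT LoginChangeAudit WITH (STATE = ON);
GO

-- Review: who changed whose password, and when. Two resets of the same
-- target login within a few minutes by a different principal is exactly
-- the "change it and change it back" pattern discussed above.
SELECT event_time,
       action_id,                    -- 'PW*' action ids are the password events
       succeeded,
       server_principal_name,        -- who ran the statement
       target_server_principal_name  -- whose login was affected
FROM sys.fn_get_audit_file(N'C:\SqlAudit\*', DEFAULT, DEFAULT)
WHERE action_id LIKE 'PW%'
ORDER BY target_server_principal_name, event_time DESC;
```

Keep the audit files on a share the instance's sysadmins cannot modify; an audit that its subjects can truncate records only their good days.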
Posted Wednesday, September 09, 2009 9:31 AM
SSC Rookie
Group: General Forum Members
Last Login: 2 days ago @ 9:40 AM
Points: 26, Visits: 110
The issue is not so much the specific vulnerability as the fact that some developer at Microsoft didn't think it was a problem to store passwords in memory as plaintext. While Microsoft is getting better, their culture of pursuing marketable features over boring but necessary security is bound to cause them (and us) grief for years to come.
Post #785096