Software Vendor Security

By Steve Jones

Anyone remember a few years ago when we had a small worm that affected SQL Server? I never had a problem with any of the SQL Server instances under my management for one simple reason. I didn't have a blank sa password, which was the default at that time for SQL Server 2000. Plenty of other instances in my company, including thousands of MSDE instances, were affected, as were many instances around the world. Since then Microsoft has tightened security in their products, especially SQL Server. If you want a blank sa password in SQL Server now you need to check the "yes-I'm-really-an-idiot" box in order to bypass the password entry dialog.

However, some other companies haven't learned, or haven't bothered to improve their software. A new worm is attacking manufacturing software from Siemens, and the guidance from the vendor is to "not change the password" because it will break things. I used to test Oracle instances by entering the default "System" and "Manager" accounts to see if they worked. I was always amazed by how many places kept default accounts and passwords in place.

That's incredibly stupid, and unless some CIOs start holding vendors' feet to the fire regarding stupid practices like this, it will continue. A quick search on the Internet will find you lists of default accounts, which exist because they are still in place in so many companies. Default passwords are fine for initial installation, or for hardware resets, but the common practice should be to immediately change them.
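Finding leftover default credentials on a SQL Server instance does not require a third-party tool. The T-SQL below is an added example for this editorial, not code from the article or from Microsoft. It assumes SQL Server 2008 or later (sys.sql_logins and PWDCOMPARE are available), a sysadmin connection for the review, and a constructed candidate list of well-known passwords; the replacement password and the renamed login name are placeholders to be substituted before running.

```sql
-- Audit: list SQL logins whose password is blank, equals the login name,
-- or matches a constructed list of well-known defaults.
-- PWDCOMPARE() compares a clear-text candidate against the stored hash
-- without ever revealing the real password.
DECLARE @Candidates TABLE (pw NVARCHAR(128));
INSERT INTO @Candidates (pw)
VALUES (N''), (N'sa'), (N'password'), (N'Password1');  -- constructed sample list

SELECT l.name,
       l.is_disabled,
       l.is_policy_checked,       -- 0 = Windows password policy not enforced
       l.is_expiration_checked,   -- 0 = password never expires
       CASE
           WHEN PWDCOMPARE(N'', l.password_hash) = 1     THEN 'blank password'
           WHEN PWDCOMPARE(l.name, l.password_hash) = 1  THEN 'password equals login name'
           ELSE 'matches a well-known default'
       END AS finding
FROM sys.sql_logins AS l
WHERE PWDCOMPARE(N'', l.password_hash) = 1
   OR PWDCOMPARE(l.name, l.password_hash) = 1
   OR EXISTS (SELECT 1 FROM @Candidates AS c
              WHERE PWDCOMPARE(c.pw, l.password_hash) = 1)
ORDER BY l.name;

-- Remediation for the built-in sa login, the most common finding:
-- 1. set a generated password and enforce the Windows password policy,
-- 2. disable the login (another sysadmin login must already exist),
-- 3. rename it so the well-known principal name is no longer usable.
ALTER LOGIN sa WITH PASSWORD = N'<replace-with-generated-strong-password>',
                   CHECK_POLICY = ON,
                   CHECK_EXPIRATION = ON;
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [placeholder_renamed_sa];   -- placeholder name
```

Run the SELECT as a read-only review first and treat every row as a finding to fix, then apply the ALTER LOGIN steps only once you have confirmed a separate sysadmin login works, because disabling sa without one locks you out of the instance. The same audit can be scheduled to run periodically, which catches vendor installers that recreate a default login later.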

Mike Walsh wrote a nice blog recently that talked about some things that vendors should do to produce better software running on SQL Server. I also found a nice article this week that talks about how simple some security practices can be, but many businesses don't bother to implement them. Ultimately I think it comes down to each person taking it upon themselves to learn some basic security practices, and then ensuring that they are implemented at your company. Make it a point to educate your management about the risks of default passwords and ensure there is a password management system in place, such as Password Safe or KeePass, inside your company. Ask your CIO or VP to pressure software vendors to comply with best practices for security inside their software.

If we can build secure software ourselves that follows best practices, independent vendors should be able to as well.

Steve Jones
