Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 

Your Password has Failed the Test

By Phil Factor,

When giving advice to, or doing an audit for, a SQL Server shop, I do a whole range of checks, including security checks. There is one that I do to check the password strength of the SQL Server logins, based on this page on MSDN, PWDCOMPARE (Transact-SQL), except that I join to a huge list of all the common passwords that I can find that are known to the hacker community. I expire the password of any account that fails the check. It takes a minute or so, but it is very effective. I hope you have a similar system in place, even if you are already enforcing a windows password policy on SQL Server logins.

Why? Several times in the past, I've found SQL Server Logins with ridiculously weak passwords that have been assigned the SysAdmin role. In one case, it was the same password for that login on all machines in the domain. The test I run tells you what the password is, of course, but there are many ways to do that without leaving any forensic clues.

As a DBA and custodian of data, I'm motivated to be a saint rather than a sinner, of course, but I must admit that I enjoy checking that I indeed have access to all the other SQL Server instances in the domain at SysAdmin level. These privileges would give you control over every SQL Server instance, and if XP_CmdShell was enabled, then you could control the machine. Any determined and well-informed person would be able to make this permanent control. Your data is in the public domain and as a DBA you need to be very familiar with what it is possible for the sinner to do with a handy password, and how easily that sinner can get hold of it.

If you have a SQL Server that is exposed to the internet, even on just a couple of ports, you will probably find, as I have, that your intrusion-detection software will pick up countless probing attempts to log in via id/password. If you have a password that is weak, then the instance is at high risk. If the same password is used on several machines, then an intruder can leapfrog to the other machines, just as can be done from a SQL Injection attack.

If you really don't need SQL Server passwords, as when your instances are within the domain, then don't use them. Use Windows security instead.

Phil Factor

Total article views: 135 | Views in the last 30 days: 1
 
Related Articles
FORUM

How to find the SQL Server Instances running across the given activer directory domain?

How to find the SQL Server Instances running across the given activer directory domain?

SCRIPT

Check Instance Info

Named or default instance, this will check info like Virtual Server Name, Cluster Name , Current own...

FORUM

blocking check instance xxxxx

blocking check instance xxxxx

FORUM

Cross Domain Log Shipping

Cross Domain Log Shipping (2 Domain , 2 Servers)

Tags
 
Contribute

Join the most active online SQL Server Community

SQL knowledge, delivered daily, free:

Email address:  

You make SSC a better place

As a member of SQLServerCentral, you get free access to loads of fresh content: thousands of articles and SQL scripts, a library of free eBooks, a weekly database news roundup, a great Q & A platform… And it’s our huge, buzzing community of SQL Server Professionals that makes it such a success.

Join us!

Steve Jones
Editor, SQLServerCentral.com

Already a member? Jump in:

Email address:   Password:   Remember me: Forgotten your password?
Steve Jones