• muthyala_51 (4/2/2014)


    george sibbald (4/2/2014)


    I am sure you have already thought of it, but change the sa password or disable sa, turn off xp_cmdshell if you don't need it. By having sysadmin rights they would have broken out of SQL into the OS with the rights of the SQL service account, so make sure that has only the rights it needs (i.e. is not in local admins).

    Hi George,

    My security team is questioning why we need to enable "sa". I need a supportive answer to explain to them that we can enable "sa" but with a strong password. Correct me if I am wrong.

    Also our environment is in cloud and we do not have AD domain controller.

    You don't necessarily need the 'SA' account, but if you must leave it enabled, then of course use a strong password. However, a trojan with local admin privileges may be able to log in to SQL Server as sysadmin even without using the 'SA' account.

    https://www.netspi.com/blog/entryid/133/sql-server-local-authorization-bypass

    So you really need to lock down and minimize what accounts can potentially gain access to SQL Server in the event the Windows server is compromised. I wrote a script a few years back you can use to list what domain, MSSQL, and local system accounts can log in as sysadmin, either explicitly or because they inherit from a domain group.

    http://www.sqlservercentral.com/articles/Security/76919/

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
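A read-only T-SQL audit covering the points raised in this thread (sa status, xp_cmdshell, who holds sysadmin, and which account the engine runs as). This is an added example, not the script linked above; it assumes SQL Server 2008 R2 SP1 or later and a login with VIEW SERVER STATE and VIEW ANY DEFINITION.

```sql
-- Added example (not the poster's script): audit the items discussed in the thread.
-- Assumes SQL Server 2008 R2 SP1+ and VIEW SERVER STATE / VIEW ANY DEFINITION.

-- 1. State of the built-in 'sa' login. It keeps principal_id = 1 even when renamed,
--    so filter on the id rather than the name.
SELECT sl.name,
       sl.is_disabled,
       sl.is_policy_checked,       -- Windows password policy enforced?
       sl.is_expiration_checked,
       sp.modify_date              -- last change (e.g. password reset)
FROM sys.sql_logins       AS sl
JOIN sys.server_principals AS sp ON sp.principal_id = sl.principal_id
WHERE sl.principal_id = 1;

-- 2. Is xp_cmdshell enabled? value_in_use = 1 means any sysadmin can shell out
--    to the OS as the SQL Server service account.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 3. Every explicit member of sysadmin: SQL logins, Windows users and Windows groups.
--    A Windows group listed here (e.g. BUILTIN\Administrators) means every member of
--    that group is implicitly sysadmin, which is how a local admin gets in without 'sa'.
SELECT m.name AS member_name,
       m.type_desc,                -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.type_desc, m.name;

-- 4. The identity the engine runs as: anything breaking out via xp_cmdshell inherits it,
--    so it should not be a local administrator.
SELECT servicename, service_account, startup_type_desc
FROM sys.dm_server_services;

-- 5. Remediation, to run only after confirming nothing depends on these:
-- ALTER LOGIN [sa] DISABLE;
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0;           RECONFIGURE;
```

Query 3 only lists direct role membership; nested Windows group membership is resolved by Windows, not SQL Server, so the groups it returns still need to be expanded on the OS side.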