Delay after failed login?

  • Is there a way to increase response time, ie, add a delay, to a failed login in SQL Server?

    I'm using strong passwords, but I'm looking for a way to further discourage dictionary/brute force attacks on my SQL Server.

  • Not that I know of, but on SQL 2005 (which I assume you're using because of the forum this is posted in), you can enforce password policy which includes a lockout after x failed logins.

    Best way is not to use mixed authentication and to rely on the domain to do all the password enforcing, lockout, etc.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • SQL Server only supports what the Windows operating system supports (and this only started in SQL Server 2005). Neither the operating system nor SQL Server supports increased delays in logging in. It is a nice feature, it's something I've used on other security products.

    However, as Gail indicated, you can force account lockout based on the security policy found in Windows. If your SQL Server is part of an Active Directory domain, this is probably set at the domain level. What SQL Server will do is enforce whatever those settings are. If your server is not part of an Active Directory domain, you can set them in the Local Security Policy at the operating system level. This will affect the operating system for sure and in SQL Server any logins for which you set policy enforcement on. Account lockout can be set to kick in after so many failures over a particular period of time. It can also be set to unlock after a certain period of time.

    For instance, according to the Windows Server 2003 Security Guide, the high security configuration is 50 failures in a 15 minute period with a 15 minute unlock. The reason the number 50 is so high is because some applications will try multiple times before telling the user a failure happened. Outlook was notorious for this. It used to try at least 3 times before telling the user the attempt failed. As a result, a user could try 3 times and find out later that the operating system tracked 9 or more failures.

    K. Brian Kelley
    @kbriankelley
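
    As an added example (not code from any of the posters), the T-SQL that turns on Windows policy enforcement for SQL logins, finds logins that still bypass it, and reports their lockout state. The login name and passwords are made up; it assumes SQL Server 2005 or later and that the lockout threshold, observation window and duration have been set in Local Security Policy (or the domain policy).

```sql
-- Constructed example: "app_reader" is a hypothetical SQL login.
-- Lockout thresholds themselves are not set here; they come from the
-- Windows Local Security Policy on a stand-alone server (domain policy otherwise).

-- 1. Create the login with policy checks on, so Windows password complexity,
--    lockout threshold and observation window apply to this SQL login.
CREATE LOGIN [app_reader]
    WITH PASSWORD = 'Use-A-Long-Random-Passphrase-Here!',
         CHECK_POLICY = ON,        -- complexity and lockout enforced via Windows policy
         CHECK_EXPIRATION = ON;    -- also honour the maximum password age

-- 2. Find existing SQL logins created without policy checking and generate
--    the ALTER statements for review (run them after checking the list).
SELECT 'ALTER LOGIN ' + QUOTENAME(name) + ' WITH CHECK_POLICY = ON;' AS fix_statement
FROM sys.sql_logins
WHERE is_policy_checked = 0
  AND name NOT LIKE '##%';         -- skip the internal certificate-based logins

-- 3. Audit lockout state and failure counts. These counters are only
--    maintained for logins that have CHECK_POLICY = ON.
SELECT name,
       LOGINPROPERTY(name, 'IsLocked')         AS is_locked,
       LOGINPROPERTY(name, 'BadPasswordCount') AS bad_password_count,
       LOGINPROPERTY(name, 'BadPasswordTime')  AS last_bad_password_time,
       LOGINPROPERTY(name, 'LockoutTime')      AS lockout_time,
       is_policy_checked,
       is_expiration_checked
FROM sys.sql_logins
ORDER BY bad_password_count DESC;

-- 4. Unlock a login once the failures have been confirmed as legitimate.
--    UNLOCK is only accepted together with a PASSWORD clause.
ALTER LOGIN [app_reader]
    WITH PASSWORD = 'A-New-Long-Random-Passphrase!' UNLOCK;
```

    With the default login auditing setting, each failed login is also written to the SQL Server error log as error 18456, which is where a brute force attempt shows up before the lockout counter does.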

  • Thanks for the helpful replies.

    This is a stand alone server, not part of a domain.

