October 22, 2002 at 12:00 am
Comments posted to this topic are about the content posted at http://www.sqlservercentral.com/columnists/sjones/whysecurethedatabase.asp
November 4, 2002 at 2:58 am
It just goes to show that the biggest security risk isn't some spotty onanite in a bedroom, it's your own staff or recent ex-staff.
This harks back to the Windows Authentication article earlier this year. If Jim could only access the network via his logon it would be a good line of defence.
One of the IT Newspapers over in the UK has a character called BOFH (B***d operator from hell) and his response would be to log all attempts to access the network via an ex-employee's logon and forward those logs to the legal department.
It does beg the question, shouldn't all the necessary people have been told of Jim's departure?
November 4, 2002 at 4:37 am
Great Article Steve and quite probably happens more than we realise...!
Aside from SQLServerCentral.com a good source of security information is http://www.sqlsecurity.com.
Clive Strong
November 4, 2002 at 10:52 am
Thanks. I'm sure there are many more holes than this. I just had this occur to me one day when looking at our environment.
Love to hear what others think about their own environments.
Steve Jones
November 4, 2002 at 1:19 pm
I totally agree with this. All logins should be removed or changed when an employee leaves and those responsible for security informed. Log files should track and see if any of these are used later on. Some companies don't like to do this but if you want more protection from disgruntled ex-employees then it must be considered. The statement always seems to be 'I can't remember all those!' or 'What do you mean it's changed again?'
I certainly only give limited rights to a login and delete it as soon as they leave the company.
The only pain is if they hack the system from inside whilst still employed. In a big company this could be lots of time removing and then creating new logins just for starters. Spyware anybody?
Ali
November 4, 2002 at 1:24 pm
Agree this is an issue. Fighting a number of inherited accounts whose passwords haven't changed. #$%$#^#$ developers claim it can't be changed.
Send a password lockout and expiration policy to sqlwish@microsoft.com. Not against SQL accounts, just make them more secure.
Steve Jones
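The two posts above ask for the same two controls: disable or remove a login as soon as the employee leaves and watch the logs for later use of it, and enforce password policy and expiration on SQL logins. The following T-SQL is an added example, not code from the thread or from SQLServerCentral; it assumes SQL Server 2005 or later syntax (ALTER LOGIN, sys.sql_logins, which the 2002 posters did not yet have), and the login names 'jim' and 'legacy_app' are placeholders standing in for the thread's hypothetical ex-employee and an inherited application account. xp_readerrorlog is an undocumented but long-standing procedure whose parameters are (log number, log type, search string 1, search string 2).

```sql
-- Added example (not from the thread): offboarding a SQL Server login and
-- checking whether anyone has tried to use it since.
-- Assumes SQL Server 2005+ syntax; 'jim' and 'legacy_app' are placeholders.

-- 1. Disable the login rather than dropping it straight away: later attempts
--    still fail with an auditable "Login failed" event, and any objects the
--    login owns are not left orphaned before they are reassigned.
ALTER LOGIN [jim] DISABLE;

-- 2. For SQL (non-Windows) logins that cannot be removed yet, such as the
--    inherited accounts whose passwords "can't be changed", enforce the
--    Windows password policy and periodic expiration. CHECK_EXPIRATION
--    requires CHECK_POLICY to be ON.
ALTER LOGIN [legacy_app] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- 3. Review: list SQL logins that are disabled (candidates for eventual
--    removal) or whose passwords never expire (candidates for step 2).
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_disabled = 1 OR is_expiration_checked = 0;

-- 4. Evidence: search the current SQL Server error log (log 0, type 1) for
--    failed attempts by the disabled login. Failed logins only appear here if
--    login auditing is set to record failures (Server Properties > Security).
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed', N'jim';
```

Step 4 is the BOFH suggestion from earlier in the thread in query form: run it on a schedule, and any hit for a login that was disabled at offboarding is worth a ticket to whoever handles leavers, since the credential is evidently still circulating.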
November 4, 2002 at 2:05 pm
If a sales guy can do any of this, he wouldn't be outta'v a job! I agree that the biggest threat is social engineering/hacking. Many people are more gullible than you would think...plus there is the added thing about some employees feeling sorry for someone and giving away information to help them out too!...
I agree that there are security risks... tho I would take Jim out of this equation or at least make Jim a dba of some sort.. how many people do you think actually know SQL?..
-Francisco
November 4, 2002 at 9:21 pm
You are right about removing / disabling logins.
One reason is Project Managers often forget to inform us "lowly network guys" about the people who have quit the Org.
So as a result most of the logins stay as they were. We had one contractor who returned to our company after a year and a half and she called us to delete her emails. She was on some mailing lists and they had filled her Inbox over that period. She called us to ask us if we could do it automatically for her. That's when we realized that we had never been informed that she had gone to work elsewhere for a year and a half.
Abhijit