MS SQL Server 7.0 and earlier may be configured to run with Mixed Mode Authentication. The sa (system administrator) account is created during the installation process, and this account has full rights to the SQL environment. Users must manually configure a strong password for the 'sa' account, and most do not. This leaves the server open to an attack that can lead to a full system compromise. The guidelines below were posted by Microsoft in regard to this vulnerability.
Credit:
The information has been provided by Microsoft Security Response Center.
Tool:
A special tool has been created to test for this vulnerability:
LinSQL - MS-SQL Server checkup tool
Following the practices below negates the impact of the blank sa password vulnerability:
1) Microsoft recommends running SQL Servers with Integrated Authentication (utilizing NT credentials) rather than Mixed Mode Authentication. To determine which mode your SQL Server is using, open SQL Enterprise Manager, select Server Properties for the server in question, and review the information on the Security tab. Details about running in Integrated Mode can be found in the following white paper:
http://www.microsoft.com/technet/SQL/Technote/secure.asp
2) If you must run in Mixed Mode, assign a complex password to the sa account. Passwords should be selected and managed in accordance with your company's password composition and maintenance policy. Blank passwords may be changed from the SQL query window with the following syntax:
exec sp_password null, 'complexpwd', sa
(NOTE: Change complexpwd to a good password, containing alphabetic, numeric, and lower case/upper case characters)
3) Block inbound traffic to the SQL port (tcp 1433) at your Internet connected border devices (routers/firewalls). Best practices dictate that all traffic should be blocked at your Internet connected border devices and that only protocols that support your security policy be allowed through. NOTE: tcp 1433 is the default port for SQL communication; however, this value may be modified by the SQL Server administrator. If the SQL port cannot be blocked on the border devices, utilize IPSec filters (Win2K) or Advanced IP Security filters (NT4) to block connections, originating from the Internet, destined for the SQL Server.
SQL Server 2000 uses Integrated Authentication by default. Users requiring Mixed Mode authentication are prompted to supply a non-blank sa password during the installation process.
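The following T-SQL is an added example, not part of the Microsoft guidelines above, that carries out steps 1 and 2 as an audit-then-remediate script: it reports the authentication mode, checks whether the sa login currently has an empty password, and then sets a new one. It assumes the SQL Server 7.0/2000 catalog and procedures (master..sysxlogins, xp_loginconfig, PWDCOMPARE, sp_password); the SERVERPROPERTY and sys.sql_logins variants shown for later versions, and the placeholder password, are assumptions not taken from the page.

```sql
-- Added example (not from the advisory): audit and remediate a blank sa password.
-- Run as a sysadmin from the SQL query window.

-- Step 1: which authentication mode is in force?
-- 'Mixed' means SQL logins such as sa are accepted; 'Windows NT Authentication' is Integrated Mode.
EXEC master..xp_loginconfig 'login mode';
-- SQL Server 2000 and later: 1 = Windows (Integrated) authentication only, 0 = Mixed Mode
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS integrated_only;

-- Step 2a: does sa currently have an empty password?
-- PWDCOMPARE returns 1 when the clear-text candidate matches the stored hash.
-- SQL Server 7.0 / 2000 catalog:
SELECT name,
       CASE WHEN PWDCOMPARE('', password) = 1 THEN 'BLANK' ELSE 'set' END AS sa_password_state
FROM master..sysxlogins
WHERE name = 'sa';

-- Same check on SQL Server 2005 and later (assumed equivalent, catalog view instead of sysxlogins):
-- SELECT name FROM sys.sql_logins WHERE PWDCOMPARE('', password_hash) = 1;

-- Step 2b: replace the blank password (old password = NULL) with a strong one.
-- 'Replace-With-A-Strong-Passphrase-1' is a placeholder; choose one under your password policy.
EXEC sp_password NULL, 'Replace-With-A-Strong-Passphrase-1', 'sa';

-- Step 2c: confirm the change took effect (expect 'set').
SELECT CASE WHEN PWDCOMPARE('', password) = 1 THEN 'BLANK' ELSE 'set' END AS sa_password_state
FROM master..sysxlogins
WHERE name = 'sa';
```

The PWDCOMPARE query is the useful part for an audit: run against the whole sysxlogins table instead of filtering on 'sa', it lists every SQL login that still has an empty password, which is what the LinSQL check above tests from the network side. On SQL Server 2005 and later, sp_password is deprecated in favour of ALTER LOGIN sa WITH PASSWORD = '...'.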