LessThanDot

Data Management

It's your job to make sure security is not compromised. Part of that job is to make sure installations outside your control have not been left with default passwords set. If the passwords are controlled inside the application, then you have little control other than complaining until you're blue in the face. If the accounts are SQL Authentication logins, then they are in your control and you need to fix them.

Example: I can't tell you what the system is, of course, but I can say it holds highly sensitive data. The group managing the software installed it and got off and running. A week later my network scan of instances picked up a SQL Express edition running on the server where this software was installed. When I logged into the instance, BUILTIN\Admins was enabled. SA at least had a password, even though it took me only 3 guesses to figure it out. What really got me was a user I noticed in the sysadmin server role. I firmly believe this role has only one place, and that is for either the DBA's SQL login or, more securely, an AD group named DBA that is managed that way. The software didn't think so, though, and the odd user was in the sysadmin role. I'm guessing some developer wasn't smart enough to figure out any kind of security model for the software they were writing and, instead of looking like complete idiots by using SA, they created a user and gave it sysadmin. *sigh*

So why is this such a big problem? Here is how I cracked the password to this super user in under 10 seconds. Open Google, type "default password {username}", hit enter.

The first hit I got back was another idiot posting in a forum begging for help. That alone doesn't make them an idiot; posting their DSN-less connection string, password included, in the thread does. When I tried the password from that string against my instance, I was in and dropping objects. Well, I didn't drop anything, but you get the idea.

So please, help everyone out by educating them on how important it is to change default passwords, create solid security models, and create strong passwords.
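The checks the story turns on (who sits in sysadmin, whether BUILTIN\Administrators is still a login, and whether any SQL login still has a blank or obvious password) can be scripted so you are not guessing three times by hand. The T-SQL below is an added example and not code from the post or from Ted; it assumes SQL Server 2005 or later and a login holding CONTROL SERVER (PWDCOMPARE needs that to read password hashes). The candidate default-password list and the `<...>` names in the remediation comments are constructed placeholders.

```sql
-- Added audit script (not from the original post). Assumes SQL Server 2005+
-- and a login with CONTROL SERVER so sys.sql_logins.password_hash is visible.

-- 1. Members of the sysadmin fixed server role. Expect only the DBA login or
--    a DBA AD group; an application user here is a finding.
SELECT  m.name        AS login_name,
        m.type_desc   AS login_type,
        m.is_disabled
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY m.name;

-- 2. Is the local Administrators group still a login? SQL Server 2005 setup
--    creates it in sysadmin by default, so every local admin is a DBA.
SELECT  name, is_disabled
FROM    sys.server_principals
WHERE   name = N'BUILTIN\Administrators';

-- 3. SQL Authentication logins whose password is blank, equal to the login
--    name, or on a short constructed list of obvious defaults.
--    PWDCOMPARE(clear_text, hash) returns 1 when the candidate matches.
DECLARE @candidates TABLE (pwd nvarchar(128) NOT NULL);
INSERT INTO @candidates (pwd)
SELECT N''          UNION ALL   -- blank (the Slammer-era classic)
SELECT N'sa'        UNION ALL
SELECT N'password'  UNION ALL
SELECT N'Password1';            -- constructed sample list; extend with vendor defaults you know of

SELECT  l.name,
        CASE WHEN PWDCOMPARE(N'', l.password_hash) = 1     THEN 'blank'
             WHEN PWDCOMPARE(l.name, l.password_hash) = 1  THEN 'same as login name'
             ELSE 'matches default list' END AS weakness,
        l.is_policy_checked,
        l.is_expiration_checked,
        l.is_disabled
FROM    sys.sql_logins AS l
WHERE   PWDCOMPARE(N'', l.password_hash) = 1
   OR   PWDCOMPARE(l.name, l.password_hash) = 1
   OR   EXISTS (SELECT 1 FROM @candidates AS c
                WHERE PWDCOMPARE(c.pwd, l.password_hash) = 1)
ORDER BY l.name;

-- 4. Enabled SQL logins that skip Windows password policy enforcement, which
--    is how a vendor-created login keeps a weak password indefinitely.
SELECT  name, is_policy_checked, is_expiration_checked
FROM    sys.sql_logins
WHERE   is_disabled = 0
  AND   is_policy_checked = 0
ORDER BY name;

-- Remediation examples. Run deliberately, one at a time, after confirming the
-- application does not depend on the privilege you are removing.
-- ALTER LOGIN [sa] WITH PASSWORD = N'<strong-random-password>', CHECK_POLICY = ON;
-- ALTER LOGIN [sa] DISABLE;                                -- once nothing uses it
-- EXEC sp_dropsrvrolemember N'<AppUser>', N'sysadmin';      -- 2005/2008 syntax
-- DROP LOGIN [BUILTIN\Administrators];                     -- after a DBA login/group holds sysadmin
```

Queries 1 and 2 need only VIEW ANY DEFINITION; query 3 returns no rows (rather than an error) for a caller without CONTROL SERVER because the hash column reads as NULL, so check the executing login's permissions before trusting an empty result.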

BTW, this is not made up. At some point in all of our careers it will happen. It's almost as sure a thing as truncating your first table by accident or deleting something that probably was important ;)

About the Author

Ted Krueger is a SQL Server MVP and has been working in development and database administration for 13+ years. His specialties range from High Availability and Disaster / Recovery setup and testing methods down to custom assembly development for SQL Server Reporting Services. Ted blogs and is also one of the founders of the LessThanDot.com technology community. His articles focus on Backup / Recovery, Security, SSIS, and using all of the SQL Server features available to create stable and scalable database services. @onpnt

4 comments

Comment from: SQLDenis [Member]
Password? I use sa and a blank password.....I guess people learned their lesson after the Slammer worm

The sad thing is that there is a ton of software out there that requires the sa login for it to work
04/23/09 @ 12:44

Comment from: SQLDenis [Member]
sqlping is also very nice to use to 'guess' the password when you use a dictionary attack
04/23/09 @ 12:48

Comment from: Ted Krueger (onpnt) [Member]
Yup, and the regular scan tells you about blanks

(SA)**** Server present with blank SA password! ****
04/23/09 @ 12:54

Comment from: ca8msm [Member]
Our server team have just rejected two different system installations (after they had been given the go-ahead at a corporate level) due to their need to run with system admin privileges.
04/24/09 @ 04:48
