When the management of the internal SQL Server account and password, it is easy to think that everything was safe.But it is not.Here, we list some of the SQL Server password is very dangerous to judge.
When the management of the internal SQL Server account and password, it is easy to think that everything was safe.After all, your SQL Server systems are protected inside the firewall, but also the protection of Windows authentication, all users need a password to enter.This sounds very safe, especially when you consider all the time to do so.It in fact, it is not so safe as we think.
Here, we list some of the SQL Server password is very dangerous to judge:
No password testing program
When conducting the test, began to try to crack the code directly would be a big mistake.Whether you are testing locally or via the Internet, I strongly recommend that you get permission, and that an account is locked after the rollback program.Finally, you have to do is to make sure the account is locked, the user can not operate the database, and applications connected to will not work correctly.
Through the Internet, the password is still safe
The hybrid approach implemented by SQL Server, you can easily through a number of analysis software (such as OmniPeek, Ethereal) immediately caught it from the Internet password.Meanwhile, Cain and Abel can be used to capture the password based on TDS.You might think via the network switch to avoid this problem? However, Cain to ARP poison routing can easily break it.In about a minute, this free software can break your switch and see the local network's internal data exchange, to help other software more easily capture passwords.
In fact, the problem did not end there.Some misconception that the use of Windows in the SQL Server Authentication is very safe.However, it is not.The software can also quickly caught from the Internet Windows, Web, e-mail and other related password to gain access to SQL Server.
By using the password policy, we can not test the password
No matter how severe your password policy, but always there are ways to bypass it.There is not such as to configure a server, a Windows extraterritorial host, SQL Server or an unknown number of special tools, they can break the strongest password.These things can take advantage of the weaknesses and your password is your policy becomes invalid code
Also, equally important is that some test results may be that because your password has been very strong, your database is safe, but you do not believe in.Must be tested and to test themselves in, the password is still defective.Although you may think all is well, but in fact you may drop off something.
Since the SQL Server password is not regained, that if I knew he was strong, very safe, why do I have to break him?
In fact, SQL Server password is recoverable.In SQL Server 7 and SQL Server 2000, you can use something like Cain and Abel or the charges NGSSQLCrack this tool to obtain the password hash, and then break through the violence of its attack.These tools allow you to on the SQL Server password SHA reverse engineer the hash table.Although the break can not guarantee results, but it is a weakness of SQL Server.
I checked with MBSA defects SQL Server password and did not find any serious problems
Microsoft Baseline Security Analyzer is a tool for the eradication tool for SQL Server vulnerabilities, but he is not perfect, especially in terms of password cracking.For the deep and Windows SQL Server password cracking, we need to use third-party software, such as free SQLat and SQLninja (can be found in the SQLPing 3) and the Windows password cracking tools, such as ElcomSoft's Proactive Password Auditor and Ophcrack.
In addition, the use of the SQL Server using Windows authentication does not mean that your password is safe.Some people just learn how to crack the Windows password, spend some time, you can crack your password and control the entire network.In particular, if they use the <> Ophcrack's LiveCD to attack a physically insecure Windows hosts, such as laptop computers or easy to reach the server, it will become easier.
You only need to worry about your primary database server
It is easy to focus on their concerns SQL Server systems, but ignores the network may have MSDE, SQL Serve Express, and other possible procedures for SQL Server.These systems may be unsafe to use the default settings, or even no password.SQLPing 3 through the use of such tools to the database server to attack these systems, you will be easily cracked.
Like other things in IT, you will always be some of the details are down.If you can abandon them for judging the risk of SQL Server password, you will improve your SQL Server security.