December 6, 2021 at 12:00 am
Comments posted to this topic are about the item Getting Beyond Passwords
December 6, 2021 at 7:42 am
This was removed by the editor as SPAM
December 6, 2021 at 12:34 pm
I've just moved on but in my previous position we had a single sign on application into which all our systems were integrated.
Before you could sign on to anything you had to sign on to the single sign on application that would send your mobile a push notification to confirm that you were the person who had just tried to sign on. From that device you could then access those apps that your administrator had assigned to you.
The advantage to that was that apart from your main network login and the MFA gateway you had no passwords to remember. One of the prime requirements for any new tool being brought into the organisation was that it be capable of integrating with the single sign on application.
These days I think the level of risk in relying on just passwords is just too high. The barrier to entry for malicious actors is just too low.
December 6, 2021 at 2:21 pm
"Recently I saw someone suggest MFA for SQL Server. I would hope that we would get not only more complex authentication for the platform, perhaps even two-person authentication. but I'm not holding out hope. I think the integration AD is likely to require more steps than most administrators want to take. For now, I expect that any sort of on-premises SQL Server security is going to remain the same. For cloud databases, I do think that we will see other options as they become available."
We already have MFA authentication for Azure SQL.
For two-person authentication, it would be simply a matter of linking your AD account to another's cell phone - like your boss or the DBA on-call. Jane attempts to log into SQL Server, and then Fred get's an authentication request like "Jane is attempting to login to server XYZ" on his phone?
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
December 6, 2021 at 2:52 pm
I've just moved on but in my previous position we had a single sign on application into which all our systems were integrated.
We have that as well. It remembers for 30 days, but I regularly approve my own logins. Same thing for quite a few other services. I like the one for Azure that pops a number on the screen and I have to pick the right number on my device.
December 6, 2021 at 2:53 pm
We already have MFA authentication for Azure SQL.
For two-person authentication, it would be simply a matter of linking your AD account to another's cell phone - like your boss or the DBA on-call. Jane attempts to log into SQL Server, and then Fred get's an authentication request like "Jane is attempting to login to server XYZ" on his phone?
The Azure SQL one isn't part of SQL Server, though. It's linked into the auth process for Azure. I do wish there were some verify added to on-premises SQL Server for admins.
Not sure about calling someone else, especially in a crisis, but certainly some way to verify the login is the person trying to log in.
December 6, 2021 at 2:58 pm
I had some "fun" last night trying to get into my playstation account with 2FA turned on. Enter username and password, next it tells me it sent a text to my phone. I wait about 10 minutes, then it arrives. I enter the code and it tells me my login token expired. Repeat this process for 30 minutes before I was able to find my backup recovery codes and was able to log in.
It would be nice if we could just standardize on a single MFA application that had both a mobile and a desktop application for it. I know I find it frustrating needing to grab my phone every time I want to log into Outlook. And SOME apps on phones that require MFA are a royal pain in the butt. Open app, enter credentials, switch app to the MFA app, and go back and it is asking you to log in again... which will generate a new token and your MFA code may have expired by then.
I do see a flaw with the "desktop" application though - if your desktop/laptop gets stolen, they now have your MFA application and can potentially access all of your stuff.
MFA is a good thing; don't get me wrong there. It is just implemented poorly in a lot of places that just ends up frustrating the end user.
Another problem that comes up from MFA is application integration. If application A requires MFA to authenticate, and application B is passing a username and password pair to application A for authentication, MFA will prevent application B from talking to application A. That is unless you have a way to bypass MFA, in which case you have a potential weak spot in your system. Git (GitLab, GitHub, etc) get around this by having private keys that need to be decrypted, but this brings back the original problem - those keys are protected with a password without MFA.
I am not against MFA, I think it is actually a good password replacement, I am just against MFA sprawl and no universal method for managing it so I need to have 6 different apps on my phone for handling MFA on different platforms. Passwords on the other hand are nice and standardized enough that 1 password manager can handle passwords for almost any website. The exception being when the website has a password and a security question, but that isn't MFA, that is just 2 passwords which is not that much more secure than 1.
The above is all just my opinion on what you should do.
As with all advice you find on a random internet forum - you shouldn't blindly follow it. Always test on a test server to see if there is negative side effects before making changes to live!
I recommend you NEVER run "random code" you found online on any system you care about UNLESS you understand and can verify the code OR you don't care if the code trashes your system.
December 7, 2021 at 9:48 am
One of my domain passwords expired yesterday so I asked the service desk to reset it for me. I then spent half an hour trying to create a password that met the length, complexity and history requirements. Of course, I got no hints what these requirements were and I gave up after "IJustWantT0LoginSecurely!!!!!1" was deemed insufficiently long or complex. I couldn't say for certain I hadn't used it before though. I'm in the office today and in the end, one of the engineers suggested I changed directly on the DC. Needless to say, this isn't a sustainable solution.
How to post a question to get the most help http://www.sqlservercentral.com/articles/Best+Practices/61537
December 7, 2021 at 9:50 am
This was removed by the editor as SPAM
December 7, 2021 at 2:00 pm
Steve,
When you mentioned "perhaps even two-person authentication" in your editorial, what were you thinking about?
On out production servers, we do have login auditing enabled, and a daily email report of who logged in and when, so keep an eye on it.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
December 7, 2021 at 2:54 pm
Two people authenticate a process. For example, I want to turn auditing off, but I can't do it alone. I ALTER AUDIT SET OFF, but until another admin does this, it doesn't turn off.
December 7, 2021 at 2:58 pm
I had some "fun" last night trying to get into my playstation account with 2FA turned on.
...
I had that happen with SQL Saturday. In setting up new accounts, the delay from the service + a spam check delay caused me a lot of frustration in trying to get auth'd.
There are a lot of solutions, and standardizing would be nice, but I don't see everyone giving up to go with one provider. Personally, what I'd like to do is see a few types of auth's get standard. I like using a different device, but I want to have this work for some time. I think 30 days isn't too bad, which is what our IT standardizes with. I found I could click this with a lot of financial services as well, where they remember your MFA for 30 days.
December 8, 2021 at 10:20 am
May be an eID integration can replace passwords?
If server applications, adds the possibility to use them. Maybe at the AD/SSO point?
In Europe, there is a set of services(eIDAS), provided by the European Commission, to enable the mutual recognition of national electronic identification schemes across borders. Each country has it's on authority(DIGG in Sweden), to exercise supervision over eID publishers.
December 8, 2021 at 1:50 pm
Two people authenticate a process. For example, I want to turn auditing off, but I can't do it alone. I ALTER AUDIT SET OFF, but until another admin does this, it doesn't turn off.
It sounds like you're advocating a functional dependency between database management operations and the change management / DevOps process. So, instead of telling the DBA: "Don't create a new user login unless you first submit a ServiceNow ticket for approval" and then trusting that she will abide by the rule, it's more like the DBA would be blocked from creating the login until a ticket linked to the operation is approved, but then it begs the question of why the DBA would have such elevated permissions in the first place.
Perhaps the DBA would not actually have SYSADMIN membership but would instead attach a T-SQL script to the ticket, and then a DevOps process like Octopus or DbUp would automatically execute it when the approval is cleared. That type of arrangement exists today, but I guess there could be additional functionality baked into SQL Server to better integrate the process.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
December 8, 2021 at 4:36 pm
Not so much dependency with change management, but more that some applications, and some situations, require you ensuring no one person can act too indepedently. I wouldn't want this to go through specific people, but really, as long as any two admins agree, we do this.
Not a lot of stuff requires this, but as we get more regulation, especially around finances, medicine, etc., this becomes valuable to limiting the rouge admin or a silly mistake.
This comes from the idea in military of acknowledging an order or an action. Verify that something took place with two people.
Viewing 15 posts - 1 through 14 (of 14 total)
You must be logged in to reply to this topic. Login to reply