Is the sa account out of fashion?

  • feersum_endjinn (12/18/2015)


    Ed Wagner (12/18/2015)


    but very scary how easy it was to hack the password. It didn't take long at all to crack and computing power certainly isn't going down.

    Just out of interest how long did it take and how long/complex were the passwords. I use LastPass to generate passwords (as I use it for personal use) and this is an example password I'd use for "sa" - [font="Courier New"]BD@g@!fw&t652S6[/font]

    The demo you mentioned isn't available to view online is it? 🙂

    It was letters, numbers and symbols. I want to say it was about 16 characters long, but I don't remember the exact password he used. It was under a minute to break it.

    I saw it at a SQL Saturday in Kalamazoo, MI, but the chapter is now closed. :angry: I found the presentation available for download from SQL Saturday 299 (Columbus) at http://www.sqlsaturday.com/299/Sessions/BuildSchedule.aspx. The real impact came from the demos, though.

    Edit: The title of the presentation is "Hacking SQL Server - A Peek into the Dark Side"

  • feersum_endjinn (12/18/2015)


    So to clarify - advise is to disable built-in "sa" account, setup a replacement for it, call it something not so obvious. I take it that this is done by creating new SQL login (with complex password) and adding it to sysadmin group?

    Yes, but make sure nothing is using the sa account before you disable it. If developers are using it to connect, their applications will break. If they are using it, it's a situation that really needs to be fixed.

  • Eric M Russell (12/18/2015)


    Renaming the real 'SA' account, and then creating a new (so called) 'SA' account with least privilege can be useful in those situations where developers and 3rd party tools think they need it. 😉

    Nice! I'd be interested to see what kind of internet searches those folks ran for the first few hours after you hand over the credentials and they try using it 😛

    There are no special teachers of virtue, because virtue is taught by the whole community.
    --Plato

  • Ed Wagner (12/18/2015)


    feersum_endjinn (12/18/2015)


    So to clarify - advise is to disable built-in "sa" account, setup a replacement for it, call it something not so obvious. I take it that this is done by creating new SQL login (with complex password) and adding it to sysadmin group?

    Yes, but make sure nothing is using the sa account before you disable it. If developers are using it to connect, their applications will break. If they are using it, it's a situation that really needs to be fixed.

    Heh... so no confidence in the BSOFH thing and just changing it instead of busting a hump to figure out everywhere it might be used? The emails you get about failures will contain a pretty clear list of what's using it. :-P:-D

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • Orlando Colamatteo (12/18/2015)


    Eric M Russell (12/18/2015)


    Renaming the real 'SA' account, and then creating a new (so called) 'SA' account with least privilege can be useful in those situations where developers and 3rd party tools think they need it. 😉

    Nice! I'd be interested to see what kind of internet searches those folks ran for the first few hours after you hand over the credentials and they try using it 😛

    Well, at least it wont be a search about how to restore a deleted table.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell (12/18/2015)


    Orlando Colamatteo (12/18/2015)


    Eric M Russell (12/18/2015)


    Renaming the real 'SA' account, and then creating a new (so called) 'SA' account with least privilege can be useful in those situations where developers and 3rd party tools think they need it. 😉

    Nice! I'd be interested to see what kind of internet searches those folks ran for the first few hours after you hand over the credentials and they try using it 😛

    Well, at least it wont be a search about how to restore a deleted table.

    That's definitely a neat idea. Effectively, changing it into a honeypot login would be a neat way to find out what's using it. Instead of waiting for people to respond to inquiries they're just going to argue about anyway, they'll want to send you all the information you ask for. Interesting twist.

  • Ed Wagner (12/19/2015)


    Eric M Russell (12/18/2015)


    Orlando Colamatteo (12/18/2015)


    Eric M Russell (12/18/2015)


    Renaming the real 'SA' account, and then creating a new (so called) 'SA' account with least privilege can be useful in those situations where developers and 3rd party tools think they need it. 😉

    Nice! I'd be interested to see what kind of internet searches those folks ran for the first few hours after you hand over the credentials and they try using it 😛

    Well, at least it wont be a search about how to restore a deleted table.

    That's definitely a neat idea. Effectively, changing it into a honeypot login would be a neat way to find out what's using it. Instead of waiting for people to respond to inquiries they're just going to argue about anyway, they'll want to send you all the information you ask for. Interesting twist.

    Yeah, if someone wants to have Full Control Over The Database Server, then let them specifically ask for that and then get approval from executive management. If someone simply requests 'SA' access, then I'll interpret that however I choose depending on their role. Most users outside the DBA group who request 'SA' access on a database server don't even know what SYSADMIN privilege means. All they know (or think they know) is that it's some special account that will let them do anything they need going forward without having to go back to the DBA for additional requests. However, often times all they will ever need is to select from any table in a specific database, and if you analyze the problem close enough upfront, it's actually only a much smaller subset of those tables. As a DBA, I'd rather deliberately give someone less than what they asked for at the risk of having them complain, rather than giving them more access than what they really need and risk having them destroy or breach the data.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

Viewing 7 posts - 16 through 21 (of 21 total)

You must be logged in to reply to this topic. Login to reply