Need to restrict access to an SQL login by NT user or workstation or IP address...?

  • This is one of those "Well that sucks..." situations.

    Vendor software has a hard coded login that uses SQL auth instead of Windows. This login has view all rights for their entire system.

    I need to find some way to lock this down a bit more, I can't change the password and the password is default like... "password" bad 🙂

    I was thinking along these lines:

- Can I monitor the machine the connection is coming from and/or the IP range?

- Can our network people set up some firewall restrictions along those lines as well?

    We only have 10 users of this system and they are all in the same office (accounting system).

    So on the SQL Server side I was thinking I could monitor for logins perhaps by machine name or something and kill any connections that aren't coming from those 10 machines?

If I could also see the Windows user who was requesting the login (but I don't see how since it is an SQL login).

    From the network side: same setup basically-

    Restrict by machine name and IP address or something. So only those 10 users can even connect to the server (it is a standalone server that this vendor database is on)

    Restrict all connections to the server to be within a set area (only the accounting department, no one from the rest of the organization).

    Thoughts on how I can mitigate this risk?
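An added example (not from any poster in this thread) of the "monitor first" half of the question: the T-SQL below lists every current session for the vendor's SQL login with the workstation name, application name and source IP, collapses them into the distinct triples you would put on an allow-list, and generates KILL statements for sessions of that login that are not coming from the accounting office's IP range. The login name `vendor_app` and the range `10.1.20.0/24` are placeholders; it assumes SQL Server 2005 or later for the DMVs.

```sql
-- Added example, not from the thread. Placeholders: login [vendor_app],
-- accounting office range 10.1.20.0/24. Needs VIEW SERVER STATE.

-- 1. Who is connected as the vendor login right now, and from where?
SELECT  s.session_id,
        s.login_name,
        s.host_name,           -- workstation ID sent by the client (client-supplied)
        s.program_name,        -- "Application Name" from the connection string (client-supplied)
        c.client_net_address,  -- taken from the TCP connection itself
        s.login_time,
        s.last_request_end_time
FROM    sys.dm_exec_sessions    AS s
JOIN    sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE   s.login_name = N'vendor_app'
ORDER BY s.login_time;

-- 2. Same data reduced to distinct (host, program, IP) triples. Run this a few
--    times over a week, union the results, and that is your allow-list.
SELECT DISTINCT s.host_name, s.program_name, c.client_net_address
FROM   sys.dm_exec_sessions    AS s
JOIN   sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE  s.login_name = N'vendor_app';

-- 3. Generate KILL statements for vendor-login sessions that are NOT coming
--    from the accounting range. Review the output before running it.
SELECT 'KILL ' + CAST(s.session_id AS varchar(10)) + ';  -- from ' + c.client_net_address
FROM   sys.dm_exec_sessions    AS s
JOIN   sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE  s.login_name = N'vendor_app'
  AND  c.client_net_address NOT LIKE '10.1.20.%';
```

Note which columns you are trusting: `host_name` and `program_name` are whatever the client put in its connection string, so they are useful for inventory and for catching accidents, while `client_net_address` comes from the network connection and is the value a firewall rule can also enforce. Local connections over shared memory show `<local machine>` rather than an IP.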

"hard coded with weak password ... " sounds familiar :sick:

    Most of the time, the installers just don't know it is stored in an ini-file or a reg.key.

    Search "program files" and the registry and I'm pretty sure you'll find it.

    You could create a login trigger ( need sql2005 sp2 ) and only accept that userid from certain workstations.

    Johan

    Learn to play, play to learn !

Don't drive faster than your guardian angel can fly ...
but keeping both feet on the ground won't get you anywhere :w00t:

- How to post Performance Problems
- How to post data/code to get the best help

    - How to prevent a sore throat after hours of presenting ppt

    press F1 for solution, press shift+F1 for urgent solution 😀

    Need a bit of Powershell? How about this

    Who am I ? Sometimes this is me but most of the time this is me

ALZDBA (8/22/2008)

"hard coded with weak password ... " sounds familiar :sick:

    Most of the time, the installers just don't know it is stored in an ini-file or a reg.key.

    Search "program files" and the registry and I'm pretty sure you'll find it.

    You could create a login trigger ( need sql2005 sp2 ) and only accept that userid from certain workstations.

    Yeah, I'm going to do that search and check (maybe I'll get lucky!)

    So maybe look for:

    work station

    app name

    and include a time of day check as well (we sure as heck won't have anyone using it at 2 AM for example, that would be a bad sign right there... and if they ARE going to be working late they can give me a heads up and I'll make an exception for that work station).

  • Johan has a good suggestion, but I'd honestly contact the vendor and complain. In this era of security issues, there's no excuse and you might get the info from them, or even another solution.

    When you say rights to the entire system, do you mean sysadmin? Typically vendors require this because they add logins, but don't really understand they can use security admin (which I don't like), or just have a DBA create the login, which often works. Their application often can pick up the new logins you create, and you can get away with dbo or less rights in their database only.

I like the idea of a DDL trigger. That will help. If you can get the network guys to filter things as well, that might be good. Windows can limit logins from certain machines; don't forget to add yours and the Windows admin as well.

  • Sorry, I wasn't clear.

    Rights to view all data tables for reporting purposes.

    So they can't change anything, but they sure as heck could open up Access or Excel or whatever, connect with user: blah and password: weak_sad_password and then go crazy with sucking out juicy juicy data... (Sprunge to borrow from Futurama)

Maxer (8/22/2008)

    Sorry, I wasn't clear.

    Rights to view all data tables for reporting purposes.

    So they can't change anything, but they sure as heck could open up Access or Excel or whatever, connect with user: blah and password: weak_sad_password and then go crazy with sucking out juicy juicy data... (Sprunge to borrow from Futurama)

    In the connection data there is also a field "application name", maybe extend your ddl trigger filter with the info you get from the application.

(I hope it is not the default '.Net framework...')

As an extra you could temporarily log all connections to an inventory table and adjust your ddl trigger later on.

An example can be found at http://sqljunkies.com/WebLog/ktegels/archive/2006/11/09/25306.aspx

    Johan

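Pulling the suggestions in this thread together (workstation check, application-name check, time-of-day check, and logging to an inventory table first), here is an added example of a logon trigger, written for this page rather than taken from any poster or from the linked article. It assumes SQL Server 2005 SP2 or later, a vendor SQL login named `vendor_app`, an application name starting with `VendorApp`, workstation names `ACCT-WS01`/`ACCT-WS02` and office hours of 06:00 to 20:00; all of those are placeholders to replace with your own values.

```sql
-- Added example, not from the thread. All names and hours are placeholders.
USE master;
GO
-- Allow-list of the accounting workstations.
CREATE TABLE dbo.vendor_login_allowed (
    host_name sysname NOT NULL PRIMARY KEY
);
INSERT dbo.vendor_login_allowed (host_name) VALUES (N'ACCT-WS01');
INSERT dbo.vendor_login_allowed (host_name) VALUES (N'ACCT-WS02');
GO
-- Inventory table: every attempt by the vendor login is written here.
CREATE TABLE dbo.vendor_login_audit (
    logged_at   datetime      NOT NULL DEFAULT GETDATE(),
    login_name  sysname       NOT NULL,
    host_name   sysname       NULL,
    app_name    nvarchar(128) NULL,
    client_ip   nvarchar(48)  NULL,
    denied      bit           NOT NULL
);
GO
CREATE TRIGGER trg_restrict_vendor_login
ON ALL SERVER WITH EXECUTE AS 'sa'
FOR LOGON
AS
BEGIN
    -- Act only on the vendor's SQL login. Every other login returns at once,
    -- so a mistake in the checks below cannot lock administrators out.
    IF ORIGINAL_LOGIN() <> N'vendor_app' RETURN;

    DECLARE @enforce bit, @deny bit, @host sysname,
            @app nvarchar(128), @ip nvarchar(48), @hour int;
    SET @enforce = 0;  -- 0 = audit only; switch to 1 once the allow-list is complete
    SET @deny    = 0;
    SET @host    = HOST_NAME();  -- workstation ID the client sent
    SET @app     = APP_NAME();   -- "Application Name" from the connection string
    SET @ip      = EVENTDATA().value('(/EVENT_INSTANCE/ClientHost)[1]', 'nvarchar(48)');
    SET @hour    = DATEPART(HOUR, GETDATE());

    -- 1. Workstation must be on the allow-list (a NULL host name is denied).
    IF NOT EXISTS (SELECT 1 FROM master.dbo.vendor_login_allowed WHERE host_name = @host)
        SET @deny = 1;
    -- 2. Only the vendor's own executable, not Excel/Access/ad-hoc tools.
    IF @app IS NULL OR @app NOT LIKE N'VendorApp%'
        SET @deny = 1;
    -- 3. Office hours only; a 2 AM connection is denied and stands out in the audit.
    IF @hour < 6 OR @hour >= 20
        SET @deny = 1;

    INSERT master.dbo.vendor_login_audit (login_name, host_name, app_name, client_ip, denied)
    VALUES (ORIGINAL_LOGIN(), @host, @app, @ip, @deny);

    -- ROLLBACK refuses the connection. It also rolls back the audit row above,
    -- so denied attempts show up in the SQL Server error log instead
    -- ("Logon failed for login ... due to trigger execution").
    IF @enforce = 1 AND @deny = 1
        ROLLBACK;
END;
GO
```

Run it with `@enforce = 0` for a week or two, build the allow-list from what lands in `vendor_login_audit`, then flip `@enforce` to 1. If the trigger ever misbehaves, the dedicated administrator connection (`sqlcmd -A` or the `admin:` prefix) is not subject to logon triggers, and `DISABLE TRIGGER trg_restrict_vendor_login ON ALL SERVER;` turns it off. Keep in mind that `HOST_NAME()` and `APP_NAME()` are strings supplied by the client, so this trigger stops accidental and casual misuse rather than a determined user who already has the password; the firewall restriction on the network side and a fix from the vendor remain the stronger controls.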
