Searching for sa and XP_Cmdshell

  • Is there a way to scan your network for sa passwords which are blank or default sa and / or XP_Cmdshell turned on? I just want to see what on our network has been left unsecured. I have used SQLPing; unless I am using it wrong I believe you can't use this for this ... however it has provided me with a list of servers on my network and which are on default 1433. As we have many servers I don't want to do this manually.

    Thanks in Advance

  • If you have a list of servers, I believe the Microsoft Baseline Security Analyzer will help

    http://technet.microsoft.com/en-us/security/cc184924.aspx

  • MBSA will scan for the following when it comes to passwords!

    Local Account Passwords Check

    Description

    This check identifies any blank or simple passwords for each local user account on the computer. This check is not performed on domain controllers.

    Microsoft® Windows® Server 2008, Microsoft® Windows® Server 2003, Windows Vista, Windows XP, and Windows 2000 operating systems all require user authentication through passwords. In general, users are permitted to choose their own passwords. The security of their account depends on the choice of the password. This check enumerates all user accounts and checks for the following password conditions:

    • Password is blank.

    • Password is the same as the user account name.

    • Password is the same as the computer name.

    • Password uses the word "password."

    • Password uses the word "admin" or "administrator."

    This check also notifies you of any accounts that have been disabled or are currently locked out.

    For Windows XP computers that use simple file sharing (includes Windows XP Home Edition and Windows XP Professional computers not joined to a domain), MBSA will not flag local accounts with blank passwords. To help protect users who do not password-protect their accounts, Windows XP Professional accounts without passwords can only be used to log on at the physical computer console. By default, accounts with blank passwords can no longer be used to log on to the computer remotely over the network, or for any other logon activity except at the main physical console logon screen.

    Notes

    • Microsoft Baseline Security Analyzer does not attempt to crack passwords during this check, and instead attempts a password change request using each condition in the preceding list. Account lockout policy counts will be reset if in effect on the scanned computer.

    Additional Resources

    What's New in Security for Windows XP Professional and Windows XP Home Edition

    Creating Strong Passwords

    ©2002-2007 Microsoft Corporation. All rights reserved.

  • RajaStyle123 (7/19/2010)


    Is there a way to scan your network for sa passwords which are blank or default sa and / or XP_Cmdshell turned on? I just want to see what on our network has been left unsecured. I have used SQLPing; unless I am using it wrong I believe you can't use this for this ... however it has provided me with a list of servers on my network and which are on default 1433. As we have many servers I don't want to do this manually.

    Thanks in Advance

    SQLPing will do this, and it's configured by default. If you click on the options tab, right there on the upper left you should have an option to Attempt Login Probe (sa) like so:

    K. Brian Kelley
    @kbriankelley

  • Twinsoft SME (7/19/2010)


    MBSA will scan for the following when it comes to passwords!

    Local Account Passwords Check

    Description

    This check identifies any blank or simple passwords for each local user account on the computer. This check is not performed on domain controllers.

    Microsoft® Windows® Server 2008, Microsoft® Windows® Server 2003, Windows Vista, Windows XP, and Windows 2000 operating systems all require user authentication through passwords. In general, users are permitted to choose their own passwords. The security of their account depends on the choice of the password. This check enumerates all user accounts and checks for the following password conditions:

    • Password is blank.

    • Password is the same as the user account name.

    • Password is the same as the computer name.

    • Password uses the word "password."

    • Password uses the word "admin" or "administrator."

    This check also notifies you of any accounts that have been disabled or are currently locked out.

    For Windows XP computers that use simple file sharing (includes Windows XP Home Edition and Windows XP Professional computers not joined to a domain), MBSA will not flag local accounts with blank passwords. To help protect users who do not password-protect their accounts, Windows XP Professional accounts without passwords can only be used to log on at the physical computer console. By default, accounts with blank passwords can no longer be used to log on to the computer remotely over the network, or for any other logon activity except at the main physical console logon screen.

    Notes

    • Microsoft Baseline Security Analyzer does not attempt to crack passwords during this check, and instead attempts a password change request using each condition in the preceding list. Account lockout policy counts will be reset if in effect on the scanned computer.

    Additional Resources

    What's New in Security for Windows XP Professional and Windows XP Home Edition

    Creating Strong Passwords

    ©2002-2007 Microsoft Corporation. All rights reserved.

    Thanks guys for the responses ... does this refer to Windows accounts or SQL accounts such as sa? As the text suggests Windows ... Thanks Again

  • Also I'm guessing there is no way to check for XP_Cmdshell across the enterprise?

  • You can use a script that will check against all the servers that are registered (by creating linked servers) in sysservers, and check for the "Enable or disable command shell" value in the sysconfigures table ("select * from sysconfigures").

    Hope it will work...

  • RajaStyle123 (7/21/2010)


    Thanks guys for the responses ... does this refer to Windows accounts or SQL accounts such as sa? As the text suggests Windows ... Thanks Again

    The sa account is a SQL Server-based login, not a Windows one.

    Also, one advantage of using SQLPing is that MBSA requires you to have the appropriate rights on the computer to run it. So if you've got a computer that's been locked down where, say, Domain Admins has been pulled off, or a computer that's not in a trusting domain, MBSA won't work. SQLPing can still discover the SQL Server and attempt to log in as the sa account with a blank password.

    K. Brian Kelley
    @kbriankelley

  • RajaStyle123 (7/21/2010)


    Also I'm guessing there is no way to check for XP_Cmdshell across the enterprise?

    No, there's not. Your best bet is to write a script that logs on to all known SQL Servers (SQLPing can generate this list) and tests for xp_cmdshell.

    Now while xp_cmdshell being disabled is recommended, realize that this is of limited practical use if they get sysadmin rights. If an attacker manages to get in with sysadmin level rights, any blocks you've put in place can be quickly eliminated. Since xp_cmdshell is an extended stored procedure and you can't get rid of the underlying DLL because you need some of the other extended stored procedures it provides, an attacker who knows his/her stuff can simply re-add xp_cmdshell or use the server configuration to re-enable it (SQL Server 2005/2008). That being said, if you have a policy in place in SQL Server 2008, that would be an extra step an attacker would have to go through to be able to enable it and have it stay enabled. All that being said, you should have it disabled to prevent accidental use or use as a shortcut by a well-meaning DBA, but ensure your auditors know that even should you disable it, an attacker can still turn it back on, so turning it off isn't really a control.

    K. Brian Kelley
    @kbriankelley
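    The audit script suggested above (log on to each known SQL Server and test for xp_cmdshell, plus the configuration-table check mentioned earlier in the thread), written out as an added example that is not code from the thread or any of its participants. It assumes SQL Server 2005 or later (sys.configurations and sys.sql_logins instead of sysconfigures), that the account running it holds sysadmin on every instance, and a hypothetical server list file $ServerListPath such as SQLPing's output.

```powershell
# Added example, not from the thread: audit a list of SQL Server instances for
# xp_cmdshell being enabled and for the sa login carrying a blank password.
# Assumes SQL Server 2005+ (sys.configurations, sys.sql_logins, PWDCOMPARE) and that
# the account running the script holds sysadmin on each instance.
# $ServerListPath is hypothetical: one "host" or "host,port" per line (e.g. SQLPing output).
param([string]$ServerListPath = '.\sqlservers.txt')

$auditQuery = @"
SELECT
    CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32)) AS Version,
    (SELECT CAST(value_in_use AS int) FROM sys.configurations
      WHERE name = 'xp_cmdshell')                          AS XpCmdShellEnabled,
    (SELECT CASE WHEN PWDCOMPARE('', password_hash) = 1 THEN 1 ELSE 0 END
       FROM sys.sql_logins WHERE name = 'sa')              AS SaBlankPassword,
    (SELECT CAST(is_disabled AS int) FROM sys.sql_logins
      WHERE name = 'sa')                                   AS SaDisabled
"@

$results = foreach ($server in (Get-Content $ServerListPath | Where-Object { $_.Trim() })) {
    # Windows authentication; short timeout so unreachable hosts do not stall the loop
    $conn = New-Object System.Data.SqlClient.SqlConnection `
        "Server=$server;Integrated Security=SSPI;Connect Timeout=5"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $auditQuery
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            [pscustomobject]@{
                Server            = $server
                Version           = $reader['Version']
                XpCmdShellEnabled = ($reader['XpCmdShellEnabled'] -eq 1)  # DBNull compares false
                SaBlankPassword   = ($reader['SaBlankPassword'] -eq 1)
                SaDisabled        = ($reader['SaDisabled'] -eq 1)
                Error             = $null
            }
        }
        $reader.Close()
    } catch {
        # Record the failure instead of silently skipping the host
        [pscustomobject]@{ Server = $server; Version = $null; XpCmdShellEnabled = $null;
                           SaBlankPassword = $null; SaDisabled = $null; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

# Findings first: any row with xp_cmdshell enabled or a blank sa password needs attention
$results | Sort-Object XpCmdShellEnabled, SaBlankPassword -Descending | Format-Table -AutoSize
```

    As the thread notes, a sysadmin can re-enable xp_cmdshell at any time, so treat a "disabled" result as a hygiene check, not a control; rows with a non-null Error column are hosts that could not be audited and deserve a follow-up rather than being counted as clean.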
