Security

  • If you plan not to use the SA account, remember to put a password on it.

    I don't use the SA account so just to be sure I have placed an sql alert on my servers to see if anyone logs onto (or fails) the server as SA. Hence I get a netsend (+ email) to my terminal if anyone tries to use the SA account. (You need auditing turned on to do this)

    Steven

  • what alert is that exactly ?

  • I add alerts against the following error codes (in sql server agent), then add myself as the operator for the alert.

    18454 Login succeeded for user '%ls'. Connection: Non-Trusted. (with the text sa)

    18455 Login succeeded for user '%ls'.

    18452 Login failed for user '%ls'. Reason: Not associated with a trusted SQL Server connection.

    18456 Login failed for user '%ls'.

    Steven

  • Some things to consider:

    • If hackers hijack an account in BUILTIN\Administrators, they've hijacked an account with local administrative rights. Based on the way NT and SQL Server work, if they get that kind of access and know what they are doing, the data on the SQL Server box isn't secure as they can take it off and do nasty things with it.
    • If the NT group is local to the SQL Server and an account in BUILTIN\Administrators is compromised, that account can be used to be added to every local group on the server, which gives access to SQL Server.
    • Usually, the only user accounts given local administrative rights on a SQL Server box are Domain Admins and DBAs (and this isn't always the case). So if they hijack a DBA account, they are in the database. If they hijack a Domain Admins level account, they can easily add themselves to any domain level NT group, and that means if a domain NT group is being used, they've now got access.

    K. Brian Kelley

    bkelley@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/bkelley/

    K. Brian Kelley
    @kbriankelley

  • The accounts can be restricted to prevent normal curiousity. However, if we're talking about compromises, it's likely the person who has compromised the system will take the steps required to get the data off the SQL Server. If a local Administrators group account gets compromised, the data is open for the taking.

    K. Brian Kelley

    bkelley@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/bkelley/

    K. Brian Kelley
    @kbriankelley

  • I work with hosting and I always remove BUILTIN\Administrators from the SQL Server. I don't want to allow access to a bunch of NT/2000 technichians who know nothing about SQL. We've had too many troubles with this in the early days when NT/2000 technichians who knew how to write "SELECT *" also thought that they automatically knew everything about administrating SQL Server.

    Then I add personal NT logins for each DBA that work or are responsible for an environment and one emergency account that the the 24/7 watch could use in case of an emergency and a DBA can't be reached. You have to open a specified envelope to get the password to the emergency account.

    I also remove access to any MSSQL\ directories for local and domain admins. Only the SQL Service accounts, the DBA accounts and the emergency account have access to those directories.

    'sa' is not used. We only add a strong password to it.

  • Argyle,

    While your method will prevent casual poking around in the database, any Domain Admin could easily get into the MSSQL\ directories, even change the PWD for your emergency account to one they know and use that to access the database.

    Naturally, with the above methods you would most likely know that someone was poking around, but you still couldn't prevent it.

    If you really want to keep them out (and probably tick them off) remove the Domain Admins group from the Local Administrators group. :o)

    JasonL


    JasonL

  • Removing the domain admins from the local admins will most likely cause more issues. ou'd be better off implementing some auditing to catch changing of the ownership of folders.

    I'd also implement the "you get fired if you mess with my sql server" policy. Most of my executives thoroughly support this.

    Steve Jones

    steve@dkranch.net

  • quote:


    Argyle,

    While your method will prevent casual poking around in the database, any Domain Admin could easily get into the MSSQL\ directories, even change the PWD for your emergency account to one they know and use that to access the database.

    Naturally, with the above methods you would most likely know that someone was poking around, but you still couldn't prevent it.

    If you really want to keep them out (and probably tick them off) remove the Domain Admins group from the Local Administrators group. :o)

    JasonL


    A domain admin could change the password for the emergency account but all logins with any of the accounts are tracked. We would know if someone were using them. There is really no way to get around this as you say except tracking all logins or not use domain accounts at all.

    When it comes to the SQL Server directores domain admins are removed from the access list so I don't see how they could gain access to them except by "taking ownership" of the files which also can be tracked.

    /Argyle

    Edited by - Argyle on 03/31/2002 06:18:53 AM

  • Taking ownership can be tracked, but so can logins to SQL Server which tells you if someone is going in who normally shouldn't be. There's also nothing stopping a domain admin who wants to be malicious from taking control of a DBA account and using it to access the system.

    K. Brian Kelley

    bkelley@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/bkelley/

    K. Brian Kelley
    @kbriankelley

  • Yup, no real way to prevent domain admins to do something malicious unless you disallow domain accounts completely which might not be a good idea. Hopefully the domain admins can be trusted 😛

    If you don't trust them completly (like me ;)), tracking is the way to go.

    1.

    Track "taking ownership" etc. on the SQL files to see if someone is tampering with the SQL server files without actually loging in to the SQL Server.

    2.

    Track logins to the SQL Server itself.

    /Argyle

Viewing 11 posts - 16 through 25 (of 25 total)

You must be logged in to reply to this topic. Login to reply