Do I need the ''sa'' account?

  • I have a SQL Server/web server that some bot is trying to hack by logging in to the 'sa' account. I have port 1433 open because I do a lot of remote development, but I have a 'hardened' password, and I use another account anyway.

    My solution when I spot this activity (attempting every two seconds) is to block the offending IP at the firewall.

    What should I do, though? Can I delete the 'sa' account, which is well known and highly privileged? Can I rename it to a more complex name?


  • System administrator (sa) is a special login provided for backward compatibility. By default, it is assigned to the sysadmin fixed server role and cannot be changed.

    Login "sa" cannot be dropped from the server role, nor can it be changed. The only option is to give it a complex password and change it regularly.


    ------------
    Prakash Sawant

    http://psawant.blogspot.com

  • Don't do anything with sa. Maybe the best way is to set 1433 inside the firewall and not allow any access thru that port. You can use NAT to give your remote user the access they need (via VPN, I might recommend!). If you lose the sa account it will be a nightmare to run your SQL Server.

    About the hacker: as long as you have 1433 open it will be not only one but many trying to get into your system. Good luck

  • The VPN bit would be the solution for you, a cheap CISCO Pix VPN can be obtained for around $425 and they're very easy to configure, however if you can't do that here are some other suggestions.

    You could open a random port higher than 1024 like 6875 or 4098 or any other port that is unused and redirect that port to 1433 once you get inside your DMZ.  You might try to change this from time to time to other ports to keep the bad guys guessing.

    Also you should lock down the access on that port to the IP you do your remote development from.  If you have a static IP from an office, for instance, this is easy and you just have to allow that 1 IP; however if you're doing it from a DSL or Cable or Dialup connection you can usually talk to your ISP and see which subnets you could possibly be assigned to and then only allow from those subnets.  By the principle of least privilege, open the port to the smallest number of IPs necessary to accomplish what you need to do.

    Then apply good SA password change policy, which you should also follow for changing the Keys for your VPN if you set one up.  Heck for the VPN try to at least use DES if not TripleDES and one time keys if you can.  I try to change my SA password at least once a month.  I know an admin that changes his once a week, but I'm not that paranoid.


  • OK, looks like I got some good advice. Thanks!

    Summary:

    1) Can't disable or rename 'sa'

    2) Continue to use a strong password for 'sa' but change it frequently

    3) Get the VPN going with highest security possible

    4) Connect to the server using some port other than 1433 (higher than 1024) and redirect down using the VPN/firewall box (sounds like 1433 attracts a lot of interest)

    Probably I could shut down the remote SQL server access for the long periods in between development activity (I have full access, it's my server). Is there an easy way to do that?

    Thanks to all

  • I was under the impression that in SQL 2005 you could rename the SA account

    -- Disable the login first so nothing can use it while it is being renamed
    ALTER LOGIN sa DISABLE;

    -- The new name is an identifier, not a string literal (no quotes around it)
    ALTER LOGIN sa WITH NAME = [New_Name];

    -- The login is now called New_Name, so re-enable it under that name
    ALTER LOGIN [New_Name] ENABLE;

    Check BOL

  • Someone is probably going to hate me for saying something like this, but changing the password more than monthly is really completely unnecessary.

    Choose passwords that are 5 or 6 word sentences with a bit of 1337 speak mixed in and no dictionary or brute force attack will ever guess your sa password unless the bad guys have access to a supercomputer for decades.

    The password should still be changed, periodically, just as a good measure, but any more frequently than monthly is serious overkill - especially if you or one other administrator are the only ones who have it.

    Here's an example to get you going:

    Why n0t cR347e a p@5SworD l1k3 Thi5?

    The more characters you use (as in different characters, not character count), the better.  Using strange punctuation and things other than alphanumeric passwords greatly improves the strength of your password.

    If you can show me a dictionary or brute force cracker that can crack the password above in less than a month, then you have far greater problems to worry about than just your sa password...

    Our password policy (for all users for network logon as well as database accounts) requires that all passwords have, at minimum, two 5-letter words, separated by any number of spaces, punctuation, or combinations thereof, mixed case, and numbers.  Special characters either in extended ASCII or unicode are preferred, but not required.  The users really don't have a problem with it and we actually have found that we have fewer requests for password resets, now that they don't have to try to memorize incredibly cryptic single-word passwords or passwords limited to 20 characters.

    As a related side-note, restricting passwords to anything less than 100 characters is just foolish and completely pointless.  A 100-character password, hashed, is not going to take much storage or processing power, no matter how large your application.

  • Just for completeness, I'll explain why sentences or multiple words are better than a single password.

    Even if someone was to create a dictionary cracker or brute force algorithm that was "intelligent" (ie tried making intelligible sentences using word relations), it would be stronger to have a multi-word password than a standard alphanumeric password.  An alphanumeric password, when case sensitive, is basically a base-62 number, when treated mathematically.  There are 52 letters and 10 numbers in the standard ASCII alphanumeric characters.  If you expand it to include all keyboard characters (except space), you still only have a base-94 number (correct me if I'm wrong there).

    I'll go with the whole keyboard method, since it's the stronger of the two, just to make a point.

    94^8 is 6,095,689,385,410,816 possible combinations for an 8-character password.  That's if you use all possible combinations.

    There are far more than 94 words in the English language and thousands (if not millions) more, if all languages are considered.  Even using a really conservative number like 10,000 words (small vocabulary?  I don't know...), you're now talking about a base-10,000 number.  Annnnnd 10,000^6 (for a six-word password) comes to...are you ready? 1,000,000,000,000,000,000,000,000 (10^24) combinations.  And that's assuming you use plain, no-nonsense English words with no punctuation, spaces, or anything.  If you add spaces, punctuation, and messed up words (ie 1337 speak) into the equation, that number grows even larger.

    Just for comparison purposes, the 6-word password has ~(94^8)^1.52 combinations, with plain English...  With 8 words (like the 8-character password), the possible combinations increase 100,000,000 times, to give you 10^32 (that's ~(94^8)^2.03 or ~94^16) combinations, all while being far easier to remember than a 16-character base-94 password.  Is that enough for you?
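The keyspace arithmetic in the post above, carried out in code as an added example (not from any poster in the thread). The alphabet sizes are the ones the post assumes, 94 printable keyboard characters and a 10,000-word vocabulary; the guess rate used to put the numbers in scale is the two-second interval the original poster observed, which is an assumption about an online attack rather than an offline hash-cracking rate.

```python
"""Keyspace and entropy comparison for character passwords vs word passphrases.

Added example, not from the thread. Alphabet sizes follow the post
(94 printable characters, 10,000 words); the 0.5 guesses/second rate is
the observed online attempt interval and is only used for scale.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(symbols, length):
    """Candidates an exhaustive search must cover: symbols ** length."""
    return symbols ** length


def entropy_bits(symbols, length):
    """The same keyspace expressed in bits (log2 of the keyspace)."""
    return length * math.log2(symbols)


def equivalent_length(symbols, length, target_symbols):
    """Length in `target_symbols` that has the same keyspace as
    (symbols, length); this is the post's '~94^16' figure computed exactly."""
    return entropy_bits(symbols, length) / math.log2(target_symbols)


def years_to_exhaust(symbols, length, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return keyspace(symbols, length) / guesses_per_second / SECONDS_PER_YEAR


def comparison_table():
    """The post's cases side by side, so the growth is visible at once."""
    cases = [
        ("8 printable chars", 94, 8),
        ("6 plain words", 10000, 6),
        ("8 plain words", 10000, 8),
        ("16 printable chars", 94, 16),
    ]
    rows = []
    for label, symbols, length in cases:
        rows.append({
            "case": label,
            "keyspace": keyspace(symbols, length),
            "bits": round(entropy_bits(symbols, length), 1),
            "as_94_chars": round(equivalent_length(symbols, length, 94), 2),
        })
    return rows


if __name__ == "__main__":
    for row in comparison_table():
        print(row)
    # Assumed online rate: one guess every two seconds, as observed in the thread.
    print(f"94^8 at 0.5 guesses/s: {years_to_exhaust(94, 8, 0.5):.3g} years")
```

Expressing both schemes in bits makes the comparison independent of which alphabet you start from: a 6-word phrase from a 10,000-word list is about 80 bits, an 8-word phrase about 106 bits, and a 16-character password from 94 symbols about 105 bits, which is where the post's "8 words ~ 16 characters" equivalence comes from.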

  • Yes, you could shut down remote access to your SQL server. The easiest way would probably be either at your border router or your firewall during times while you are not using it for development.  Again the principle of least privilege applies here.  If you don't need it, close the port; when you need it again, open it back up.

  • Just a note on passwords, in particular 'strong' passwords. You need not go to the lengths of 'pass phrases', multiple words with spaces, if you use a 16 character password that meets the following requirements:

    • has at least 1 upper case letter
    • has at least 1 lower case letter
    • has at least 1 number
    • has at least 1 special character

    It is virtually impossible to 'crack'. Check out L0phtCrack for Windows passwords or NGS SQLCrack for more information about how long it takes to crack these types of passwords.

    Regards
    Rudy Komacsar
    Senior Database Administrator
    "Ave Caesar! - Morituri te salutamus."

  • Of course those will be hard to crack, but they will also be hard to memorize.  I know I wouldn't want to have to memorize a 16-character string that combined all of that (8 characters would be fine, but that's still pushing it for a lot of users).

    We tried that strategy (it was always the strategy before we implemented the passphrase policy), and users were constantly forgetting their passwords because people, in general, suck at coming up with passwords that meet all of those requirements and are still easily memorable.  A short phrase just sticks better.  Randomly generated passwords were tried, as well (a word from a huge dictionary was chosen, at random, and then one character was changed to a completely different random character, case was randomized, and numbers and symbols were inserted at random, to end up with something like f@N-ta5Gc), but we dropped that policy very very quickly because it worked even worse.

    Also, the 16-character thing was just a comparison to show how large a regular password would have to be to equal the strength, against a really smart fictional dictionary cracker, of an 8-word passphrase.

    In reality, passwords of that length are likely uncrackable for many years to come, except by social engineering.

    Anyway, it's just some food for thought to get people thinking outside of the rather restrictive box they artificially set for one of their most important assets - their security.  Why limit it if you don't have to?
