Chapter 2 User Authentication, Authorization, and Security (3): protects servers against brute force attacks, authentication


Without the author's consent, this article may not be republished as "original" or used for commercial purposes; I accept no legal liability for such use.

Previous Article: http://blog.csdn.net/dba_huangzj/article/details/38705965

Preface:

A brute-force attack tries to crack a password by attempting almost every possible combination of characters, or by using a dictionary containing almost all likely passwords. If your password is simple, it will be cracked quickly. Checking password strength is therefore very important.

Implementation:

1. First, find the SQL logins that do not have the password policy enforced:

SELECT name, is_disabled FROM sys.sql_logins WHERE is_policy_checked = 0 ORDER BY name;

2. Enable the strong password policy for these logins:

ALTER LOGIN Fred WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

This command does not change the existing password until it expires. You can use the following function to check how many days remain until the password expires:

SELECT LOGINPROPERTY('Fred', 'DaysUntilExpiration');

3. You can also force a password change at the next login, but you need to agree on a temporary password and tell the user. For example, the following code forces the Fred login to change its password at login; 'You need to change me !' is used as the initial password, which you must give the user to log in with. After a successful login, the user is prompted to change the password.

ALTER LOGIN Fred WITH PASSWORD = 'You need to change me !' MUST_CHANGE, CHECK_POLICY = ON, CHECK_EXPIRATION = ON;


Source: http://blog.csdn.net/dba_huangzj/article/details/38756693

4. You can use a script to generate the ALTER LOGIN statement for every login that still needs to be modified:

SELECT 'ALTER LOGIN ' + QUOTENAME(name) + ' WITH PASSWORD = ''You need to change me 11'' MUST_CHANGE, CHECK_POLICY = ON, CHECK_EXPIRATION = ON; '
FROM sys.sql_logins
WHERE is_policy_checked = 0
ORDER BY name;

If you need to allow users to change their passwords from within an application, refer to this article: http://msdn.microsoft.com/zh-cn/library/ms131024.aspx (changing the password programmatically).

Principle:

The best way to protect passwords against brute-force attacks is to use the Windows password policy, because it only allows strong passwords. In addition, brute-force attempts are recorded in the SQL Server error log and the Windows event log.

The password for a SQL login is not stored in any system table; only a hash of the password is stored. In other words, there is no way to decrypt the password. The hash stored in the system table is compared with the hash computed from the password transmitted during subsequent logins.

More:

One component of the password policy is the lockout threshold. If you want failed SQL login attempts to lock the login, set the CHECK_POLICY option to ON and configure the account lockout policy in Active Directory or in the local security policy.

You can use the following statement to check whether a locked account exists:

SELECT name FROM sys.sql_logins WHERE LOGINPROPERTY(name, N'isLocked') = 1 ORDER BY name;
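The error log mentioned under Principle is where the brute-force attempts actually show up, so the lockout check above can be complemented by reading that log. The following is an added example, not code from the original post: a Python parser for the "Login failed for user" lines SQL Server writes (error 18456) that flags login/client pairs which fail repeatedly inside a short window. The log lines, hosts and login names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# The second of the two lines SQL Server writes per failed login (error 18456).
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<login>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_failed_logins(lines):
    """Yield (timestamp, login, client) for every failed-login line."""
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group("login"), m.group("client")

def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {(login, client): total failures} for every login/client pair that
    reached `threshold` failures inside some span of `window_seconds`."""
    by_source = defaultdict(list)
    for ts, login, client in parse_failed_logins(lines):
        by_source[(login, client)].append(ts)
    hits = {}
    for key, stamps in by_source.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                hits[key] = len(stamps)
                break
    return hits

def _fail(ts, login, client):
    # Constructed sample: the two lines SQL Server logs per failed SQL login.
    return [f"{ts} Logon       Error: 18456, Severity: 14, State: 8.",
            f"{ts} Logon       Login failed for user '{login}'. Reason: Password did not "
            f"match that for the login provided. [CLIENT: {client}]"]

# Constructed log: six failures for Fred from one host within six seconds, one
# stray failure for sa, then a successful login that must not be counted.
SAMPLE_LOG = [line for i in range(6)
              for line in _fail(f"2014-08-22 10:15:{30 + i:02d}.00", "Fred", "10.1.2.3")]
SAMPLE_LOG += _fail("2014-08-22 10:16:01.00", "sa", "10.1.2.9")
SAMPLE_LOG += ["2014-08-22 10:17:00.00 Logon       Login succeeded for user 'Fred'. "
               "Connection made using SQL Server authentication. [CLIENT: 10.1.2.3]"]
```

On a live server the same parser can be fed the output of the error log (for example via xp_readerrorlog); a hit is the point at which the lockout policy above should already have engaged.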

Help translate (3)

Question types:
Basic concepts: multiple choice questions;
Reasoning and simple calculation: multiple choice questions. This type of question will become clearer when you see the choices in the exam; what you can do now is become familiar with the concepts and theories mentioned in the review questions.
Discussion, summary, calculation (?): essay questions
Topics will include:
Chapter 1, September May 1
1. Layer 5: what are they and what do they do?
2. Comparison layer (I created a table)
3. Common standards: HTTP, SMTP, FTP, IP, and Ethernet
4. Media Access Control: contention versus controlled access: which one is better?
5. Error control: sources of errors and their remedies (methods to prevent errors), focusing on the error control covered in the first set of slides
Calculating data loss due to burst errors (impulse noise; "spikes"): simple calculations will be provided, and your task is to understand them and choose the correct one.
Possible essays:
Describe how Web-based email works
Chapter 1, September May 2
1. Title bar, in the TCP packet
2. Title bar, in the IP packet
3. Types of addresses used on the Internet; address translation or resolution, especially between application-layer addresses and network addresses
4. DHCP: What is it and how it works
5. LAN components
6. Ethernet: basic functions: how messages are forwarded and processed; collisions and how they are handled; how further collisions are avoided afterwards
Chapter 1 7
1. General security goals (CIA)
2. Activities or functions of basic security: identification, verification, authorization, accountability, and assurance
3. Vulnerability, exploitation, and attack
4. Defense in depth
Possible essays:
Discuss why information security/network security is a bigger problem today than 20 years ago, given the improvements in computing/communication technology.
Chapter 2
1. Social engineering: what it is and how to defend against it
2. "Three principles": the principle of ease of penetration, the principle of timeliness, and the principle of effectiveness; their relationship to passwords and encryption (we use passwords and encryption because of the above principles)
3. Stream ciphers and block ciphers
Possible essay issues:
1. Content and relationship of network security technology
2. Types of security threats
3. Potential and cost threats
4. A password should be at least 8 characters long and mix upper-case and lower-case letters and digits. It should be easy for you to remember but hard for others to guess: a personalized design (a password that you can easily remember).
5. Mechanism of digital signatures
Chapter 2
All types of problems:
What is the purpose of host scanning?
What is the purpose of port scanning?
What is the purpose of (operating system) fingerprinting?
The break-in process: how vulnerabilities are managed
Denial of Service attacks: single-message DoS attacks; Smurf flooding DoS attacks; Distributed Denial-of-Service (DDoS) attacks
Prevent DoS Attacks
Basic functions and limitations of the firewall
Packet filtering firewall; proxy firewall; comparison of two firewall Technologies
Access Control List (ACL) (slides 9-71-9-75)
When studying the slides, use the hidden notes below each slide:

How to set the server

Set RADIUS server

Find an article about building a RADIUS server on Linux

Please smile:

How to build a RADIUS server on Linux

As a network administrator, you need to store and manage user information for every network device you administer. However, network devices generally support only limited user management functions. This article shows how to use an external RADIUS server on Linux to authenticate users. Specifically, an LDAP server is used for authentication: the user information stored on the LDAP server and verified through the RADIUS server is kept in one central place, which reduces the overhead of user management and makes the remote login process safer.

As part of network security in modern systems, data security is as important as system security. Protecting data, that is, ensuring its confidentiality, integrity, and availability, is therefore critical for administrators.

In this article, I will discuss the confidentiality aspect of data security: ensuring that protected data can only be accessed by authorized users or systems. You will learn how to create and configure a Remote Authentication Dial-In User Service (RADIUS) server on Linux to perform user authentication, authorization, and accounting (AAA).

Introduction to components

First, let's look at the RADIUS protocol, the AAA components, how they work, and the LDAP protocol.

The Remote Authentication Dial-In User Service protocol is defined in IETF RFC 2865 (see references for links). It allows network access servers (NAS) to perform user authentication, authorization, and accounting. RADIUS is a UDP-based client/server protocol. A RADIUS client is a network access server, usually a router, switch, or wireless access point (an access point is a specially configured node on the network; a WAP is the wireless version). A RADIUS server is usually a daemon running on a UNIX or Windows 2000 server.

RADIUS and AAA

When a NAS receives a user connection request, it passes the request to the configured RADIUS server, which authenticates the user and returns the user's configuration information to the NAS. The NAS then accepts or rejects the connection request.

A fully functional RADIUS server supports many different user authentication mechanisms. In addition to LDAP, these include:

PAP (Password Authentication Protocol, used together with PPP; in this mechanism the password is sent to the client in plaintext for comparison);

CHAP (Challenge Handshake Authentication Protocol, which is more secure than PAP and uses both the user name and the password);

the local UNIX/Linux system password database (/etc/passwd);

other local databases.

In RADIUS, authentication and authorization are combined. If the user name is found and the password is correct, the RADIUS server returns an Access-Accept response that includes parameters (attribute-value pairs) granting the user access. These parameters are configured in RADIUS and include the access type, the protocol type, the IP address assigned to the user, an access control list (ACL) or static route to be applied on the NAS, and other values.

The RADIUS accounting feature (defined in RFC 2866; see references for links) allows data to be sent at the beginning and end of a connection session, reporting the resources used during the session, such as time, packets, and bytes, for security or billing purposes.
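The NAS-to-server exchange described above, as an added example that is not part of the original article: a minimal Python model of the RFC 2865 Access-Request/Access-Accept round trip, covering the packet layout, User-Password hiding with the shared secret and Request Authenticator, the attribute-value pairs returned on accept, and the Response Authenticator the NAS must check before trusting a reply. The shared secret, user table and returned Framed-IP-Address value are constructed for the example; accounting (RFC 2866) is not modelled.

```python
import hashlib, hmac, os, struct
# RFC 2865 codes and attribute types used here (standard values).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS = 1, 2, 8

def _xor_chain(data, secret, req_auth, hiding):
    # RFC 2865 5.2: block i is XORed with MD5(secret + ciphertext block i-1); block 0 uses req_auth.
    out, prev = bytearray(), req_auth
    for i in range(0, len(data), 16):
        block, key = data[i:i + 16], hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, key))
        out += res
        prev = res if hiding else block  # hiding chains on its output, revealing on its input
    return bytes(out)

def hide_password(pw, secret, req_auth):  # NUL-pad to 16-byte blocks, then chain
    return _xor_chain(pw + b"\x00" * (-len(pw) % 16), secret, req_auth, True)
def reveal_password(hidden, secret, req_auth):
    return _xor_chain(hidden, secret, req_auth, False).rstrip(b"\x00")
def encode_attrs(attrs):  # Attribute = Type(1) Length(1, incl. header) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs
def _seal(code, ident, authenticator, body):  # Code(1) Id(1) Length(2) Auth(16) attrs
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
def _resp_auth(code, ident, req_auth, body, secret):  # RFC 2865 section 3
    return hashlib.md5(_seal(code, ident, req_auth, body) + secret).digest()

def client_access_request(user, password, secret, ident=7, req_auth=None):  # NAS side
    req_auth = req_auth or os.urandom(16)  # fresh random Request Authenticator
    body = encode_attrs([(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, req_auth))])
    return _seal(ACCESS_REQUEST, ident, req_auth, body), req_auth

def server_handle(pkt, secret, users):  # server side: Accept (plus an authorization AVP) or Reject
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    req_auth, attrs = pkt[4:20], parse_attrs(pkt[20:length])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = code == ACCESS_REQUEST and users.get(attrs.get(USER_NAME)) == password
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = encode_attrs([(FRAMED_IP_ADDRESS, bytes([10, 0, 0, 42]))] if ok else [])
    return _seal(reply, ident, _resp_auth(reply, ident, req_auth, body, secret), body)

def client_verify(resp, req_auth, secret):  # NAS side: trust only an authentic reply
    code, ident, length = struct.unpack("!BBH", resp[:4])
    expected = _resp_auth(code, ident, req_auth, resp[20:length], secret)
    return code if hmac.compare_digest(resp[4:20], expected) else None
```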

Lightweight Directory Access Protocol

Lightweight Directory Access Protocol (LDAP) is an open standard that defines a method for accessing and updating X.500 directories...
