Chapter 2 User Authentication, Authorization, and Security (3): Protecting the Server from Brute-Force Attacks


Original: http://blog.csdn.net/dba_huangzj/article/details/38756693, series index: http://blog.csdn.net/dba_huangzj/article/details/37906349

Without the author's consent, no one may republish this as an "original" work or use it for commercial purposes; I bear no legal liability for any such use.

Previous article: http://blog.csdn.net/dba_huangzj/article/details/38705965

Objective:

A brute-force attack tries to recover a password by attempting every possible combination of characters, or by working through a dictionary of likely passwords. Given enough attempts, nearly any password can be found, and a simple password falls very quickly.

Checking the strength of the passwords in use is therefore very important.

Implementation:

1. First, find the SQL logins for which the password policy is not enforced:

SELECT name, is_disabled FROM sys.sql_logins WHERE is_policy_checked = 0 ORDER BY name;


2. Then enable the strong password policy, and password expiration, for those logins:

ALTER LOGIN Fred WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;


This command does not change the existing password: the current password stays valid until it expires, and it is not re-checked against the complexity rules, so a weak password that was set before the policy was enabled survives until it is changed. Note that CHECK_EXPIRATION can only be ON when CHECK_POLICY is also ON.

The number of days until a login's password expires can be checked with the LOGINPROPERTY function:

SELECT LOGINPROPERTY('Fred', 'DaysUntilExpiration');


3. You can also force a password change at the next login, but this requires setting an agreed temporary password and telling the user what it is. For example, the following statement forces the login Fred to change the password: 'Need to change me!' becomes the initial password, you communicate it to the user, and after a successful login with it the user is prompted to choose a new password.

ALTER LOGIN Fred WITH PASSWORD = 'Need to change me!' MUST_CHANGE, CHECK_POLICY = ON, CHECK_EXPIRATION = ON;



4. You can also use a script to generate the required ALTER LOGIN statement for every login that needs the change:

SELECT 'ALTER LOGIN ' + QUOTENAME(name) + ' WITH PASSWORD = ''Need to change me one by one'' MUST_CHANGE, CHECK_POLICY = ON, CHECK_EXPIRATION = ON;' FROM sys.sql_logins WHERE is_policy_checked = 0 ORDER BY name;

Review the generated statements before running them: the query also returns sa and any logins used by applications or services, and a login with MUST_CHANGE set cannot connect through an ordinary connection string until its password has been changed.


If you want users to change their password from inside an application rather than in Management Studio, see this article: http://msdn.microsoft.com/zh-cn/library/ms131024.aspx (Changing Passwords Programmatically). A login whose password must be changed is rejected with error 18488 ("The password of the account must be changed") until the change is made, so an application that connects with such a login has to handle that case, for example with SqlConnection.ChangePassword.
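The four steps above as one batch, added here as an example and not taken from the original post: it finds the logins that bypass the policy, builds the same ALTER LOGIN ... MUST_CHANGE statements as the post's script, and either prints or executes them. It goes slightly beyond the post's script in that it skips sa, disabled logins and the built-in ##...## logins, and it quotes the temporary password with QUOTENAME so an embedded apostrophe cannot break the statement. The @dry_run flag, the @initial_password value and those exclusions are this example's own choices.

```sql
-- Added example, not from the original post: enforce the password policy on
-- every SQL login that currently bypasses it, in one batch.
-- Assumptions: run as sysadmin; @initial_password is a placeholder you replace
-- and hand to each user out of band; @dry_run = 1 only prints the statements.
SET NOCOUNT ON;

DECLARE @dry_run          bit           = 1;                      -- 1 = print only, 0 = execute
DECLARE @initial_password nvarchar(128) = N'Need to change me!';  -- placeholder, replace it
DECLARE @name             sysname;
DECLARE @sql              nvarchar(max);

-- Step 1: logins without CHECK_POLICY. This example also skips sa, disabled
-- logins and the built-in ##...## logins, so MUST_CHANGE never blocks an
-- administrator or a service unexpectedly; handle those by hand.
DECLARE login_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.sql_logins
    WHERE is_policy_checked = 0
      AND is_disabled = 0
      AND name <> N'sa'
      AND name NOT LIKE N'##%##'
    ORDER BY name;

OPEN login_cur;
FETCH NEXT FROM login_cur INTO @name;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Steps 2 and 3 in one statement: temporary password that must be changed
    -- at the next login, plus policy and expiration checks. MUST_CHANGE requires
    -- both CHECK_POLICY and CHECK_EXPIRATION to be ON in the same statement.
    -- ALTER LOGIN does not accept a variable for the password, so the literal
    -- is built with QUOTENAME(..., ''''), which doubles any embedded apostrophe.
    SET @sql = N'ALTER LOGIN ' + QUOTENAME(@name)
             + N' WITH PASSWORD = ' + QUOTENAME(@initial_password, N'''')
             + N' MUST_CHANGE, CHECK_POLICY = ON, CHECK_EXPIRATION = ON;';

    IF @dry_run = 1
        PRINT @sql;            -- the printed text contains the temporary password
    ELSE
        EXEC sys.sp_executesql @sql;

    FETCH NEXT FROM login_cur INTO @name;
END;
CLOSE login_cur;
DEALLOCATE login_cur;

-- Verification: after a real run, only the deliberately skipped logins should
-- still show is_policy_checked = 0.
SELECT name,
       is_policy_checked,
       is_expiration_checked,
       is_disabled,
       LOGINPROPERTY(name, 'IsMustChange')        AS must_change,
       LOGINPROPERTY(name, 'DaysUntilExpiration') AS days_until_expiration
FROM sys.sql_logins
ORDER BY name;
```

Run it once with @dry_run = 1, check the printed statements against the list of logins you actually intend to touch, then set @dry_run = 0. Because the temporary password appears in the dry-run output, do not leave that output in a shared query window or log.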

Principle:

The best protection of passwords against brute-force attacks is to apply the Windows password policy to SQL logins (CHECK_POLICY = ON), because it only allows strong passwords: the length, complexity, history, expiration and lockout rules of the local or domain security policy are then enforced for SQL Server authentication as well.

In addition, brute-force attempts leave a trace: each failed login is written to the SQL Server error log and to the Windows Application event log as error 18456, together with the login name, the reason and the client address, as long as the server's login auditing setting includes failed logins (the default).
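As an added example (not from the original post) of reading those traces, the following T-SQL reads the current error log with xp_readerrorlog, parses the login name and client address out of each "Login failed for user" line, and counts failures per client, login and hour; a burst from a single client is the signature of a brute-force attempt. The threshold of 20, the temporary table name and the parsing of the message text are this example's own assumptions about the message format ("Login failed for user 'name'. Reason: ... [CLIENT: address]").

```sql
-- Added example, not from the original post: find brute-force attempts in the
-- SQL Server error log by aggregating failed logins (error 18456) per client.
-- Assumptions: login auditing logs failed logins (the default), the caller may
-- execute xp_readerrorlog (sysadmin), and the message text has the form
-- "Login failed for user 'name'. Reason: ... [CLIENT: address]".
SET NOCOUNT ON;

IF OBJECT_ID(N'tempdb..#errorlog') IS NOT NULL
    DROP TABLE #errorlog;

CREATE TABLE #errorlog
(
    LogDate     datetime      NOT NULL,
    ProcessInfo nvarchar(64)  NULL,
    [Text]      nvarchar(max) NULL
);

-- Log 0 is the current log, type 1 is the SQL Server log (2 would be the
-- SQL Agent log); the third argument filters lines by substring.
INSERT INTO #errorlog (LogDate, ProcessInfo, [Text])
EXEC sys.xp_readerrorlog 0, 1, N'Login failed for user';

WITH parsed AS
(
    SELECT LogDate,
           -- the login name sits between the first pair of single quotes
           SUBSTRING([Text],
                     CHARINDEX(N'''', [Text]) + 1,
                     CHARINDEX(N'''', [Text], CHARINDEX(N'''', [Text]) + 1)
                       - CHARINDEX(N'''', [Text]) - 1) AS login_name,
           -- the client address sits between "[CLIENT: " and the closing "]"
           SUBSTRING([Text],
                     CHARINDEX(N'[CLIENT: ', [Text]) + 9,
                     CHARINDEX(N']', [Text], CHARINDEX(N'[CLIENT: ', [Text]))
                       - CHARINDEX(N'[CLIENT: ', [Text]) - 9) AS client,
           -- the reason separates password guessing from probing for login names
           CASE
               WHEN [Text] LIKE N'%Password did not match%' THEN N'bad password'
               WHEN [Text] LIKE N'%Could not find a login%'  THEN N'unknown login'
               ELSE N'other'
           END AS reason
    FROM #errorlog
    WHERE [Text] LIKE N'Login failed for user ''%''%[[]CLIENT: %'
)
SELECT client,
       login_name,
       reason,
       DATEADD(hour, DATEDIFF(hour, 0, LogDate), 0) AS hour_bucket,
       COUNT(*)                                     AS failures
FROM parsed
GROUP BY client, login_name, reason,
         DATEADD(hour, DATEDIFF(hour, 0, LogDate), 0)
HAVING COUNT(*) >= 20     -- threshold is an assumption; tune it to your own baseline
ORDER BY failures DESC, hour_bucket DESC;

DROP TABLE #errorlog;
```

Many failures against sa or a handful of login names from one client address, spread over minutes, is the typical pattern; the same events are available in the Windows Application event log under the MSSQLSERVER source if you prefer to collect them centrally from there.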

The password of a SQL login is not stored in any system table, and neither is a key that could recover it; only a salted hash of the password is stored (visible as password_hash in sys.sql_logins), and a hash cannot be decrypted. At login, SQL Server hashes the supplied password with the stored salt and compares the result with the stored hash. The hash can still be attacked offline, however: anyone who can read password_hash, or who can call PWDCOMPARE against it, can test candidate passwords without touching the login path or the error log, which is one more reason to insist on strong passwords rather than rely on the hash alone.


Further notes:

One component of the policy is the account lockout threshold. If you want repeated failed attempts to lock a SQL login, set CHECK_POLICY = ON for that login and configure the account lockout policy in Active Directory (for a domain-joined server) or in the local security policy. Be aware of the trade-off: an attacker who can reach the server can then lock out sa or an application login simply by guessing wrong often enough, so pair lockout with monitoring of failed logins and keep a separate administrative login that is not exposed to the network.

You can use the following statement to find locked logins (a locked login is released with the UNLOCK option of ALTER LOGIN):

SELECT name FROM sys.sql_logins WHERE LOGINPROPERTY(name, N'IsLocked') = 1 ORDER BY name;

Next: http://blog.csdn.net/dba_huangzj/article/details/38817915

