Chapter 1 Securing Your Server and Network (10): Use extended protection to avoid authorizing relay attacks

Original source: http://blog.csdn.net/dba_huangzj/article/details/38368737, featured catalogue:http://blog.csdn.net/dba_huangzj/article/details/37906349

No person shall, without the consent of the author, be published in the form of "original" or used for commercial purposes, and I am not responsible for any legal liability.

Previous article: http://blog.csdn.net/dba_huangzj/article/details/38332605

Objective:

During the client and server visits, the authorization is maintained, and the connection can be accepted or denied through authentication. Because the authentication contains the address, password and other information, if the attacker intercepts this information, there will be an authorization relay attack (authentication relay attack), there are two ways to achieve this kind of attack, the first is called: Luring attack (luring attack) , the client is lured to the server set by the attacker. The second is called fraud attacks (spoofing attack), also known as man-in-the-middle attacks, where attackers intercept information between clients and SQL Server through DNS redirection, IP routing, and other technologies.

In 2009, Microsoft released its security report (Advisory 973811), which provided two mechanisms: service binding and channel binding. Service-binding requires the client to provide the signed SPN into the authorization information. If an attacker attempts to use a certificate obtained from linked information or does not provide a signed SPN, it will not be able to connect to SQL Server, which has little performance impact.

Channel binding provides a higher level of security, but has some performance impact. By using the Secure Transport Layer Protocol (Transport Layer Security (TLS)), inherited from SSL, you can ensure that the client is authorized to use channel Binding Token (CBT) and encrypt it.

Realize:

1. Open the SQL Server Configuration Manager, in the SQL Server Network Configuration node, right-click the protocol for the instance, open the Properties window and select the Advanced tab:

2, if the client supports "Extended Protection", select: "Must", otherwise, select "Allow":

3. If the SQL Server service belongs to some SPNs, add the name to the accepted NTLM SPN, separated by semicolons:

4, if you want to enable channel Binding Protection, and force all connection encryption, you can go to the "Flag" tab, "Force Encryption" is set to "yes", if the encryption does not require coercion, only the service Binding will be turned on.

Principle:

When extended protection is enabled in SQL Server Configuration Manager, you can choose to enable clients that support this feature, or you can force all connections to use, and Win 7 and Windows Server R2 have built-in extended protection to enable other clients. Need to install a patch: http://support.microsoft.com/kb/968389.

More:

More detailed information can be accessed: http://msdn.microsoft.com/zh-cn/library/ff487261.aspx and http://blogs.technet.com/b/srd/archive/2009/ 12/08/extended-protection-for-authentication.aspx