Is your SQL server secure?

This document is only for technical exchange and shall not be used for illegal purposes. I am not responsible for any problems.

Let's talk about one thing first. Last year, a colleague installed an XP system on his laptop, which has been added to the system users three times. The usernames are all internetusers. He asked his colleagues what their laptop has done recently, the answer is that a software company installed a set of database software. Now I basically understand what is going on, because my colleague's login interface does not display the administrator user name, And I press the restart key twice, log on to the system with the administrator user, and see the SQL server running icon. Open the query analyzer and log on with sa. The password is blank. The logon is successful.

650) this. width = 650; "onclick = 'window. open (" http://blog.51cto.com/viewpic.php? Refimg = "+ this. src) 'border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0TI615V-0.jpg "/>

I searched the internetusers keyword online and found that many people have encountered this problem. These problems are caused by the installation of sqlserver, and the sa password is too simple, it is estimated that intruders use some software to catch bots in batches.

Sa's weak password has serious consequences. Mr. Smith has written several articles in this area before. Ordinary computer users may not understand these articles. You should know something about your software company's technical staff, I called the manager of the software company and told my colleague about the computer. The manager said that he knew the danger of sa being empty and said that he would try to solve the problem, I am wondering why I don't tell my technical staff why, in case of data and database server problems, who should be responsible, i'm afraid it's still a dark box for software users and network administrators.

Software companies have a lot of security issues. Mr. Smith was invited to perform a security test on a local company last year. When the test was about to end, the Internet sniffed the SA password of an SQLServer database. According to the company's network administrator, the database server ran a set of software with a fixed IP address on the Internet, for data exchange with subsidiaries in various regions, the SA password is set by the software installer, and the database server has never encountered any security problems. Despite the complexity of the SA password, it consists of more than 10 characters, which are composed of digits and letters. But as soon as I saw some characters of the SA password, I immediately thought of a software company in China, will this software company have the same SA password settings, or most of them? After several months of testing, Mr. Smith found even more astonishing situations. Some database software products of multiple software companies in China have security risks, seriously threatening the security of running servers and data, intruders can completely control a large number of database servers on the Internet in a short time. As we all know, the following content is not illustrated, and only letters represent the name of the software company.

1. The background database of A product of Company A uses SQLServer database. During Server installation, A user is created in the database, which has the same permissions as SA, although the password is relatively complex, the password is the same. Once leaked, the security of the database server will be threatened, and the user's existence is not described in the product manual. The products of Company B and Company C share this situation.

2. It is also A product of Company A that uses the SQLServer database. I don't know why. The SA password is the same and has obvious features like non-weak password ), I suspect that this password was used as an example when the company trained technicians. Company D and E also have this situation.

3. Some products of Company F, G, and H are also SQL Server databases. When installing the server, a user is also created in the database. Fortunately, they are only common permissions, you can only perform operations on the database and cannot execute the extended stored procedure in the master database. Some of these user passwords are the same as the user name, and some are saved in the ini configuration file in plain text, once these usernames and passwords are disclosed, they may pose a threat to data security. When will the database privilege escalation vulnerability occur.

4. A software product of company I is installed on an embedded device, and the background database is also SQLServer. The SA password settings are complex by default, but they are all the same, the password is stored in a table in the database in plaintext format. After testing, we found that there is still a user in the database with the same permissions as SA. The password and SA are different, but they are also fixed. I don't know where to create the user.

For the sake of security and convenience management, many software companies recommend users to purchase remote access products from other companies after installing their own products, all the security measures are relatively good, and there are security functions such as signature binding and KEY options. Intruders cannot enable remote desktop service for Connection Control, but because the SA password has been leaked, remote Access software may also be cracked. The remote access software company J can authenticate the physical address of the network card of the access party. Intruders can obtain the physical address of the network card of the server through the Ipconfig/all command after obtaining the SA password of the server, then, change the physical address of your computer's network adapter to the physical address of the server's network adapter, and run the remote access client to connect to the server and perform graphic operations, of course, the premise is that the server can be remotely accessed in the settings. The access client of Remote Access Software Company K can be downloaded through the web method enabled by the server. However, you need to enter the correct user name and password on the web page, the user name and password on the Web page are stored in a file in the installation directory of the Remote Access software. Intruders can use the SA password to use the type command to obtain information in the file. The user name is in plain text, the password is encrypted by some inconvenience). After intruders crack the encrypted password and obtain the plaintext, they can log on to the background of the web management interface to obtain the distribution access client, run the client to manage the server graphically.

So many security risks are related to the use of SQL Server databases, but this does not mean that SQL Server databases have security problems, it is precisely because of the excellent stability and security of the SQLServer database that has been widely used. The security risk is only caused by the database users that have been built by the software, the software using other databases certainly has similar risks, but I have not tested it. I would like to explain it to avoid misunderstanding. Adding a user to a database seems to be a "hidden rule" of some software companies. I think the purpose of a software company is good to help users, this allows users to focus only on foreground program operations without worrying about how the background works, but ignores the security process, if the user can set the password of a new database user when installing the application, and encrypt the password and save it in the configuration file, it will be safer and more flexible, I believe that smart programmers will solve this problem.

There are a lot of servers on the Internet that run these software with security risks. These servers may have fixed IP addresses, or use peanut shells, steps, and other software for parsing, who knows, I hope this article will attract the attention of all software companies on product security, and do not threaten the security of database servers due to your negligence, let the majority of system maintenance personnel and network administrators back to the dark pot. Here are two methods to check whether the SQLServer server is intruded:

1. After intruders intrude into the server, they usually open 3389 of the server, create hidden users, and then log on. We only need to go to the C: \ Documents ents and Settings directory to check whether there is a user name available, whether hidden or not, it will be displayed here.

2. Some intruders prefer to keep a high-privilege SQL Server database user. As a backdoor, we can open the SQL Server Query analyzer and then open the master-system table-dbo in sequence. in sysxloginssqlserver2000, sql2005, and 2008, Mr. Smith did not find a method for viewing database users. If you know how to view the database users, you can see the sqlserver database users in the name column of this window, generally, there are three users: sa, BUILTIN \ Administrators, and NULL. If there are other users, there may be intrusions or the situations I mentioned above, so pay attention to them. Of course, these three users are not necessarily the only ones, mr. Wang has also seen multiple sa and NULL under the name, but he does not know what is going on. The specific problem still needs to be analyzed.

This article from the "Network Management Mr. Wang" blog, please be sure to keep this source http://xiaowang.blog.51cto.com/1083/517691