A few words on SQL Server security

Well, lately there has been quite a lot of talk about security.

Security is a very fragile matter, since it is so easy to compromise.

Even the most sound security strategy can be half compromised just by sending a screenshot of your SQL Server Management Studio window over the internet.

For example, you have a consultant helping you to solve a problem remotely, and the consultant asks you to send a screenshot of an error message by email.

You take the screenshot and send it, without removing the server and instance names.

Here is what just went wrong:

  • once the screenshot is saved to disk (on your machine, on the mail servers, on the recipient's machine), other people can read it
  • an email travels through several mail servers, often without encryption, before it reaches the recipient, and it can be stored or logged anywhere along the way
  • there is always someone somewhere who would be interested in the server and instance name

Here is a lesson 101 on hacking:

“Gather as much information as possible because every bit of information gets you closer to getting in”.

According to this lesson, knowing the server name, for example, makes the attack much easier, because it is one unknown fewer.

Here is an example: if someone wanted to get unauthorized access to a SQL Server instance, they would need the following:

  • network access to the server
  • server name and instance name
  • login name
  • password

So, let's say each one of the above is 25% of the work of breaking into the system.

Wait, by sending that image (the one that has the server and instance name in it) over the internet you just lost 25% of your security.

If you have the sa account enabled, you just lost another 25% of your security by default.

Now, what is left is a 50% secure system, and if someone really wanted to harm it, they would need physical access to the network and/or a loophole in the firewall, and then they can start working on the last 25% of the breach: finding out the sa password. Since the login name is known, that last step is a plain guessing exercise against a single account.


To be fair, here is lesson 101 of securing SQL Server after installing it:

“Create a login which is a sysadmin with a strong password and immediately disable the default sa account.”

Why?

Because the sa login is predictable: its name is known to everyone, so an attacker already holds half of the credential pair before they start, and by the arithmetic above the account is 50% less secure than a login with an unknown name. (Note that if the instance was installed in Windows Authentication mode, sa is created disabled; the problem is the many installs that pick Mixed Mode and leave it enabled.)
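Here is the lesson 101 above as T-SQL, added as an example and not taken from the original post. The login name ops_admin, the replacement name for sa and the password are placeholders that you should change; it is meant to be run from a sysadmin connection right after installation.

```sql
-- Added example, not part of the original post: the "lesson 101" as T-SQL.
-- The login name ops_admin, the new name for sa and the password are
-- placeholders (assumptions); generate the real password from a password manager.
USE master;
GO

-- 1. Create the replacement sysadmin login. CHECK_POLICY makes SQL Server
--    enforce the Windows password policy (length, complexity, lockout) on it.
CREATE LOGIN [ops_admin]
    WITH PASSWORD = N'replace-me-with-a-long-random-passphrase',
         CHECK_POLICY = ON;
GO

-- 2. Make it a sysadmin. On SQL Server 2008 R2 and earlier use
--    EXEC sp_addsrvrolemember 'ops_admin', 'sysadmin'; instead.
ALTER SERVER ROLE [sysadmin] ADD MEMBER [ops_admin];
GO

-- 3. Before touching sa, open a second connection as ops_admin and confirm
--    it works, so you do not lock yourself out. Then disable sa:
ALTER LOGIN [sa] DISABLE;
GO

-- Optional: also take away the predictable name that makes sa a target.
-- The new name is a placeholder as well.
ALTER LOGIN [sa] WITH NAME = [legacy_admin_disabled];
GO

-- 4. Verify: the built-in sa login (principal_id 1, whatever it is now
--    called) must be disabled, and ops_admin must be enabled and a sysadmin.
SELECT name,
       is_disabled,
       IS_SRVROLEMEMBER('sysadmin', name) AS is_sysadmin
FROM sys.server_principals
WHERE principal_id = 1          -- the built-in sa login under its current name
   OR name = 'ops_admin';
GO
```

The final SELECT should show the built-in login with is_disabled = 1 and ops_admin with is_disabled = 0 and is_sysadmin = 1. Where the server is domain joined, a Windows login or group in the sysadmin role is the better choice than a second SQL login, but the steps for sa stay the same either way.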

(One time I was visiting a friend at a gated community and as I was waiting for him to come pick me up from the front door downstairs, I tried the PIN pad, just out of boredom. I typed 1234#, and guess what: I was in. True story. Remember the movie “Spaceballs”? The code to the atmosphere shield was 1234… :) )

Anyhow, this is why I am saying that security is only as good as the awareness of it.
