Logging on as SA. It Never Fails

From books on-line:

System administrator (sa) is a special login provided for backward compatibility. By default, it is assigned to the sysadmin fixed server role and cannot be changed. Although sa is a built-in administrator login, do not use it routinely. Instead, make system administrators members of the sysadmin fixed server role, and have them log on using their own logins. Use sa only when there is no other way to log in to an instance of Microsoft® SQL Server™ (for example, when other system administrators are unavailable or have forgotten their passwords).

Everytime I teach a SQL Server course, I tell about the horrors of having an application logging in as sa.  I tell them that if you must run in mixed mode, don't assign sa a password, assign it a passsentence.  You've got 128 letters, use them all.  How about "This is my sa pâssword!  Every time I use sa I will do 100 pushups so I can beat up geeks who tell me not to use it!@#$%^&*()[]{}"

I think that's a pretty safe password.  120+ characters, numbers, symbols, mixed case and a little international flava thrown in too.  You'd need one dedicated individual to launch a brute force attack on that password (my estimate is that it would take about 1.1e267 tries to guess it with a brute for attack).

Anyways, every single time I mention this in a SQL Server course, at least one person (sometimes two or three) tells me that some accounting package or cash register system requires them to login with the sa account.  And even worse, the password will ALWAYS be one of three things: password, admin or a blank password.  So they always try to change it to something more secure, and the app will basically implode on itself because it requires the sa account with that password because they've hard coded it like that.  As Charlie Brown would say, "ARGHHHHH."

Ok, if you are one of the people who have no idea why this is a bad idea, let me break it down for you (if you are a database guru (or even just not security-impaired individual) you might want to stop reading because this will probably be boring to you (unless you like laughing at the misfortune of others)).  This is all kinds of bad-times.  For a quick security review, remember that writing a secure app is like defending a castle.  You have to defend all possible ways in.  An attacker only has to find one weak spot.  The more layers of security, the easier it will be for you to defend.

SQL Injection Attacks.
Steven Livingston broke it down nicely in a past post, so I'm not going to cover it again.  You can use Google to search for SQL Injection for more information.  Anyways, I get “we do security through the user interface” quite a bit.  Well that's great.  Just make sure that you have bullet proof validation code.  And pray that your newly hired intern that you've got working on some trivial reporting aspect of the app also writes bullet proof code.  Oh, and stored procedures will not always save you.  Anyone ever seen a stored procedure that has code that looks like this: "exec ('SELECT FirstName, LastName from Employees WHERE City IN (' + @CityList + ')'"?  You and I may be security experts, but all it takes is someone else on our team who was up late drinking Martinis and playing Prince of Persia to come in a introduce a whole slew of bad times.  For more SQL Injection fun, Ted Neward has a really nice post on SQL Injection attacks and sillyness vendors are guilty of.

Brute Force Attack
Guess what SQL Server doesn't do?  Lock out accounts after x amount of bad logins.  You can try as many password combinations as you want.  And the best part?  You already know the username!  Yea haw!  In 10 minutes, I wrote an application that scans the network looking for SQL Servers, and tries 2000 common admin passwords.  The hardest part was finding a text file with passwords and remembering how to read in textfiles (XML, how you spoil me).  For a single server, it can do all 2000 passwords in less than 10 seconds.  Guess what...it can find “admin” as a password pretty easily. 

“Who cares, we are behind a firewall!” you say?  Guess what?  You guessed it, most attacks come from within the firewall.  All it takes is one sales person to run an attachment that launches this attack.  Block exes, scrs, cmds, bats, .pifs and whatever executables as attachments?  Great!  But all it takes is one person to write an old school virus that attaches itself to a floppy disk, or someone gets it via an attachment from their hotmail account and it's hamster huey and the big kablooie time. 

Right-click, open with Notepad
You can view connection strings from notepad you know.  You can view any string really.  Take a look at this program, creatively called Strings.  A little search for password= would work nicely.  I'd be amazed that if people logging into SQL Server with an sa account could spell DES, let alone know to encrypt connection strings.

The scary:

This is what always gets people a little nervous.  In class, I tend to format partitions from a text box in Visual Basic using XP_CMDSHELL.  I'll also create domain users with a password of my choosing.  All kinds of fun stuff.  Give me access to XP_CMDSHELL and you've given me the world (well, at least the local computer and perhaps the network).  And you just know that people that login to SQL Server as sa also give SQL Server domain admin permissions...

Subtle Data Changes
Someone dropping a database or formatting a hard drive doesn't scare me.  We've got backup tapes.  What scares me is someone writing code that makes subtle changes.  Perhaps flipping numbers in address or phone numbers.  Deleting a character from an e-mail address.  Adding tiny amounts to purchases or inventory levels.  Things that might not be figured out for week, way past when our backup tapes get rotated back into circulation.

So, how do you solve this?  First of all, don't log on as sa, dummy.  If you need to do some "admin" like tasks, break them off into a separate application.  And even then make sure you need the sa level of security.  I'd create a separate login with "backup operator" privileges, or whatever else is needed.  I'd also HIGHLY recommend not even using SQL Server authentication.  Windows Auth is default for a reason.  It's not that hard to use, in fact you might even find it easier (and for the love of god, don't require people to log in as Administrator to use the app too!!!!!). 

No Comments