MS-SQL Windows Authentication Enforcement
| Attack ID: | CPAI-2004-54 |
| Publish Date: | |
| Last Update: | |
| Category: | MS-SQL Authentication |
| Vulnerable Systems: | Microsoft SQL Servers |
| Source: | SmartDefense Research Center |
| Description: | SQL Server Authentication sends passwords in a form that is considered unsafe, as it enables relatively easy password sniffing and cracking. Using the much stronger Windows Authentication provides a safer means of verifying user identity and avoids theft of user credentials. |
| Severity: | |
| Details: | Access to SQL server resources requires some sort of authentication mechanism which can be set to either SQL Server authentication or Windows authentication. Windows authentication is inherently more secure than SQL Server authentication (and therefore recommended by Microsoft). Windows credentials are delivered to SQL Server without passing the actual password, while SQL authentication sends the login name and password in unencrypted format. This means that anyone who can capture network traffic carrying client authentication information can easily retrieve it. |
| Attack Detection: | Users of VPN-1 NG with Application Intelligence R55, R55W and InterSpect who have applied the solution outlined below will be able to identify blocked non-Windows authentication attempts. Users of R55 will see rule number 6999 appearing in the SmartView Tracker log viewer. Users of R55W and InterSpect will receive the following log entries: Attack Name: MS-SQL Server Protocol Enforcement Violation |
| Solution: | Users of VPN-1 NG with Application Intelligence R55 and InterSpect should update their SmartDefense by clicking the Update Now button on the SmartDefense SmartDashboard General window. Users of VPN-1 NG with Application Intelligence R55W should update their SmartDefense by clicking the Online Update button on the SmartDefense SmartDashboard General window. The update adds a new check box option to the SmartDefense MS-SQL Server protocol window. The new protection, Enforce Windows Authentication, provides the ability to enforce Windows authentication upon connection to Microsoft SQL Servers. The protection also performs sanity checks on the SQL login packet, including verifying the packet size and the lengths of various fields. The protection has been added to the SmartDefense navigation tree, under MS-SQL > MS-SQL Server protocol. To enable the protection: 1. On the SmartDefense navigation tree, select Application Intelligence > MS-SQL > MS-SQL Server protocol. 2. Enable Enforce Windows Authentication. In order for the protection to work, make sure to enable both the 'Match on Any [Applies to NG with Application Intelligence R55 and above]' and the 'Block SA login attempt with blank password' options. 3. Install policy on all modules. |
| Industry Reference: | |
| Additional Information: | CERT IN-2002-04; National Security Agency (NSA) |
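The packet-level checks the Details and Solution rows describe (Windows versus SQL Server authentication, blank SA password, packet size and field-length sanity), as an added Python example that is not Check Point's code: field offsets follow the public MS-TDS LOGIN7 layout, the 86-byte fixed header (pre-TDS 7.2 layout) is an assumption, and the packets are constructed fixtures rather than captures.

```python
import struct

# Field positions inside the LOGIN7 payload (the 8-byte TDS packet header already
# stripped), following the MS-TDS LOGIN7 layout. fIntSecurity is the top bit of
# OptionFlags2; when set, the client authenticates with Windows credentials (SSPI)
# and the UserName/Password fields are left empty.
F_INTSECURITY = 0x80
OFF_LENGTH, OFF_OPTIONFLAGS2 = 0, 25
OFF_USERNAME, OFF_PASSWORD = 40, 44   # (ibUserName, cchUserName), (ibPassword, cchPassword)
FIXED_HEADER = 86                     # fixed portion incl. offset/length table (pre-7.2 layout; assumed)


def build_login7(user="", password="", integrated=False):
    """Constructed test fixture, not a captured packet. Only the string lengths matter
    to the checks below, so the password is written without the TDS obfuscation."""
    table, body, cursor = b"", b"", FIXED_HEADER
    for text in ("client1", user, password):          # HostName, UserName, Password
        enc = text.encode("utf-16-le")
        table += struct.pack("<HH", cursor if enc else 0, len(text))
        body, cursor = body + enc, cursor + len(enc)
    table += b"\x00" * (FIXED_HEADER - 36 - len(table))   # remaining pairs, ClientID, SSPI left empty
    flags2 = F_INTSECURITY if integrated else 0
    header = struct.pack("<IIIIIIBBBBiI", FIXED_HEADER + len(body), 0x71000001,
                         4096, 0, 0, 0, 0, flags2, 0, 0, 0, 0)
    return header + table + body


def inspect_login7(data):
    """Verdict for one LOGIN7 payload: 'allow' or 'block: <reason>'."""
    if len(data) < FIXED_HEADER:
        return "block: truncated LOGIN7"
    declared = struct.unpack_from("<I", data, OFF_LENGTH)[0]
    if declared != len(data):                            # packet size sanity check
        return "block: declared length does not match packet size"
    fields = {}
    for name, off in (("user", OFF_USERNAME), ("password", OFF_PASSWORD)):
        ib, cch = struct.unpack_from("<HH", data, off)   # offset, length in UTF-16 chars
        if cch and (ib < FIXED_HEADER or ib + 2 * cch > declared):
            return f"block: {name} field out of bounds"  # field length sanity check
        fields[name] = data[ib:ib + 2 * cch].decode("utf-16-le")
    if fields["user"].lower() == "sa" and not fields["password"]:
        return "block: SA login with blank password"
    if not data[OFF_OPTIONFLAGS2] & F_INTSECURITY:
        return "block: SQL Server authentication"        # credentials travel in the packet
    return "allow"
```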

