articles

Articles of SQLschool.gr Team

How to find SQL Logins with blank password

Antonios Chatzipavlis

Tuesday 18 October 2016

Παρόλο που κανένας σώφρων επαγγελματίας δεν αφήνει sql logins με blank password δυστυχώς υπάρχουν κάποιοι που κάνουν κάτι τέτοιο.

Όταν με φωνάζουν να κοιτάξω έναν SQL Server τρέχω διάφορα queries για να μπορέσω να καταλάβω σε τι θα μπλέξω και τι ανακόντα θα βρω μπροστά μου.

Ένα από αυτά που τρέχω είναι το παρακάτω το οποίο μου δείχνει αν κάποιο sql login έχει blank password και αν είναι ενεργοποιημένο ή όχι.

Σε αυτό κάνω χρήση μιας όσο και τόσο γνωστής (δυστυχώς) function της PWDCOMPARE

Απλά τρέξετε το και κάντε κάτι για αυτό γιατί είναι αμαρτία να είστε βορά σε κάθε κακόβουλο. Επίσης αυτό είναι κάτι που αποτρέπεται by default με το enforce password policy και δεν μπορώ να καταλάβω γιατί κάποιος το βγάζει σε παραγωγικό περιβάλλον.

select    name
    ,    is_disabled
    ,    case PWDCOMPARE('',password_hash)
        when 0 then 'No'
        when 1 then 'Yes'
        end as has_blank_password
from sys.sql_logins

name                                     is_disabled has_blank_password
---------------------------------------- ----------- ------------------
sa                                       0           No
##MS_PolicyTsqlExecutionLogin##          1           No
u1                                       0           No
##MS_PolicyEventProcessingLogin##        1           No
mitsos                                   0           Yes

Antonios Chatzipavlis

Antonios is a Data Solutions Consultant and Trainer. He has been working in IT since 1988. In his career, he has worked as senior developer, IT Manager, Solutions Architect and IT Consultant. Since 1995 he has been devoted on new technologies and software development tools, mainly by Microsoft, either by training company staff and colleagues or assisting them in design, development and implementation as a consultant or chief developer. He has focused in Databases and Data Science since 1995. He specialized in Microsoft SQL Server since version 6.0 in areas like SQL Server Internals, Database Design and Development, Business Intelligence and in 2010 he has started working with Azure Data Platform, NoSQL databases, Big Data Technologies and Machine Learning. He is an active member of many IT communities in Greece, answering colleagues' questions and writing articles in his web site. He is the owner of SQLschool.gr which is a community portal with a lot of information about Microsoft SQL Server. He has been a Microsoft Certified Trainer (MCT) since 2000. Microsoft honored him as MVP on Data Platform due to his activities in SQL Server since 2010. He holds a large number of Microsoft Certifications and Microsoft SQL Server Certifications since version 6.5.