Bugtraq mailing list archives

RE: New Paper: Microsoft SQL Server Passwords


From: "Pauli Porkka" <pauli.porkka () prettybit fi>
Date: Wed, 10 Jul 2002 12:00:45 +0300

Unfortunately, changing the collation to case sensitive means that all the
stored procedures and direct SQL queries need to be case sensitive as well,
meaning that, for example, creating a table "Customer" and referring to it
with "customer" in an SQL query will produce an error. So when changing to a
case-sensitive collation, make sure that all the procedures and SQL queries
(including any SQL scripts which create a database and its tables and so
forth) are checked on a non-production database before proceeding.


Pauli Porkka/PrettyBit Software Oy
pauli.porkka () prettybit fi
www.prettybit.fi

-----Original Message-----
From: Toni Lassila [mailto:toni.lassila () mc-europe com]
Sent: 9 July 2002 8:55
To: NGSSoftware Insight Security Research
Cc: bugtraq () securityfocus com
Subject: RE: New Paper: Microsoft SQL Server Passwords


-----Original Message-----
From: NGSSoftware Insight Security Research
[mailto:nisr () nextgenss com]
Sent: Monday, July 08, 2002 17:33
To: bugtraq () securityfocus com
Subject: New Paper: Microsoft SQL Server Passwords


Hi all, I've written a paper on how users' passwords, or
rather their hashes, are stored in Microsoft's SQL Server.
The paper discusses the manner in which they are hashed and
how they can be more easily brute forced as two hashes
are stored: a case sensitive password hash and an upper case
password hash are produced. Needless to say, when auditing
password strength, it is far easier to go after the UPPER cased
version.

An added weakness that has not been widely noted:

If you select a case-insensitive collation for your SQL Server
installation, the user accounts and passwords will be case
insensitive as well. This means there is a good chance any
given SQL Server will have very weak passwords.

You can verify if you are operating with case-insensitive
passwords by running this query:

Select SERVERPROPERTY(N'Collation')

If the name of the collation setting contains 'CI' instead
of 'CS', all your SQL login passwords are case-insensitive.
To remedy this is not a simple task, though. I quote from BOL:


"After a collation has been assigned to any object other
than a column or database, you cannot change the collation
except by dropping and re-creating the object. This can be
a complex operation. To change the default collation for an
instance of Microsoft® SQL Server(tm) 2000 you must:

Make sure you have all of the information or scripts needed
to re-create your user databases and all of the objects in them.

Export all of your data using a tool such as bulk copy.

Drop all of the user databases.

Rebuild the master database specifying the new collation.

Create all of the databases and all of the objects in them.

Import all of your data."


this. (With a Windows account people have access to other
operating system services as well as SQL Server, but with just
an SQL login they should only be able to access the SQL
Services. The latter is the 'more safe' option in the author's
opinion)

With this I simply disagree.

--
Toni Lassila        toni.lassila () mc-europe com
Operations Engineer           +358 9 5655 1882
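
The pre-change check described in the reply at the top of this thread, as an added example that is not part of the original messages: a Python script that collects object names from CREATE statements and reports every reference whose casing differs, which is what would start failing under a 'CS' collation. The file names and SQL text are constructed samples, and the regex matching is an assumption made for illustration, not a full T-SQL parser.

```python
import re

# Constructed sample scripts (not from the thread): one schema file, one report file.
SAMPLE_SCRIPTS = {
    "schema.sql": (
        "CREATE TABLE dbo.Customer (Id int, Name varchar(50))\n"
        "CREATE PROCEDURE GetCustomer AS SELECT Id, Name FROM Customer\n"
    ),
    "report.sql": (
        "SELECT c.Name FROM customer c  -- breaks under a CS collation\n"
        "EXEC getcustomer\n"
        "/* CUSTOMER totals */\n"
        "SELECT 'customer' AS Label FROM Customer\n"
    ),
}

# String literals and comments are blanked so their contents are not flagged.
NOISE = re.compile(r"'(?:[^']|'')*'|--[^\n]*|/\*.*?\*/", re.S)
CREATE = re.compile(r"\bCREATE\s+(?:TABLE|VIEW|PROC(?:EDURE)?|FUNCTION)\s+"
                    r"(?:\[?\w+\]?\.)?\[?(\w+)\]?", re.I)
WORD = re.compile(r"\w+")

def strip_noise(sql):
    """Remove literals/comments but keep newlines so line numbers stay valid."""
    return NOISE.sub(lambda m: "\n" * m.group().count("\n"), sql)

def declared_names(scripts):
    """Map lower-cased object name -> casing used in its CREATE statement."""
    names = {}
    for sql in scripts.values():
        for m in CREATE.finditer(strip_noise(sql)):
            names.setdefault(m.group(1).lower(), m.group(1))
    return names

def case_mismatches(scripts):
    """Return (file, line, found, declared) for references whose casing differs."""
    names = declared_names(scripts)
    hits = []
    for fname, sql in scripts.items():
        for lineno, line in enumerate(strip_noise(sql).splitlines(), 1):
            for tok in WORD.findall(line):
                want = names.get(tok.lower())
                if want and tok != want:
                    hits.append((fname, lineno, tok, want))
    return hits

if __name__ == "__main__":
    for hit in case_mismatches(SAMPLE_SCRIPTS):
        print("%s:%d: '%s' should be '%s'" % hit)
```

A column or alias that shares a name with a declared object will also be reported, so each hit needs a manual look before the collation is changed.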

