Fix for missing cryptographic salt variation in the SQL Server sa login password hash

Note: This article was translated by Microsoft's automatic machine-translation software without human intervention. Microsoft offers both human-translated and machine-translated articles so that you can access all Knowledge Base articles in your own language. Machine-translated articles are not always perfect, however; they may contain vocabulary, syntax or grammar errors, much like those a foreign speaker makes in your language. Although we regularly upgrade the machine-translation software to improve quality, Microsoft does not guarantee the accuracy of machine translations and is not responsible for any direct or indirect problems caused by mistranslated content or by a customer's misuse of it.

Click here to view the English version of this article: 980671
Symptoms
In Microsoft SQL Server 2005 and later versions, multiple instances of SQL Server use the same cryptographic salt for the built-in sa login. Because the salt value is identical across all installations, certain kinds of brute-force attacks become more feasible if an attacker can first obtain the hashed password. The hashed password is available only to SQL Server administrators.
Cause
In SQL Server 2005 and later versions, the cryptographic salt value is generated together with the sa login. If CHECK_POLICY is enabled, the salt value is not regenerated when a user changes the password, so that the password history remains consistent. CHECK_POLICY is enabled by default in SQL Server 2005. When CHECK_POLICY is disabled, salt consistency is no longer required for the sa login, and a new salt value is generated on the next password change.

Although this applies to all accounts, the sa login is created during the build process. Its salt value is therefore the one generated during the build, and it is preserved by SQL Server Setup for every instance that is installed.

Note: In SQL Server 2008, this issue also affects the default logins used by the Policy-Based Management feature, but with reduced risk, because these logins are disabled by default.

Mitigation

Even though the cryptographic salt value remains the same across multiple installations, this does not by itself sufficiently compromise the security of the password hash. To exploit this behavior, a malicious user must already have administrative access to the SQL Server instance in order to obtain the password hash. If best practices are followed, ordinary users cannot retrieve the password hash and therefore cannot take advantage of the missing salt variation.
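The Cause and Mitigation sections above boil down to two questions an administrator can answer per instance: is the sa login still carrying its build-time salt with CHECK_POLICY on, and which principals are able to read password hashes at all. The following T-SQL is an added example, not part of the KB article. It assumes the 0x0100 hash layout used by SQL Server 2005 and 2008 (2-byte version, 4-byte salt, 20-byte SHA-1), so the salt is bytes 3 to 6 of password_hash, and it assumes that sysadmin members and explicit CONTROL SERVER grantees are the "administrators" the article refers to.

```sql
-- Added example (not from the KB article): per-instance checks for the
-- shared-salt condition and for who can read password hashes.
--
-- Assumption: SQL Server 2005/2008 password_hash layout (version 0x0100)
--   bytes 1-2  version
--   bytes 3-6  4-byte salt
--   bytes 7-26 SHA-1 of password + salt
-- so the salt is SUBSTRING(password_hash, 3, 4).

-- 1. State of the login with SID 0x01 (normally "sa", but it may be renamed).
--    is_policy_checked = 1 means CHECK_POLICY is on, so the salt survives
--    password changes. Run this on each instance and compare the salt column:
--    the same value everywhere is the build-time salt the article describes.
SELECT  l.name,
        l.is_policy_checked,
        l.is_disabled,
        SUBSTRING(l.password_hash, 1, 2) AS hash_version,
        SUBSTRING(l.password_hash, 3, 4) AS salt,
        l.modify_date
FROM    sys.sql_logins AS l
WHERE   l.sid = 0x01;

-- 2. Principals with administrative access to the instance (assumed here to
--    be sysadmin members plus explicit CONTROL SERVER grants). These are the
--    accounts whose compromise would expose the hash in the first place.
SELECT  p.name, p.type_desc, 'sysadmin member' AS reason
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
UNION ALL
SELECT  p.name, p.type_desc, 'explicit CONTROL SERVER grant'
FROM    sys.server_permissions AS sp
JOIN    sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE   sp.permission_name = N'CONTROL SERVER'
  AND   sp.state IN ('G', 'W')   -- GRANT and GRANT WITH GRANT OPTION
ORDER BY name;
```

Keeping the second list short is the practical mitigation the article points to: the fewer principals that can read sys.sql_logins.password_hash, the less the shared salt matters.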
Workaround
For SQL Server 2005 Service Pack 2 or later, you can run the following script to reset the cryptographic salt value for the sa login. To run this script, you must be logged in with an account that has CONTROL SERVER permission or that is a member of the sysadmin server role. You should be aware that, after you reset the cryptographic salt, the password history for the sa login will also be reset.
-- Work around for SQL Server 2005 SP2+
--
-- Sets the password policy check off for [sa]
-- Replaces [sa] password with a random byte array
-- NOTE: This effectively replaces the sa password hash with
-- a random bag of bytes, including the salt,
-- and finally sets the password policy check on again
--
-- After resetting the salt,
-- it is necessary to set the sa password,
-- or if preferred, disable sa
--
CREATE PROC #sp_set_new_password_and_set_for_sa(@new_password sysname, @print_only int = null)
AS
    DECLARE @reset_salt_pswdhash nvarchar(max)
    DECLARE @random_data varbinary(24)
    DECLARE @hexstring nvarchar(max)
    DECLARE @i int
    DECLARE @sa_name sysname;

    -- Look up the current name of the login with SID 0x01 (normally "sa")
    SET @sa_name = suser_sname(0x01);
    -- 24 random bytes: 4 will become the salt, 20 the (meaningless) hash
    SET @random_data = convert(varbinary(16), newid()) + convert(varbinary(8), newid())
    SET @hexstring = N'0123456789abcdef'
    -- 0x0100 is the hash version prefix used by SQL Server 2005/2008
    SET @reset_salt_pswdhash = N'0x0100'
    SET @i = 1
    -- Render the random bytes as a hex literal, one byte (two nibbles) per loop
    WHILE @i <= 24
    BEGIN
        declare @tempint int
        declare @firstint int
        declare @secondint int
        select @tempint = convert(int, substring(@random_data,@i,1))
        select @firstint = floor(@tempint/16)
        select @secondint = @tempint - (@firstint*16)
        select @reset_salt_pswdhash = @reset_salt_pswdhash +
            substring(@hexstring, @firstint+1, 1) +
            substring(@hexstring, @secondint+1, 1)
        set @i = @i+1
    END
    DECLARE @sql_cmd nvarchar(max)
    SET @sql_cmd = N'ALTER LOGIN ' + quotename(@sa_name) + N' WITH CHECK_POLICY = OFF;
    ALTER LOGIN ' + quotename(@sa_name) + N' WITH PASSWORD = ' + @reset_salt_pswdhash + N' HASHED;
    ALTER LOGIN ' + quotename(@sa_name) + N' WITH CHECK_POLICY = ON;
    ALTER LOGIN ' + quotename(@sa_name) + N' WITH PASSWORD = ' + quotename(@new_password, '''') + ';'
    IF( @print_only is not null AND @print_only = 1 )
        print @sql_cmd
    ELSE
        EXEC( @sql_cmd )
go
---------------------------------------------------------------------------------------
-- Usage example:
--
DECLARE @new_password sysname
-- Use tracing obfuscation in order to filter the new password from SQL traces
-- (a statement that references EncryptByPassphrase is replaced by a comment in trace output):
-- http://blogs.msdn.com/sqlsecurity/archive/2009/06/10/filtering-obfuscating-sensitive-text-in-sql-server.aspx
--
SELECT @new_password = CASE WHEN 1=1 THEN
    -- TODO: replace the password placeholder below with a strong password
    N'##[MUST_CHANGE: replace this placeholder with a new password]##'
    ELSE EncryptByPassphrase('','') END
EXEC #sp_set_new_password_and_set_for_sa @new_password
go
DROP PROC #sp_set_new_password_and_set_for_sa
go
For SQL Server 2008, you can run the following script. To run this script, you must be logged in with an account that has CONTROL SERVER permission or that is a member of the sysadmin server role.
-- Work around for SQL Server 2008
--
--------------------------------------------------------------------------
-- Set the password policy check off for [sa]
-- Reset the password
-- Set the password policy check on for [sa] once again
--
-- NOTE: The password history will be deleted
--
CREATE PROC #sp_set_new_password_and_set_for_sa(@new_password sysname, @print_only int = null)
AS
    DECLARE @sql_cmd nvarchar(max);
    DECLARE @sa_name sysname;
    -- Get the current name for SID 0x01.
    -- By default the name should be "sa", but the actual name may have been changed by the system administrator
    --
    SELECT @sa_name = suser_sname(0x01);
    -- NOTE: This password will not be subject to password policy or complexity checks.
    -- If desired, this step can use a "throw away" password instead,
    -- with the real password set after the check policy setting has been turned back on
    --
    SELECT @sql_cmd = 'ALTER LOGIN ' + quotename(@sa_name) + ' WITH CHECK_POLICY = OFF;
    ALTER LOGIN ' + quotename(@sa_name) + ' WITH PASSWORD = ' + quotename(@new_password, '''') + ';
    ALTER LOGIN ' + quotename(@sa_name) + ' WITH CHECK_POLICY = ON;'
    IF( @print_only is not null AND @print_only = 1 )
        print @sql_cmd
    ELSE
        EXEC( @sql_cmd )
go
---------------------------------------------------------------------------------------
-- Usage example:
--
DECLARE @new_password sysname
-- Use tracing obfuscation in order to filter the new password from SQL traces
-- (a statement that references EncryptByPassphrase is replaced by a comment in trace output):
-- http://blogs.msdn.com/sqlsecurity/archive/2009/06/10/filtering-obfuscating-sensitive-text-in-sql-server.aspx
--
SELECT @new_password = CASE WHEN 1=1 THEN
    -- TODO: replace the password placeholder below with a strong password
    N'##[MUST_CHANGE: replace this placeholder with a new password]##'
    ELSE EncryptByPassphrase('','') END
EXEC #sp_set_new_password_and_set_for_sa @new_password
go
DROP PROC #sp_set_new_password_and_set_for_sa
go
In SQL Server 2008, the cryptographic salt for the Policy Based Management logins can be reset by using the following script. To run this script, you must be logged in with an account that has CONTROL SERVER permission or that is a member of the sysadmin server role.
--------------------------------------------------------------------------
-- Set the password policy check off for the Policy principals
-- Reset the password
-- Set the password policy check on for them once again
--
-- NOTE:
-- These principals are not intended to establish connections to SQL Server
-- So this SP will also make sure they are disabled
--
CREATE PROC #sp_reset_password_and_disable(@principal_name sysname, @print_only int = null)
AS
    DECLARE @random_password nvarchar(max)

    -- Two GUIDs concatenated: a throw-away password nobody needs to know
    SET @random_password = convert(nvarchar(max), newid()) + convert(nvarchar(max), newid())
    DECLARE @sql_cmd nvarchar(max)
    SET @sql_cmd = N'ALTER LOGIN ' + quotename(@principal_name) + N' WITH CHECK_POLICY = OFF;
    ALTER LOGIN ' + quotename(@principal_name) + N' WITH PASSWORD = ''' + replace(@random_password, '''', '''''') + N''';
    ALTER LOGIN ' + quotename(@principal_name) + N' WITH CHECK_POLICY = ON;
    ALTER LOGIN ' + quotename(@principal_name) + N' DISABLE;'
    IF( @print_only is not null AND @print_only = 1 )
        print @sql_cmd
    ELSE
        EXEC( @sql_cmd )
go
EXEC #sp_reset_password_and_disable '##MS_PolicyEventProcessingLogin##';
EXEC #sp_reset_password_and_disable '##MS_PolicyTsqlExecutionLogin##';
go
SELECT name, password_hash, is_disabled FROM sys.sql_logins
go
DROP PROC #sp_reset_password_and_disable
go
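The workaround scripts above do not report whether the reset actually took effect. The following T-SQL is an added example, not part of the KB article: it snapshots the sa login before the workaround, and afterwards checks that the salt and the full hash changed, that CHECK_POLICY is back on, and (SQL Server 2008) that the Policy-Based Management logins are disabled. It assumes the 0x0100 hash layout (2-byte version, 4-byte salt, 20-byte SHA-1), so the salt is SUBSTRING(password_hash, 3, 4); #sa_before is a temporary table created here, and the three steps must run in the same session.

```sql
-- Added example (not from the KB article): verify the salt reset.
-- Assumption: password_hash layout is 0x0100 | 4-byte salt | 20-byte SHA-1.

-- Step 1: snapshot the login with SID 0x01 (normally "sa") BEFORE the workaround
IF OBJECT_ID('tempdb..#sa_before') IS NOT NULL DROP TABLE #sa_before;
SELECT  name,
        SUBSTRING(password_hash, 3, 4) AS salt,
        password_hash,
        is_policy_checked,
        modify_date
INTO    #sa_before
FROM    sys.sql_logins
WHERE   sid = 0x01;

-- Step 2: run the workaround script for your SQL Server version (from this
--         article) in this same session.

-- Step 3: compare. Every row should read 'OK'; a 'FAIL' row means the reset
--         did not take effect or left the login in the wrong state.
SELECT  chk.check_name,
        CASE WHEN chk.passed = 1 THEN 'OK' ELSE 'FAIL' END AS result
FROM (
    SELECT 'salt changed' AS check_name,
           CASE WHEN SUBSTRING(a.password_hash, 3, 4) <> b.salt THEN 1 ELSE 0 END AS passed
    FROM   sys.sql_logins AS a
    JOIN   #sa_before AS b ON b.name = a.name
    WHERE  a.sid = 0x01
    UNION ALL
    SELECT 'full hash changed',
           CASE WHEN a.password_hash <> b.password_hash THEN 1 ELSE 0 END
    FROM   sys.sql_logins AS a
    JOIN   #sa_before AS b ON b.name = a.name
    WHERE  a.sid = 0x01
    UNION ALL
    SELECT 'CHECK_POLICY back on',
           CASE WHEN a.is_policy_checked = 1 THEN 1 ELSE 0 END
    FROM   sys.sql_logins AS a
    WHERE  a.sid = 0x01
    UNION ALL
    -- On SQL Server 2005 these logins do not exist, so 0 = 0 passes trivially
    SELECT 'PBM logins disabled',
           CASE WHEN COUNT(*) = SUM(CASE WHEN is_disabled = 1 THEN 1 ELSE 0 END)
                THEN 1 ELSE 0 END
    FROM   sys.sql_logins
    WHERE  name IN (N'##MS_PolicyEventProcessingLogin##',
                    N'##MS_PolicyTsqlExecutionLogin##')
) AS chk;

DROP TABLE #sa_before;
```

The "salt changed" row is the one that matters for this article; "full hash changed" will also pass after any ordinary password change, so on its own it does not prove the salt was regenerated.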
Status
This issue will be addressed in a future service pack for SQL Server 2005 and SQL Server 2008, and in future versions of SQL Server.
More information
Microsoft thanks the following for working with us to help protect customers:


Properties

Article ID: 980671 - Last Review: 03/02/2010 23:15:17 - Revision: 1.0

Microsoft SQL Server 2005 Developer Edition, Microsoft SQL 2005 Server Enterprise, Microsoft SQL Server 2005 Enterprise Edition for Itanium Based Systems, Microsoft SQL Server 2005 Enterprise X64 Edition, Microsoft SQL Server 2005 Standard Edition, Microsoft SQL Server 2005 Standard X64 Edition, Microsoft SQL 2005 Server Workgroup, Microsoft SQL Server 2008 Developer, Microsoft SQL Server 2008 Enterprise, Microsoft SQL Server 2008 Standard, Microsoft SQL Server 2008 Web, Microsoft SQL Server 2008 Workgroup
