Fix for the lack of cryptographic salt variation in the SQL Server sa login hash

Symptoms
In Microsoft SQL Server 2005 and later versions, the built-in sa login uses the same cryptographic salt across multiple SQL Server instances. Because the salt is identical for all installations, certain kinds of brute-force attacks become more practical if an attacker can first gain access to the hashed password. The hashed password is available only to SQL Server system administrators.
Cause
In SQL Server 2005 and later versions, the cryptographic salt is generated together with the sa login. When CHECK_POLICY is enabled, the cryptographic salt is not regenerated when the user changes the password, so that the password history remains consistent. By default, CHECK_POLICY is enabled in SQL Server 2005. When CHECK_POLICY is disabled, salt consistency is no longer required for the sa login, and a new salt is generated on the next password change.

Although this applies to all accounts, the sa login account is created during the build process. Its salt is therefore carried over to every SQL Server instance installed by Setup media produced during that same build.

Note: For SQL Server 2008, this issue also affects the default logins used by the Policy-Based Management feature, but the risk is lower because these logins are disabled by default.

Mitigating factors

Even though the cryptographic salt remains the same across multiple installations, this alone is not enough to compromise your password hash. To exploit this behavior, a malicious user must have system administrator access to the SQL Server instance in order to obtain the password hash. If best practices are followed, ordinary users cannot retrieve the password hash and therefore cannot take advantage of the lack of salt variation.
Workaround
For SQL Server 2005 Service Pack 2 or later, you can run the following script to reset the cryptographic salt of the sa login account. To run the script, you must log in with an account that has CONTROL SERVER permission or is a member of the sysadmin server role. You should be aware that, after you reset the cryptographic salt, the password history for the sa login will also be reset.
-- Work around for SQL Server 2005 SP2+
--
-- Sets the password policy check off for [sa]
-- Replaces [sa] password with a random byte array
-- NOTE: This effectively replaces the sa password hash with
-- a random bag of bytes, including the salt,
-- and finally sets the password policy check on again
--
-- After resetting the salt,
-- it is necessary to set the sa password,
-- or if preferred, disable sa
--
CREATE PROC #sp_set_new_password_and_set_for_sa(@new_password sysname, @print_only int = null)
AS
	DECLARE @reset_salt_pswdhash nvarchar(max)
	DECLARE @random_data varbinary(24)
	DECLARE @hexstring nvarchar(max)
	DECLARE @i int
	DECLARE @sa_name sysname;

	SET @sa_name = suser_sname(0x01);
	SET @random_data = convert(varbinary(16), newid()) + convert(varbinary(8), newid())
	SET @hexstring = N'0123456789abcdef'
	SET @reset_salt_pswdhash = N'0x0100'
	SET @i = 1
	-- Hex-encode the 24 random bytes one byte at a time (two hex digits per byte)
	WHILE @i <= 24
	BEGIN
		declare @tempint int
		declare @firstint int
		declare @secondint int
		select @tempint = convert(int, substring(@random_data,@i,1))
		select @firstint = floor(@tempint/16)
		select @secondint = @tempint - (@firstint*16)
		select @reset_salt_pswdhash = @reset_salt_pswdhash +
			substring(@hexstring, @firstint+1, 1) +
			substring(@hexstring, @secondint+1, 1)
		set @i = @i+1
	END
	DECLARE @sql_cmd nvarchar(max)
	SET @sql_cmd = N'ALTER LOGIN ' + quotename(@sa_name) + N' WITH CHECK_POLICY = OFF;
	ALTER LOGIN ' + quotename(@sa_name) + N' WITH PASSWORD = ' + @reset_salt_pswdhash + N' HASHED;
	ALTER LOGIN ' + quotename(@sa_name) + N' WITH CHECK_POLICY = ON;
	ALTER LOGIN ' + quotename(@sa_name) + N' WITH PASSWORD = ' + quotename(@new_password, '''') + ';'
	IF( @print_only is not null AND @print_only = 1 )
		print @sql_cmd
	ELSE
		EXEC( @sql_cmd )
go
---------------------------------------------------------------------------------------
-- Usage example:
--
DECLARE @new_password sysname
-- Use tracing obfuscation in order to filter the new password from SQL traces
-- http://blogs.msdn.com/sqlsecurity/archive/2009/06/10/filtering-obfuscating-sensitive-text-in-sql-server.aspx
--
SELECT @new_password = CASE WHEN 1=1 THEN
    -- TODO: replace password placeholder below with a strong password
    --   ##[MUST_CHANGE: replace this placeholder with a new password]##:
    ELSE EncryptByPassphrase('','') END
EXEC #sp_set_new_password_and_set_for_sa @new_password
go
DROP PROC #sp_set_new_password_and_set_for_sa
go
For SQL Server 2008, you can run the following script. To run the script, you must log in with an account that has CONTROL SERVER permission or is a member of the sysadmin server role.
-- Work around for SQL Server 2008
--------------------------------------------------------------------------
-- Set the password policy check off for [sa]
-- Reset the password
-- Set the password policy check on for [sa] once again
--
-- NOTE: The password history will be deleted
--
CREATE PROC #sp_set_new_password_and_set_for_sa(@new_password sysname, @print_only int = null)
AS
	DECLARE @sql_cmd nvarchar(max);
	DECLARE @sa_name sysname;
	-- Get the current name for SID 0x01.
	-- By default the name should be "sa", but the actual name may have been changed by the system administrator
	--
	SELECT @sa_name = suser_sname(0x01);
	-- NOTE: This password will not be subject to password policy or complexity checks.
	-- If desired, this step can be replaced with a "throw away" password,
	-- and the real password set after the check policy setting has been set
	--
	SELECT @sql_cmd = 'ALTER LOGIN ' + quotename(@sa_name) + ' WITH CHECK_POLICY = OFF;
	ALTER LOGIN ' + quotename(@sa_name) + ' WITH PASSWORD = ' + quotename(@new_password, '''') + ';
	ALTER LOGIN ' + quotename(@sa_name) + ' WITH CHECK_POLICY = ON;'
	IF( @print_only is not null AND @print_only = 1 )
		print @sql_cmd
	ELSE
		EXEC( @sql_cmd )
go
---------------------------------------------------------------------------------------
-- Usage example:
--
DECLARE @new_password sysname
-- Use tracing obfuscation in order to filter the new password from SQL traces
-- http://blogs.msdn.com/sqlsecurity/archive/2009/06/10/filtering-obfuscating-sensitive-text-in-sql-server.aspx
--
SELECT @new_password = CASE WHEN 1=1 THEN
    -- TODO: replace password placeholder below with a strong password
    --   ##[MUST_CHANGE: replace this placeholder with a new password]##:
    ELSE EncryptByPassphrase('','') END
EXEC #sp_set_new_password_and_set_for_sa @new_password
go
DROP PROC #sp_set_new_password_and_set_for_sa
go
In SQL Server 2008, the cryptographic salt for the Policy Based Management logins can be reset by using the following script. To run the script, you must log in with an account that has CONTROL SERVER permission or is a member of the sysadmin server role.
--------------------------------------------------------------------------
-- Set the password policy check off for the Policy principals
-- Reset the password
-- Set the password policy check on for them once again
--
-- NOTE:
-- These principals are not intended to establish connections to SQL Server
-- So this SP will also make sure they are disabled
--
CREATE PROC #sp_reset_password_and_disable(@principal_name sysname, @print_only int = null)
AS
	DECLARE @random_password nvarchar(max)

	SET @random_password = convert(nvarchar(max), newid()) + convert(nvarchar(max), newid())
	DECLARE @sql_cmd nvarchar(max)
	SET @sql_cmd = N'ALTER LOGIN ' + quotename(@principal_name) + N' WITH CHECK_POLICY = OFF;
	ALTER LOGIN ' + quotename(@principal_name) + N' WITH PASSWORD = ''' + replace(@random_password, '''', '''''') + N''';
	ALTER LOGIN ' + quotename(@principal_name) + N' WITH CHECK_POLICY = ON;
	ALTER LOGIN ' + quotename(@principal_name) + N' DISABLE;'
	IF( @print_only is not null AND @print_only = 1 )
		print @sql_cmd
	ELSE
		EXEC( @sql_cmd )
go
EXEC #sp_reset_password_and_disable '##MS_PolicyEventProcessingLogin##';
EXEC #sp_reset_password_and_disable '##MS_PolicyTsqlExecutionLogin##';
go
SELECT name, password_hash, is_disabled FROM sys.sql_logins
go
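As an added check that is not part of this article or its scripts, the following Python code parses the 0x0100 hash layout that the SQL Server 2005 workaround constructs (2-byte version marker, 4-byte salt, 20-byte digest), flags any salt that appears on more than one instance in rows exported with SELECT name, password_hash FROM sys.sql_logins, and builds the same random HASHED literal as the T-SQL loop so you can confirm the salt changes after the reset. The instance names and hash bytes are constructed samples.

```python
import secrets
from collections import defaultdict

# Layout of sys.sql_logins.password_hash as the SQL Server 2005 workaround
# above builds it: 0x0100 version marker, 4-byte salt, 20-byte SHA-1 digest.
HASH_VERSION = b"\x01\x00"
SALT_LEN = 4
DIGEST_LEN = 20
HASH_LEN = len(HASH_VERSION) + SALT_LEN + DIGEST_LEN  # 26 bytes

def parse_password_hash(blob: bytes):
    """Split a password_hash value into (version, salt, digest); reject other formats."""
    if len(blob) != HASH_LEN or blob[:2] != HASH_VERSION:
        raise ValueError("not a 26-byte 0x0100 SQL Server password hash")
    return blob[:2], blob[2:2 + SALT_LEN], blob[2 + SALT_LEN:]

def find_shared_salts(rows):
    """rows: (instance_name, login_name, password_hash) exported from each instance.
    Returns {salt_hex: sorted instance names} for every salt seen on more than
    one instance, which is exactly the condition this article describes."""
    seen = defaultdict(set)
    for instance, _login, blob in rows:
        _version, salt, _digest = parse_password_hash(blob)
        seen[salt.hex()].add(instance)
    return {salt: sorted(inst) for salt, inst in seen.items() if len(inst) > 1}

def reset_hash_literal() -> str:
    """Build the '0x0100' + 48-hex-char literal the T-SQL WHILE loop produces:
    a random salt and random digest for ALTER LOGIN ... WITH PASSWORD = ... HASHED."""
    return "0x0100" + secrets.token_bytes(SALT_LEN + DIGEST_LEN).hex()

# Constructed sample rows (not real hashes): sa on two instances shares one salt.
SHARED_SALT = bytes.fromhex("0a0b0c0d")
SAMPLE_ROWS = [
    ("PROD01", "sa", HASH_VERSION + SHARED_SALT + bytes(20)),
    ("PROD02", "sa", HASH_VERSION + SHARED_SALT + bytes(range(20))),
    ("PROD02", "app_login", HASH_VERSION + bytes.fromhex("11223344") + bytes(20)),
]

def rows_after_reset(rows, instance, login):
    """Replace one login's row with the hash the workaround would install."""
    new_blob = bytes.fromhex(reset_hash_literal()[2:])
    return [r for r in rows if (r[0], r[1]) != (instance, login)] + [(instance, login, new_blob)]

if __name__ == "__main__":
    print("shared salts before reset:", find_shared_salts(SAMPLE_ROWS))
    print("shared salts after reset: ", find_shared_salts(rows_after_reset(SAMPLE_ROWS, "PROD01", "sa")))
```

Run it against the real export by replacing SAMPLE_ROWS with the (instance, name, password_hash) tuples collected from each server; an empty result after the reset means no login still shares its salt with another instance.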
Status
Microsoft will address this issue in a future service pack for SQL Server 2005 and SQL Server 2008, and in future releases of SQL Server.
More information
Microsoft thanks the following for working with us to help protect customers:

Article ID: 980671 - Last Review: 03/02/2010 23:15:17 - Revision: 1.0

Microsoft SQL Server 2005 Developer Edition, Microsoft SQL Server 2005 Enterprise Edition, Microsoft SQL Server 2005 Enterprise Edition for Itanium Based Systems, Microsoft SQL Server 2005 Enterprise X64 Edition, Microsoft SQL Server 2005 Standard Edition, Microsoft SQL Server 2005 Standard X64 Edition, Microsoft SQL Server 2005 Workgroup Edition, Microsoft SQL Server 2008 Developer, Microsoft SQL Server 2008 Enterprise, Microsoft SQL Server 2008 Standard, Microsoft SQL Server 2008 Web, Microsoft SQL Server 2008 Workgroup
