Database Insecurity
The Attack

How did these attacks occur? Each one exploited the same well-known, glaring vulnerability in a database server that leaves the doors wide open to those with malicious intent.

Microsoft's SQL Server database product is extremely popular among e-commerce developers due to its tight integration with Microsoft's Internet Information Server web server. However, this easy integration often encourages developers without the necessary training to attempt complex projects.

During the installation process, SQL Server prompts the user to create a system administrator (or "sa") account that grants full access to the database. In older versions of SQL Server, clicking quickly through the installation screens without paying careful attention resulted in the creation of this powerful account without any password protection! With the release of SQL Server 2000, Microsoft added a check box to the installation screen requiring the administrator to manually acknowledge this security risk before allowing the creation of a password-free account.


[Figure: SQL Server 2000 Installation]

Unfortunately, older versions of SQL Server still run on a large number of websites, and the hacker community is gleefully aware of that fact. Exploiting this vulnerability is quite simple. Unless a firewall is present, all the hacker needs to do is start the SQL Server client software on his or her own computer and type in the address of the database server (often the same as the web URL). If the sa account still has its default blank password, the hacker immediately obtains full access to the database and can view, modify or delete information at will.
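An administrator can check their own server for the exposure described above. The following T-SQL audit is an added example, not part of the original article; it assumes SQL Server 2005 or later (where the `sys.sql_logins` catalog view exists) and a login with permission to read password hashes, such as a member of sysadmin.

```sql
-- Added audit example (not from the original article).
-- Assumption: SQL Server 2005+ and a login that can read password_hash
-- (sysadmin or CONTROL SERVER). Run it against your own instance.

-- 1. Authentication mode. In mixed mode, SQL logins such as sa can sign in
--    with a password alone, so a blank sa password is reachable remotely.
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
           WHEN 1 THEN 'Windows authentication only'
           ELSE 'Mixed mode (SQL logins accepted)'
       END AS auth_mode;

-- 2. SQL logins whose password is blank or identical to the login name.
--    PWDCOMPARE hashes the candidate and compares it to the stored hash.
SELECT  name,
        is_disabled,
        is_policy_checked,
        CASE
            WHEN PWDCOMPARE('', password_hash) = 1   THEN 'BLANK PASSWORD'
            WHEN PWDCOMPARE(name, password_hash) = 1 THEN 'PASSWORD = LOGIN NAME'
        END AS finding
FROM    sys.sql_logins
WHERE   PWDCOMPARE('', password_hash) = 1
   OR   PWDCOMPARE(name, password_hash) = 1;

-- 3. State of the built-in system administrator account.
--    It always has sid 0x01, even if it has been renamed from "sa".
SELECT  name,
        is_disabled,
        is_policy_checked,
        is_expiration_checked,
        modify_date
FROM    sys.sql_logins
WHERE   sid = 0x01;
```

Any row returned by the second query is a login that can be used without knowing a secret; an empty result there, together with a disabled or strongly protected sa account in the third, is the outcome to aim for.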

What can be done about this serious problem? Read on for some simple solutions for SQL Server database administrators.


©2009 About.com, a part of The New York Times Company.

All rights reserved.