Database Insecurity
The Attack
How did these attacks occur? Each one exploited the same well-known, glaring vulnerability in a database server that leaves the doors wide open to those with malicious intent. Microsoft's SQL Server database product is extremely popular among e-commerce developers due to its tight integration with Microsoft's Internet Information Server web server. However, this easy integration often encourages developers without the necessary training to attempt complex projects. During the installation process, SQL Server prompts the user to create a system administrator (or "sa") account that grants full access to the database. In older versions of SQL Server, clicking quickly through the installation screens without paying careful attention resulted in the creation of this powerful account without any password protection! With the release of SQL Server 2000, Microsoft added a check box to the installation screen requiring the administrator to manually acknowledge this security risk before allowing the creation of a password-free account.
Unfortunately, older versions of SQL Server still exist on a large number of websites, and the hacker community is gleefully aware of that fact. Exploiting this vulnerability is quite simple. Unless a firewall is present, all the hacker needs to do is start the SQL Server client software on his or her own computer and type in the address of the database server (often the same as the web URL). If the "sa" account still has no password, the hacker immediately obtains full access to the database and can view, modify or delete information at will. What can be done about this serious problem? Read on for some simple solutions for SQL Server database administrators.
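The check an administrator would want here is a way to confirm, from inside the server, whether any SQL login (including "sa") still accepts an empty password, and then to close the hole. The following T-SQL is an added example for this article, not code from the original page or from Microsoft's documentation. It assumes SQL Server 2005 or later (the `sys.sql_logins` catalog view and the `PWDCOMPARE` function); the SQL Server 7.0/2000 installations the article describes predate that view, so on those versions the same idea has to be applied through the older `syslogins` tables. Running it requires CONTROL SERVER permission, and the password value is a placeholder to be replaced.

```sql
-- Audit: list every SQL-authenticated login whose stored hash matches
-- the empty string, i.e. logins that can be used with no password at all.
-- PWDCOMPARE returns 1 when the supplied clear-text value matches the hash.
SELECT name,
       is_disabled,
       is_policy_checked
FROM   sys.sql_logins
WHERE  PWDCOMPARE('', password_hash) = 1;

-- The built-in administrator login always has SID 0x01, even if it has been
-- renamed, so this finds it regardless of its current name.
SELECT name, is_disabled
FROM   sys.sql_logins
WHERE  sid = 0x01;

-- Remediation (assumed login name "sa"; replace the placeholder password):
-- 1. give the account a real password and enforce the Windows password policy,
-- 2. disable the account so that day-to-day work uses named, least-privilege logins.
ALTER LOGIN sa WITH PASSWORD = '<strong-password-placeholder>', CHECK_POLICY = ON;
ALTER LOGIN sa DISABLE;

-- Re-run the first query afterwards: it should return no rows.
```

The first query is the one to schedule as a recurring check, because an empty result is the only evidence that no login on the instance can be used without a password; the second query guards against the common assumption that renaming "sa" is the same as securing it.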