April 20, 2006 12:00 AM

SQL Injection: The Hacker’s Gold Mine

How to prevent your organization from becoming the next target
SQL Server Pro
InstantDoc ID #49639
Downloads
49639.zip

Have a strong sa account password. One security measure that developers frequently forget about is setting a strong sa password. The following scenario shows why having a strong sa password is so important.

Assume that the SQL Server machine is configured with a minimal amount of rights for the application user, there's an instance of SQL injection in the Web application, and the sa password is weak. Here's how a hacker can wreak havoc:

  1. The hacker locates an instance of SQL injection on the Web site.
  2. The hacker discovers that he can't execute a SQL command using the typical hacking techniques.
  3. The hacker determines that he needs to run the command under the sa account, so he sets out to find out the sa password. The hacker knows he can run a SQL command with an alternate identity if he runs an OPENROWSET command such as
    SELECT * FROM OPENROWSET 
      ('SQLOLEDB',';''; 
      '','')
    The hacker comes up with a SQL injection attack that will let him pass in a valid query. He uses sa as the username and guesses the password.
  4. The application errors out, which lets him know that the password was invalid.
  5. The hacker creates a simple brute-force program to crack the sa password.
  6. Once the hacker has the sa password, he can continue to execute the SQL injection attack using the OPENROWSET command.

Determining the sa password is much easier when it is weak. For this reason, it's very important that you use a strong sa password.

Cover All the Bases
For some vulnerabilities, there is a simple fix or a single action that protects against them. SQL injection isn't one of those vulnerabilities. Although using parameterized queries will stop SQL injection, you have to use them 100 percent of the time. Using them 99.9 percent of the time means you have at least one Web page through which a hacker can get full access to your data. Because developers are human and humans make mistakes, a layered approach will give you the greatest level of safety against SQL injection.
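As an added example (not code from the article), here is the string-concatenated lookup that a single forgotten page would contain, beside its parameterized form. Python's built-in sqlite3 stands in for SQL Server so the example runs offline; the users table, the names in it and the probe inputs are constructed, and SQL Server's ADO.NET/ODBC parameters work the same way as the `?` placeholder used here.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table standing in for a Web
    application's database (sqlite3 is used only because it ships with Python)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_concat(conn, name):
    """Vulnerable: user input is spliced into the SQL text, so a quote
    character in the input changes the structure of the statement."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Safe: the statement text is fixed at compile time; the value travels
    as a parameter and can only ever be compared as data."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on the same input and return (vulnerable_rows, safe_rows).
    A syntax error raised by the concatenated version is reported as 'error'."""
    conn = make_db()
    try:
        vuln = lookup_concat(conn, name)
    except sqlite3.Error:
        vuln = "error"
    safe = lookup_param(conn, name)
    conn.close()
    return vuln, safe


if __name__ == "__main__":
    # A normal name, a name containing a quote, and a classic tautology probe.
    for probe in ("alice", "O'Brien", "x' OR '1'='1"):
        print(repr(probe), "->", compare(probe))
```

The legitimate name `O'Brien` breaks the concatenated query outright, and the tautology probe turns it into a query that returns every row, while the parameterized version returns exactly the rows whose name equals the supplied string.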
