From: Bill Barrett (bill_barrett_at_UHAUL.COM)
Date: Wed Jul 10 2002 - 12:24:31 CDT
>
>The password cracker relies on getting access to the hashes that SQL
>uses to store old-style usernames and passwords. These are stored within
>a SQL database on the servers, and can be retrieved. However, they can
>ONLY be retrieved by users who already have SA rights. This is the
>information that theregister and Mr Greene leave out. The hashes are
>stored in sysxlogins, which is not available to your average Joe user.
>
This is true; however, people with SA rights are not limited solely to the
SA account, as your post implies. This fault also includes anybody with
administrator access to SQL if you are using Windows authentication. So
if your box has been rooted in some other way, you can be vulnerable to this
as an additional attack. So if you start out with a secure (for Microsoft)
box to begin with before installing your server, you will be much better
off. Of course, as you correctly point out, there are all too many lazy
admins out there that don't take the time to do this.
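The point of the exchange above is that "SA rights" means membership of the sysadmin fixed server role, not just the sa login, and that under Windows authentication a local Windows administrator inherits that membership. The following T-SQL, added here as an illustration and not taken from either poster, shows how to check who can actually reach the hashes in master..sysxlogins on a SQL Server 2000 instance and how to remove the default grant that makes every local Windows administrator a SQL sysadmin. The login name MYDOMAIN\SQLAdmins is a placeholder; everything else is a documented SQL Server 2000 procedure or function.

```sql
-- Added example (not from the original thread). Assumes SQL Server 2000.
-- Run as a login that can query master; step 3 only returns rows for sysadmins.

-- 1. Is the current login a sysadmin? 1 = yes, 0 = no.
--    This is the real test of "SA rights", regardless of whether you
--    connected as sa or via a Windows account.
SELECT IS_SRVROLEMEMBER('sysadmin') AS current_login_is_sysadmin;

-- 2. Enumerate every login that holds sysadmin. On a default SQL Server 2000
--    install this list includes BUILTIN\Administrators, i.e. every member of
--    the local Windows Administrators group, which is the exposure the
--    reply above describes: root the box some other way, and you are sysadmin.
EXEC sp_helpsrvrolemember 'sysadmin';

-- 3. The hashes the cracker needs live in master..sysxlogins. Only sysadmin
--    members can read the password column; a plain login gets nothing useful.
SELECT name, password
FROM   master..sysxlogins
WHERE  password IS NOT NULL;

-- 4. Hardening, to be done before the server is exposed: give a dedicated,
--    tightly controlled Windows group sysadmin, then drop the blanket grant
--    to BUILTIN\Administrators. Keep sa with a strong password (or another
--    sysadmin login) so you cannot lock yourself out.
--    MYDOMAIN\SQLAdmins is a placeholder name for this example.
EXEC sp_grantlogin        'MYDOMAIN\SQLAdmins';
EXEC sp_addsrvrolemember  'MYDOMAIN\SQLAdmins', 'sysadmin';
EXEC sp_dropsrvrolemember 'BUILTIN\Administrators', 'sysadmin';

-- 5. Re-check: BUILTIN\Administrators should no longer appear.
EXEC sp_helpsrvrolemember 'sysadmin';
```

Step 4 does not stop an attacker who already owns the Windows box from, say, reading the database files or impersonating the service account, so it narrows the exposure rather than removing it; the safer ordering the reply suggests, a hardened host first and SQL Server second, still applies.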