Solved

Checking UserId's / Passwords Strength

Posted on 2006-07-18
10
241 Views
Last Modified: 2007-12-19
I received a request from management to scan users on a SQL Server to see if they have strong passwords.  I don't know of a tool that can do this so I am needed advice.  Is there any tool or application that can do this? (Free / Open Source would be great!)
0
Comment
Question by:SECGRAD
  • 5
  • 3
10 Comments
 
LVL 18

Expert Comment

by:SjoerdVerweij
ID: 17133488
0
 

Author Comment

by:SECGRAD
ID: 17133534
Excellent! It mentions that it works on MS SQL Server 7 or 2000. Have you tried it successfully in MS SQL 2005?
0
 
LVL 18

Expert Comment

by:SjoerdVerweij
ID: 17133564
It won't work in 2005 as is. Not that it really needs to, because you can actually enforce strong passwords through ALTER LOGIN in 2005.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 

Author Comment

by:SECGRAD
ID: 17133617
So, I should rephrase my question. Is there any tools, scripts, or application that can scan user accounts against SQL 2005 to determine if they have strong passwords? (Free / Open Source would be great!)
0
 
LVL 18

Accepted Solution

by:
SjoerdVerweij earned 500 total points
ID: 17133692
/*
This script originally lived at http://evolvedcode.net/

For the original version of this script and a wide variety
of other code and scripts, please visit the site.

- EvolvedCode.net staff


Changes:
26.10.2002
Included simplified dictionary loader
Included smart temporary table deletion

*/

--Check if any of our temporary objects already exist
IF (OBJECT_ID('tempdb..#tLogins') IS NOT NULL)
  DROP TABLE #tLogins;
IF (OBJECT_ID('tempdb..#tBruteDict') IS NOT NULL)
  DROP TABLE #tBruteDict;
IF (OBJECT_ID('tempdb..#tUserDict') IS NOT NULL)
  DROP TABLE #tUserDict;
GO

--Variables for use throughout the script
DECLARE @Counter INT;
DECLARE @WordList VARCHAR(1000);

SET @WordList = 'E:\Wordlists\QuickDict.txt';

SET NOCOUNT ON

--Create tables to hold temporary data
CREATE TABLE #tLogins(
  [UID]           INT IDENTITY(1,1) NOT NULL,
  [Login]         SYSNAME NOT NULL,
  [SID]           VARBINARY(85) NOT NULL,
  [Password]      SYSNAME NULL,
  [PasswordHash]  VARBINARY(256) NULL,

  [IsAdmin]       BIT DEFAULT(0) NOT NULL,
  [BlankPass]     BIT DEFAULT(0) NOT NULL,
  [SamePass]      BIT DEFAULT(0) NOT NULL,
  [BrutePass]     BIT DEFAULT(0) NOT NULL
);
CREATE TABLE #tBruteDict(
  [RawText] SYSNAME NOT NULL
);
CREATE TABLE #tBruteCS(
  [RawText] SYSNAME NOT NULL
);
CREATE TABLE #tUserDict(
  [RawText] SYSNAME NOT NULL
);

--Create a list of the regular (non-nt) users
INSERT INTO #tLogins( [SID], [Login], [IsAdmin], [PasswordHash] )
SELECT
L.[sid],
L.[name],
CASE
 WHEN L.[sysadmin] = 1 OR L.[securityadmin] = 1 OR L.[serveradmin] = 1 OR L.[setupadmin] = 1 OR L.[processadmin] = 1 OR L.[diskadmin] = 1 THEN 1
 ELSE 0
END,
LX.[password_hash]
FROM [master]..[syslogins] AS L
  LEFT JOIN sys.sql_logins LX ON L.sid = LX.sid
WHERE L.[isntname] = 0;

--Identify users with blank passwords
UPDATE #tLogins
SET [BlankPass] = 1
FROM #tLogins
WHERE [PasswordHash] IS NULL;

--Identify users with password = username
UPDATE #tLogins
SET [SamePass] = 1, [Password] = [Login]
WHERE PWDCOMPARE( [Login], [PasswordHash] ) = 1;

--Identify users with one or two character (ASCII 0-255) passwords
SET @Counter = 0;

WHILE @Counter <= 255
BEGIN

  INSERT INTO #tBruteCS( [RawText] )
  VALUES( CHAR(@Counter) );

  SET @Counter = @Counter + 1;

END

INSERT INTO #tBruteDict( [RawText] )
SELECT Src.[RawText]
FROM #tBruteCS AS Src

INSERT INTO #tBruteDict( [RawText] )
SELECT Src.[RawText]+New.[RawText]
FROM #tBruteDict AS Src, #tBruteCS AS New;

DROP TABLE #tBruteCS;

UPDATE #tLogins
SET [BrutePass] = 1, [Password] = Dict.[RawText]
FROM #tLogins AS Src
  LEFT JOIN #tBruteDict AS Dict ON PWDCOMPARE( Dict.[RawText], Src.[PasswordHash] ) = 1
WHERE Dict.[RawText] IS NOT NULL AND Src.[BrutePass] = 0 AND Src.[BlankPass] = 0 AND Src.[SamePass] = 0;

DROP TABLE #tBruteDict;

--Identify users with passwords from our dictionary
IF @WordList IS NOT NULL
BEGIN
  BULK INSERT #tUserDict FROM 'E:\WordLists\QuickDict.txt';

  UPDATE #tLogins
  SET [BrutePass] = 1, [Password] = Dict.[RawText]
  FROM #tLogins AS Src
    LEFT JOIN #tUserDict AS Dict ON PWDCOMPARE( Dict.[RawText], Src.[PasswordHash] ) = 1
  WHERE Dict.[RawText] IS NOT NULL AND Src.[BrutePass] = 0 AND Src.[BlankPass] = 0 AND Src.[SamePass] = 0;
END

DROP TABLE #tUserDict;

--Reset nocount
SET NOCOUNT OFF

--Report any users whose logins were weak
SELECT
 [Login] AS [Username],
 ISNULL( [Password], '-- currently unknown --' ) AS [Password],
 CASE
   WHEN [BlankPass] = 1 OR [SamePass] = 1 OR [BrutePass] = 1 THEN 1
   ELSE 0
 END AS [Cracked?],
 [IsAdmin] AS [Admin User?],
 [BlankPass] AS [Blank Password?],
 [SamePass] AS [Username = Password?],
 [BrutePass] AS [Password Bruteforced?]
FROM #tLogins
ORDER BY [Login];

DROP TABLE #tLogins;

0
 
LVL 18

Expert Comment

by:SjoerdVerweij
ID: 17133698
(Note the changes: sysxlogins becomes sys.sql_logins, et cetera)
0
 

Author Comment

by:SECGRAD
ID: 17133746
Good. Where is the QuickDict.txt mentioned in SET @WordList = 'E:\Wordlists\QuickDict.txt'; ?

Shouldn't this be imported to test against a dictionary?
0
 
LVL 18

Expert Comment

by:SjoerdVerweij
ID: 17133769
The script imports it (BULK INSERT). You can download an example one from the link I sent above. Make sure to change the path and file name accordingly. Keep in mind that it is a path ON THE SERVER, not the machine you run the script from.
0

Featured Post

Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Slowly Changing Dimension Transformation component in data task flow is very useful for us to manage and control how data changes in SSIS.
The Delta outage: 650 cancelled flights, more than 1200 delayed flights, thousands of frustrated customers, tens of millions of dollars in damages – plus untold reputational damage to one of the world’s most trusted airlines. All due to a catastroph…
Via a live example combined with referencing Books Online, show some of the information that can be extracted from the Catalog Views in SQL Server.
Viewers will learn how to use the UPDATE and DELETE statements to change or remove existing data from their tables. Make a table: Update a specific column given a specific row using the UPDATE statement: Remove a set of values using the DELETE s…

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question