Solved

Checking UserId's / Passwords Strength

Posted on 2006-07-18
10
223 Views
Last Modified: 2007-12-19
I received a request from management to scan users on a SQL Server to see if they have strong passwords.  I don't know of a tool that can do this so I am needed advice.  Is there any tool or application that can do this? (Free / Open Source would be great!)
0
Comment
Question by:SECGRAD
  • 5
  • 3
10 Comments
 
LVL 18

Expert Comment

by:SjoerdVerweij
ID: 17133488
0
 

Author Comment

by:SECGRAD
ID: 17133534
Excellent! It mentions that it works on MS SQL Server 7 or 2000. Have you tried it successfully in MS SQL 2005?
0
 
LVL 18

Expert Comment

by:SjoerdVerweij
ID: 17133564
It won't work in 2005 as is. Not that it really needs to, because you can actually enforce strong passwords through ALTER LOGIN in 2005.
0
 

Author Comment

by:SECGRAD
ID: 17133617
So, I should rephrase my question. Is there any tools, scripts, or application that can scan user accounts against SQL 2005 to determine if they have strong passwords? (Free / Open Source would be great!)
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 18

Accepted Solution

by:
SjoerdVerweij earned 500 total points
ID: 17133692
/*
This script originally lived at http://evolvedcode.net/

For the original version of this script and a wide variety
of other code and scripts, please visit the site.

- EvolvedCode.net staff


Changes:
26.10.2002
Included simplified dictionary loader
Included smart temporary table deletion

*/

--Check if any of our temporary objects already exist
IF (OBJECT_ID('tempdb..#tLogins') IS NOT NULL)
  DROP TABLE #tLogins;
IF (OBJECT_ID('tempdb..#tBruteDict') IS NOT NULL)
  DROP TABLE #tBruteDict;
IF (OBJECT_ID('tempdb..#tUserDict') IS NOT NULL)
  DROP TABLE #tUserDict;
GO

--Variables for use throughout the script
DECLARE @Counter INT;
DECLARE @WordList VARCHAR(1000);

SET @WordList = 'E:\Wordlists\QuickDict.txt';

SET NOCOUNT ON

--Create tables to hold temporary data
CREATE TABLE #tLogins(
  [UID]           INT IDENTITY(1,1) NOT NULL,
  [Login]         SYSNAME NOT NULL,
  [SID]           VARBINARY(85) NOT NULL,
  [Password]      SYSNAME NULL,
  [PasswordHash]  VARBINARY(256) NULL,

  [IsAdmin]       BIT DEFAULT(0) NOT NULL,
  [BlankPass]     BIT DEFAULT(0) NOT NULL,
  [SamePass]      BIT DEFAULT(0) NOT NULL,
  [BrutePass]     BIT DEFAULT(0) NOT NULL
);
CREATE TABLE #tBruteDict(
  [RawText] SYSNAME NOT NULL
);
CREATE TABLE #tBruteCS(
  [RawText] SYSNAME NOT NULL
);
CREATE TABLE #tUserDict(
  [RawText] SYSNAME NOT NULL
);

--Create a list of the regular (non-nt) users
INSERT INTO #tLogins( [SID], [Login], [IsAdmin], [PasswordHash] )
SELECT
L.[sid],
L.[name],
CASE
 WHEN L.[sysadmin] = 1 OR L.[securityadmin] = 1 OR L.[serveradmin] = 1 OR L.[setupadmin] = 1 OR L.[processadmin] = 1 OR L.[diskadmin] = 1 THEN 1
 ELSE 0
END,
LX.[password_hash]
FROM [master]..[syslogins] AS L
  LEFT JOIN sys.sql_logins LX ON L.sid = LX.sid
WHERE L.[isntname] = 0;

--Identify users with blank passwords
UPDATE #tLogins
SET [BlankPass] = 1
FROM #tLogins
WHERE [PasswordHash] IS NULL;

--Identify users with password = username
UPDATE #tLogins
SET [SamePass] = 1, [Password] = [Login]
WHERE PWDCOMPARE( [Login], [PasswordHash] ) = 1;

--Identify users with one or two character (ASCII 0-255) passwords
SET @Counter = 0;

WHILE @Counter <= 255
BEGIN

  INSERT INTO #tBruteCS( [RawText] )
  VALUES( CHAR(@Counter) );

  SET @Counter = @Counter + 1;

END

INSERT INTO #tBruteDict( [RawText] )
SELECT Src.[RawText]
FROM #tBruteCS AS Src

INSERT INTO #tBruteDict( [RawText] )
SELECT Src.[RawText]+New.[RawText]
FROM #tBruteDict AS Src, #tBruteCS AS New;

DROP TABLE #tBruteCS;

UPDATE #tLogins
SET [BrutePass] = 1, [Password] = Dict.[RawText]
FROM #tLogins AS Src
  LEFT JOIN #tBruteDict AS Dict ON PWDCOMPARE( Dict.[RawText], Src.[PasswordHash] ) = 1
WHERE Dict.[RawText] IS NOT NULL AND Src.[BrutePass] = 0 AND Src.[BlankPass] = 0 AND Src.[SamePass] = 0;

DROP TABLE #tBruteDict;

--Identify users with passwords from our dictionary
IF @WordList IS NOT NULL
BEGIN
  BULK INSERT #tUserDict FROM 'E:\WordLists\QuickDict.txt';

  UPDATE #tLogins
  SET [BrutePass] = 1, [Password] = Dict.[RawText]
  FROM #tLogins AS Src
    LEFT JOIN #tUserDict AS Dict ON PWDCOMPARE( Dict.[RawText], Src.[PasswordHash] ) = 1
  WHERE Dict.[RawText] IS NOT NULL AND Src.[BrutePass] = 0 AND Src.[BlankPass] = 0 AND Src.[SamePass] = 0;
END

DROP TABLE #tUserDict;

--Reset nocount
SET NOCOUNT OFF

--Report any users whose logins were weak
SELECT
 [Login] AS [Username],
 ISNULL( [Password], '-- currently unknown --' ) AS [Password],
 CASE
   WHEN [BlankPass] = 1 OR [SamePass] = 1 OR [BrutePass] = 1 THEN 1
   ELSE 0
 END AS [Cracked?],
 [IsAdmin] AS [Admin User?],
 [BlankPass] AS [Blank Password?],
 [SamePass] AS [Username = Password?],
 [BrutePass] AS [Password Bruteforced?]
FROM #tLogins
ORDER BY [Login];

DROP TABLE #tLogins;

0
 
LVL 18

Expert Comment

by:SjoerdVerweij
ID: 17133698
(Note the changes: sysxlogins becomes sys.sql_logins, et cetera)
0
 

Author Comment

by:SECGRAD
ID: 17133746
Good. Where is the QuickDict.txt mentioned in SET @WordList = 'E:\Wordlists\QuickDict.txt'; ?

Shouldn't this be imported to test against a dictionary?
0
 
LVL 18

Expert Comment

by:SjoerdVerweij
ID: 17133769
The script imports it (BULK INSERT). You can download an example one from the link I sent above. Make sure to change the path and file name accordingly. Keep in mind that it is a path ON THE SERVER, not the machine you run the script from.
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

Ever needed a SQL 2008 Database replicated/mirrored/log shipped on another server but you can't take the downtime inflicted by initial snapshot or disconnect while T-logs are restored or mirror applied? You can use SQL Server Initialize from Backup…
For both online and offline retail, the cross-channel business is the most recent pattern in the B2C trade space.
Via a live example, show how to set up a backup for SQL Server using a Maintenance Plan and how to schedule the job into SQL Server Agent.
Viewers will learn how to use the UPDATE and DELETE statements to change or remove existing data from their tables. Make a table: Update a specific column given a specific row using the UPDATE statement: Remove a set of values using the DELETE s…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now