Solved

Checking UserId's / Passwords Strength

Posted on 2006-07-18
10
233 Views
Last Modified: 2007-12-19
I received a request from management to scan users on a SQL Server to see if they have strong passwords.  I don't know of a tool that can do this so I am needed advice.  Is there any tool or application that can do this? (Free / Open Source would be great!)
0
Comment
Question by:SECGRAD
  • 5
  • 3
10 Comments
 
LVL 18

Expert Comment

by:SjoerdVerweij
ID: 17133488
0
 

Author Comment

by:SECGRAD
ID: 17133534
Excellent! It mentions that it works on MS SQL Server 7 or 2000. Have you tried it successfully in MS SQL 2005?
0
 
LVL 18

Expert Comment

by:SjoerdVerweij
ID: 17133564
It won't work in 2005 as is. Not that it really needs to, because you can actually enforce strong passwords through ALTER LOGIN in 2005.
0
 

Author Comment

by:SECGRAD
ID: 17133617
So, I should rephrase my question. Is there any tools, scripts, or application that can scan user accounts against SQL 2005 to determine if they have strong passwords? (Free / Open Source would be great!)
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 18

Accepted Solution

by:
SjoerdVerweij earned 500 total points
ID: 17133692
/*
This script originally lived at http://evolvedcode.net/

For the original version of this script and a wide variety
of other code and scripts, please visit the site.

- EvolvedCode.net staff


Changes:
26.10.2002
Included simplified dictionary loader
Included smart temporary table deletion

*/

--Check if any of our temporary objects already exist
IF (OBJECT_ID('tempdb..#tLogins') IS NOT NULL)
  DROP TABLE #tLogins;
IF (OBJECT_ID('tempdb..#tBruteDict') IS NOT NULL)
  DROP TABLE #tBruteDict;
IF (OBJECT_ID('tempdb..#tUserDict') IS NOT NULL)
  DROP TABLE #tUserDict;
GO

--Variables for use throughout the script
DECLARE @Counter INT;
DECLARE @WordList VARCHAR(1000);

SET @WordList = 'E:\Wordlists\QuickDict.txt';

SET NOCOUNT ON

--Create tables to hold temporary data
CREATE TABLE #tLogins(
  [UID]           INT IDENTITY(1,1) NOT NULL,
  [Login]         SYSNAME NOT NULL,
  [SID]           VARBINARY(85) NOT NULL,
  [Password]      SYSNAME NULL,
  [PasswordHash]  VARBINARY(256) NULL,

  [IsAdmin]       BIT DEFAULT(0) NOT NULL,
  [BlankPass]     BIT DEFAULT(0) NOT NULL,
  [SamePass]      BIT DEFAULT(0) NOT NULL,
  [BrutePass]     BIT DEFAULT(0) NOT NULL
);
CREATE TABLE #tBruteDict(
  [RawText] SYSNAME NOT NULL
);
CREATE TABLE #tBruteCS(
  [RawText] SYSNAME NOT NULL
);
CREATE TABLE #tUserDict(
  [RawText] SYSNAME NOT NULL
);

--Create a list of the regular (non-nt) users
INSERT INTO #tLogins( [SID], [Login], [IsAdmin], [PasswordHash] )
SELECT
L.[sid],
L.[name],
CASE
 WHEN L.[sysadmin] = 1 OR L.[securityadmin] = 1 OR L.[serveradmin] = 1 OR L.[setupadmin] = 1 OR L.[processadmin] = 1 OR L.[diskadmin] = 1 THEN 1
 ELSE 0
END,
LX.[password_hash]
FROM [master]..[syslogins] AS L
  LEFT JOIN sys.sql_logins LX ON L.sid = LX.sid
WHERE L.[isntname] = 0;

--Identify users with blank passwords
UPDATE #tLogins
SET [BlankPass] = 1
FROM #tLogins
WHERE [PasswordHash] IS NULL;

--Identify users with password = username
UPDATE #tLogins
SET [SamePass] = 1, [Password] = [Login]
WHERE PWDCOMPARE( [Login], [PasswordHash] ) = 1;

--Identify users with one or two character (ASCII 0-255) passwords
SET @Counter = 0;

WHILE @Counter <= 255
BEGIN

  INSERT INTO #tBruteCS( [RawText] )
  VALUES( CHAR(@Counter) );

  SET @Counter = @Counter + 1;

END

INSERT INTO #tBruteDict( [RawText] )
SELECT Src.[RawText]
FROM #tBruteCS AS Src

INSERT INTO #tBruteDict( [RawText] )
SELECT Src.[RawText]+New.[RawText]
FROM #tBruteDict AS Src, #tBruteCS AS New;

DROP TABLE #tBruteCS;

UPDATE #tLogins
SET [BrutePass] = 1, [Password] = Dict.[RawText]
FROM #tLogins AS Src
  LEFT JOIN #tBruteDict AS Dict ON PWDCOMPARE( Dict.[RawText], Src.[PasswordHash] ) = 1
WHERE Dict.[RawText] IS NOT NULL AND Src.[BrutePass] = 0 AND Src.[BlankPass] = 0 AND Src.[SamePass] = 0;

DROP TABLE #tBruteDict;

--Identify users with passwords from our dictionary
IF @WordList IS NOT NULL
BEGIN
  BULK INSERT #tUserDict FROM 'E:\WordLists\QuickDict.txt';

  UPDATE #tLogins
  SET [BrutePass] = 1, [Password] = Dict.[RawText]
  FROM #tLogins AS Src
    LEFT JOIN #tUserDict AS Dict ON PWDCOMPARE( Dict.[RawText], Src.[PasswordHash] ) = 1
  WHERE Dict.[RawText] IS NOT NULL AND Src.[BrutePass] = 0 AND Src.[BlankPass] = 0 AND Src.[SamePass] = 0;
END

DROP TABLE #tUserDict;

--Reset nocount
SET NOCOUNT OFF

--Report any users whose logins were weak
SELECT
 [Login] AS [Username],
 ISNULL( [Password], '-- currently unknown --' ) AS [Password],
 CASE
   WHEN [BlankPass] = 1 OR [SamePass] = 1 OR [BrutePass] = 1 THEN 1
   ELSE 0
 END AS [Cracked?],
 [IsAdmin] AS [Admin User?],
 [BlankPass] AS [Blank Password?],
 [SamePass] AS [Username = Password?],
 [BrutePass] AS [Password Bruteforced?]
FROM #tLogins
ORDER BY [Login];

DROP TABLE #tLogins;

0
 
LVL 18

Expert Comment

by:SjoerdVerweij
ID: 17133698
(Note the changes: sysxlogins becomes sys.sql_logins, et cetera)
0
 

Author Comment

by:SECGRAD
ID: 17133746
Good. Where is the QuickDict.txt mentioned in SET @WordList = 'E:\Wordlists\QuickDict.txt'; ?

Shouldn't this be imported to test against a dictionary?
0
 
LVL 18

Expert Comment

by:SjoerdVerweij
ID: 17133769
The script imports it (BULK INSERT). You can download an example one from the link I sent above. Make sure to change the path and file name accordingly. Keep in mind that it is a path ON THE SERVER, not the machine you run the script from.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Load balancing is the method of dividing the total amount of work performed by one computer between two or more computers. Its aim is to get more work done in the same amount of time, ensuring that all the users get served faster.
I have a large data set and a SSIS package. How can I load this file in multi threading?
This video shows, step by step, how to configure Oracle Heterogeneous Services via the Generic Gateway Agent in order to make a connection from an Oracle session and access a remote SQL Server database table.
Via a live example, show how to set up a backup for SQL Server using a Maintenance Plan and how to schedule the job into SQL Server Agent.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now