  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 323

SQL Server authentication hashes

I've been tasked with seeing which MSSQL Database accounts can query the table that stores the encrypted password hashes for SQL authentication accounts across MSSQL 2000, 2005 and 2008 instances. Please can you provide the exact table these hashes are stored in? I believe it isn't the same for all versions of MSSQL.
Asked by: pma111
1 Solution
 
EvilPostIt Commented:
In SQL Server 2005 & 2008 it's the sys.sql_logins table. Unfortunately I don't have a 2000 instance so can't check, although it may be the same table...

I believe it's only members of the sysadmins group which can see the contents of the password_hash column but I will have to check to make sure it's correct.
0
 
pma111 (Author) Commented:
That would be most useful, thanks.
0
 
EvilPostIt Commented:
In this article I found the line...
"CONTROL SERVER permission is required to examine the password_hash column of sys.sql_logins."

So it looks like the CONTROL SERVER permission is required.

http://social.technet.microsoft.com/wiki/contents/articles/7937.password-audit-for-sql-server-logins-find-blank-or-common-passwords-for-sql-logins.aspx
0
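An audit query for the requirement quoted above, as an added example that is not part of the original thread: it lists server principals with an explicit CONTROL SERVER entry, plus members of the sysadmin fixed server role (who hold every server permission implicitly). It assumes SQL Server 2005 or 2008 and a session privileged enough to see all server principals; access inherited through Windows group membership is not expanded.

```sql
-- Added example (not from the thread). Assumes SQL Server 2005/2008,
-- run by a login that can see all server principals (e.g. a sysadmin).

-- 1) Principals with an explicit CONTROL SERVER grant or deny.
SELECT  pr.name        AS principal_name,
        pr.type_desc   AS principal_type,
        pe.state_desc  AS permission_state,  -- GRANT, GRANT_WITH_GRANT_OPTION or DENY
        'explicit CONTROL SERVER' AS source
FROM    sys.server_permissions AS pe
JOIN    sys.server_principals  AS pr
        ON pr.principal_id = pe.grantee_principal_id
WHERE   pe.class = 100                       -- 100 = server-level securable
  AND   pe.permission_name = 'CONTROL SERVER'

UNION ALL

-- 2) Members of the sysadmin fixed server role.
SELECT  m.name,
        m.type_desc,
        'GRANT',
        'sysadmin member'
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r
        ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m
        ON m.principal_id = rm.member_principal_id
WHERE   r.name = 'sysadmin'

ORDER BY principal_name;

-- 3) Check the current session: 1 means the login has the permission
--    (or role membership), 0 means it does not.
SELECT  HAS_PERMS_BY_NAME(NULL, NULL, 'CONTROL SERVER') AS has_control_server,
        IS_SRVROLEMEMBER('sysadmin')                    AS is_sysadmin;
```

Rows with a permission_state of DENY are principals explicitly blocked from CONTROL SERVER; review them alongside the grants rather than treating them as having access.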
 
EvilPostIt Commented:
As a side note, probably a good idea for you to read the article I posted last as it looks along the lines of what you want to do...
0
 
EvilPostIt Commented:
Is this answer sufficient or do you require further clarification?
0
 
pma111 (Author) Commented:
The only other thing was whether sys_logins may be "invisible" to a non sys admin, they claim the view isn't even there! Which I thought could be permissions related?
0
 
EvilPostIt Commented:
A user who doesn't have the correct level of permissions sees the sql_logins table but the password_hash column is blank.

They will only see rows for the sa account and themselves. No other SQL logins will be visible.
0
 
EvilPostIt Commented:
Is this clarification sufficient?
0
