MS SQL server Brute-force protection

marrowyung
hi,

Has anyone implemented brute-force protection in MS SQL Server? How can it be done other than with complex passwords?
Pawan KumarDatabase Expert
Awarded 2016
Top Expert 2016

Commented:
We can use RdpGuard. It is third party.
RdpGuard is a host-based intrusion prevention system (HIPS) that protects your Windows Server from brute-force attacks on various protocols and services (RDP, FTP, SMTP, MySQL, MS-SQL, IIS Web Login, ASP.NET Web Forms, MS Exchange, RD Web Access, etc).

Settings you can manage.
https://rdpguard.com/mssql-protection-settings.aspx

Free trial. We can use the free trial of RdpGuard and see if it works fine with our requirement.
https://rdpguard.com/
marrowyungSenior Technical architecture (Data)

Author

Commented:
So this is for Windows, but it is not for SQL Server natively?
Pawan KumarDatabase Expert
Awarded 2016
Top Expert 2016

Commented:
Both.
Pawan KumarDatabase Expert
Awarded 2016
Top Expert 2016

Commented:
Edited my last comment. Basically it will be two layers, I think: server and then DB.
marrowyungSenior Technical architecture (Data)

Author

Commented:
"Edited my last comment. Basically it will be two layers, I think: server and then DB."

So it is one tool for both layers?
Database Expert
Awarded 2016
Top Expert 2016
Commented:
Yes, one.
marrowyungSenior Technical architecture (Data)

Author

Commented:
Thanks.
Vitor MontalvãoIT Engineer
Distinguished Expert 2017

Commented:
Please explain what brute-force protection means for you.
You can always hire some security guards who look like gorillas and have them secure your data center :)
marrowyungSenior Technical architecture (Data)

Author

Commented:
"You can always hire some security guards who look like gorillas and have them secure your data center :)"

Application firewall or IP Guard from Cisco.

But from the SQL Server point of view, what can we do?
Vitor MontalvãoIT Engineer
Distinguished Expert 2017

Commented:
A firewall is always the best thing to do, so you can limit the machines that can connect to the SQL Server.
Then protect the SQL Server instance by managing access, limiting it only to the necessary users and permissions.
Vitor MontalvãoIT Engineer
Distinguished Expert 2017
Commented:
marrowyungSenior Technical architecture (Data)

Author

Commented:
"Then protect the SQL Server instance by managing access, limiting it only to the necessary users and permissions."

You mean user access rights, right?
Vitor MontalvãoIT Engineer
Distinguished Expert 2017

Commented:
You mean user access rights, right?
Sure. There's no magic formula. The formula is always the same:
- Limit access from machines and people and give only the necessary permissions and not more.
marrowyungSenior Technical architecture (Data)

Author

Commented:
" Limit access from machines and people and give only the necessary permissions and not more."

DBAs always do it and usually only give READ ONLY rights to waive the effect of write operations.

But here it is more about password attacks and connections. Any way you use to block the IP address by SQL Server control? We usually do IIS IP address filtering.
Vitor MontalvãoIT Engineer
Distinguished Expert 2017

Commented:
Did you read my articles?
Virtual accounts are almost unbreakable. For regular users use domain accounts with a strong password policy.
Database servers need to be installed in a different network in the background so they are the last servers to be accessed, meaning that somebody who wants to attack your database needs to get access to your main network first, and from there he needs to go through local firewalls until he reaches your database server. And you can add more network layers to add more security. The more complex the infrastructure is, the harder it is to be broken by hackers.
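SQL Server has no native per-client-address lockout; blocking a source, as the thread says, happens at the firewall or in a HIPS such as RdpGuard. What SQL Server does provide is its ERRORLOG, where every failed login (error 18456) is recorded with the client address. The following added example (not from the original thread or from any product mentioned in it) parses constructed ERRORLOG lines and flags client addresses that reach a failure threshold inside a sliding time window, which is exactly the signal a firewall rule or alert would be driven by; the thresholds, the sample hosts and the login names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ERRORLOG records a failed login (error 18456) as an "Error:" line followed by a
# "Login failed for user ..." line that ends in "[CLIENT: <addr>]"; match the second.
LOGIN_FAILED = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
                          r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]$")

def _failure(ts, user, ip):
    """The two ERRORLOG lines SQL Server emits for one failed login (constructed sample)."""
    return [f"{ts} Logon       Error: 18456, Severity: 14, State: 8.",
            f"{ts} Logon       Login failed for user '{user}'. Reason: Password did not "
            f"match that for the login provided. [CLIENT: {ip}]"]

# Constructed sample: six failures in ten seconds from one host, two isolated ones from another.
SAMPLE_LOG = [
    "2017-03-01 10:14:58.00 spid9s      Starting up database 'msdb'.",
    *_failure("2017-03-01 10:15:01.10", "sa", "10.0.0.5"),
    *_failure("2017-03-01 10:15:03.22", "sa", "10.0.0.5"),
    *_failure("2017-03-01 10:15:05.31", "admin", "10.0.0.5"),
    *_failure("2017-03-01 10:15:07.48", "sa", "10.0.0.5"),
    *_failure("2017-03-01 10:15:09.50", "sa", "10.0.0.5"),
    *_failure("2017-03-01 10:15:11.62", "sa", "10.0.0.5"),
    *_failure("2017-03-01 10:20:00.00", "appuser", "192.168.1.20"),
    *_failure("2017-03-01 10:35:00.00", "appuser", "192.168.1.20"),
]

def parse_failures(lines):
    """Yield (timestamp, user, client address) for every 'Login failed' entry."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group("user"), m.group("ip")

def find_bruteforce_sources(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {client: peak failures} for clients with >= threshold failures in any `window`."""
    per_client = defaultdict(list)
    for ts, _user, client in parse_failures(lines):
        per_client[client].append(ts)
    flagged = {}
    for client, stamps in per_client.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:  # drop failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[client] = max(flagged.get(client, 0), end - start + 1)
    return flagged
```

`find_bruteforce_sources(SAMPLE_LOG)` returns only the bursting host, `{'10.0.0.5': 6}`; the two spread-out failures from 192.168.1.20 never reach the threshold inside a two-minute window.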
marrowyungSenior Technical architecture (Data)

Author

Commented:
"Database servers need to be installed in a different network in the background so they are the last servers to be accessed, meaning that somebody who wants to attack your database needs to get access to your main network first, and from there he needs to go through local firewalls until he reaches your database server."

Sure.

This is very common for any e-commerce platform; later on it still depends on how many DMZs they have.

"And you can add more network layers to add more security. The more complex the infrastructure is, the harder it is to be broken by hackers."

Sure, and thanks.

I knew about "Windows Authentication mode", but that one also gives more security by domain login, where the whole information is encrypted across the network, so this is good, and the SQL login and password are not encrypted.

By Virtual Service account, it means the SQL service account, right? The service account SQL Server creates when installing, right? I don't use this keyboard usually.
Vitor MontalvãoIT Engineer
Distinguished Expert 2017

Commented:
By Virtual Service account, it means the SQL service account, right? The service account SQL Server creates when installing, right?
Yes. With that nobody is able to know the services' passwords.
marrowyungSenior Technical architecture (Data)

Author

Commented:
Thanks.
marrowyungSenior Technical architecture (Data)

Author

Commented:
Thanks, both.
