MS SQL server Brute-force protection

Hi,

Has anyone implemented brute-force protection in MS SQL Server? How can it be done other than with a complex password?
marrowyung, Senior Technical architecture (Data), Asked:
 
Pawan Kumar, Database Expert, Commented:
Yes, one.
0
 
Pawan Kumar, Database Expert, Commented:
We can use RdpGuard. It is third party.
RdpGuard is a host-based intrusion prevention system (HIPS) that protects your Windows Server from brute-force attacks on various protocols and services (RDP, FTP, SMTP, MySQL, MS-SQL, IIS Web Login, ASP.NET Web Forms, MS Exchange, RD Web Access, etc).

Settings you can manage.
https://rdpguard.com/mssql-protection-settings.aspx

Free trial. We can use the free trial of RdpGuard and see if it works fine with our requirement.
https://rdpguard.com/
0
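For reference, SQL Server writes failed logins to its error log (error 18456) together with the client address, which is what makes host-based detection of password guessing possible. The sketch below is an added example, not code from this thread or from RdpGuard: it counts failed-login entries per client in a sliding window. The log lines are constructed, the threshold and window are assumptions, and it assumes failed-login auditing is enabled on the instance.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failed-login entry as written to the SQL Server error log (error 18456).
FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]"
)

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each client that reached `threshold` failed logins within
    `window` to the sorted list of login names it tried."""
    recent = defaultdict(deque)  # client -> failure times still inside the window
    tried = defaultdict(set)     # client -> login names seen in failures
    flagged = set()
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue             # "Error: 18456, ..." header lines and other entries
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        tried[ip].add(m["user"])
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: sorted(tried[ip]) for ip in flagged}

def sample_lines():
    """Constructed log lines: one noisy client, one user with two typos."""
    reason = "Reason: Password did not match that for the login provided."
    rows = [("10:00:%02d" % s, "sa", "203.0.113.7") for s in range(0, 12, 2)]
    rows += [("10:05:00", "app_ro", "198.51.100.20"),
             ("10:45:00", "app_ro", "198.51.100.20")]
    lines = ["2024-03-01 10:00:00.10 Logon       Error: 18456, Severity: 14, State: 8."]
    lines += ["2024-03-01 %s.10 Logon       Login failed for user '%s'. %s [CLIENT: %s]"
              % (t, u, reason, ip) for t, u, ip in rows]
    return lines

if __name__ == "__main__":
    for ip, users in find_bruteforce(sample_lines()).items():
        print(f"{ip}: repeated failed logins for {users}")
```

The flagged addresses are candidates for a firewall block rule; the two failures from the second client are 40 minutes apart and stay below the threshold.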
 
marrowyung, Senior Technical architecture (Data), Author Commented:
So this is for Windows, but it is not for SQL Server natively?
0
 
Pawan Kumar, Database Expert, Commented:
Both.
0
 
Pawan Kumar, Database Expert, Commented:
Edited my last comment. Basically it will be 2 layers, I think - server and then DB.
0
 
marrowyung, Senior Technical architecture (Data), Author Commented:
"Edited my last comment. Basically it will be 2 layers, I think - server and then DB."

So is it one, that tool for both layers?
0
 
marrowyung, Senior Technical architecture (Data), Author Commented:
tks.
0
 
Vitor Montalvão, MSSQL Senior Engineer, Commented:
Please explain: what is brute-force protection for you?
You can always hire some security guards that look like gorillas and have them securing your data center :)
0
 
marrowyung, Senior Technical architecture (Data), Author Commented:
"You can always hire some security guards that look like gorillas and have them securing your data center :)"

Application firewall or IP guard from Cisco.

But from the SQL Server point of view, what can we do?
0
 
Vitor Montalvão, MSSQL Senior Engineer, Commented:
A firewall is always the best thing to do, so you can limit the machines that can connect to the SQL Server.
Then protect the SQL Server instance by managing access, limiting it to only the necessary users and permissions.
0
 
marrowyung, Senior Technical architecture (Data), Author Commented:
"Then protect the SQL Server instance by managing access, limiting it to only the necessary users and permissions."

You mean user access rights, right?
0
 
Vitor Montalvão, MSSQL Senior Engineer, Commented:
"You mean user access rights, right?"
Sure. There's no magic formula. The formula is always the same:
- Limit access from machines and people and give only the necessary permissions and not more.
0
 
marrowyung, Senior Technical architecture (Data), Author Commented:
"Limit access from machines and people and give only the necessary permissions and not more."

DBAs always do it and usually only give READ ONLY rights to waive the effect of write operations.

But here it is more about password attacks and connections; any way you use to block the IP address by SQL Server control? We usually do IIS IP address filtering.
0
 
Vitor Montalvão, MSSQL Senior Engineer, Commented:
Did you read my articles?
Virtual accounts are almost unbreakable. For regular users use domain accounts with a strong password policy.
Database servers need to be installed in a different network in the background so they should be the last servers to be accessed, meaning that somebody who wants to attack your database needs to first get access to your main network and from there he needs to go through local firewalls until he reaches your database server. And you can add more network layers to add more security. The more complex the infrastructure is, the harder it is to be broken by hackers.
0
 
marrowyung, Senior Technical architecture (Data), Author Commented:
"Database servers need to be installed in a different network in the background so they should be the last servers to be accessed, meaning that somebody who wants to attack your database needs to first get access to your main network and from there he needs to go through local firewalls until he reaches your database server."

Sure.

This is very common for any e-commerce platform; later on it still depends on how many DMZs they have.

"And you can add more network layers to add more security. The more complex the infrastructure is, the harder it is to be broken by hackers."

Sure, and tks.

I knew about the "Windows Authentication mode", but that one is also more secure through domain login, in which the whole information is encrypted across the network, so this is good, and the SQL login and password are not encrypted.

By Virtual Service account, it means SQL service account, right? The service account SQL Server creates when installing, right? I don't use this keyboard usually.
0
 
Vitor Montalvão, MSSQL Senior Engineer, Commented:
"By Virtual Service account, it means SQL service account, right? The service account SQL Server creates when installing, right?"
Yes. With that nobody is able to know the services' passwords.
0
 
marrowyung, Senior Technical architecture (Data), Author Commented:
tks.
0
 
marrowyung, Senior Technical architecture (Data), Author Commented:
tks both.
0
Question has a verified solution.
