
MS SQL (Server 2008)

JoeyofBladez

Newbie
Mar 20, 2013
Hi everyone,

I'm a college student new to the InfoSec community and will be participating in CCDC 2013, a competition designed to promote Information Assurance. In the competition, we have to secure and maintain a plethora of web apps and services. I've been doing a good job so far, but MS SQL on a Windows Server 2008 box in the qualifiers round really stumped me. Even Google was giving sketchy answers, or ways to secure MySQL (the Linux SQL service, not to be confused with MS SQL, the Windows version).

I was wondering if anyone here has any experience setting up MS SQL to be secure. I would probably just be setting up a simple database to protect (the main concern is that the scorebot can ping the default port MS SQL listens on, giving me points for having the service active). Any advice would be greatly appreciated.
 
Since Microsoft SQL Server is a for-profit product sold by a notoriously for-profit company, your best bet is to start laying out the cash. Buy yourself a book oriented to taking a certification test. That's your best bet outside of getting into an MCP training program and/or purchasing an MSDN subscription.

You might want to get to know your TCP/IP ports better, and know how to set the port(s) that SQL Server operates on on your system. Another thing is to make sure that the SA user account actually has a password. (!!!) But sooner or later you're going to get to know the entire product well enough to know beforehand what settings to look at.
 
make sure the sa account is either disabled or has a password ;)

Okay, I'll go a bit more in depth than just the sa....
> You're probably going to want to limit the sql permissions associated with the sql accounts... so don't have a bunch of people with 'delete' or 'execute' permissions.
> Also, look into the xp_cmdshell module... that's sure to be exploited.

And finally, you've got a few current buffer overflows to look out for with MSSQL2008, so be ready for that. You might want to try running mssql through emet? That might help. Maybe try forcing some ASLR or DEP?

Also, it might be fun to poke around in the config files in MSSQL and see if you can change the banner messages, and make them read as MySQL or something? Throw the red team off your tracks?
 
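The sa, permissions and xp_cmdshell points from the post above, gathered into one T-SQL audit-and-harden script for SQL Server 2008. This is an added example, not code from the thread; the database name and the REVOKE target at the end are placeholders you substitute for your own. Run it as a sysadmin in sqlcmd or SSMS and read each result set before acting on it.

```sql
-- Added example (not from the thread): audit and harden the items the post
-- lists on SQL Server 2008. [YourAppDb], dbo.SomeProc and [appuser] are
-- placeholders, not real names from the thread.

-- 1. SQL logins whose password is blank: PWDCOMPARE tests the stored hash
--    against the empty string.
SELECT name AS blank_password_login
FROM   sys.sql_logins
WHERE  PWDCOMPARE('', password_hash) = 1;

-- 2. Disable the well-known sa login so it cannot be used interactively.
--    If a scored application must authenticate as sa, keep it enabled and
--    set a strong password instead:
--    ALTER LOGIN sa WITH PASSWORD = '<strong password placeholder>';
ALTER LOGIN sa DISABLE;

-- 3. Who holds sysadmin? Anything beyond your own admin login is suspect.
SELECT m.name AS member, m.type_desc, m.is_disabled
FROM   sys.server_role_members rm
JOIN   sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE  r.name = 'sysadmin';

-- 4. Turn xp_cmdshell off. It is an advanced option, so expose those first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 5. Verify the running value: value_in_use should now be 0.
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name = 'xp_cmdshell';

-- 6. Per application database, list principals that hold DELETE/EXECUTE
--    (or the broader ALTER/CONTROL) directly, then revoke what is not needed.
USE [YourAppDb];
SELECT dp.name AS principal, dp.type_desc, p.permission_name, p.state_desc,
       OBJECT_NAME(p.major_id) AS on_object
FROM   sys.database_permissions p
JOIN   sys.database_principals dp ON dp.principal_id = p.grantee_principal_id
WHERE  p.permission_name IN ('DELETE', 'EXECUTE', 'ALTER', 'CONTROL')
  AND  dp.name <> 'dbo';

-- Example revoke for one row of the output above (placeholder names):
-- REVOKE EXECUTE ON OBJECT::dbo.SomeProc FROM [appuser];
```

Re-run steps 1, 3 and 5 after the competition's service checks have passed, since a red team that regains sysadmin will typically re-enable xp_cmdshell or add a login, and these queries show that change immediately.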
To start, netcat is the 'TCP Swiss-Army Knife'... it can do damn near anything.

<edit>
above I simply meant as a way of 'tricking' the scorebot's pings...

nc would listen on the port and (if so configured) reply to the ping the same way that MSSQL would. But that might be a bit 'cheap'.
</edit>


You can set it up to run as a simple chat program, function as a web server, or a backdoor for remote administration...

I'll describe a hypothetical use:

Say you need three services, MSSQL, HTTP, and SSH
You have two servers, MSSQL on ServerA and HTTP & SSH on ServerB
You also have a couple of work stations Win1, Win2, Lin1, Lin2

So on the Win1,Win2 workstations you can set up netcat to run on port 80 and spit out the headers for Apache or nginx (web servers more commonly used on unix boxes)... on Lin1,2 you could set up netcat on port 80 to spit out the headers for IIS (windows web server).

This likely wouldn't completely fool the red team, but it might break their routines a bit.

I wasn't on the CCDC at my school, but one year the red-team they brought in was professional pen-testers...

I'll try to post back later with a bit more on netcat and maybe some examples... it really is an awesome tool.
 
I really appreciate it. I don't know if netcat will be allowed on our side but definitely worth learning. I'll see if it's legal.

Thanks again for the advice. Any instances you can think of, any vectors of attack of the red team are invaluable to me. I'm going to try to get used to the interface tomorrow and get back to you with what I have questions about. I really appreciate the help, man. I'm not used to running servers, only clients, so it's very new and takes some getting used to. Servers have a lot of configuration settings and rely on the network being secure in itself to be secure, so I need more experience with them.
 
Even if netcat and other network monitoring tools aren't allowed on your side, the practice of using ports other than the default one for a particular service whenever possible (using the port of a well-known service that you're not using is a good practice) is often a good idea for good security.
 
> Even if netcat and other network monitoring tools aren't allowed on your side, the practice of using ports other than the default one for a particular service whenever possible (using the port of a well-known service that you're not using is a good practice) is often a good idea for good security.

I thought of that as the first thing, but turns out scorebot listens on default ports. So that's not an option for this competition, though a good idea in the real world.
 
