SQL Server Login - failed login attempts
Is there a way to set consecutive failed login attempts to a specific number like 3 or 4 times (for SQL Server Logins)? If this count is crossed the expectat开发者_如何学Pythonion is to lock the account.
You can enforce the pasword policy of the Windows server on which SQL Server is installed using the CHECK_POLICY
option of CREATE USER
, see http://msdn.microsoft.com/en-us/library/ms189751.aspx and http://msdn.microsoft.com/en-us/library/ms161959.aspx. It's not clear from the documentation but it does look like the user will be automatically locked out if the number of bad attempts exceeds the Windows security policy's setting.
You'll need to administer the security policy in the domain or local security policy MMC snapin (see http://technet.microsoft.com/en-us/library/dd277400.aspx).
There are two authentication modes used in SQL Server: the Windows Authentication and mixed mode (enables both Windows Authentication and SQL Server Authentication)
The first mode is a way less vulnerable to the brute-force attacks as the attacker is likely to run into a login lockout (the Account Lockout Policy feature) after a finite number of attack attempts ("a specific number like 3 or 4 times"). Every production environment, if using the Windows Authentication mode, should utilize the lockout policy feature, as it practically excludes the brute-force attack success
When it comes to SQL Server authentication brute-force attack vulnerability, the situation is not so bright. In fact, the SQL Server Authentication has no features that allow detecting when the system is under a brute-force attack. Moreover, SQL Server is very responsive when it comes to validating SQL Server authentication credentials. It can easily handle repeated, aggressive, brute-force login attempts without negative overall performance that might indicate such attacks. This means that the SQL Server Authentication is a perfect target for password cracking via brute-force
精彩评论