I am not sure if this is what you are looking for, but take a look at this:
XP_CRYPT: You can easily perform dynamic column encryption in views, procedures and triggers in SQL Server or Oracle with a simple set of functions. They are implemented as Extended Stored Procedures, stored procedures, and user defined functions (UDF). They can be used in addition to, or instead of, the entire database encryption.
then start the SQL Server with net start SQLServer
then it's secured..... sometimes the service for the SQL Server has a different name.. or you have to put /y behind net stop SQLServer.... to stop it
that's my method....it works well
PS: to quickly find the folder where the 2 files are, type:
dir /s c:\xpsql70.dll
dir /s c:\xplog70.dll
have fun
mfg mR_NIcE
GhostCow
Jan 19 2004, 09:18 PM
thanks dood it looks like the best method up to date! hope it'll work!
RFlash
Jan 22 2004, 06:00 PM
There are almost 2 thingz to say about the method of mR_NIcE:
1. You stop/start the sql server, an event that sometimes draws the attention of the sysop, and for sure remains registered in some log.
2. You install 2 .dlls that for sure will protect the server from the majority of the rehackers but maybe not from the creators of the 2 modified .dlls
RFlash
Wolfman
Jan 23 2004, 10:59 AM
QUOTE (RFlash @ Jan 22 2004, 06:00 PM)
There are almost 2 thingz to say about the method of mR_NIcE:
1. You stop/start the sql server, an event that sometimes draws the attention of the sysop, and for sure remains registered in some log.
2. You install 2 .dlls that for sure will protect the server from the majority of the rehackers but maybe not from the creators of the 2 modified .dlls
RFlash
You are absolutely correct. The modding of the DLLs consists in changing the way you access the cmdshell through sql from its standard name to a new one, thus leaving a way in to whoever knows it.
Cya Wolfman
FiNaLBeTa
Jan 23 2004, 11:24 AM
Call me old-fashioned, but I still change the sql pass. After changing it, you have 3 possibilities: 1. admin does nothing and you have a backdoor (happens a lot). 2. admin changes the pass to something new (not weak sqlpass). 3. admin changes the pass back.
note on 3: just run a file that changes the password again every day... and you are home free.
GhostCow
Jan 23 2004, 11:50 AM
how about doing both?
W2K
Jan 31 2004, 10:03 PM
I need xplog70.dll and xpsql70.dll
globe7
Feb 2 2004, 01:54 PM
QUOTE (mR_NIcE @ Jan 19 2004, 07:50 PM)
OK I do it like this...
search for these 2 files.... xpsql70.dll... and xplog70.dll.. usually they are in a folder which is called "bin"
then stop the sql server.... net stop SQLServer
and delete the 2 files... sometimes there is only one of the 2 files.... and replace the 2 files with.. these 2 files
then start the SQL Server with net start SQLServer
then it's secured..... sometimes the service for the SQL Server has a different name.. or you have to put /y behind net stop SQLServer.... to stop it
that's my method....it works well
PS: to quickly find the folder where the 2 files are, type:
dir /s c:\xpsql70.dll
dir /s c:\xplog70.dll
have fun
mfg mR_NIcE
tnx i learn something new
Stephen79
Feb 2 2004, 03:57 PM
QUOTE (W2K @ Jan 31 2004, 11:03 PM)
I need xplog70.dll and xpsql70.dll
Seems like you need a new set of glasses too
esorone
Feb 2 2004, 05:03 PM
Hmm, very interesting post.
Gonna check out the .dll
mr.anderson
Feb 2 2004, 05:17 PM
Yeah, actually deleting them is the only way to make sure no one will make an NT account and access via netbios
fre4k
Apr 17 2004, 05:05 PM
the best way to change SQL USERPASSES is:
- First connect to the sql with sqlexec
- for example username and pass is sa/NULL, go to "%s" in your sqlexec and then type:
EXEC sp_password NULL, 'lalala', 'sa'
- now the new password is called: lalala
- if the old password is called "sa" type
EXEC sp_password sa, 'lalala', 'sa'
- and now the new pass is: lalala
Works GREAT for me !
-fre4k
som3aa
Apr 22 2004, 11:04 AM
delete xplog70.dll
DumpZ
Apr 22 2004, 12:21 PM
The best way to secure SQL is to get a really strong password, and DENY execute. (which is not possible on the sa account)
sfzhi
Apr 23 2004, 04:56 AM
Very interesting post. In my opinion a strong password is the best security
t00sTr0nG
Apr 23 2004, 07:40 AM
I stop the SQL and change these DLLs: xplog70.dll, xpsql70.dll! I think this is the best method to secure sql! t00sTr0nG
qcred11
Apr 23 2004, 11:33 PM
Try to use this freeware tool. Here is the short description:
QUOTE
IIS password protection of files and folders has always been difficult. IISPassword brings the ease and power of Apache's htaccess to Microsoft IIS. No longer is there a need for system user accounts and complex access permissions for maintaining a secure, password protected web site.
IISPassword uses Basic HTTP Authentication for password protecting web sites on IIS, just like htaccess works on Apache. That makes your password protected Apache web site compatible with IIS, and vice versa.
A powerful and intuitive interface makes it possible to password protect a web site in just moments. More advanced settings provide options such as user group management and protection of certain file types.
after you change .dll files.... Is it possible to get back in through sqlexec? Assuming that I didn't install a backdoor?
som3aa
Apr 26 2004, 11:42 AM
QUOTE
after you change .dll files.... Is it possible to get back in through sqlexec? Assuming that I didn't install a backdoor?
LOL, that's what securing sql is about: to prevent accessing the sql. How could you use it to get in if you want to prevent access through sqlexec?
The question is exactly like: if I sell my car to someone and I take the money, can I use the car whenever I want?
Miserly
Apr 26 2004, 01:28 PM
hmm the links for the dlls are down somebody pls could upload them again?
and does somebody know how to modify the original dlls, so that i can change what's needed to everything i want? (like said, when you use these dlls the creator still can access the server...) thx in advance!
btw: when changing the sa password, the admin will recognize it, if he uses the account? or is the sa axx an extra axx (think so, never hacked sql until now^^)
DumpZ
Apr 27 2004, 09:40 AM
Well, if the password is blank the admin sometimes doesn't even know that SQL is installed, because on a Windows Small Business Server SQL is automatically installed during the normal installation.
And often the admin doesn't use the sql server and doesn't know it's running.
But if the admin is using the server he/she will notice when it changed and probably change it back, or change it to a stronger pass
Killaloop
Apr 27 2004, 10:32 AM
QUOTE (Miserly @ Apr 26 2004, 01:28 PM)
hmm the links for the dlls are down somebody pls could upload them again?
and does somebody know how to modify the original dlls, so that i can change what's needed to everything i want? (like said, when you use these dlls the creator still can access the server...) thx in advance!
btw: when changing the sa password, the admin will recognize it, if he uses the account? or is the sa axx an extra axx (think so, never hacked sql until now^^)
if you really want to do this hexedit the file and look for xp_cmdshell
replace it with something you like
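A defender-side check for the tampering this thread describes, as an added example that is not part of any post above: it compares an extended-procedure DLL against a known-good hash, flags a file in which the name xp_cmdshell no longer appears, and finds service stop/start pairs that bracket the file's modification time. The log format, sample bytes, baseline and function names are constructed for illustration; MSSQLSERVER is assumed as the service name.

```python
import hashlib
import re
from datetime import datetime

EXPECTED_NAME = b"xp_cmdshell"  # name the thread says is overwritten in the swapped DLLs

def check_dll(data, baseline_sha256):
    """Findings for one DLL image compared with a known-good baseline hash."""
    findings = []
    if hashlib.sha256(data).hexdigest() != baseline_sha256:
        findings.append("hash differs from baseline")
    if EXPECTED_NAME not in data:
        findings.append("procedure name xp_cmdshell not present")
    return findings

# Constructed log format for this example: "<ISO timestamp> <service> <stopped|running>"
EVENT_RE = re.compile(r"^(\S+) (\S+) (stopped|running)$")

def restarts_around(log_lines, service, file_mtime):
    """(stop, start) pairs of `service` with the file's modification time between them."""
    pairs, stop = [], None
    for line in log_lines:
        m = EVENT_RE.match(line.strip())
        if not m or m.group(2) != service:
            continue
        ts = datetime.fromisoformat(m.group(1))
        if m.group(3) == "stopped":
            stop = ts
        elif stop is not None:
            if stop <= file_mtime <= ts:
                pairs.append((stop, ts))
            stop = None
    return pairs

# Constructed sample data (not real binaries, hashes or logs).
GOOD_DLL = b"MZ\x90\x00" + b"\x00" * 16 + b"xp_cmdshell\x00"
TAMPERED_DLL = b"MZ\x90\x00" + b"\x00" * 16 + b"some_other_name\x00"
BASELINE = hashlib.sha256(GOOD_DLL).hexdigest()  # would come from trusted install media
SAMPLE_LOG = [
    "2004-01-19T19:40:00 MSSQLSERVER stopped",
    "2004-01-19T19:42:30 MSSQLSERVER running",
    "2004-01-20T03:00:00 Spooler stopped",
    "2004-01-20T03:00:05 Spooler running",
]
```

A hash mismatch is the authoritative signal; the name check is only a heuristic drawn from the posts above, and a hit on either is reason to restore the file from trusted install media.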
Miserly
Apr 27 2004, 11:25 AM
thx for your answers, DumpZ & Killaloop! @killaloop: do i have to replace this hm lets call it string ^^ with a string of the same length, like at serv-u modding, or doesn't it matter how long the new string is? thx in advance
Macsou
Apr 29 2004, 01:51 PM
To secure SQL pass:
Go to: /MSSQL7/Binn/ or /MSDE/Binn/ and type: osql -U sa -P "" -Q "sp_password NULL,Here Your Password,sa"
Bye all Fr.
Hi Niko