How hackers see your SQL Servers
Until SQL Slammer, Microsoft had taken a severe beating over IIS security vulnerabilities, yet SQL Server had somehow stayed off the radar screen. Perhaps this was due to a lack of automated tools, and because at least a cursory knowledge of SQL is needed to attack a SQL server successfully. Whatever the reasons, with the arrival of SQL Slammer and other worms the scenery is now changing. More and more automated tools are available to fully exploit SQL vulnerabilities, and a little knowledge of SQL can go a long way toward breaking into corporate databases.

This article will explore some of the software used to find holes in your SQL Server setup. The intent is not to teach you how to hack a SQL server but rather to use the tools to harden your SQL Server.

Most experienced hackers will do some extensive information gathering about a particular site before making any direct moves. This is called footprinting. They need to employ the right technology without alerting the intrusion detection systems. One common source of information is Internet newsgroups. In discussing problems and resolutions, security information such as an ADO connection string or a SQL Server security setting may be inadvertently disclosed! With company administrative web pages coupled with search engines, there is plenty of information available to hackers.
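
One way to check a draft newsgroup or forum post for the connection-string disclosure described above, as an added example that is not part of the original article. The keyword list (not exhaustive), the function name `redact_post` and the sample post are assumptions constructed for illustration.

```python
import re

# Connection-string keywords grouped by what they reveal to a reader.
# Assumed, non-exhaustive list; extend it for the drivers you use.
KEYWORDS = {
    "credential": r"password|pwd|user\s+id|uid",
    "topology": r"data\s+source|server|initial\s+catalog|database",
}

# A value is either quoted (and may then contain ';') or runs up to the
# next ';', quote or end of line. Over-redaction is the safe direction.
VALUE = r"""\s*=\s*(?P<value>"[^"]*"|'[^']*'|[^;"'\r\n]+)"""

PATTERNS = {
    kind: re.compile(rf"\b(?P<key>{keys}){VALUE}", re.IGNORECASE)
    for kind, keys in KEYWORDS.items()
}


def redact_post(text):
    """Return (redacted_text, findings); findings are (line_no, kind, key)."""
    findings = []
    out_lines = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            def _mask(match, kind=kind):
                findings.append((line_no, kind, match.group("key")))
                return f"{match.group('key')}=<redacted>"
            line = pattern.sub(_mask, line)
        out_lines.append(line)
    return "\n".join(out_lines), findings


# Constructed sample post; host name, account and password are made up.
SAMPLE_POST = '''My ASP page fails with a login error. Here is the code:
conn.Open "Provider=SQLOLEDB;Data Source=db01.example.test;Initial Catalog=Orders;User ID=webapp;Password=Examp1e;"
Any ideas?'''

if __name__ == "__main__":
    cleaned, found = redact_post(SAMPLE_POST)
    print(cleaned)
    for line_no, kind, key in found:
        print(f"line {line_no}: {kind} keyword '{key}' redacted")
```

The provider name is left in place so the question remains answerable, while the server, database, account and password values are masked before the text is posted.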