SQL Vulnerabilities

Created: 09 May 2013 | 3 comments

Greetings all, I am a new member to the community and BE newbie so please take it easy on me.

I have Symantec BE 2010 R3 running on a Windows 2008 R2 SP1 server for a network file server. I run daily incremental and weekly full backup jobs on a tape autoloader. I am trying to mitigate some vulnerabilities that deal with SQL. I am not a SQL guy so I am not sure where to begin. I do know that SQL 2005 comes with BE, but is it a requirement? I don't have SQL Management Studio installed and I am not sure where to start to execute SQL command procedures. The vulnerabilities I am trying to fix are:

SQL Insecure sp_createorphan Procedures and Permissions Detected

SQL Insecure sp_replcmds Procedures and Permissions Detected

SQL Insecure sp_unprepare Procedures and Permissions Detected

SQL Insecure sp_resyncexecute Procedures and Permissions Detected

SQL Insecure sp_replwritetovarbin Procedures and Permissions Detected

SQL Insecure sp_replsetsynstatus Procedures and Permissions Detected

SQL Does Not Enforce C2 Auditing Detected

SQL Accounts With Same Username and Password Detected

SQL Insecure Registry Access Commands Detected

SQL Insecure Password Policy Enforcement Detected

SQL Logins Do Not Enforce Password Policy Detected

SQL SA Login Does Not Enforce Password Policy Detected

SQL Logins Does Not Have Password Expiration Detected

SQL SA Login Does Not Have Password Expiration Detected

Microsoft Windows Service Isolation Privilege Escalation - SQL Server

 

Any assistance would greatly be appreciated!

 

Comments

pkh's picture

By default, BE uses SQL 2005 Express to store its database, BEDB.  The SQL instance is BKUPEXEC. What you can do is to patch this instance to the latest SQL fixes.

amboy's picture

Thank you for your response. I will give that a shot. Thanks!

GoBigRed's picture

Did you get your issues resolved, and if so, what were they?  I appreciate any help with this as I too am a SQL novice.  Thanks in advance.
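
Added example, not part of the thread and not Symantec's own procedure: read-only T-SQL checks that map to several of the scanner findings listed in the question, run against the BKUPEXEC instance named in the first reply. It assumes a Windows account with sysadmin rights on that instance; the script file name is hypothetical.

```sql
-- Read-only audit queries; nothing on the instance is changed.
-- Can be run without Management Studio using sqlcmd, for example:
--   sqlcmd -S .\BKUPEXEC -E -i audit_be_sql.sql   (file name is hypothetical)

-- 1. SQL logins (including sa) that do not enforce password policy or expiration.
SELECT name,
       is_disabled,
       is_policy_checked,       -- 0 = CHECK_POLICY is OFF
       is_expiration_checked    -- 0 = CHECK_EXPIRATION is OFF
FROM   sys.sql_logins
WHERE  is_policy_checked = 0
   OR  is_expiration_checked = 0
ORDER  BY name;

-- 2. SQL logins whose password is blank or identical to the login name.
--    PWDCOMPARE tests a candidate value against the stored hash.
SELECT name,
       CASE WHEN PWDCOMPARE('', password_hash) = 1
            THEN 'blank password'
            ELSE 'password equals login name'
       END AS finding
FROM   sys.sql_logins
WHERE  PWDCOMPARE('', password_hash) = 1
   OR  PWDCOMPARE(name, password_hash) = 1;

-- 3. Current C2 audit setting (0 = off, 1 = on).
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name = 'c2 audit mode';

-- 4. Permissions held by the public role on the procedures named in the
--    findings. No rows means the procedure is absent or has no grant to public.
SELECT o.name AS procedure_name,
       p.permission_name,
       p.state_desc
FROM   master.sys.database_permissions AS p
JOIN   master.sys.all_objects          AS o ON o.object_id = p.major_id
WHERE  p.class = 1                      -- object-level permission
  AND  p.grantee_principal_id = 0       -- public
  AND  o.name IN ('sp_createorphan', 'sp_replcmds', 'sp_unprepare',
                  'sp_resyncexecute', 'sp_replwritetovarbin',
                  'sp_replsetsynstatus')
ORDER  BY o.name;
```

The output shows which findings actually apply to this instance before any setting is changed.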