Sql Server Password Change History

0 views
Skip to first unread message

Pit Gebeyaw

unread,
Aug 4, 2024, 4:12:11 PM8/4/24
to minddiscstanwydd
WithADAudit Plus' simple, easy-to-read reports, a single click is all it takes to pull up the complete details of who changed/set passwords, when, and from which machine. These reports can be exported and scheduled to be automatically generated at specified times and delivered to your inbox.

The Enforce password history policy setting determines the number of unique new passwords that must be associated with a user account before an old password can be reused.Password reuse is an important concern in any organization. Many users want to reuse the same password for their account over a long period of time. The longer the same password is used for a particular account, the greater the chance that an attacker will be able to determine the password through brute force attacks. If users are required to change their password, but they can reuse an old password, the effectiveness of a good password policy is greatly reduced.


Specifying a low number for Enforce password history allows users to continually use the same small number of passwords repeatedly. If you don't also set Minimum password age, users can change their password as many times in a row as necessary to reuse their original password.


The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse isn't prevented, or if users continually reuse a few passwords, the effectiveness of a good password policy is greatly reduced.


If you specify a low number for this policy setting, users can use the same small number of passwords repeatedly. If you don't also configure the Minimum password age policy setting, users might repeatedly change their passwords until they can reuse their original password.


Note: After an account has been compromised, a simple password reset might not be enough to restrict a malicious user because the malicious user might have modified the user's environment so that the password is changed back to a known value automatically at a certain time. If an account has been compromised, it is best to delete the account and assign the user a new account after all affected systems have been restored to normal operations and verified that they are no longer compromised.


The major impact of configuring the Enforce password history setting to 24 is that users must create a new password every time they're required to change their old one. If users are required to change their passwords to new unique values, there's an increased risk of users who write their passwords somewhere so that they don't forget them. Another risk is that users may create passwords that change incrementally (for example, password01, password02, and so on) to facilitate memorization, but these passwords make it easier for an attacker to guess. Also, an excessively low value for the Maximum password age policy setting is likely to increase administrative overhead because users who forget their passwords might ask the Help Desk to reset them frequently.


But my Ubuntu is configured to log password changes to /var/log/auth.log and my RHEL and CentOS log password changes to /var/log/secure, if they are made with the passwd command. You will see pam_unix(passwd:chauthtok): password changed for messages.


Auditing password changes and resets in Active Directory is crucial for several reasons. First and foremost, it enhances security. By monitoring and documenting these activities, administrators can identify any unauthorized or suspicious password modifications. This allows for swift action to be taken to prevent potential security breaches or unauthorized access to sensitive information.


Furthermore, tracking password changes and resets helps with auditing and compliance. Many industries have strict regulatory requirements that mandate the maintenance of a secure and auditable system. By keeping a record of password-related activities, organizations can demonstrate compliance with these regulations during audits, ensuring the integrity and confidentiality of data.


Moreover, audit password changes and resets assist in troubleshooting and problem resolution. When users encounter login issues or password-related problems, having a log of recent password changes can help administrators identify the cause and implement appropriate solutions quickly.


Auditing password changes and resets in Active Directory natively requires two main steps: configuring group policy settings to enable auditing, and then finding the corresponding Event ID in Windows Event Viewer. We go through the steps in more detail here:


Installing and configuring Lepide Active Directory Auditor is easy. After configuring, you can carefully monitor password changes and password resets in real-time, including users with soon-to-expire passwords, users with already expired passwords, users whose passwords never expire, accounts with passwords due to be changed at next logon and recent logon failures.


I have a recent unfortunate event. I host a business partner's SQLServer 2005 server, and the "sa" password was mysteriously changed (nobody wants to take responsibility on it). So I was wondering, is there a way I can configure SQL Server 2005 to log all password changes?


I know that could be achieved with Windows Server 2003, Windows Server 2008 or similar. But the thing is, I am running on Windows XP Pro (I know I should not be doing this, but my business partner claims she doesn't have the budget to buy a full fledge Windows Server OS).


Do they have enough money to recreate the database from scratch once you loose data for the second time? Seriously, you should simply the Windows event viewer to see the last access. SA typically will show an event in the the security log.


Password policies enable admins to define password policies and associated rules that enforce password settings at the group and authentication-provider level. Okta provides a default policy to enforce the use of strong passwords to better protect your organization's assets. Admins can also create other policies that are less or more restrictive and apply them to users based on group membership.


When an admin creates a temporary password for LDAP sourced users, users must change their password when they next sign-in if the LDAP server password policy requires or allows it. To create password policies that support temporary passwords, consult the LDAP server manual provided by the vendor.


The security question is required to perform a password reset with SMS. With an Early Access feature, you can omit a security question from the password recovery flow. This applies to Okta and AD-sourced users only. To enable it, contact Okta Support.


Okta can help prevent AD and LDAP-sourced users from getting locked out of their Windows account and hardware device due to too many failed Okta sign-in attempts. This feature also helps prevent a malicious third party from using Okta to lock out users.


Okta also prevents Okta-sourced users from getting locked out of their Okta accounts as a result of too many failed Okta sign-in attempts. This feature adds the ability to block suspicious sign-in attempts from unknown devices.


Okta can detect whether sign-in attempts are coming from a known or unknown device. A known device is one that has been previously used to sign in to Okta. An unknown device has never been used to sign in to Okta.


If Okta determines that the failed sign-in attempts are coming from an unknown device, Okta locks out new sign-in attempts from unknown devices. Okta still allows users to sign-in from known devices. This helps prevent malicious parties from disrupting Okta users' access to their accounts and enhances account protection.


The minimum lockout duration for lockouts triggered by unknown devices is two hours. If a legitimate user needs to sign in from a new device during this time, Okta initiates the self-service account unlock flow (if the org admin has enabled it). When the user unlocks the account, they're allowed to sign in from the new device.


Admins don't see user accounts on the Admin Console that were locked out due to unknown devices, and they can't unlock these accounts. To support users who lost a device and have a new one, Okta recommends that admins enable the self-service account unlock functionality so these users don't have to wait for the lockout duration to expire before they can access their account. See Self-service recovery options.


With the rights that the sa login has by default in SQL Server, it is imperative to change this password on a regular basis whether it is monthly, quarterly or semi-annually. In addition, as DBAs move on to other opportunities, it is wise to change the sa password as well. Changing the sa password should be a relatively easy process requiring little to no impact on the organization. Unfortunately, changing the sa password on a regular basis is not a common practice at most organizations, because the impacts of changing the password are unknown.


The first step in the process is to find out when the sa password was last changed. If this timeframe is unacceptable to your organization, then steps need to be taken to understand where the sa login is used and how the application can be modified to use another login.


In SQL Server 2000 a documented process does not exist to determine when the sa password was changed. The best means to determine if the sa password has changed is based on the value from the updatedate column in the master.dbo.syslogins table. This value seems to be the only possible column to determine if any property (default database, default language, etc.) for the sa login has changed. Since the sa properties do not change frequently, the value for this column should be a reasonable, but not an absolute indicator of when the sa password was last changed. Reference the code below to determine the value for the sa login's updatedate column.

3a8082e126
Reply all
Reply to author
Forward
0 new messages