I've just discovered a computer serving sensitive data from MS SQL Server that appears to have virtually no security protection. I would like to protect this box as quickly as possible.
My problem is that I'm a Linux admin with no experience of Microsoft databases helping out in a remote office with no IT staff. (Also the installation is in Spanish so please forgive me if I'm mangling any names).
So I found a program called SQL Server Enterprise Manager (There's no version number in the 'about' dialog, but the copyright in the help files says '1988-2000') which lets me read all the data, create accounts and change passwords of any existing accounts. It doesn't ask me for a password.
How can I close this gaping hole in security?
Does this situation suggest the existence of other vulnerabilities that I should check for?
You may be passing Windows authentication to the server - and if you are a domain admin/computer admin you'll be able to get into any 2000 install and most 2005 installs.
After you figure out how you are connecting, you should do a security audit, first checking the server security roles, to see who is listed as sysadmin. This should be under the security node under the database instance, not under individual databases - I'm referring to the tree structure hierarchy in EM.
Then you can delve into databases if needed to lock permissions down and make things secure and stable. You may also want to change the sa password, which is a 'backdoor' SQL login for you to get in when you are locked out.
http://technet.microsoft.com/en-us/library/cc966456.aspx
I'd also try running the best practices analyzer.
http://www.microsoft.com/downloads/details.aspx?familyid=b352eb1f-d3ca-44ee-893e-9e07339c1f22&displaylang=en
Is the problem that this computer is actually actively accessing and exploiting data on your SQL Server or is it that you're able to access the SQL Server, seemingly with no restriction... because those are two different things entirely. Also some details would be helpful, like which version and edition of SQL Server are you running?
SQL Server Enterprise Manager is used to manage SQL 2000 and earlier versions. SQL Server Management Studio is used to manage SQL 2005 and later versions.
If you cannot remove the SQL Server Enterprise Manager, you could remove the SQL Server Registration or at least check the flag "always ask for username and password" in the Server Registration.
Check also the sa (root) password for SQL Server, because up to SQL Server 2000 there was the option to leave it blank!
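The two checks the answers above call for (who is in the sysadmin server role, and whether sa or any other SQL login still has a blank password) can be done from Query Analyzer in one short T-SQL script rather than by clicking through Enterprise Manager. The script below is an added example written for this thread, not code from any of the posters; it uses SQL Server 2000 system procedures and the `master..syslogins` view, and the new sa password is a placeholder you must replace. Note that a default SQL Server 2000 install puts `BUILTIN\Administrators` in sysadmin, which is why a local or domain administrator gets in over Windows authentication with no password prompt.

```sql
-- Added example (not from the original posts): quick audit of server-level
-- security on SQL Server 2000. Run from Query Analyzer while connected as
-- a member of the sysadmin role.
USE master
GO

-- 1. List every login and Windows group that holds the sysadmin server role.
--    Expect to see sa and BUILTIN\Administrators on a default install;
--    anything else here should be explained or removed.
EXEC sp_helpsrvrolemember 'sysadmin'
GO

-- 2. Find SQL (non-Windows) logins whose password is blank. A blank password
--    is stored as NULL in this version, and PWDCOMPARE() tests a plaintext
--    candidate against the stored hash, so check both conditions.
--    isntname = 0 restricts the result to SQL logins rather than Windows accounts.
SELECT name, sysadmin, dbname
FROM master.dbo.syslogins
WHERE isntname = 0
  AND (password IS NULL OR PWDCOMPARE('', password) = 1)
GO

-- 3. Give sa a strong password. sp_password takes old password, new password,
--    login name; a sysadmin may pass NULL as the old password.
--    '<REPLACE_WITH_STRONG_PASSWORD>' is a placeholder, not a real value.
EXEC sp_password NULL, '<REPLACE_WITH_STRONG_PASSWORD>', 'sa'
GO
```

Run step 1 and step 2 first and keep the output; they tell you whether the open access is coming from Windows group membership (first answer) or from blank SQL logins (last answer), and you want that record before changing anything. If `BUILTIN\Administrators` is more access than the office needs, remove it from sysadmin only after you have confirmed a separate sysadmin login works, otherwise you can lock yourself out.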