Sybase Users

  1. Enforce account password complexity and lockout.

    Enforce the use of strong passwords for Sybase accounts. ASE 12.x has a number of excellent features for ensuring user password security.

    You can specify that an account should be locked after some maximum number of failed login attempts.

    To set the limit globally:

    sp_configure "maximum failed logins", 5

    To set the limit for a user:

    sp_addlogin test, "foobar432", maxfailedlogins = 2

    To set the limit for a role:

    create role test_role with passwd "test432", max failed_logins 5

    You can use sp_modifylogin to set the limit for a user after an account has been created, or “alter role” to set the limit for an existing role.

    You can ensure that all (new) passwords have at least one digit, using the statement

    sp_configure "check password for digit", 1

    You can specify a minimum password length globally, using the statement

    sp_configure "minimum password length", 4

    Or you can set the length for a specific user like this:

    sp_modifylogin "test", @option="min passwd length", @value="9"
  2. Remove privileges from the default sa account.

    You might want to remove privileges from the default sa account, and instead set up a number of separate, role-based database administration accounts (that have either the sa_role or sso_role). The reason for this is that attackers are generally aware of the existence of the sa account and will specifically target it. Attackers may not have access to a mechanism that allows them to retrieve ...
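The settings described in items 1 and 2 above, collected into one hardening script. This is an added example, not the book's own text or code: the login names (dba_alice, sso_bob), the role name and all passwords are constructed placeholders, and the `status & 2` test on syslogins is an assumption about how ASE marks a locked account rather than something the excerpt states.

```sql
-- Server-wide policy: lock after 5 failed logins, require a digit,
-- require at least 8 characters for every new password.
sp_configure "maximum failed logins", 5
go
sp_configure "check password for digit", 1
go
sp_configure "minimum password length", 8
go

-- Separate, role-based administration logins instead of a shared sa.
-- (placeholder names and passwords; choose your own)
sp_addlogin dba_alice, "Replace-Me-4-Now"
go
sp_addlogin sso_bob, "Replace-Me-5-Too"
go

-- Tighter per-login limits than the global defaults, set after creation.
sp_modifylogin dba_alice, "max failed_logins", "3"
go
sp_modifylogin dba_alice, "min passwd length", "12"
go
sp_modifylogin sso_bob, "max failed_logins", "3"
go
sp_modifylogin sso_bob, "min passwd length", "12"
go

-- Split duties: one account administers the server, the other
-- administers security (logins, roles, auditing).
grant role sa_role to dba_alice
go
grant role sso_role to sso_bob
go

-- A password-protected role for application DBAs, with its own lockout limit.
create role app_dba_role with passwd "Role-Pass-7", max failed_logins 5
go
-- Raising the role's limit later uses alter role rather than recreating it.
alter role app_dba_role set max failed_logins 3
go

-- Only now, with working sa_role/sso_role holders in place, take sa out of use.
-- ASE refuses to lock the last unlocked login that holds sa_role or sso_role,
-- so this ordering matters.
sp_locklogin sa, "lock"
go

-- Verification: per-login limits and roles, then every locked login.
sp_displaylogin dba_alice
go
-- Assumed: bit 2 of syslogins.status marks a locked account.
select name, status
from master..syslogins
where status & 2 = 2
go
```

Run it as a login that already holds sso_role (sa itself, before the final sp_locklogin). The order is deliberate: the replacement administrative logins are created and granted their roles first, and the verification queries confirm the limits landed before the shared account is locked.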
