MS SQL SA account lockout from scan


#1

I ran a deep and ultimate openvas scan on a SQL host, and the SA account was locked out.
I understood that a scan did not attempt penetration.

Why did this occur, and is there a way to prevent it from occurring again?

Any suggestions on how to secure the SA account on the SQL box?

Thanks


#2

Unfortunately this assumption is not correct. A vulnerability scan is for sure doing some kind of penetration on the scanned device/service, especially when using one of the pre-defined “Ultimate” scan configurations.

Please have a look at the following documentation below for more information:

https://docs.greenbone.net/GSM-Manual/gos-4/en/read_before_use.html

This includes e.g. notes for locked out accounts which might happen at any time. Furthermore, the usage of the “Ultimate” scan configurations belongs to the “allows the configuration of invasive behavior” mentioned there.

There are a few possibilities available:

  1. Switching back to the “Full and Fast” scan configuration (the VT mentioned below will do fewer tries on the SA account).

  2. Remove the following VT from your scan configuration:

    Name: Microsoft’s SQL Server Brute Force
    OID: 1.3.6.1.4.1.25623.1.0.10862
    Family: Default accounts

  3. Securing the SA account on the SQL box, which would be my preferred solution. If the SA account is locked out by the server globally and not based on the IP, any attacker is able to lock you out of your service.

Please note that this question itself on how to secure your SQL box is out of the scope of this forum and especially of this vulnerability tests category. Please have a look at the manual of the MSSQL server or contact the support of Microsoft for more information.
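As an added illustration of option 3 (this is not from the thread or from Greenbone), the T-SQL below checks the error log for the failed logins a brute-force VT leaves behind, shows whether the built-in sa login is subject to account lockout, then disables and renames it; the new login name is a placeholder you choose yourself.

```sql
-- Added example: harden the built-in sa login against scanner brute force.
-- Run this as a sysadmin login other than sa, so you keep access afterwards.

-- 1. Detect brute-force activity: list failed-login entries for sa in the
--    current SQL Server error log (failed-login auditing is on by default).
EXEC xp_readerrorlog 0, 1, N'Login failed', N'sa';

-- 2. Show the state of sa. principal_id 1 is always the built-in sa login,
--    even after a rename. is_policy_checked = 1 means the Windows
--    account-lockout policy applies to this SQL login, which is why a
--    brute-force VT can lock it out server-wide.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE principal_id = 1;

-- 3. Disable sa so a guessed password cannot be used and a lockout of it
--    no longer affects day-to-day administration.
ALTER LOGIN sa DISABLE;

-- 4. Rename it so scans that target the default name do not hit it.
--    [sa_renamed_placeholder] is a placeholder, not a recommended name.
ALTER LOGIN sa WITH NAME = [sa_renamed_placeholder];
```

Re-run step 2 afterwards: is_disabled should now be 1 and name should show the new value.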