Database accounts can be a powerful attack vector for a dedicated attacker. Whether it’s an account left with high-level access to environment settings, a low-level account with the ability to perform user enumeration or just an old-fashioned brute force attack, leaving accounts with little to no security can spell disaster for an organization.
When creating a user account, consider what the account will be used for and if the privileges that are provided to the user are enough for them to perform the job they’re tasked with. It’s better to go back and assign higher privileges to a user as their role requires it rather than give them the keys to the kingdom on the first day.
SecureCloudDB offers a full report of user accounts across an entire environment, providing user details and privileges at a glance. Administrators are able to consistently review who has access to what in the environment and use that information to adjust privileges as needed based on changes required for users to do their job.
This report is accessible in SecureCloudDB by selecting "Foundational Security" in the main menu, "Reports" in the sub menu, and then "User Assessment".
Account Brute Force
Some database services ship with built-in, highly privileged accounts, usually with default passwords. If a default user account is left sitting within an environment it can be an easy target for a brute force attack. For example, the “sa” account is the original login created during the installation of Microsoft SQL Server and is widely known to hold sysadmin privileges.
A best practice is to set a very strong password for these types of accounts or if the service allows, disable the account and establish other accounts to serve the role if specific permissions are required.
To take it one step further, SecureCloudDB ships with a number of default rules that monitor accounts such as the “sa” account for settings such as:
- Ensure the 'sa' Login Account has been renamed
- Ensure the 'sa' Login Account is set to 'Disabled'
- Ensure no login exists with the name 'sa'
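As an added example (not SecureCloudDB's own rule logic), the following T-SQL audits a SQL Server instance against those three rules from the DBA side. It relies on the fact that the original sa login always has SID 0x01, so it can be found even after a rename; the replacement login name in the commented remediation is a placeholder.

```sql
-- Added example: audit the built-in "sa" login on Microsoft SQL Server
-- against the three rules listed above. Run as a member of sysadmin so
-- that sys.server_principals returns every login.

-- Rules 1 and 2: locate the original sa login by its fixed SID (0x01)
-- and report whether it has been renamed and whether it is disabled.
SELECT  name,
        is_disabled,
        CASE WHEN name = 'sa'
             THEN 'FAIL: sa login has not been renamed'
             ELSE 'PASS: sa login renamed to ' + name END AS rename_check,
        CASE WHEN is_disabled = 1
             THEN 'PASS: login is disabled'
             ELSE 'FAIL: login is enabled' END AS disabled_check
FROM    sys.server_principals
WHERE   sid = 0x01;

-- Rule 3: no login of any SID should carry the well-known name 'sa'
-- (a renamed original could otherwise be replaced by a new login named sa).
SELECT  CASE WHEN EXISTS (SELECT 1 FROM sys.server_principals WHERE name = 'sa')
             THEN 'FAIL: a login named sa exists'
             ELSE 'PASS: no login named sa' END AS name_check;

-- Remediation, to be run by a sysadmin after confirming that no job,
-- linked server or application depends on the current login name.
-- The new name is a placeholder chosen for this example.
-- ALTER LOGIN [sa] WITH NAME = [placeholder_admin_login];
-- ALTER LOGIN [placeholder_admin_login] DISABLE;
```

Each SELECT returns a PASS/FAIL column, so the script can be scheduled and its output compared against the expected PASS values as a simple configuration drift check.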
Even if an account does not have a high level of privilege it may still be able to query and search for other accounts within the database. This means that an attacker holding a low-privilege account could enumerate default accounts or accounts with elevated privilege, turning those accounts into targets for brute force attacks.
To protect against account enumeration, set permissions so that lower-level users can’t read the list of user accounts within the environment. Use SecureCloudDB to create alerts for database activity based on a specific user, a user type or any action performed at a specific time. This makes it quick and simple to detect anomalous activity as soon as it happens. If activity related to account enumeration is detected, it’s then possible to investigate and implement remediation for the situation.
To establish a "New Alert Policy", click on "Policies" in SecureCloudDB's main menu and select the blue "New Policy" button to the right of the screen.
You wouldn’t think that database accounts would have such an open attack surface but from untamed account privileges to brute force attacks, losing track of an account could leave an organization open to attack. SecureCloudDB is specialized for the cloud and provides a real-time overview of the cloud environment, configurations and user activity, enabling organizations to reduce the risk of an attacker exploiting their infrastructure.