Social Engineering: How to prevent unauthorized access to SQL Server using SQL Logins

02 Oct

People are always concerned about security when it comes to their data. I don’t blame them: I love keeping my job and I love protecting the sensitive data we store. You also don’t want someone with little SQL skill going in and running huge queries that bring the server to a screeching halt. In all honesty though, security has a HUGE aspect that is outside the realm of anyone’s technical expertise: it’s the “social factor” of security that is tricky.

I was notified by a colleague that individuals are giving out SQL Server Login passwords to contractors. Office politics can be tricky sometimes, so I have devised an email template to deal with such a situation. Make sure you replace my name with yours before sending it out, and feel free to customize the seasonal aspects of the email (i.e. weather). May your trials with Social Engineering be successful!


Good morning,

Looks like today’s weather will be fantastic. I hope you all enjoy taking a break at lunch time and heading out to enjoy the last few days of nice weather before winter arrives. Speaking of winter arriving, it usually brings with it bitter cold that can crack the skin on your knuckles if you’re not properly protecting your hands with gloves.

Similarly, our databases need protection. They’re not affected by temperatures below 0 °C (32 °F for those of you who refuse to use the metric system). However, they still need protection from unauthorized access. As a general rule, we do not give out our passwords for SQL Logins to contractors. The reason is that we can no longer track what they have access to, because having the username and password for a SQL Login can give them access to multiple servers and environments. Some of you might be thinking “Ayman, you’re an idiot, we can just change the password after!” You’re absolutely correct, and after changing the password we would have to change every application that has the password information in it 🙂 . We also do not give out these passwords to people outside of IT without explicit permission from upper management (not sure who that would be, but now I’ve just covered my bases).

In conclusion, it’s a wonderful day. Let’s try to keep it that way by not giving out our passwords to Temps, Contractors, and non-IT folks. If they need access to something, a request can be made via the SDE ticketing system.

Thank you for your time, patience, and co-operation. Enjoy your day!
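The tracking problem the email describes (one SQL Login, many unknown users) can at least be made visible from the server side. The following T-SQL is an added example, not part of the original post: it lists which machines, programs and client addresses are currently connected with each SQL login and flags logins in use from several hosts. It assumes the VIEW SERVER STATE permission, and the threshold of three distinct hosts is an assumed starting point, not a value from the post.

```sql
-- Snapshot of current sessions authenticated with a SQL login (password-based),
-- excluding Windows users/groups and system sessions.
-- Assumes VIEW SERVER STATE; DMVs show only sessions open right now.
SELECT
    s.login_name,
    s.host_name,
    s.program_name,
    c.client_net_address,
    s.login_time
INTO #sql_login_sessions
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
    ON c.session_id = s.session_id
JOIN sys.server_principals AS p
    ON p.name = s.login_name
WHERE s.is_user_process = 1
  AND p.type = 'S'            -- 'S' = SQL login; 'U'/'G' would be Windows user/group
  AND c.auth_scheme = 'SQL';  -- password authentication, not NTLM/Kerberos

-- Per-login summary: a login meant for one application that shows up from
-- many workstations is the signature of a shared password.
-- Threshold of 3 hosts is an assumption; tune it per environment.
SELECT
    login_name,
    COUNT(*)                           AS active_sessions,
    COUNT(DISTINCT host_name)          AS distinct_hosts,
    COUNT(DISTINCT client_net_address) AS distinct_client_addresses,
    COUNT(DISTINCT program_name)       AS distinct_programs,
    MIN(login_time)                    AS earliest_login
FROM #sql_login_sessions
GROUP BY login_name
HAVING COUNT(DISTINCT host_name) >= 3
ORDER BY distinct_hosts DESC;

-- Detail rows: exactly which host/program pairs are using each login,
-- which is what you need before rotating the password and updating the
-- applications that legitimately hold it.
SELECT
    login_name,
    host_name,
    program_name,
    client_net_address,
    COUNT(*)        AS sessions,
    MIN(login_time) AS first_seen
FROM #sql_login_sessions
GROUP BY login_name, host_name, program_name, client_net_address
ORDER BY login_name, host_name;

DROP TABLE #sql_login_sessions;
```

Because the DMVs are a point-in-time view, run this on a schedule or enable a server audit with the SUCCESSFUL_LOGIN_GROUP action group if you need a history of who used the login and from where.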




2 responses to “Social Engineering: How to prevent unauthorized access to SQL Server using SQL Logins”

  1. Satheesh Kumar

    October 9, 2013 at 5:01 AM

    A seasonal email like this will help. But if I sense that the password is shared, I would pull my sleeves to monitor the same and pass some stringent policy. It all depends on our environment 🙂

    • Ayman El-Ghazali

      October 9, 2013 at 12:59 PM

      Even if you have a great password, if people are sharing it and using SQL Accounts, it is difficult to track who is logging in with that SQL Account. Security is a social construct as much as it is a technical one.

