1.5 Remove unused accounts and change default passwords

Information

Several Sybase components that interact with ASE (Backup Server, Monitor Server, Job
Scheduler, Sybase mail) create server logins at installation with weak, well-known
passwords such as "Sybase", "SQL" or the login name itself.

It is recommended that default accounts are given passwords that conform to a strong
password policy. Furthermore, accounts that are not in use should be removed. Below is a
list of common accounts to inspect:

- probe (two-phase commit probe process used by Backup Server)
- sybmail (Sybase mail / xp_sendmail)
- jstask (Job Scheduler)
- mon_user (Monitor Server)

Rationale:

Default passwords present an easy means of compromising a database, even for unskilled
attackers. Even if the targeted user account does not have access to powerful roles or
sensitive data, the attacker need only find a privilege escalation vulnerability to execute a
full compromise.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

1. Connect to the ASE server as a login that has select permission on
master.dbo.syslogins (such as a login with the sso_role) and execute the
following SQL statement to retrieve the list of server logins (syslogins holds
logins; per-database users live in each database's sysusers):

use master

select name from syslogins

2. Lock or drop the accounts whose component is not deployed (sp_locklogin, then
sp_droplogin), set strong passwords on the remaining accounts via the sp_password
stored procedure (with sso_role: sp_password caller_passwd, new_passwd, login_name), and
ensure every client component that authenticates with the account is updated to use
the new password. Note that the query above only lists logins; the catalog does not
reveal whether a password is still the default, so confirm by attempting an isql login
with the documented default and verifying that it is rejected.
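The following is an added worked example of the two steps above, not text from the CIS benchmark or from Sybase documentation. It assumes the sybmail component is not deployed (so its login is locked and dropped) while probe must stay, and uses the placeholders <sso_passwd> and <new_passwd> for the caller's own password and the replacement; run it from isql as a login holding sso_role.

```sql
-- Added example (not part of the benchmark text): audit server logins,
-- lock and drop an unused component login, reset a login that must stay.
-- <sso_passwd>, <new_passwd> and the choice of sybmail/probe are assumptions.
use master
go

-- 1. Every server login with the date its password was last changed.
--    A pwdate still equal to the install date on a component login is a
--    strong hint that the default password has never been replaced.
select name, suid, pwdate, status
from master.dbo.syslogins
order by name
go

-- 2. Narrow to the component logins the benchmark calls out.
select name, pwdate
from master.dbo.syslogins
where name in ('probe', 'sybmail', 'jstask', 'mon_user')
go

-- 3. Component not deployed: lock first, then drop once nothing breaks.
--    sp_droplogin refuses if the login still owns a database or is mapped
--    as a user in one; drop those mappings with sp_dropuser first.
exec sp_locklogin sybmail, "lock"
go
exec sp_droplogin sybmail
go

-- 4. Component in use (Backup Server relies on probe): set a strong
--    password. With sso_role the argument order is caller password,
--    new password, then the login being changed.
exec sp_password "<sso_passwd>", "<new_passwd>", probe
go

-- 5. Verify: sp_displaylogin reports the lock state and password dates.
exec sp_displaylogin probe
go
```

After resetting probe, update the Backup Server configuration that authenticates as probe before the next dump, otherwise two-phase commit probing and backups will start failing. Because syslogins stores only a password hash, the final check that a default is gone is an attempted isql login with the old default password, which should now be rejected.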

See Also

https://workbench.cisecurity.org/files/1612