1.4 Secure the sa account

Information

The System Administrator account, sa, is extremely powerful, having the sa_role,
sso_role, oper_role and sybase_ts_role by default. Furthermore, the password to the sa
account is blank on install.

Sybase recommends using the sa account only for initial database configuration such as
creating other users, devices and databases. It is then recommended that the sa account is
locked.

The following steps represent best practice handling of the sa account:

- Set a strong password on the sa account; although the sa account should ultimately
be locked, setting a strong password acts as a mitigating step while the database is
being configured or should the account be accidentally re-enabled. Re-enabling it
without a password set would have severe repercussions, as the default password for
the sa account is blank.
- Create separate user accounts and groups assigning the sa_role, sso_role,
oper_role and sybase_ts_role roles as necessary, following the principle of least
privilege.
- Remove the sa_role, sso_role, oper_role and the sybase_ts_role from the sa
account.
- Lock the sa account.

Rationale:

The first attack an intruder is likely to launch against Sybase ASE will be to test whether the
sa account is enabled and whether it has a blank password. If both of these conditions are
true, the attacker has no additional work to do to fully compromise the database.
Furthermore, in many organizations auditing requirements mandate the use of non-default
accounts so that operations can be accurately tracked.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

1. Connect to the ASE server as a user with the sa_role and execute the following SQL
statement to set a strong password on the sa account (where <StrongPassword>
should be replaced with a suitable password):

exec sp_password NULL, '<StrongPassword>'

2. Ensure the above statement returns Password correctly set.

3. Create separate user accounts and groups assigning the sa_role, sso_role,
oper_role and sybase_ts_role roles as necessary, following the principle of least
privilege.

4. Connect to the ASE server as a user with the sso_role and execute the following
SQL statements, ensuring they complete successfully, to strip the sa account of the
sso_role, oper_role and sybase_ts_role roles.

Note that it is essential that other accounts with at least the sa_role and the
sso_role have been created prior to carrying out this and the following step.

revoke role sso_role from 'sa'

revoke role oper_role from 'sa'

revoke role sybase_ts_role from 'sa'

5. Connect to the ASE server as a user with the sa_role and execute the following
statement, ensuring it completes successfully, to strip the sa account of the
sa_role.

revoke role sa_role from 'sa'

6. Connect to the ASE server as a user with the sso_role and execute the following
SQL statement to lock the sa account:

exec sp_locklogin sa, 'lock'

7. Ensure the above statement returns Account locked.
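A verification query a reviewer can run once all seven steps are complete, added here as an example and not part of the benchmark text or of any Sybase-supplied script. It assumes the ASE catalog tables master..syslogins (where status bit 0x2 is the "locked" flag), master..sysloginroles and master..syssrvroles, and a login holding the sso_role to read them.

```sql
-- Added compliance check (not from the CIS benchmark): confirm that sa is
-- locked and no longer holds any of the four powerful roles.
-- Assumption: ASE system tables syslogins, sysloginroles and syssrvroles
-- in master, with syslogins.status bit 0x2 meaning "account locked".
use master
go

-- 1. Lock state of the sa login. Expected result after step 7: 'locked'.
select l.name,
       case when (l.status & 2) = 2 then 'locked' else 'NOT LOCKED' end as lock_state
from syslogins l
where l.name = 'sa'
go

-- 2. Roles still granted directly to sa. Expected result after steps 4 and 5:
--    no rows. Any row returned here is a finding.
select r.name as role_still_granted
from syslogins l, sysloginroles lr, syssrvroles r
where l.name = 'sa'
  and lr.suid = l.suid
  and lr.srid = r.srid
  and r.name in ('sa_role', 'sso_role', 'oper_role', 'sybase_ts_role')
go

-- 3. Sanity check for the note under step 4: at least one *other* login must
--    still hold sa_role and one must hold sso_role, or the server cannot be
--    administered after sa is locked.
select r.name as role_name, count(*) as other_holders
from syslogins l, sysloginroles lr, syssrvroles r
where l.name <> 'sa'
  and (l.status & 2) = 0
  and lr.suid = l.suid
  and lr.srid = r.srid
  and r.name in ('sa_role', 'sso_role')
group by r.name
go
```

Run this from isql as the non-sa administrative login created in step 3; the third query should report a count of at least one for both sa_role and sso_role before the sa account is locked.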

See Also

https://workbench.cisecurity.org/files/1612